Re: How to track down a wireless hacker



On 11/7/07, ep <captgoodnight@xxxxxxxxxxx> wrote:
> So set up a duplicate of the previously vulnerable wireless configuration and
> from a secure Linux laptop (only thing on the segment) simply every 15
> minutes pass some unique clear text working credentials to an internet facing
> service you can monitor, like an ftp server or pop3 account. Wait for the
> connection/authentication and log the ip, then get law enforcement and
> what I think will be a local ISP involved.

We are talking about wireless, right? Because in such a scenario,
logging the IP address won't make much of a difference since any IP
that the intruder has would be *one that your DHCP server leased to
him*. There is no ISP to involve here. Unless of course the intruder
accesses the FTP/POP3/whatever server from a different connection, in
which case he may very well be on someone *else's* WLAN and you'll end
up expending a great deal of effort and time (both yours and others')
and be no closer to knowing the identity of your malefactor than you
were before.

Yeah, I think hoping that the intruder would be daft enough to access
his Hotmail account is about the best you can hope for here.

--Nick
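
Added example, not part of the original posts: a small triage script for the decoy-credential idea discussed above, showing why the logged source address alone settles little. The honeytoken user name, addresses, lease table and vsftpd-style log lines are all constructed, and it assumes the monitored service sees WLAN client addresses directly.

```python
import ipaddress
import re

# All values below are constructed sample data, not taken from the thread.
HONEY_USER = "canary_ap7"                 # credentials only the decoy laptop sends
DECOY_IP = "192.168.50.10"                # the decoy laptop's own address
WLAN_POOL = ipaddress.ip_network("192.168.50.0/24")   # range our DHCP server leases
LEASES = {                                # DHCP lease table reduced to ip -> MAC
    "192.168.50.10": "00:16:3e:00:00:01",
    "192.168.50.23": "00:16:3e:00:00:02",
}
SAMPLE_LOG = '''\
Wed Nov  7 10:15:02 2007 [pid 311] [canary_ap7] OK LOGIN: Client "192.168.50.10"
Wed Nov  7 10:21:40 2007 [pid 318] [canary_ap7] OK LOGIN: Client "192.168.50.23"
Wed Nov  7 10:22:05 2007 [pid 320] [backup] OK LOGIN: Client "192.168.50.31"
Wed Nov  7 23:48:11 2007 [pid 402] [canary_ap7] OK LOGIN: Client "203.0.113.77"
'''
LOGIN_RE = re.compile(r'\[(?P<user>[^\]]+)\] OK LOGIN: Client "(?P<ip>[^"]+)"')


def classify(log_text):
    """Return (ip, kind, mac) for each honeytoken login not made by the decoy."""
    findings = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if not m or m.group("user") != HONEY_USER:
            continue                      # ordinary account or unrelated line
        ip = m.group("ip")
        if ip == DECOY_IP:
            continue                      # the scheduled 15-minute beacon itself
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                      # malformed address field
        if addr in WLAN_POOL:
            # An address our own DHCP server handed out: no ISP to contact.
            # The lease's MAC is the only extra lead, and it may be absent.
            findings.append((ip, "local-lease", LEASES.get(ip)))
        else:
            # Reused from another connection, possibly someone else's WLAN.
            findings.append((ip, "external", None))
    return findings


if __name__ == "__main__":
    for finding in classify(SAMPLE_LOG):
        print(finding)
```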
