RE: About War Driving ..
- From: "Andrew Aris" <andrew@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 5 Dec 2006 09:03:05 -0000
Responses inline...
-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On
Behalf Of FatalSaint
Sent: 01 December 2006 00:18
To: gaurav saha; security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: About War Driving ..
Just a couple.. I'm kind of a noob here but:
1) Use WPA/TKIP instead of WEP. Harder to crack (though not impossible)
--> Good idea, WPA/WPA2 with a decent strong passphrase is probably one of
the best steps to take.
2) Disable DHCP if you have it running or
2a) Enable static DHCP for the MAC Addresses of the authorized PCs
--> Wouldn't achieve much I'm afraid, a valid IP is too easy to spoof.
3) MAC Address Filter your router
--> Doubt it will help in this particular intrusion since I think OP said
the guy is already smart enough to change MAC. Not going to hurt for general
wireless security though.
4) Disable SSID Broadcast (easily got around by anyone with kismet.. but
still an added layer)
--> I've always found it causes more hassle than it's worth.
5) If your router has the capability; explicitly allow only the IPs for the
machines you assign to get out to the internet.
--> Wouldn't achieve much I'm afraid, a valid IP is too easy to spoof.
6) Disable the torrent ports at the firewall .. I am not sure what they are
or if torrent will get around them by using port 80 instead. (in
actuality, in a business environment I'd disable -all- outgoing ports
except 80 and 443 - if someone needs specific access have your net-admin
explicitly allow their machine out.)
--> This would probably be a good idea as a general net security thing. If
you can identify what services people need legitimately then deny everything
and allow just those.
7) You could get as detailed as static routing and limiting the amount of
bandwidth each machine/IP could use.
--> Only offers damage limitation - preventing an intruder from saturating
your connection, a lot of work and restriction to legitimate traffic just for
that though.
Log MAC Addresses. If he's smart enough to crack your WEP then he's prolly
spoofing MACs.. but you could always go into your logs, see which MAC is
associated with that IP - and then go to all the machines in your building
that you can control and check the MAC Addresses - might tell you which
machine is doing it.
--> If he is spoofing MAC addresses then logging it won't tell you much.
Some more advanced things could be to install a proxy server; require the
use of logins to get to the internet - then you can track by login.
Or even installing a transparent proxy and logging all
websites/communication out to the internet (this could cause a very large
logfile.)
--> they *CAN* be got around using tunnelled traffic - can help to stop
casual intruders but I doubt that's what this guy is. If you want to go down
the authentication a RADIUS server would be a better route.
I don't know your network infrastructure so these are just random thoughts
on what you -could- do if your business plan allows.
On 11/30/2006, "gaurav saha" <gauravsaha007@xxxxxxxxx> wrote:
Hi,
I was wondering if it is possible to locate and catch a guy who is
connecting to our WEP wireless network and downloading stuff from
torrents and using up our bandwidth ..
I checked up with arp scan and found 2 unknown IPs
192.168.1.246 and 247
Is there any way of locating the guy in a building of 7 floors and how
to stop this .. I have tried changing the WEP keys, so he is cracking
the WEP key.
Any suggestions, people?
---gaurav
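
The ARP check and the MAC logging discussed in this thread can be combined into one audit; the following is an added example, not code from any of the posters. The ARP listing (in Linux `arp -an` format), the MAC addresses and the authorized inventory are constructed; only the two unknown IPs come from the original question.

```python
import re
from collections import defaultdict

# Constructed sample in the Linux `arp -an` output format; only the two
# unknown IPs (.246 and .247) are taken from the original question.
SAMPLE_ARP = """\
? (192.168.1.1) at 00:16:b6:aa:00:01 [ether] on eth0
? (192.168.1.10) at 00:13:ce:aa:00:10 [ether] on eth0
? (192.168.1.11) at 00:13:ce:aa:00:11 [ether] on eth0
? (192.168.1.246) at 00:0e:35:bb:02:46 [ether] on eth0
? (192.168.1.247) at 00:13:ce:aa:00:11 [ether] on eth0
? (192.168.1.50) at <incomplete> on eth0
"""

# Hypothetical inventory of authorized hardware addresses (an assumption).
AUTHORIZED = {"00:16:b6:aa:00:01", "00:13:ce:aa:00:10", "00:13:ce:aa:00:11"}

ENTRY = re.compile(
    r"\((\d+\.\d+\.\d+\.\d+)\) at ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.I)

def parse_arp(text):
    """Return (ip, mac) pairs; unresolved '<incomplete>' entries are skipped."""
    return [(m.group(1), m.group(2).lower()) for m in ENTRY.finditer(text)]

def audit(text, authorized):
    """Return (unknown MACs, MACs claimed by more than one IP)."""
    by_mac = defaultdict(list)
    for ip, mac in parse_arp(text):
        by_mac[mac].append(ip)
    unknown = {mac: ips for mac, ips in by_mac.items() if mac not in authorized}
    # An inventoried MAC answering for several IPs may be a cloned address,
    # which is why a MAC filter or MAC log alone cannot identify the machine.
    shared = {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}
    return unknown, shared

if __name__ == "__main__":
    unknown, shared = audit(SAMPLE_ARP, AUTHORIZED)
    for mac, ips in unknown.items():
        print(f"unknown MAC {mac} on {', '.join(ips)}")
    for mac, ips in shared.items():
        print(f"MAC {mac} seen on multiple IPs: {', '.join(ips)}")
```

In this constructed data, 192.168.1.247 passes a MAC allowlist because it presents an inventoried address, and only the duplicate-MAC check surfaces it.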