Tuesday, June 15, 2010

Guide: How to catch hackers on your wireless network


Wireless networks are a wonderful invention. They give us the ability to easily deploy a complex network of computers without the need to physically wire them up.

However, this ease of use can also mean that, without proper precautions, neighbourhood parasites can leech bandwidth and generally use your network against your wishes. Trapping such people is easy with a little thought and some borrowed equipment.

What is wireless?

What's usually known as Wi-Fi belongs to a family of wireless networking technologies called IEEE 802.11. These all use the same protocol for transmitting and receiving data over short distances.

Home wireless routers and hubs (commonly called wireless access points) conform to the 802.11g variant of the specification. This uses transmission frequencies centred on 2.4GHz. Each transmission channel gives a raw data throughput of either 54 or 65 Mbps, depending on your equipment.

However, the useful data transmission rate is more like 19 Mbps, with the rest of the available bandwidth being used for error correction, encryption and packet collision detection.

Wireless LANs operate on one of 13 channels. If you're getting low data transfer rates, it's worth switching your wireless access point to a different channel – the chances are that another network in the neighbourhood is using the same one. Using the same channel won't cause data leakage onto other networks, because each is also uniquely identified and should feature strong encryption.

Encrypt to survive

Encryption is vital for wireless networks. There are two main standards in popular use. The first, which is older and decidedly less secure, is Wired Equivalent Privacy (WEP).

The original idea behind WEP was that it would be as secure as using a wired network. However, it's been widely known for around half a decade that if you can capture enough data packets from a secure connection, WEP encryption can be cracked using freely available hacking tools.

After cracking WEP encryption on a target network, it's possible for a hacker to read the login credentials required to connect to that network. After that, he will discover and exploit whatever vulnerabilities can be found on the network to consolidate his hold over it, possibly by deploying a keylogger to snatch identities, as well as using your computers for the storage of files he doesn't want on his own network.

The core aim is to leech your bandwidth to download undesirable content. For this reason, WEP should no longer be used. In its place, your wireless network should support WPA (Wi-Fi Protected Access).

This features far stronger encryption and the tools used to crack it are still either at the proof-of-concept stage or take so long to run that updating your passwords regularly will mean that your wireless network remains a very slippery target indeed.

If your network still uses WEP, stop reading immediately, log into your wireless access point's web interface, go to the admin page and select WPA (or, if available, the stronger variant WPA2) and save the configuration. Now disconnect and reconnect your computers to the network and they'll begin using the stronger encryption.

That done, let's now explore your neighbourhood.

Network discovery

The first thing a hacker will do when scouting for Wi-Fi targets is check the networks in range to find the best one to attack. While you could simply use your PC's Wi-Fi connectivity software to discover local networks, there are better tools available online that will show you far more.

One such tool is the free Inssider from MetaGeek. Installation on a computer with a wireless network card is as simple as running the installation package and clicking 'Next' a couple of times.

Inssider

You don't need to be a member of a wireless network to run Inssider. Run it and select your wireless network interface from the dropdown list at the top of the Inssider window. Click the 'Start Scanning' button and the interface will begin to fill with networks.

At the top of the screen is a table containing a line for each network that the program discovers. This contains information including the wireless access point device each network uses, the name (called the SSID) of the network, the signal strength and the type of security used.

In the lower section of the interface are real-time graphs showing the signal strengths of each network as they change over time. Water in the atmosphere absorbs radio waves, so if the weather's bad, signal strengths may be lower than on a bright, dry day. Such fluctuations in atmospheric interference will cause networks on the edge of the detectable range to occasionally pop up and disappear again.

On the right-hand pane is a chart showing the signal strengths as the height of a set of bell curves centred on the channels used. If you're not getting very good bandwidth, try changing the access point's channel to one that isn't in use by the networks around you, then reconnect.

As a general guide, the RSSI (Received Signal Strength Indication) column in the table is a useful measure of the distance between you and each network's base station. This can be used to get a rough idea of whose networks you can see if they've not been identifiable from their SSID.

The SSID is the 'service set ID'. This is the user-defined name of the network. When you buy a new wireless access point, the SSID will usually be set to a default. If you leave this as it is, it gives people a good indication that little if any configuration or security work has been done. If the network is also using WEP encryption (or worse, no encryption at all), it is open to easy abuse.
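As an added example (not part of the original guide, and not inSSIDer's own code), here is a small Python audit of the survey table described above. It takes a constructed, tab-separated export with the same columns (SSID, BSSID, channel, RSSI, security), flags networks on WEP or no encryption and those still on a factory SSID, and scores the 13 channels by RSSI-weighted overlap to pick one that nobody nearby is using. The factory-SSID list is a placeholder.

```python
"""Audit a Wi-Fi survey as read from the inSSIDer table above (added example)."""
from collections import defaultdict

# Constructed sample survey (tab-separated), not a real scan.
SURVEY = """\
SSID\tBSSID\tChannel\tRSSI\tSecurity
HomeNet\t00:11:22:33:44:55\t6\t-45\tWPA2
default\t00:11:22:33:44:66\t6\t-70\tWEP
linksys\t00:11:22:33:44:77\t1\t-60\tNone
CafeWifi\t00:11:22:33:44:88\t11\t-82\tWPA
"""
# Placeholder list of factory SSIDs; extend it for your own equipment.
DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink"}
WEAK_SECURITY = {"none", "wep"}

def parse_survey(text):
    rows = []
    for line in text.strip().splitlines()[1:]:  # skip the header row
        ssid, bssid, ch, rssi, sec = line.split("\t")
        rows.append({"ssid": ssid, "bssid": bssid, "channel": int(ch),
                     "rssi": int(rssi), "security": sec})
    return rows

def weak_networks(rows):
    """SSIDs running WEP or no encryption: open to easy abuse."""
    return [r["ssid"] for r in rows if r["security"].lower() in WEAK_SECURITY]

def default_ssids(rows):
    """BSSIDs still broadcasting a factory name: probably never configured."""
    return [r["bssid"] for r in rows if r["ssid"].lower() in DEFAULT_SSIDS]

def channel_load(rows, channels=range(1, 14)):
    """Interference per channel: stronger signals weigh more, and a network
    on channel c also loads the channels within 4 of c (2.4GHz overlap)."""
    load = defaultdict(float)
    for r in rows:
        weight = max(0.0, 100 + r["rssi"])  # -45 dBm -> 55, -82 dBm -> 18
        for c in channels:
            if abs(c - r["channel"]) <= 4:
                load[c] += weight
    return {c: load[c] for c in channels}

def least_congested_channel(rows):
    """Prefer a channel nobody is on; among those, pick the lowest load."""
    load = channel_load(rows)
    used = {r["channel"] for r in rows}
    candidates = [c for c in load if c not in used] or list(load)
    return min(candidates, key=lambda c: (load[c], c))
```

Channels 12 and 13 are not permitted in every country, so check local rules before choosing one the script suggests.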

Inssider gives you a great way to see what Wi-Fi networks are in your neighbourhood. However, if you find a network that has no protection at all, don't be tempted to join it and leech bandwidth.

It may well be that an incompetent neighbour has set it up and doesn't realise that it's open to abuse, but it may equally have been set up like that deliberately. It's possible that someone may have set up a data collection utility such as Wireshark on the open network. If you connect to the network, the person who owns it will be able to see everything you do.

Catching a Wi-Fi hacker

So let's turn the tables. Let's use this technique to set a trap for anyone in the vicinity who may fancy exploring networks and leeching bandwidth that doesn't belong to them. You can also use this technique to monitor traffic on your own networks in general.

We're going to use what's known as a honeypot – a PC or network that appears unprotected. They're designed to tempt hackers and malware to explore and infect them. In reality, they're heavily monitored.

Researchers use them to detect new strains of malware, and we're going to use a honeypot wireless network to catch bandwidth leeches. The technique involves setting up a wireless network without any protection and then monitoring it for unauthorised connections.

The network is physically isolated, but anyone joining it illegally won't know that. It just looks like a juicy connection waiting to be exploited.

To set up a simple wireless honeypot, you first need a spare wireless access point for potential hackers and freeloaders to attempt to access. This is plugged into an old network hub.

The hub is important because whatever traffic it receives on one port, it automatically retransmits on all the others. This doesn't happen in a network switch, which is why we need a hub. We can plug a PC running a traffic-monitoring program into another port on the hub, begin collecting data and wait for the fun to begin.

The monitoring program we'll use is Wireshark. This app is used by network security professionals the world over and is very easy to set up and use.

Setting the trap

Go to www.wireshark.org and download the latest Windows version. This is compatible with all supported versions of Windows from XP onwards. Installation is a simple matter of running the downloaded executable and accepting the defaults.

WireShark

Unlike Linux, Windows doesn't have the ability to put its network card into 'promiscuous' mode automatically (whereby it will accept all traffic, thus allowing Wireshark to monitor whatever flows past). To enable this, part of the Wireshark installation procedure will install a library called WinPcap.

Once installed, run Wireshark and select your wired network interface card from the interface list. This begins a collection session. You should start to see traffic being sent every few seconds by the wireless access point as it monitors and discovers resources, and finds out what machine has which IP address. You'll also see traffic from the PC on which Wireshark is running.

On the monitoring PC, log into the wireless access point's web-based management page and set security to 'none'. If there's a function for returning it to its factory settings, run this to reset all passwords.

Now test your handiwork by joining the network wirelessly from another PC. On the joining computer, open a command line and enter the command `ipconfig /all`.

Find the wireless network card's details in the morass of information that appears. Make a note of its IP address. If you now click the source or destination columns in Wireshark to sort the incoming information, you can easily find the traffic being generated by this IP address.

The traffic reveals a surprising amount of detail, including the machine's name and its MAC address. If, while monitoring, you find other computers joining the network, their machine's Windows name, MAC address and current IP address will be recorded by Wireshark.
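As an added example, not from the original guide and not Wireshark's own code, the following Python script does the sorting-and-noting step automatically. It reads a constructed, tab-separated export of the kind Wireshark's packet list can be saved as (time, source MAC, source IP, protocol, info), builds an inventory of every MAC seen on the hub together with the IP and Windows name it revealed in DHCP and NetBIOS traffic, and flags anything that is not the access point or the monitoring PC (both MACs are assumed values).

```python
"""Watch the honeypot hub for clients that are not ours (added example)."""
import re

# Constructed sample export (time, source MAC, source IP, protocol, info);
# MACs, addresses and names are made up, not from a real capture.
CAPTURE = """\
1276600001.10\t00:1a:2b:aa:aa:aa\t192.168.1.1\tARP\tWho has 192.168.1.10? Tell 192.168.1.1
1276600002.20\t00:1a:2b:bb:bb:bb\t192.168.1.10\tDNS\tStandard query A time.windows.com
1276600030.05\t00:1a:2b:cc:cc:cc\t0.0.0.0\tDHCP\tDHCP Discover - Transaction ID 0x1 Host Name: LAPTOP-INTRUDER
1276600030.40\t00:1a:2b:aa:aa:aa\t192.168.1.1\tDHCP\tDHCP Offer 192.168.1.23
1276600031.00\t00:1a:2b:cc:cc:cc\t192.168.1.23\tNBNS\tRegistration NB LAPTOP-INTRUDER<00>
1276600045.70\t00:1a:2b:cc:cc:cc\t192.168.1.23\tHTTP\tGET / HTTP/1.1
"""

# Allowlist (assumed values): the honeypot access point and the Wireshark PC.
KNOWN_MACS = {"00:1a:2b:aa:aa:aa", "00:1a:2b:bb:bb:bb"}

# Windows name as it leaks in DHCP option 12 or a NetBIOS name registration.
HOSTNAME_RE = re.compile(r"Host Name: (\S+)|Registration NB (\S+?)<")

def inventory(text):
    """Per source MAC: IPs used, names revealed, frame count, first/last seen."""
    hosts = {}
    for line in text.strip().splitlines():
        ts, mac, ip, proto, info = line.split("\t", 4)
        h = hosts.setdefault(mac, {"ips": set(), "names": set(), "frames": 0,
                                   "first": float(ts), "last": float(ts)})
        h["frames"] += 1
        h["last"] = float(ts)
        if ip != "0.0.0.0":  # a DHCP Discover carries no address yet
            h["ips"].add(ip)
        m = HOSTNAME_RE.search(info)
        if m:
            h["names"].add(m.group(1) or m.group(2))
    return hosts

def intruders(text, known=KNOWN_MACS):
    """Every MAC on the segment that is neither the AP nor the monitoring PC."""
    return {mac: h for mac, h in inventory(text).items() if mac not in known}

def report(text):
    """One summary line per unexpected client, ready to log or print."""
    return [f"{mac} ips={sorted(h['ips'])} names={sorted(h['names'])} "
            f"frames={h['frames']} seen={h['first']:.0f}-{h['last']:.0f}"
            for mac, h in sorted(intruders(text).items())]

if __name__ == "__main__":
    for line in report(CAPTURE):
        print(line)
```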

If you picked up another PC, the owner was obviously scanning the neighbourhood looking for new networks to join. Why not have a little fun by letting him know you're on to him?

Try changing the name of the network to his PC's name or some other piece of identifying information, and crank the security up to WPA2 so he won't be able to do anything about it. Doing so may scare him sufficiently to leave you well alone in future.


(Via TechRadar: All latest feeds.)
