Intrusion possible?

Anonymous
September 29, 2005 1:59:13 AM

Archived from groups: (More info?)

I have a D-Link wireless router DI614+. It's always on. Is it possible that
somebody with a wireless enabled PC uses my internet connection even when
my PC is switched off? I use 64 bit WEP encryption on the router. Tardus

Anonymous
September 29, 2005 3:08:23 AM

On Wed, 28 Sep 2005 21:59:13 +0200, "Tardus_merula"
<tardus_merula@yahoo.com> wrote:

>I have a D-Link wireless router DI614+. It's always on. Is it possible that
>somebody with a wireless enabled PC uses my internet connection even when
>my PC is switched off?

Yes. The PC probably is not necessary to connect the DI-614+ to the
internet. There are some SBC PPPoE clients that are controlled by the
PC which do require that the PC first log in, but those are few.

> I use 64 bit WEP encryption on the router. Tardus

Useless. WEP64 can be cracked in about 15 minutes of sniffing.


--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831.336.2558 voice Skype: JeffLiebermann
# http://www.LearnByDestroying.com AE6KS
# http://802.11junk.com
# jeffl@comix.santa-cruz.ca.us
# jeffl@cruzio.com
September 29, 2005 3:27:13 AM

On Wed, 28 Sep 2005 21:59:13 +0200, Tardus_merula wrote:

> I have a D-Link wireless router DI614+. It's always on. Is it possible that
> somebody with a wireless enabled PC uses my internet connection even when
> my PC is switched off? I use 64 bit WEP encryption on the router. Tardus

Yes - if your cable modem or DSL modem is turned on it is possible for
someone to use your internet connection even with WEP.
Anonymous
September 29, 2005 5:19:45 AM

Tardus_merula wrote:
> I have a D-Link wireless router DI614+. It's always on. Is it possible that
> somebody with a wireless enabled PC uses my internet connection even when
> my PC is switched off? I use 64 bit WEP encryption on the router. Tardus
>
>

First off - Linksys is the way to go - it's Cisco's version of products
for the home. I haven't used D-Link with wireless however I know with
the Linksys routers you can set up a list to restrict which MAC addresses
can access your Wireless Internet. I have it set up to accept 3 MAC
addresses, two are used and the other is sitting next to my Linux box.
There are 3 people who are trying to connect but can't because of that.

If you can do that in D-Link, provided it's feasible, which unless you're
running it as a wireless access point it is (and I doubt since you care
who is connecting.) definitely do it. It will keep everyone out except
those who you want in.

--
Meph
September 29, 2005 5:19:46 AM

On Thu, 29 Sep 2005 01:19:45 GMT, teh Mephisto <dont.worry@bout.it>
wrote:

>First off - Linksys is the way to go - it's Cisco's version of products
>for the home. I haven't used D-Link with wireless however I know with
>the Linksys routers you can set up a list to restrict which MAC addresses
>can access your Wireless Internet. I have it set up to accept 3 MAC
>addresses, two are used and the other is sitting next to my Linux box.
>There are 3 people who are trying to connect but can't because of that.
>
>If you can do that in D-Link, provided it's feasible, which unless you're
>running it as a wireless access point it is (and I doubt since you care
>who is connecting.) definitely do it. It will keep everyone out except
>those who you want in.

Meph, I can hardly believe you wrote this stuff after your post
"Public Access WIFI Security". And with an email like
"dont.worry@bout.it" you have got to be joking. Unfortunately the OP
might take you seriously and we don't want that, do we?

Tardus_merula, MAC filtering is not a security measure.

Think of it like this. There are baggage locks that shy away the
occasional temptation and there are kryptonite locks that resist New
York mobsters. WEP is so fragile today that it hardly offers
resistance against tampering. It is very easy to find tools that crack
WEP, they are publicly available on the internet. All that is needed
to break in is the will.

MAC filtering is even less than WEP. Even if you never turned on your
computer (which transmits your MAC) it is easy to silently try all the
possibilities until a match is found.

Don't listen to Meph. And from this point on, neither will I.
Anonymous
September 29, 2005 6:36:20 AM

On Thu, 29 Sep 2005 01:19:45 GMT, teh Mephisto <dont.worry@bout.it>
wrote:

>First off - Linksys is the way to go - it's Cisco's version of products
>for the home.

I can see where you got that impression but reality is quite
different. Cisco has adopted a "hands off" policy toward running
Linksys since they bought it in Mar 2003. Most of the original
Linksys management are still in place. Absolutely none of Cisco's IOS
operating system has appeared in Linksys products. Most are just
commodity products, made in China, and similar to other major players
in the market (Netgear and DLink). Cisco may be on the front panel,
but not inside.

>I haven't used D-Link with wireless however I know with
>the Linksys routers you can set up a list to restrict which MAC addresses
>can access your Wireless Internet. I have it set up to accept 3 MAC
>addresses, two are used and the other is sitting next to my Linux box.
>There are 3 people who are trying to connect but can't because of that.

MAC address filtering is nice but offers little in the way of
security. It's incredibly easy to sniff of an authorized MAC address,
and then change your client's MAC address to the same as theirs. See:
http://www.klcconsulting.net/smac/

>If you can do that in D-Link, provided it's feasible, which unless you're
>running it as a wireless access point it is (and I doubt since you care
>who is connecting.) definitely do it. It will keep everyone out except
>those who you want in.

It won't keep anyone out that knows how MAC addresses operate.
However, it might slow them down until they figure it out.



--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831.336.2558 voice Skype: JeffLiebermann
# http://www.LearnByDestroying.com AE6KS
# http://802.11junk.com
# jeffl@comix.santa-cruz.ca.us
# jeffl@cruzio.com
Anonymous
September 29, 2005 8:02:28 AM

speeder wrote:
> Meph, I can hardly believe you wrote this stuff after your post
> "Public Access WIFI Security". And with an email like
> "dont.worry@bout.it" you have got to be joking. Unfortunately the OP
> might take you seriously and we don't want that, do we?
>
> Tardus_merula, MAC filtering is not a security measure.
>
> Think of it like this. There are baggage locks that shy away the
> occasional temptation and there are kryptonite locks that resist New
> York mobsters. WEP is so fragile today that it hardly offers
> resistance against tampering. It is very easy to find tools that crack
> WEP, they are publicly available on the internet. All that is needed
> to break in is the will.
>
> MAC filtering is even less than WEP. Even if you never turned on your
> computer (which transmits your MAC) it is easy to silently try all the
> possibilities until a match is found.
>
> Don't listen to Meph. And from this point on, neither will I.

There is no way anything can be totally secure, the only thing security
measures do is prolong the time until you have been compromised. If you
have more than one security measure (ex. WPA2 and MAC address filtering)
it will take longer to crack than if you only had one of them.

BTW I'm still new at wireless security, and even the entire security
field in general, so you will have to cut me a little slack.
--
Meph
Anonymous
September 29, 2005 12:32:23 PM

Jeff Liebermann wrote:
....
>>I use 64 bit WEP encryption on the router. Tardus
>
>
> Useless. WEP64 can be cracked in about 15 minutes of sniffing.
>
>
And 128-bit WEP? How secure's that?

--
Please use the corrected version of the address below for replies.
Replies to the header address will be junked, as will mail from
various domains listed at www.scottsonline.org.uk
Mike Scott Harlow Essex England.(unet -a-t- scottsonline.org.uk)
September 29, 2005 1:10:51 PM

> There is no way anything can be totally secure, the only thing security
> measures do is prolong the time until you have been compromised. If you
> have more than one security measure (ex. WPA2 and MAC address filtering)
> it will take longer to crack than if you only had one of them.

True but MAC address filtering will add all of about 3 seconds. Not
worth the hassle IMO.
The only useful purpose of a MAC access control list is to log MAC
addresses that are not allowed and to warn an administrator that
unauthorized access has been attempted. You might find the attacker
before he/she succeeds in breaking the other security measures. Not a
likely scenario for a home network.

Sander
September 29, 2005 1:17:47 PM

Jeff Liebermann wrote:

> Useless. WEP64 can be cracked in about 15 minutes of sniffing.

Before you can sniff traffic there has to _be_ traffic.
Beacon frames are not very useful.
If a network is not in active use you'll have to wait until a client
associates before you can actively attack that network. If you can
capture the data of a client associating you have the tools to do the
rest quickly and no other traffic is necessary. You can generate it
yourself. But you do need that traffic first so you can replay it.

Sander
Anonymous
September 29, 2005 1:34:09 PM

On Thu, 29 Sep 2005 09:17:47 +0200, Sander <Big_Scary_Man@hotmail.com>
wrote:

>Jeff Liebermann wrote:
>
>> Useless. WEP64 can be cracked in about 15 minutes of sniffing.
>
>Before you can sniff traffic there has to _be_ traffic.

Agreed.

>If a network is not in active use you'll have to wait until a client
>associates before you can actively attack that network.

Yep. I leave my laptop running in my vehicle sniffing away merrily. I
was more interested in traffic and use patterns than in cracking WEP
keys, but the methodology is the same. 8 hours later, I usually have
enough traffic captured to crack many networks. My client is set up
like a radio scanner. It listens on a channel for traffic. When the
traffic stops, it moves on to the next channel.

My all time record was about 2 years ago. My car was facing a large
office building, where I captured about 4 gigabytes of traffic during
the workday. I was able to later crack about 30 WEP keys out of about
40 encrypted SSID's heard. A few were trivial. Just crunching the
mess after doing the capture took most of the next day. I had to
crunch it several times because there was one system that had 4 SSID's
associated with a single MAC address. Drove me nuts until I figured
out what was happening.

WPA had just been released in early 2003, so none of the networks I
sniffed were using WPA. However, I'm not sure as the RC4 encrypted
payloads for WEP and WPA are identical. Only the key exchange is
different.

The traffic patterns showed serious problems. About 25% of all
packets heard were retransmissions implying lots of reflections and
interference. A full 50% of the packets heard were "malformed" which
is a nice term for a collision. I discarded these. A few systems
were operating at 1 and 2 mbits/sec which also indicates substantial
co-channel interference. One system had about 1/3 of their traffic
wasted as ARP requests, DNS lookups, and repetitive broadcasts, which
indicates a screwed up network. I found zero indication of any VPN's
in use, but may have missed them some under the packets I couldn't
sniff or decrypt. There was a considerable amount of UDP traffic
which implies streaming content. That could be VoIP, but is more
likely to be watching movies or listening to music at work. There was
some worm that had just been released and there were plenty of ICMP
probes flying around.

I should do this again to see how things have changed.

>If you can
>capture the data of a client associating you have the tools to do the
>rest quickly and no other traffic is necessary. You can generate it
>yourself. But you do need that traffic first so you can replay it.

Agreed.

--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
Anonymous
September 29, 2005 1:47:30 PM

> > Useless. WEP64 can be cracked in about 15 minutes of sniffing.
> >
> >
> And 128-bit WEP? How secure's that?

40 bit WEP requires about 150,000 packets, 104 bit WEP requires about
500,000. It doesn't take that much longer, a few minutes to get the
extra ones and given that wepcrack can be run against the data as it's
being collected, you can keep trying and might get lucky earlier.

David.
Anonymous
September 29, 2005 1:52:37 PM

On Thu, 29 Sep 2005 09:10:51 +0200, Sander <Big_Scary_Man@hotmail.com>
wrote:

>
>> There is no way anything can be totally secure, the only thing security
>> measures do is prolong the time until you have been compromised. If you
>> have more than one security measure (ex. WPA2 and MAC address filtering)
>> it will take longer to crack than if you only had one of them.
>
>True but MAC address filtering will add all of about 3 seconds. Not
>worth the hassle IMO.
>The only useful purpose of a MAC access control list is to log MAC
>addresses that are not allowed and to warn an administrator that
>unauthorized access has been attempted. You might find the attacker
>before he/she succeeds in breaking the other security measures. Not a
>likely scenario for a home network.

Well, there are other uses for MAC filters. I run an open
(unencrypted) neighborhood WLAN with about 15 machines connected via
wireless. New machines come and go as people bring their laptops and
PDA's into range. No problem. However, we have a few teenagers with
no clue about misusing or hogging the system. So, when the traffic
goes tilt, and I see it's mostly porno, I block the MAC address and
await the inevitable "is the network down" phone call. Not the best
means of blocking abuse, but it gets their attention.

Some of the local public hot spots go a step further. They run some
IDS (intrusion detection system) such as Snort to detect abuse. If it
detects anything obviously disgusting, it blocks the MAC address for a
few minutes. That's caught 3 different spammers at one hot spot. (Why
3 different spammers would select the same hot spot to do their
spamming is an open question).

Another dumb use of MAC filtering is where there's a system of
multiple access points, all with the same SSID and no easy way to
select a specific access point. This became a problem in a large
concrete (refrigerated) produce warehouse. The reflections off the
walls would sometimes cause workstations to select the wrong access
point. So, I added MAC address filters into the non-desired access
points leaving the clients to connect to the others. Keeping track of
these settings has been no fun, but it did the job.

Another use is to mitigate a form of abuse. One hot spot operator was
plagued by a nearby home user who decided that the hot spot would
become his private broadband connection. Unfortunately, he was not
very considerate with his usage patterns. At first, I blocked his MAC
address, but he quickly figured out how to change that (probably from
one of my postings). So, the hot spot had to go to an authentication
system where the users get tokens at the cash register which entitles
them to use the system. The owner keeps juggling systems and schemes,
but one of them simply registered the MAC address in the access point's
MAC address filter.

--
Jeff Liebermann jeffl@comix.santa-cruz.ca.us
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
September 29, 2005 2:46:10 PM

Mike Scott wrote:

>> Useless. WEP64 can be cracked in about 15 minutes of sniffing.
>>
>>
> And 128-bit WEP? How secure's that?

There's not too much difference between them because the weaknesses in
WEP are not in the actual encryption algorithm itself (RC4) but in the
way it is implemented in WEP. It might take a little bit longer to find
a longer key.

Sander
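
Added illustration for the 64-bit versus 128-bit WEP question above (not code from any poster in this thread). It assumes the standard WEP construction, which the thread does not spell out: each packet is RC4-encrypted under a cleartext 24-bit IV followed by the 40- or 104-bit secret, so two packets that share an IV share a keystream whatever the key length. The secrets, IVs and payloads are constructed sample values.

```python
import math
import struct
import zlib

IV_BITS = 24  # WEP's IV is 24 bits for both "64-bit" and "128-bit" keys


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling followed by n bytes of output."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_seal(secret: bytes, iv: bytes, payload: bytes) -> bytes:
    """Encrypt payload + CRC-32 ICV under the per-packet RC4 key IV || secret."""
    assert len(iv) == IV_BITS // 8 and len(secret) in (5, 13)
    body = payload + struct.pack("<I", zlib.crc32(payload))
    return xor(body, rc4_keystream(iv + secret, len(body)))


def same_iv_cancels_keystream(secret: bytes, iv1: bytes, iv2: bytes) -> bool:
    """True when XORing two ciphertexts yields the XOR of the two plaintexts."""
    p1, p2 = b"constructed frame one..", b"constructed frame two!!"
    c1, c2 = wep_seal(secret, iv1, p1), wep_seal(secret, iv2, p2)
    return xor(c1, c2)[:len(p1)] == xor(p1, p2)


def iv_repeat_probability(packets: int) -> float:
    """Birthday estimate that some IV repeats, assuming IVs are picked at random."""
    return 1.0 - math.exp(-packets * (packets - 1) / (2 * 2 ** IV_BITS))


if __name__ == "__main__":
    for name, secret in (("WEP64", b"\x01" * 5), ("WEP128", b"\x02" * 13)):
        same = same_iv_cancels_keystream(secret, b"\x00\x00\x07", b"\x00\x00\x07")
        diff = same_iv_cancels_keystream(secret, b"\x00\x00\x07", b"\x00\x00\x08")
        print(f"{name}: same IV leaks={same}, different IV leaks={diff}")
    print(f"P(IV repeat in 5000 packets) = {iv_repeat_probability(5000):.2f}")
```

Both key sizes behave the same here because the 24-bit IV space, not the length of the secret, sets how soon a keystream repeats.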
Anonymous
September 30, 2005 2:59:42 AM

Thanks all for a thorough discussion of the security problem.
So, what can one do to make WLAN reasonably secure (home network conditions
apply)?
Tardus


"Tardus_merula" <tardus_merula@yahoo.com> wrote in message
news:vCC_e.452$h6.145504@news.siol.net...
>I have a D-Link wireless router DI614+. It's always on. Is it possible that
>somebody with a wireless enabled PC uses my internet connection even when
>my PC is switched off? I use 64 bit WEP encryption on the router. Tardus
>
September 30, 2005 2:59:43 AM

On 9/29/2005 3:59 PM, Tardus_merula wrote:
> Thanks all for a thorough discussion of the security problem.
> So, what can one do to make WLAN reasonably secure (home network conditions
> apply)?
> Tardus
>
>
> "Tardus_merula" <tardus_merula@yahoo.com> wrote in message
> news:vCC_e.452$h6.145504@news.siol.net...
>> I have a D-Link wireless router DI614+. It's always on. Is it possible that
>> somebody with a wireless enabled PC uses my internet connection even when
>> my PC is switched off? I use 64 bit WEP encryption on the router. Tardus
>>
>
>

Use WPA if you can, else use 128 WEP. Hide SSID. MAC Filter.
Anonymous
September 30, 2005 2:59:44 AM

> Use WPA if you can, else use 128 WEP. Hide SSID. MAC Filter.

At the end of that discussion, it should be clear that "reasonably
secure" only excludes people accidentally falling onto the network and
WEP alone would prevent those accidental incursions.

Hiding SSID does nothing whatsoever from a security point of view, MAC
filtering is next to useless as even if the WEP key is unknown, the
allowed MAC addresses are sniffable anyway, finding the WEP key can take
as little as around 10 minutes.

So, if some script kiddie is sitting next door with a copy of one of the
live hacking CD's, they won't take long before they're on your network
with those 3 "features".

WPA it is then.

David.