.

Hacking through wi-fi networks

<<

br945

Newbie
Newbie

Posts: 4

Joined: Thu Sep 25, 2008 11:01 am

Post Thu Sep 25, 2008 11:07 am

Hacking through wi-fi networks

Recently in India, someone hacked into another person's wi-fi connection and sent an undesirable email message.

the investigators have not yet been able to establish as to how and from which PC the prohibted act was done.

Any detailed thoughts welcome.
<<

jimbob

Post Thu Sep 25, 2008 1:37 pm

Re: Hacking through wi-fi networks

If all you have is the email then analysis of the headers is a good start. This is not an uncommon situation, people often send email from unsecured wifi hotspots, public access computers etc. There's several avenues of investigation.

There's often a wealth of information in an email's headers. It can contain who the email is from, who it was addressed to, which IP address is came from and the route it took. I assume in this case the IP address was in the headers but the owner of said address claims no knowledge of the email being sent. It can get trickier here one but you can look to other headers for additional evidence.

Was the mail sent from a web mail account (gmail, yahoo!, hotmail) or from an email client like Outlook Express? If it came from an email client does the version number in the headers match that installed on a suspect's PC? If a webmail account was used can the provider give up and other IP addresses from which the account was accessed?

Do you believe that someone other than the owner used the wifi connection? Was encryption turned on and if so how likely is it that someone could have cracked the key? Are there any logs on the wireless access point which may provide additional info?

Those are just some thoughts.

Jimbob
<<

Kev

Sr. Member
Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Thu Sep 25, 2008 2:22 pm

Re: Hacking through wi-fi networks

If I put on my "groucho glasese" http://www.fakecrap.com/products/groucho_glasses.html and go to a free wifi spot , change my mac address and set up a new email account on yahoo, see if you can find me! I have made so many death threats to Don already, lol.  Just kidding !!!!!!!

But really, you have to know the difference if you are into security.
Last edited by Kev on Thu Sep 25, 2008 2:23 pm, edited 1 time in total.
<<

slimjim100

User avatar

EH-Net Columnist
EH-Net Columnist

Posts: 385

Joined: Wed Nov 08, 2006 12:50 pm

Location: Atlanta

Post Thu Sep 25, 2008 2:54 pm

Re: Hacking through wi-fi networks

Kev have you taken your Ritalin today?

lol just kidding!

Anyway I have an article here that covers some of the basics on what Kev was trying to say..

http://www.ethicalhacker.net/content/view/131/24/

Basically explains how to change your MAC address and gain access to hot spots. I do not recommend doing anything dumb from hot spots as it a matter of time till you get caught and get in trouble.

Cheers,

Brian
Last edited by slimjim100 on Thu Sep 25, 2008 2:57 pm, edited 1 time in total.
CISSP, CCSE, CCNA, CCAI, Network+, Security+, JNCIA, & MCP
<<

Kev

Sr. Member
Sr. Member

Posts: 428

Joined: Sat Sep 29, 2007 12:26 pm

Post Thu Sep 25, 2008 3:13 pm

Re: Hacking through wi-fi networks

LOL , damn you! How did you know I was taking a new medication!  Ha Ha !  Oh and who the hell is this guy? By Brian Wilson, CCNA, CCSE, CCAI, MCP, Network+, Security+, JNCIA ????
Last edited by Kev on Thu Sep 25, 2008 3:19 pm, edited 1 time in total.
<<

br945

Newbie
Newbie

Posts: 4

Joined: Thu Sep 25, 2008 11:01 am

Post Thu Sep 25, 2008 11:09 pm

Re: Hacking through wi-fi networks

jimbob wrote:If all you have is the email then analysis of the headers is a good start. This is not an uncommon situation, people often send email from unsecured wifi hotspots, public access computers etc. There's several avenues of investigation.

There's often a wealth of information in an email's headers. It can contain who the email is from, who it was addressed to, which IP address is came from and the route it took. I assume in this case the IP address was in the headers but the owner of said address claims no knowledge of the email being sent. It can get trickier here one but you can look to other headers for additional evidence.

Was the mail sent from a web mail account (gmail, yahoo!, hotmail) or from an email client like Outlook Express? If it came from an email client does the version number in the headers match that installed on a suspect's PC? If a webmail account was used can the provider give up and other IP addresses from which the account was accessed?

Do you believe that someone other than the owner used the wifi connection? Was encryption turned on and if so how likely is it that someone could have cracked the key? Are there any logs on the wireless access point which may provide additional info?

Those are just some thoughts.

Jimbob


Thanks very much.

1. it is sure that the owner did not send the email himself and also certain that it was not sent from his PC. The IP address is obviously his and thats how he could be locatd in the first instance.

2. The headings might not have revealed required clues as otherwise further progress would have been made.

3. so far, so called experts whose help was taken have not been able to come up with an answer.

It is not clear also how exactly a third party could have sent an email with the owner's IP address.
<<

jimbob

Post Fri Sep 26, 2008 3:39 am

Re: Hacking through wi-fi networks

It is not clear also how exactly a third party could have sent an email with the owner's IP address.

  • The source address could have been forged
  • The email could have been sent from the computer on that IP address in question without the owners knowledge
  • An improperly secured wireless network could have been used
  • Inadequate physical access could let someone turn up and plug in a laptop
  • The mail could have been sent by the IP address' owner
  • The IP address could be running a proxy server or mail relay
  • Malware on the PC could allow remote access

There are others, but I wanted to illustrate how without any other evidence there are a lot of possibilities. If you only have the email headers as evidence you investigation will be limited. If the situation is serious enough the computer attached to the IP address from the email could be seized and examined for evidence.

Jimbob
Last edited by jimbob on Sat Sep 27, 2008 3:54 pm, edited 1 time in total.
<<

br945

Newbie
Newbie

Posts: 4

Joined: Thu Sep 25, 2008 11:01 am

Post Fri Sep 26, 2008 12:32 pm

Re: Hacking through wi-fi networks

jimbob wrote:
It is not clear also how exactly a third party could have sent an email with the owner's IP address.

  • The source address could have been forged
  • The email could have been sent from the computer on that IP address in question without the owners knowledge
  • An improperly secured wireless network could have been used
  • Inadequate physical access could let someone turn up and plug in a laptop
  • The mail could have been sent by the IP address' owner
  • The IP address could be running a proxy server or mail relay
  • Malware on the PC could allow remote access

There are others, but I wanted to illustrate how without any other evidence there are a lot of possibilities. If you only have the email headers as evidence you investigation will be limited. If the situation is serious enough the computer[s] attached to the IP address from the email could be seized and examined for evidence.

Jimbob


all you say is true. the PC attached to the IP is clean.
thats' why the investigation is floundering.
<<

$w33p3R

Newbie
Newbie

Posts: 30

Joined: Fri Aug 08, 2008 10:39 pm

Post Fri Sep 26, 2008 5:56 pm

Re: Hacking through wi-fi networks

br945 wrote:It is not clear also how exactly a third party could have sent an email with the owner's IP address.


It is very clear how the attacker sent an e-mail with the owner's IP address.

1. Hacker get's connection to owner's wifi (wireless)
2. Hacker receive's internal IP address through DHCP (ex: 192.168.1.102)
3. Hacker send's email
4. E-mail comes from the owner's external ISP provided IP address

That is just how things work.  Another example.

You have a small home network with 3 computers on it.  Your router is set to assign IP's through DHCP.

Computer 1: 192.168.0.1
Computer 2: 192.168.0.2
Computer 3: 192.168.0.3

All of these computer's only have (1) external IP address.  Unless of course you have purchased (3) static IP's from your ISP.

I don't know if I have missed something, but I am sure hoping this is not baffling the experts that have investigated this.
MCP, CEH
<<

br945

Newbie
Newbie

Posts: 4

Joined: Thu Sep 25, 2008 11:01 am

Post Sat Sep 27, 2008 12:21 am

Re: Hacking through wi-fi networks

$w33p3R wrote:
br945 wrote:It is not clear also how exactly a third party could have sent an email with the owner's IP address.


It is very clear how the attacker sent an e-mail with the owner's IP address.

1. Hacker get's connection to owner's wifi (wireless)
2. Hacker receive's internal IP address through DHCP (ex: 192.168.1.102)
3. Hacker send's email
4. E-mail comes from the owner's external ISP provided IP address

That is just how things work.  Another example.

You have a small home network with 3 computers on it.  Your router is set to assign IP's through DHCP.

Computer 1: 192.168.0.1
Computer 2: 192.168.0.2
Computer 3: 192.168.0.3

All of these computer's only have (1) external IP address.  Unless of course you have purchased (3) static IP's from your ISP.

I don't know if I have missed something, but I am sure hoping this is not baffling the experts that have investigated this.


Thanks. first it is already established that the Person to whom the IP relates did not send it nor was his specific computer was used. there is no network its a free standing pc.

issue is HOW TO ESTABLISH from which actual PC or which location and by whom was the hacking done whereby the email headers showed the IP address of the PC of tthe innocent wi-fi user.

the fake email is from a yahoo.com address.

apparently the experts available have not been able to make any progress.

P.S. I wonder, when messages on yahoo.com email address are downloaded, do the yahoo servers still have the messages or everything is transferred to the user's pc?
Last edited by br945 on Sat Sep 27, 2008 12:27 am, edited 1 time in total.
<<

Ketchup

User avatar

Hero Member
Hero Member

Posts: 1021

Joined: Fri Jul 04, 2008 7:44 pm

Location: Philadelphia, PA

Post Sat Sep 27, 2008 1:56 am

Re: Hacking through wi-fi networks

I don't believe there is a reliable way to determine from which PC this email was sent.  MAC addresses can be forged, even if you manage to determine what it is.  The IP address is obvious, and won't tell you anything. 

One thing you can examine is the windows firewall logs.  Windows boxes tend to broadcast a lot, and much of this traffic gets logged by the windows firewall.    Any logging information available, whether on the firewall or the AP will help.  Still, hackers usually aren't stupid enough to use real IPs or MAC addresses.

When we deal with cases like this one, we try to obtain access to the computer of the suspect.  You can then do an analysis on the suspect's pc to find fragments of the sent email. 

If you use POP3 to download messages from Yahoo, you can configure your email client to either remove the messages or leave a copy on the server.  If you are viewing the messages through webmail, then they stay on the server unless deleted. 
~~~~~~~~~~~~~~
Ketchup
<<

$w33p3R

Newbie
Newbie

Posts: 30

Joined: Fri Aug 08, 2008 10:39 pm

Post Sat Sep 27, 2008 9:12 am

Re: Hacking through wi-fi networks

br945 wrote:
issue is HOW TO ESTABLISH from which actual PC or which location and by whom was the hacking done whereby the email headers showed the IP address of the PC of tthe innocent wi-fi user.


You are never going to know.  When people run their wireless unsecure or they use easy to get keys, this is what happens.  They are inviting everyone to share their wireless connection.  There are 5 bone heads on my block that run their wireless wide open.  They best be glad I am an "ethical" hacker or I would be sniffing their username/passwords, credit card info and no telling what else.

Any info they might be able to find in the logs is most likely bogus info, e.g., MAC Address, Computer Name, etc. that joined the wireless network.  It all boils down to if they believe the person that is saying "I didn't send the email".
MCP, CEH

Return to Forensics

Who is online

Users browsing this forum: No registered users and 1 guest

cron
.
Powered by phpBB® Forum Software © phpBB Group.
Designed by ST Software