Requesting help with attack response...

sonofzell

Newbie

Posts: 2

Joined: Fri Mar 30, 2012 6:38 am

Post Fri Mar 30, 2012 7:53 am

Requesting help with attack response...

Greetings everyone!

I am seeking assistance in understanding and responding to what I believe to be a security breach in my home wireless LAN.  While I am an experienced end-user, my networking experience has been largely limited to small LANs and web servers.

To preface the symptoms I will describe, it may be relevant to state that there is a certain individual who is relatively tech-savvy (although no hacker), who has motive to access personal information of mine.

So, here's my layman's description of what has happened:  Beginning approximately two weeks ago, I suddenly and inexplicably started having difficulty with wireless connections to my FiOS network in my home.  Specifically, clients would establish connections to the network, but were unable to access the internet and other network devices.  I also noted a significant decrease in signal strength, and encountered frequent disconnects that I had not before.

Assuming there was an error or misconfiguration with my hardware, I have spent hours on end resetting all of my network devices to default and rebuilding the LAN, with no improvement in performance.  I have FiOS service in my home, so my primary gateway is the Verizon-provided piece-of-crap Actiontec modem/router.  It has a static IP provided by Verizon, and is set to dish out IP addresses within the range of 192.168.1.100-192.168.1.200.  Because the Actiontec wireless signal is laughable, I installed an Apple AirPort Extreme dual-band N in front of the FiOS router.  I set up the AirPort to broadcast the wireless connection to the network, and disabled its DHCP server so that the FiOS router was the only device leasing IPs.  I statically assigned the AirPort the address 192.168.1.2 (the FiOS router is set to the factory-default 192.168.1.1).

My LAN consists of a Windows 7 Professional desktop that is always powered on, two Windows notebooks (Win7Pro & WinXP Pro), two Linux notebooks (Ubuntu 10.04 LTS), a NAS (WD MyBook World), 6 iOS devices (3 iPod touch, 2 iPhone, 1 iPad2), and three AirPort Express units.  Obviously, my 3 Verizon FiOS set-top boxes also connect as LAN clients.  The Win7 desktop, FiOS STBs, and the NAS are connected to the FiOS router via Ethernet/coax; all other devices access the network wirelessly.  The only port configuration that was altered was a forward on port 22 to my NAS for remote SFTP connections.

Of all things, it was an iOS game that my daughter was playing that brought the issue to my attention.  I had agreed to let her purchase the app, but had great difficulty connecting to the iTunes store on her iPod touch (a very common issue for all of our iOS devices in the past 2 weeks).  After rebooting the iPod several times, I opened the WiFi properties and noticed that her connection to my network was suspicious.  The device had been assigned an IP address beginning with 169.254…, and was using a different subnet (255.255.0.0, whereas my DHCP assigns 255.255.255.0).  Additionally, there were no DNS servers assigned, and obviously, she was not able to connect to the internet at all.

After this discovery, I took a closer look at all clients on the network, and found that half of them had these bizarre IP assignments.

In response, I reconfigured my AirPort Extreme with new WLAN settings, including a new SSID and password.  I also disabled broadcasting of the SSID.  I changed the settings on all of the clients and reset / reconfigured the AirPort Express units.  Immediately after making these changes, all connectivity problems vanished!  All clients connected to the WLAN immediately, with very strong signals and no disconnects.  Internet access is fast and consistent all around.

Now, for the suspicious part…  After reconfiguring the WLAN, I noticed that a network with the same SSID I had been previously using is still broadcasting!  I have scoured my home from top to bottom, and cannot imagine ANY device that should be broadcasting this network.  My theory (and I have NO idea how plausible this is) is that someone within range of my home is broadcasting their own WLAN using the same SSID I had been using, essentially "mocking" my AP.  As my connectivity problems indicate, I think clients would occasionally connect to the rogue WLAN instead of the legitimate one, and at times "bounce" between the two, causing the inconsistent connections and internet loss.  I should note that the SSID I had been using was very unique, so I am convinced that if someone else is broadcasting the same, it is NOT coincidental.

As of 07:00 today (3/30/12), the "rogue" WLAN is still broadcasting, and I have the following questions that I am hoping someone in this forum may be able to help me answer:
1. Since my former SSID was broadcast, I see how someone could obtain and replicate it; however, the password used was very strong, unique to the WLAN, and not shared (not even my wife or kids knew it, as I set up their iOS devices for them).  If someone did set up a "phishing" WLAN, would it be possible to assign IPs to my devices even though they all had passwords set?  Could / would the fake WLAN accept client connections without having matching passwords?
2. What is the most reliable method of locating the device(s) that are still broadcasting the fake WLAN?  If this truly is a malicious attack, I assume it won't be long before the attacker realizes he/she no longer has wireless clients.
3. What, if any, personal information could have been compromised on my home LAN?  I'm really not concerned about packet captures on the wireless clients, since they are primarily used for casual browsing / email, etc., however I do use my work (WinXP) and personal (Ubuntu) notebooks for confidential communication and banking.  Neither of these notebooks are powered on when not in use.  The "always-on" windows desktop is only used for homework, itunes, facebook, etc.
4. Keeping in mind that I am NO hacker, is there an easy way for me to learn anything about the fake WLAN and its owner's intentions?  I considered connecting to it with one of my notebooks and running AirCrack or Wireshark, but in all honesty, I wouldn't know the first thing about what to look at in the captured data.

Okay, so now I'm "that guy" who submits a novel for his first post in the forum - lol - but I'm really hoping someone can share some insight on this for me, and as I mentioned, I doubt the broadcast will continue once the admin realizes there are no more connections to it.

Thank you in advance for any advice you can offer, and for enduring my verbose description!!!

Cheers,
Kirk

venom77

Hero Member

Posts: 1905

Joined: Mon Dec 11, 2006 3:23 pm

Post Fri Mar 30, 2012 8:41 am

Re: Requesting help with attack response...

Wow, that was a lot to read :-)

First, welcome to EH-Net.

Ironically, I was recently talking to someone that had similar (not quite the same, but similar) issues. They also have an AirPort Extreme and, within the past couple weeks, started having many problems with their wireless connections. My suggestion was to reset the device to default factory settings and see if that fixed it (I haven't heard back yet).

Seeing as how that's what you did, and it fixed your first problem, maybe there's something buggy going on with that device.

The 169.* address you're seeing is called an Automatic Private IP Address (APIPA) and is typically assigned when no static or dynamic IP address is available. Usually this is the case when you try to connect two computers directly to each other without configuring network settings.

You can use a tool such as Kismet, Ekahau, or I'm sure there's a utility for iPhone, to help you locate the device broadcasting the old SSID (assuming it's not one of your devices). You can easily get the MAC address and compare it to your stuff if you think it is for some reason, but it sounds as though you only have the one access point. Or just power down all of your devices except a laptop to see if it's still broadcasting.

You could try and connect to it and see what happens. Maybe it's configured to hand out 169.* IP addresses. If that's the case, you'll see that it connects quickly. If not, it'll take some time, think about it, and then assign the 169.* IP when it can't get one. If it assigns it to you, you could attempt to run Nmap and scan the local range to see if anything replies (may or may not).

I think those would be the first two things to find out, then you can go forward with your other questions. Certainly, if it is someone trying to intercept your communications, if you can't browse to a website or connect to anything, then you can't really pass credentials across. They could, possibly, attack your systems once they are connected though.

Or, it could all just be a bug with your Apple AirPort Express ;-)

Hope that's helpful, it's too early for a long post.
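The two checks suggested in this reply, as an added example that is not part of the thread or any of the tools named above: comparing the BSSIDs seen advertising your own SSID against the MAC addresses of the access points you actually own, classifying client addresses as APIPA (169.254.0.0/16), and using signal-strength readings taken from several spots to narrow down where an unknown transmitter is. The scan results, MAC addresses, room names and signal values are constructed for illustration; in practice you would feed in the output of a scanner such as Kismet.

```python
"""Added example (not from the thread): inventory the BSSIDs advertising
your SSIDs, classify client addresses as APIPA, and rank survey locations by
signal strength. All data below is constructed for illustration."""
import ipaddress
from collections import defaultdict

# Constructed scan results: (SSID, BSSID, channel, signal in dBm).
SCAN_RESULTS = [
    ("kirk-old-ssid", "00:11:22:33:44:55", 6, -40),   # constructed: our AirPort Extreme
    ("kirk-old-ssid", "66:77:88:99:aa:bb", 11, -55),  # constructed: unknown transmitter
    ("kirk-new-ssid", "00:11:22:33:44:56", 36, -38),  # constructed: our new network
    ("neighbour-net", "de:ad:be:ef:00:01", 1, -70),   # constructed: unrelated network
]

# Assumption: the MAC addresses of the APs you own (AirPort Extreme/Express),
# read off the devices themselves, not off the air.
OWN_BSSIDS = {"00:11:22:33:44:55", "00:11:22:33:44:56"}
OWN_SSIDS = {"kirk-old-ssid", "kirk-new-ssid"}

APIPA_RANGE = ipaddress.ip_network("169.254.0.0/16")


def find_unknown_bssids(scan, own_bssids, own_ssids):
    """Map each of our SSIDs to the BSSIDs advertising it that we do not own.

    An empty dict means every beacon carrying one of our SSIDs came from a
    known access point; a non-empty entry is a transmitter worth locating.
    """
    known = {b.lower() for b in own_bssids}
    unknown = defaultdict(list)
    for ssid, bssid, _channel, _signal in scan:
        if ssid in own_ssids and bssid.lower() not in known:
            unknown[ssid].append(bssid.lower())
    return dict(unknown)


def is_apipa(address, netmask=None):
    """True if address is a link-local (APIPA) 169.254.x.x address.

    When a netmask is given, also require the /16 mask APIPA uses, which is
    how the iPod in the original post appeared (169.254.x.x, 255.255.0.0).
    """
    in_range = ipaddress.ip_address(address) in APIPA_RANGE
    if netmask is None:
        return in_range
    mask_bits = ipaddress.ip_network(f"0.0.0.0/{netmask}").prefixlen
    return in_range and mask_bits == 16


def clients_without_dhcp(clients):
    """Return hostnames whose lease looks like APIPA rather than a DHCP lease.

    clients: list of (hostname, ip, netmask) tuples, e.g. from each device's
    network settings screen.
    """
    return [host for host, ip, mask in clients if is_apipa(ip, mask)]


def strongest_location(readings):
    """Given {location: [dBm, ...]} collected while walking around with a
    scanner, return the location with the highest average signal, which is
    the closest spot to the transmitter surveyed so far."""
    return max(readings, key=lambda loc: sum(readings[loc]) / len(readings[loc]))


if __name__ == "__main__":
    print("Unknown BSSIDs using our SSIDs:",
          find_unknown_bssids(SCAN_RESULTS, OWN_BSSIDS, OWN_SSIDS))
    sample_clients = [  # constructed
        ("ipod-touch", "169.254.12.7", "255.255.0.0"),
        ("win7-desktop", "192.168.1.120", "255.255.255.0"),
    ]
    print("Clients on APIPA:", clients_without_dhcp(sample_clients))
    survey = {"kitchen": [-60, -62], "garage wall": [-45, -47], "bedroom": [-70]}
    print("Nearest survey point:", strongest_location(survey))
```

The BSSID comparison is the key step: an SSID is just a string anyone can copy, but the BSSID in each beacon is the transmitting radio's address, so a second BSSID carrying your SSID that matches none of your own hardware is the thing to track down. The signal-ranking helper reflects the walk-around method the reply describes; dBm values rise (toward zero) as you approach the transmitter, so repeating the survey from a few more spots narrows the search.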

hayabusa

Hero Member

Posts: 1662

Joined: Mon Jan 29, 2007 2:59 pm

Post Fri Mar 30, 2012 8:49 am

Re: Requesting help with attack response...

What timing.  I was typing much the same thing as BillV, and must've hit send right as he did.  Mine didn't come across, as I also had a new Personal Message notice, here, at the same time, and I lost it.

But I'm 100% in agreement with BillV's response, and it's almost exactly the reply I was preparing.

Let us know what you find, sonofzell.
~ hayabusa ~ 

"All men can see these tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved." - Sun Tzu, 'The Art of War'


OSCE, OSCP, GPEN, C|EH

sonofzell

Newbie

Posts: 2

Joined: Fri Mar 30, 2012 6:38 am

Post Fri Mar 30, 2012 9:49 am

Re: Requesting help with attack response...

I can't thank you enough, guys - this definitely gives me a little more clarity on the issue!!

I'm in the office now, chomping at the bit to get home and take a crack at this again.

Again, thanks for taking the time to read / respond!  I will let you know what I find.

Best,
Kirk
