Hacker Help...How do I trap one?

posted on Feb, 2 2013 @ 02:52 PM
Good day everyone. I have a problem. I'd love some help. First, please, honor the T&C and don't get my thread killed. This is a very serious problem and it's on-going. I need some help.

(Talking about HOW to do what I am trying to prevent being done TO me is the T&C line as I read it)

I'll be the first to admit, it's a bit beyond 1st semester 101 courses on net sec. I can experiment for weeks while IN a hostile environment with ongoing attacks...but I'd sure like advice to short cut the trial and error of dozens of programs.

The problem:

My net's been VERY slow at times but then normal (20mbs down 1-2mbs up) at other times. This results in everything from dropped letters in typing from buffering lag to losing an entire thread post (that's happened twice now. 6000+ char threads which never got re-written thanks to this).

Now I've replaced my cabling. I have Cat-6 running from modem to a Cisco 4500 router (Classic Firmware...NOT Cloud Connect) I have Cat 6 running from the router to one computer next to it and VOIP. I then have a 50ft run of Cat 5e to bring my system online. All twisted and shielded. (I spent it so I didn't have to wonder about it and it's all new within the past couple days.)

I had another Linksys WRT-54gs sub-netting my backroom but that was pulled awhile ago when the troubles started, KISS first in diagnosis, right?



Now this could be one of those "It depends" moments in comp tech support but for two things.

First, my friend and neighbor across the way is experiencing the same symptoms for slowdown in the same patterns. Day and night make little difference and we both share odd hours running the whole clock. I have Cable while he has DSL.


Second, I have an Alfa antenna that is... let's be real, marketed as a war-dialer and hacker antenna, among other things. I can do a wide range of things at LONG RANGE. So, for instance, I saw a few days ago where a whole RACK of equipment came online somewhere very close to me. As in... hitting my signal meters JUST a bit below my OWN router across the house. These were up with default naming and consecutive numbers. (Even intelligent people can be real stupid sometimes.) That tells me I just had someone... in this 100% residential neighborhood of mostly rental homes... go downright advanced with something, and for no good reason, judging by the nature of people THAT close to my house.

At around the same time, I came in late the other night to find my Alfa running (indicator light and net graph) like no one's business. I physically yanked the plug from the start that gave me.

I'm using WPA2/AES Sec on the router with a VERY long Alpha-Numeric, mixed case and symbol pass. Brute hacking is absurd. So is phishing or physical compromise since no one is left alone in the room the network equipment is for other reasons. Ditto with our own machines when someone is over.

And yet..... I'm back in dial-up days the same as someone else in close physical area on a totally different provider and nothing I've done here should leave anything open in an obvious or easily exploited way.

The Question:

Help! What s/w do I use, or what would the best method be, to trap myself a hacker long enough to capture information I can backtrack and confirm the source of this? I have a good feeling I know which house that rack came online with, and it's a bunch of kids. Sometimes the worst thing with technology.
I don't really care for getting them in trouble though. They can go hack God in Heaven for all I care...if I can make MY OWN equipment sour enough a prize to leave alone.

So, any ideas? Suggestions? Maybe others can benefit from whatever comes up here?



posted on Feb, 2 2013 @ 03:06 PM
If needed, span a port, fire up Wireshark and get some traces going... see what you can see at layer 1.

Since this is in your house I doubt you have a distribution layer, so everything is just home runs back to the core.
All your tracerts to your egress-edge devices look right?

If you are running a 4500 router then you don't need any help from anyone here, as that is not a consumer grade router.

edit on 2-2-2013 by opethPA because: (no reason given)




posted on Feb, 2 2013 @ 03:26 PM
It's Netflix and torrents. All the hood is watching flix and downloading windows 8 and it is saturating the neighborhood router. Or the router that feeds it and so on.
You got a lot of things going on. You seem cabled up good but are worried about wireless. What is the actual ISP connection type? Cable, DSL, FiOS, etc.
If you want to get logs on intruders for your internal network, set up a honeypot. If you are trying to hack the neighbors then keep your Alfa handy.



posted on Feb, 2 2013 @ 03:30 PM

If you want to get logs on intruders for your internal network, set up a honeypot. If you are trying to hack the neighbors then keep your Alfa handy.


You don't need a honeypot to get logs about an intrusion. With the grade of router he has, it's pretty simple to enable the debugs, look at your interfaces, logs, Wireshark, and see that you have someone accessing your network.

Why complicate it when he has everything he needs right at layer 3?
edit on 2-2-2013 by opethPA because: (no reason given)



posted on Feb, 2 2013 @ 03:41 PM
reply to post by opethPA
 


Go for the kill. Preemptive aggression.



posted on Feb, 2 2013 @ 03:47 PM

Originally posted by staple
reply to post by opethPA
 


Go for the kill. Preemptive aggression.


Good luck with all that..



posted on Feb, 2 2013 @ 04:07 PM
The old practice of piggybacking on other people's connections en masse. Someone is hacking into the routers around the area and funneling traffic through them via wifi.

All the routers in your area getting hammered at one time is bottlenecking the fiber backbones that feed the DSLAM and cable head ends in your area.

That is what is causing the slowdowns for everyone, even the users that are not getting piggybacked on.

He could be torrent seeding, using the system as a rogue server base, or launching attacks on websites.

He is a novice at what he is doing, and being blatant about it. It will get him hammered by the law pretty quickly.

How he got your wifi password is probably pretty easy. He detected your router in the area and set up a cloned signal on the same, or an adjacent, channel. When your laptop tried to auto-connect, it locked onto his signal and sent it the access information in an attempt to log in. After that, his system dumped your laptop so it could actually connect to your router like normal, without you noticing anything.

To keep him out, it is relatively simple.
When you've got deviant people on wifi in your area, you have to set up a strict MAC address based allow list on your router. Most wireless routers support that function just because of that situation.

He could clone the mac address of your wireless net card in the laptop to get back in, but most won’t push it to that level.

And lock the autoconnect setting on the wireless devices to force them to only connect on the channel your router is set to if possible. That way, he is less likely to get your new access information.

I am pretty sure the local internet providers have already noticed the spike in usage and know what is going on. They probably already are, or will be, looking for where he is. With how blatant he is acting, it will be easy to find him. If you have some free time and a small directional antenna, you should be able to locate the house in question in just a few hours.

Once you find where he is, tell the local service providers, and he will get a visit from the cops pretty quickly.



posted on Feb, 2 2013 @ 04:26 PM
I assume you have dropped your wifi connections and are just going wired to help eliminate things?
Which sub model of the 4500 are you running?


While the scenario the last dude went over is possible, without more it's hard to make that jump, because something as simple as a GBIC could have issues and cause an interface to have problems which could impact service. Not saying that's what's happening to you, but just saying the most logical explanation for network issues is usually exactly what you would think: something on the 7 layer model is not doing its part right. Of course a trace will really give you a better idea.

Wireshark is your friend; find out what's really happening.
edit on 2-2-2013 by opethPA because: (no reason given)




posted on Feb, 2 2013 @ 04:32 PM
On trapping him……..
Or getting a look at the data he is sending through your network………

With how blatant he is being, it will be simple. Set up a spare access port, or wireless router as an access port.

DO NOT directly connect it to the primary router.
DO Hook it to the router via an old non switched hub.

(primary router)…….(non switched hub)…..(wifi access port)

Set the wifi to some stupid name, with open access like a normal unknowing residential user will do. He will be stupid enough to find it and try to use it without thinking that it is a trap.

Hook a sniffing computer up to another port on the non switched hub.
Run a program like Network Active on the sniffing computer and watch what data he is sending and receiving.

You will be able to tell if he is doing peer to peer, running a clandestine server base, or attacking computer systems, or servers.

If you want to limit the amount of data he can push over your connection, you can use port throttling, or simply use a 10mbps non switched Ethernet hub. Since you have a 20mbps connection, That will hardware limit the bandwidth he can use to a portion of your primary connection bandwidth..

Note, that system can also be used for snooping on your nosy neighbors that keep trying to get into your wifi router.



posted on Feb, 2 2013 @ 04:35 PM
So that's two posts now saying do some traces...
Btw if it hasn't been said... do some tracing...

www.wireshark.org...



posted on Feb, 2 2013 @ 05:09 PM

Originally posted by opethPA
If you are running a 4500 router then you don't need any help from anyone here as that is not a consumer grade router..


One thing you have to keep in mind is that just because someone has a top level piece of equipment doesn't mean they know how to use it to its full capability. Owning a high tech thing doesn't make someone an expert. Don't assume that it does. Always start from the brain dead simple level and work up, no matter what they say they own.

Talking about layer 1, layer 3, and layer 15000 right off the bat, when they themselves have stated they are a bit beyond their knowledge base, is not a good place to start.

That is why I gave an example of how to get access to the data in a simple way that will work on almost any system without having to figure out how to set up port mirroring, or other fancy functions on any piece of equipment.

KISS Keep It Simple Stupid.

You could also do it with a simple wireless card on a net connected computer, like his USB based Alfa antenna connected to his router-connected computer, set up as an open access port, then watch the data going through your computer with Wireshark (like you stated). But I don't like that method. It funnels active hostile traffic through your computer, and makes your computer an active part of the connection. That makes your computer more vulnerable to attack. It is best to leave it as a branch off the data flow; that way you can connect and disconnect from the threat traffic at any time without the hostile threat knowing about it. And if the threat doesn't know that your monitoring computer is even in the system, he cannot launch an attack on it.

If you try to connect a simple wifi access point via Ethernet to the primary router, and use another computer that is connected to the router to monitor, you won’t see anything because it’s a switched router. You would have to know how to set up port mirroring (if the router supports it) to get a copy of the data to your monitoring computer. He may know how to do that, but I am not going to assume he does.

It is just easier to use a non switched hub in the system, again… KISS

edit on 2-2-2013 by Mr Tranny because: (no reason given)



posted on Feb, 2 2013 @ 05:19 PM
I'm reading over everything and getting ready to drop back off and start with some of what you're both suggesting. I don't want to have to use MAC # security because it becomes a royal pain to us as much as family and others coming over. (This router has a guest mode I'd love to use...if not going through this stuff) In our case, it's the tablets and wi-fi phones (Off and disconnected while this has been going on the last couple days). The laptop I've connected with as needed to test and verify things aren't strictly wire based for the issue but then shutting Wi-Fi back down when I'm done. The laptop is also linux which opens me up for the full range of tools and 'toys' to work with in solving this problem. (TOO many, as it happens...which is why I came asking in the first place. lol)

On which one, it's the EA-4500 on 2.0.37 firmware. Cisco has their Cloud Connect garbage now and had force-pushed the update when I first came home with this router, so I tried it... but they can keep it and lose that garbage. For anyone who doesn't know what it is, it puts your settings and router config interface with Cisco and not local. You're literally going out to their servers and then BACK into your own router to access config. The reasoning is ease of use for apps and other things the routers support now... while the downside doesn't take much thinking to appreciate if the connection goes down. A limited maintenance mode is allowed then.


Anyway... I'll see what I can do here. I've gotten a bit spoiled, I admit. A good % of this neighborhood stands empty from foreclosure and other things so it's a quiet place. I'm not used to having to do anything active and ongoing once I set security up on my local level. So much for complacency. Gets me every time.


Thank you both for your continued input and as always, I'll be back either with more questions or a description of what worked.

edit on 2-2-2013 by Wrabbit2000 because: (no reason given)



posted on Feb, 2 2013 @ 05:19 PM
reply to post by Mr Tranny
 


Like everything else you have said so far, I agree with your last post because it's pretty damn logical. I also know Rabbit from a few other threads, and seeing that I think he made his own patch cables, I just assume he knows network basics. I was suggesting to him that he should load Wireshark and span ports if he wanted to go that route... I would certainly help him.

Part of the problem is I really want to figure out which piece of layer 3 gear he is running.

Part of me doesn't automatically assume an attack either and nothing he said , without basic metrics, eliminates anything.



posted on Feb, 2 2013 @ 05:26 PM
reply to post by Wrabbit2000
 


Cool, let us know what you find out..
Packet tracing is a good way to really get in-depth info about what's happening from where on your network. It can be a lot of info at first, so don't feel intimidated.

Not sure how familiar you are with some of the terms Mr. Tranny and I have used but here is a link to the fundamentals of the network model. en.wikipedia.org...



posted on Feb, 2 2013 @ 05:27 PM
reply to post by staple
 


For reference, the Cable company has been laying fiber all over the city for almost 2 years now. Long enough so I was in networking 101 courses learning what their fiber trucks did and what was in them while they were out there and that WAS a good length of time ago.

Of course, that doesn't mean I'll ever see it at the house. They've said it's backbone and business. We've got a tie into their fiber at the college. It's jaw dropping. Talking about 100mbs transfer speeds is one thing. Actually downloading a gig file like it's a large PDF is ..well...just stunning. Oh, if only I could get them to run that last 100 yards, as they say.

(I thought about that aggressive approach but if I need to be here asking for help on this, I probably don't need to find out the hard way how limited my skill set actually is compared to someone who has spent too much time learning it. Script kiddie or not ..It's more time put into breaking systems than I've spent learning to counter it)



posted on Feb, 2 2013 @ 06:26 PM

Originally posted by opethPA
Part of me doesn't automatically assume an attack either and nothing he said , without basic metrics, eliminates anything.


Yes, but there is enough information to start putting 2 and 2 together.

He had a large wifi presence move in just a short bit ago.
Someone hacked into his wifi connection because it was fully password protected.
And started sending data through it at around the same time the wifi presence appeared.
Another person that is probably not directly affected, and on another type of connection is also having the same slowdowns that started about the same time the other stuff did.

Things that can be concluded by that.
He is not the only one that has had his wifi hacked.
There is probably enough people in the area hacked and hogging the bandwidth that it is clogging the local backbone.
That is what is causing non affected customers to see a slowdown.

The question is, what the heck could a person in a residential neighborhood be doing that would generate that much data flow?

The number of possible answers is very limited.

With the amount of data he is pulling, if he was strictly downloading movies, he would quickly run out of stuff to download, and the data consumption would drop off.

So, you are left with a few basic answers that I already listed.
Torrent seeding
Running a clandestine server base.
Launching attacks on outside systems.

And one more that just came to mind.
Driving up view counts on specified pages, and other stuff to affect page, and video rankings for money. Views per dollar services that some places advertise.

Once you get access to the data coming through the system, match it up with the most likely scenario.

There is one final possibility, which would be the most unlikely. The people that own the computers that piggybacked on his network connection don't know about it. Someone hacked into their computer system, or a number of computer systems in his area, and is using those computers with their wifi access to harness other network bandwidth in the area to launch mass attacks on outside systems. The appearance of a large presence he noted was the hackers turning on all the idle wifi access cards in the computers throughout the neighborhood.
edit on 2-2-2013 by Mr Tranny because: (no reason given)



posted on Feb, 2 2013 @ 06:37 PM

Originally posted by Mr Tranny

Yes, but there is enough information to start putting 2 and 2 together.



Except without some metrics, debugs, logs, traces you are just going on someone's perception of the data at hand.
Hopefully it's just an internal issue and something that is easy to rectify.



posted on Feb, 2 2013 @ 07:59 PM
Forgot to post a link to network active……

www.networkactiv.com...

It will do packet by packet display.

Statistical mode where you can see what percentage of the traffic is going to what addresses, depending on incoming, outgoing, or total volume.

Graphical packet mode, where you can visually see which addresses are talking to each other.

And file mode, where it will save a raw copy of every file transferred on the network on to your hard drive for later study.

What I really like about it is the results are displayed in real time. You don’t have to stop capture to view the data.
edit on 2-2-2013 by Mr Tranny because: (no reason given)
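The hub-and-sniffer setup described a few posts up, and the per-address traffic shares NetworkActiv's statistical mode gives, can also be reproduced with a short script on the sniffing computer. The following is an added example, not code from this thread or from NetworkActiv or Wireshark: it reads a libpcap capture (the format Wireshark saves), tallies bytes by sending MAC and by IP conversation, and flags any MAC absent from an assumed allow list of the household's own devices. The allow list, the MAC and IP values and the capture itself are constructed for the demonstration.

```python
import struct
from collections import Counter

# Allow list of the household's own client MACs (constructed sample values, not real hardware).
KNOWN_MACS = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}

PCAP_MAGIC = 0xA1B2C3D4       # classic libpcap magic number, microsecond timestamps
LINKTYPE_ETHERNET = 1

def ipv4_frame(src_mac, dst_mac, src_ip, dst_ip, payload_len):
    """Construct an Ethernet II frame carrying a minimal IPv4 header (sample traffic, not captured)."""
    eth = (bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", ""))
           + b"\x08\x00")                                   # EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return eth + ip + b"\x00" * payload_len

def build_pcap(frames):
    """Wrap raw frames in a little-endian libpcap file so the parser below sees realistic input."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for ts, frame in enumerate(frames):
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame)) + frame
    return out

def parse_pcap(data):
    """Yield (src_mac, dst_mac, src_ip, dst_ip, frame_len) for each IPv4 frame in a pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    endian = "<" if magic == PCAP_MAGIC else ">"          # byte order of the host that wrote the file
    offset = 24                                             # skip the global header
    while offset + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack_from(endian + "IIII", data, offset)
        frame = data[offset + 16:offset + 16 + incl_len]
        offset += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                                        # skip ARP, IPv6 and runt frames
        yield (frame[6:12].hex(":"), frame[0:6].hex(":"),
               ".".join(str(b) for b in frame[26:30]),
               ".".join(str(b) for b in frame[30:34]), len(frame))

def analyse(data, known_macs=KNOWN_MACS):
    """Share of bytes per sending MAC, busiest IP conversations, and MACs missing from the allow list."""
    by_mac, by_pair = Counter(), Counter()
    for src_mac, _dst_mac, src_ip, dst_ip, length in parse_pcap(data):
        by_mac[src_mac] += length
        by_pair[(src_ip, dst_ip)] += length
    total = sum(by_mac.values()) or 1
    return {
        "share": {mac: round(100 * n / total, 1) for mac, n in by_mac.items()},
        "top_pairs": by_pair.most_common(3),
        "unknown": sorted(mac for mac in by_mac if mac not in known_macs),
    }

# Constructed sample capture: one known client browsing lightly, one unlisted MAC pushing a bulk
# upload to an outside host, plus one ARP frame that the parser ignores.
SAMPLE_PCAP = build_pcap(
    [ipv4_frame("aa:bb:cc:00:00:01", "aa:bb:cc:ff:ff:01", "192.168.1.10", "203.0.113.10", 100)] * 2
    + [ipv4_frame("de:ad:be:ef:00:01", "aa:bb:cc:ff:ff:01", "192.168.1.77", "198.51.100.7", 1400)] * 8
    + [bytes(12) + b"\x08\x06" + bytes(28)]
)

if __name__ == "__main__":
    for key, value in analyse(SAMPLE_PCAP).items():
        print(key, value)
```

On a real capture, replace SAMPLE_PCAP with the bytes of the saved .pcap file; a MAC in "unknown" with a large share is the client to investigate.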



posted on Feb, 3 2013 @ 12:54 AM
Well, so far it's gone quiet again. I've got Wireshark up and NetSurveyor running through the Alfa to get a good long look at what comes online around me while I'm away. The Laptop and an old desktop both pose no risk of loss to anything of relevance so when I head to bed in a short time I'm leaving them both up with the Wireless and Router passwords restored to what they've been when compromised recently. The router is logging as well but I don't put near as much faith in it catching what I need to see. Frankly, Cisco isn't impressing me for their equipment. That's another thread though.

Now it's just waiting I suppose. I'm determined and patient though...and I'm pissed. When next they come calling, I'll see it and a great deal more than just the fact 'someone' snuck in. I'm hoping it's just kids screwing around or trying to bum torrent bandwidth. That's best case scenario anyway...and frankly, the likely one. I find it real hard to believe I see a half dozen routers come up with consecutive numbers after the Netgear SSID and have it much more than what I'm thinking at this point.

Still.... Fat chance I'll have luck explaining to a lawsuit that I wasn't the one to download whatever it is.
My neighbor got a warning letter from AT&T about his downloading things he shouldn't have been, so all that is definitely still happening and makes any intrusion one I have to put an end to. I wish people would keep their electronic paws to themselves. Especially when we all live in the same neighborhood. I mean..geeze.. do people really think no one is going to eventually get curious and track it down? Oh Well..

I'm dying to see what I catch.
I'll drop a note back when I have something more worth adding.



posted on Feb, 3 2013 @ 01:31 PM
Awesome, let us know what you find, Rabbit..
Packet sniffers are a great way to really get into the inner workings of your network, even if you are not troubleshooting a specific problem.
I know you mentioned you use VOIP in your initial post; you can even trace your calls through your network that way.. Wireshark makes VoIP/SIP tracing very easy.


As for your gear.. I see you said you have an EA-4500, which is actually a consumer grade router, so some of the things I mentioned earlier may not be an option, depending on firmware, though something similar can be done.
edit on 3-2-2013 by opethPA because: (no reason given)




