Locking WiFi

Kr0nZ

gariac
Some of these user agent hacks in the past have been over wifi. If you think the wifi I'd hacked, junk the router and run DDWRT. Besides, the only suitable place for a Netgear router is in the garbage dump. Wait no, take it to recycling.

Again you would still need to connect to the wifi, you cant just hack the router admin panel via wifi without first obtaining the wifi password and connecting to the network.

gariac
If you have ONE PC on the network, it will still have a lot of legitimate chatter. Well if you call Adobe phoning home legit. While I agree Wireshark will see everything, for a person that never ran it, the task will probably be difficult. The only reason I suggested Zonealarm is Wireshark has already been suggested, but still hasn't been used yet.

Again as I said.. you just tell wireshark to ignore that ONE PC, thats what wireshark's filter rules are for.

Something like this:

(!(ip_ == 192.168.1.111)) && !(ip.dst == 192.168.1.111)

Will ignore all traffic coming from or going to that one pc


Anyway, I prefer to know where the problem actually is before trying to fix the problem. No point trying to fix someone cracking your wifi password or router, if that's not where the problem is.

edit on 7/12/13 by Kr0nZ because: (no reason given)

A procedure of course that would negate detecting any spyware on his machine that is trying to phone home.

Better to do a more complete analysis. Further. I see no reason not to grind up a Netgear router.

gariac

Kr0nZ

gariac
Some of these user agent hacks in the past have been over wifi. If you think the wifi I'd hacked, junk the router and run DDWRT. Besides, the only suitable place for a Netgear router is in the garbage dump. Wait no, take it to recycling.

Again you would still need to connect to the wifi, you cant just hack the router admin panel via wifi without first obtaining the wifi password and connecting to the network.

gariac
If you have ONE PC on the network, it will still have a lot of legitimate chatter. Well if you call Adobe phoning home legit. While I agree Wireshark will see everything, for a person that never ran it, the task will probably be difficult. The only reason I suggested Zonealarm is Wireshark has already been suggested, but still hasn't been used yet.

Again as I said.. you just tell wireshark to ignore that ONE PC, thats what wireshark's filter rules are for.

Something like this:

(!(ip_ == 192.168.1.111)) && !(ip.dst == 192.168.1.111)

Will ignore all traffic coming from or going to that one pc


Anyway, I prefer to know where the problem actually is before trying to fix the problem. No point trying to fix someone cracking your wifi password or router, if that's not where the problem is.

edit on 7/12/13 by Kr0nZ because: (no reason given)

A procedure of course that would negate detecting any spyware on his machine that is trying to phone home.

Better to do a more complete analysis. Further. I see no reason not to grind up a Netgear router.

Well Ops main concern was a neighbour hacking his wifi, once you can rule that out, you can then focus on what PC on the network is causing the problem.


You wouldn't tighten up all the pipes in your house, just to realize you left the bathtub running.
As I said, find where the problem is first before you start fixing random things.

Thanks for the great input. So, I can now thank you for letting me know my Netgear is crap, and that is ok. I do think the easiest solution is the DDWRT router you recommended. I have a program that shows who is on my wifi and gives me their mac address and IP address is found on netgear's admin page so someone is on my system somehow. I am having doubts it is a neighbor now as I took my kindle out and tested my range, and it just seems unlikely it could be a neighbor 5 to 10 acres away from me.

I really hate this techy stuff, but I am learning much from this discussion. What clued me in was I would get knocked off the internet and when I finally downloaded the program that showed me what mac addresses were on my system, I could tell that one (the same one over and over) suddenly on my wifi!

This is when I changed passwords, set up better firewall, and they got around it in a day. I would get knocked off line and sure enough, they would be back. So now, when I go to bed, I unplug my modem. I just started unplugging my modem every darn time they would show up. Oddly, since updating my firmware, and unplugging it is happening much less frequently.

I had an odd thought, that one of you can probably tell me is off base, but could my smart meter be interfering with my wifi signal and doing this? I have no idea how to find out the mac address on my smart meter.

Thanks again for all the members help.

reply to post by UnifiedSerenity


Wifi goes for miles with the right antenna. It used to take some skill, that is you had to build the antenna, but now they are easily bought. You can even get usb adapters with standard N connectors, so no funny adapters are required.

For asymmetric communications, that is between a stock wifi router and a high gain wifi system, I would put the limit at 10 miles.

alfa tube u

high gain antennas

Using high gain antennas, the record is 310km. That was done by a vendor. At Defcon, the record was 125 miles.

I'm doubting you are being hacked. The information provided in this thread is great, btw, and as I'm about to set up a new router, I'll be paying attention to what has been said here. It seems to me you have implemented many of the suggestions and are quite capable of following the directions here, so you're not at all inexperienced. You have a "normal" router without any fancy extensions to antennas and such, so this tells me the range is not really that great. A normal WiFi router can broadcast a couple hundred feet, not miles. In my case, for example, my neighbor's signal is one bar, which would barely connect at all. Yes, you can modify a router with fancy antennas and such to make it cover a wider area, as the previous poster points out, but you haven't done that, have you? I'm guessing you have an out-of-the-box router with no hardware mods to make it stronger,, in which case the idea that "it can go ten miles!" does not apply.

And you live in the country, not in a city apartment house where you normally have the choice of dozens of unsecured routers. That means that in all likelihood you can see the house from which you are being hacked--if you are. So the bottom line here is that there are very few places around you from which you CAN be hacked, and within that subset, very few people who have the knowledge and capability to circumvent all the barriers you have already put into place. What are the chances that someone like that lives near enough to you to hack you?

Is it possible? Of course, but we're not talking possibility here, but probability. The universe of people who can do this, compared to the general population is very low. Statistically, it's unlikely. But that begs the question. It could still be happening. The problem is that you are still in the technical realm attempting to counter a possible attack with countermeasures. One other way to handle this is social engineering.

Your attacker, if he exists, is not very far away from you. I have had WiFi over a decade and used many different routers during that time. My house is in a neighborhood of half-acre parcels with an empty field in front. At no time have I ever detected more than three other connections. Most people these days at least use WEP, which is automatic in newer installations.

So visit your neighbors and ask them what they have in the way of WiFi and computer connections. You're just getting started and not sure which way to go, so you are soliciting their opinions and expertise. Is there anyone there who can help you? If one of your neighbors says, "Say, my son is REALLY GOOD at this stuff. Let's have you talk with him!" then you've probably nailed your perp. If everyone says, "I don't have a computer" or "Beats me how this stuff works. The guy came out and installed it for me." then perhaps you can give up on the idea you are being hacked.

reply to post by schuyler


You didn't read my post carefully. You can do 10 miles range on an asymmetric setup. That is a plain router on one end and a high gain setup on the other end. The high gain antenna improves reception and transmission. This is especially true if the high gain antenna is directional.

Don't use a phone or tablet as a measurement device for wifi range. Some phones are pure crap on wifi , like the iphone.

reply to post by schuyler


Your comments are sensible, and I have decided more than likely it is not a neighbor, but something is happening because I see a mac address on my wifi that does not have permission. I know when it happens because I get knocked off-line and sure enough there it is.

So, something is causing it, but I am not sure if it's something of a proxy attack using my system for some purpose like a zombie or whatever. I think I just need to get that other system talked about and things should improve. It seems updating my hardware did help as I have not been knocked off today.

Thanks for the input.

reply to post by UnifiedSerenity

I see a mac address on my wifi that does not have permission.

What does this mean? Define permission?

If you have changed the password and you see a device on the wifi that is not owned by you, your router has a back door that is being exploited.

I forgot to ask if you turned off UPNP. If not, turn it off. Then go to Steve Gibson's website and make sure it is actually off since some routers have firmware written so badly that when you turn of UPNP, it is still on.
UPNP test

And don't use WPS to set up passwords. Use
GRC password generator
and painfully enter the passwords in all your devices.

In the 10 days you have spent agonizing over this, you could have already had a new router with DDWRT installed. Then if someone is on your system, you really have problems. But you can go to full isolation mode. That means the most the hacker could do is steal some wifi. They won't be able to get into your lan and thus desktop PC. Of course neither can you, but not a lot of people use their wifi for anything more than just internet service.

hmmmm,

alot of information is in this thread. if after all this and someone is still easily breaking in or onto your network. either, your router is suspect; or there is more to the story. generally a wifi router properly setup
with wp2 is actually pretty hard to break into.

most routers have logs, and dhcp tables, you may want to start there. what you need to do is match every device you have including phones etc, anything with Mac to IP. and I mean every device; xbox, anything thats wifi enabled. match it up with whats in the router tables and logs. if you have anything left. lookup its
mac address here:
www.coffer.com...

to see what kind of device it is.....

gariac
reply to post by schuyler

 

You didn't read my post carefully. You can do 10 miles range on an asymmetric setup. That is a plain router on one end and a high gain setup on the other end. The high gain antenna improves reception and transmission. This is especially true if the high gain antenna is directional.

Actually, I did, and if you read mine carefully you would have noticed that the entire theme there is based on probability, not possibility. It's an important distinction because many things that are possible, technically, have a very low probability of happening. In order for your "ten mile hack" to occur, everything has to be perfect from a physical and a technical point of view, plus you have to have the expertise and will to do it. In essence, it is theory versus practice. Have you, for example, actually physically done what you say can be done? Have you ever hooked up a high gain antenna and hacked into a node ten miles away? Can you give chapter and verse of exactly how this was done?

When you have a situation like this where you are suspicious you've been hacked, then it seems to me the best approach is to deal with the most likely scenarios first. You only have so much time. That means your nearby neighbors are more likely to be the culprits--if there are any. My approach as outlined above is the quickest way to narrow this down.

But this whole idea of spoofed MAC addresses is a bit tenuous anyway. A MAC address is encoded in hardware. The first three components are from the manufacturer. Identify those three components and you have identified the builder of the device (and would be a clue in this situation.) The last three amount to a serial number. Bear in mind that these are hard-coded. Now we know already that you can specify which MAC addresses have access to your network. In theory, no addresses other than those you specify can get in.

Enter MAC address spoofing, which means that someone hacks your MAC addresses and pretends his device has the proper MAC address to use your system. (How clever!) But if this is the case, why would you see "foreign" MAC addresses on your system? You can be disguised, or not disguised, but you can't have it both ways.

Now we can argue this back and forth, but this bears on the problem at hand. And answering every objection with yet a new possibility amounts to building as straw man. In order to explain how this is happening you need to resort to ever more convoluted answers to explain something that is nowhere near proven in the first place. In other words, you're spending way too much time and energy trying to fit a low-probability answer into the scenario. Occam's Razor would suggest that the simplest explanation is most likely. The "ten mile hack" scenario represents an awful lot of work against a protected system far away when, if such a thing existed, there would be many unencrypted systems within that ten mile radius that would be far easier to piggy back upon. In other words, if you have a ten mile range, hacking into a system that uses encryption and MAC address verification and is actively "fighting the hack" doesn't make sense just to obtain Internet access.

You needn't deal with the esoteric issues unless you have exhausted the more likely scenarios, which has not been done here.

reply to post by schuyler


Take a good look at the equipment I mentioned in an earlier post. That is your first clue that I have more than a passing interest in long distance wifi. You will note I specified a single band usb dongle. They work much better with weak signals.

Of course I am not going to admit borrowing wifi, but I didn't pull the 10 mies range out of my arse. I use altitude to my advantage, minimizing the Fresnel zones. So altitude and a directional antenna is all it takes.

OP.
RF signals mostly work on line of site. So, place a sheet of metal just behind your router so that it blocks the most likely neighbours line of site to your router.
If you know how to do it safely then Earth that sheet of metal.
If that doesnt stop them then block another neighbour.

gariac
reply to post by schuyler

 

Take a good look at the equipment I mentioned in an earlier post. That is your first clue that I have more than a passing interest in long distance wifi. You will note I specified a single band usb dongle. They work much better with weak signals.

Of course I am not going to admit borrowing wifi, but I didn't pull the 10 mies range out of my arse. I use altitude to my advantage, minimizing the Fresnel zones. So altitude and a directional antenna is all it takes.

You're enamored with your own skills, but it's like staring at your belly button. This still begs the question. Is she being hacked, really? If she is, what is the MOST LIKELY source of that hack? How many people in a twenty mile radius from her home (since we don't know from which direction it's coming) are capable of pulling off this hack? Given a twenty mile radius where there are many target choices, likely including people who are nowhere near as knowledgeable as our OP, why would this person pick on this one site? Who says there is even a possible height advantage? You added a variable there.

My real objection here is that you take an unlikely series of events and promote it to the likely cause. In the universe of possible causes, the "ten mile hack" has to be one of the least probable out there. Assuming she is being hacked, MUCH more probable is a nearby neighbor with normal equipment. It makes much more sense to investigate and eliminate this possibility before moving outward toward less likely probabilities, leaving your "ten mile hack" scenario for dead last.

Your approach wastes time and diverts the investigation. It's like saying we know the NSA listens to phone calls. You are having trouble with your phone, getting dropped calls and so forth, THEREFORE it MUST be the NSA! It's a giant leap to an unlikely conclusion and not at all worth pursuing unless all more likely avenues are first exhausted.

You're enamored with your own skills, but it's like staring at your belly button.

reply to post by schuyler


Rather than insult me, you should read all my posts. I already gave the simple, quick and dirty answer: use DDWRT.

A router is a critical piece of infrastructure. It is in a position to sniff every bit of internet traffic. Given the revelations of the poor quality of proprietary router firmware, every home users should be running DDWRT or an equivalent open source router firmware. I mention DDWRT because you can buy it COTS (commercial off the shelf) in some Buffalo routers. I even suggested which router to buy.

Now regarding long distance wifi, this is a decade old hacking trick. going back to the cantenna. But it makes no difference if an intruder is 10 miles away or 10 feet away. An intrusion is an intrusion. So your comment is irrelevant.

gariac

Now regarding long distance wifi, this is a decade old hacking trick. going back to the cantenna. But it makes no difference if an intruder is 10 miles away or 10 feet away. An intrusion is an intrusion. So your comment is irrelevant.

As an investigator or detective, your approach makes no sense. That's not the way to clear cases. If you've got a missing persons case in California, you don't start digging for bones on Colorado. That's essentially the kind of thing you are suggesting, which just throws the investigation off-track. You are digging in the wrong place just because it's possible. That's the approach that is irrelevant.

when it comes to these sorts of 'forensic' investigations. generally you start with all the simple stuff first,
all the basics as you will... because, no matter how "possible" a long range hack is, its usually unlikely
because its beyond the skill or knowledge of most people.

generally, i find its something basic. suspect router, infected PC, etc.... password written down and someone who has access to the house gets it etc....

so, i always rule how all the basic stuff first before moving on to more exotic stuff.

-GhostInShell

Ghostinshell
when it comes to these sorts of 'forensic' investigations. generally you start with all the simple stuff first,
all the basics as you will... because, no matter how "possible" a long range hack is, its usually unlikely
because its beyond the skill or knowledge of most people.

generally, i find its something basic. suspect router, infected PC, etc.... password written down and someone who has access to the house gets it etc....

so, i always rule how all the basic stuff first before moving on to more exotic stuff.

-GhostInShell

Clearly nobody is reading my older posts. I only brought up the long range hacking much later in the thread.

Again, and I hate to have to keep repeating myself but a few people er um might have issues with short term memory, I have suggested to run DDWRT. I'm not alone in this. Plenty of security experts suggest running open source software on routers.

Again, just for the record and the benefit of those with short term memory issues, it makes no difference if the intruder is in the next house or ten miles away. The solution is the same.

I suspect this stuff is snake oil, but it couldn't hurt:
Focus Factor

reply to post by UnifiedSerenity



My husband is red team so I thougth Id have some super cool thing to tell you by asking him. He looked at me like I was stupid and said " get rid of that netgear 'crap' " and went back to eating salsa and chips.

So there you go... pretty much what others said!

I find it unlikely that someone is cracking your WPA2 password, especially since you changed it several times. Believe it or not, it only takes a few packets of data to be captured to carry out an attack on the password, but this is all done offline using a program to churn through thousands or millions of potential passwords until a match is found. This can take a long time and the time it takes goes up exponentially with the length of the password. So, unless they are using some kind of experimental supercomputer, I would say that they are not gaining access by cracking your password.

However, there is a technology called WPS which was invented to "simplify" the connection process. One particular mode uses an 8 digit numeric password as the security mechanism, and if someone guesses it, the router will literally send them the WPA2 password. Disable everything in your router's settings that has to do with WPS, if possible.

But, in all honesty, I would really consider the possibility that your router might just be crapping out on you. All of the attacks that I know of against WPA2 are done primarily offline and wouldn't cause everyone in the house to get disconnected over and over. There is the possibility that someone is using deauthentication packets to knock you off, but if their purpose for this was to gain access to your network this would only need to be done a few times max. Your devices would reconnect automatically and send the router their encrypted credentials, the attacker would "sniff" this and thus have what they need to do an offline attack. There would be no other reason to continually knock you off your router other than to be annoying.

Since your only other evidence of an attack is the router's "connected devices" page, you could try a couple things to test this. First, just to test how well the page works and how responsive it is, you could try having a device connect to the WiFi and see how long it takes for it to appear on the page. Then turn it off and see how long it takes to appear "offline". The next time you see the alleged attacker's MAC address appear, unscrew the router's antenna if possible or wrap the antenna in a few layers of aluminum foil (or the whole router if it doesn't have a visible antenna). That should knock anyone off who is connecting via WiFi. Just don't unplug or reboot the router. Check to see if the MAC address in question disappears or appears as "offline". If it is still there, try unplugging the connection to the DSL and wait for the same thing. This should hopefully tell you if they are connecting via WiFi or through your internet connection.

Oh, and just so you know, DD-WRT isn't a particular type of router, it is just software that can be installed on a multitude of home routers. Chances are your router supports it and it is completely free (but NOT supported by the router's hardware vendor, plus it can be a little tricky to install). Go to the DD-WRT website and check their router database to see if yours is on the list.

I hope you figure out what is going on. Happy hacking