Wireless intrusion - WPA and TKIP cracked with ease

MikkiJayne
Guest

 
      10-13-2007, 02:22 PM

Hi all,

I'm a noob to this forum, but I've been working in the IT industry for
10 years or so. I'm not particularly experienced with wireless, just
using it at home, but I'm learning fast.

So, I have a problem with one of my neighbours hacking my wireless
connection and downloading massive amounts of data, using a spoofed MAC.
I have a belkin modem-router which is using WPA and TKIP/AES, and the
intruder just waltzes through the security like it's not even there.
I've hidden the SSID, changed all the settings, and he just gets
straight back in. I've even disabled wireless client access on the
router and he STILL got in.

I'm less bothered about stopping him now, and more bothered about
finding out who it is so that I can set the cops on him, because this is
costing me money and a lot of time. I've reverted to a non-wireless
router in the meantime since there is nothing more I can do with the
wireless.

Does anyone know of any counter-intrusion tools that I could use to
find out what he's doing, or even counter-hack his machine? I think it's
fairly well firewalled.

Thanks for any help!

Mikki x


------------------------------------------------------------------------
View this thread: http://www.wirelessforums.org/showthread.php?t=30267
http://www.wirelessforums.org

Axel Hammerschmidt
Guest

 
      10-13-2007, 03:40 PM
MikkiJayne <(E-Mail Removed)> wrote in
news:(E-Mail Removed):

<snip>

> So, I have a problem with one of my neighbours hacking my wireless
> connection and downloading massive amounts of data, using a spoofed
> MAC. I have a belkin modem-router which is using WPA and TKIP/AES, and
> the intruder just waltzes through the security like it's not even
> there.


Use a longer key. Get it here:

<https://www.grc.com/passwords.htm>

(Hi John!)

> I've hidden the SSID, changed all the settings, and he just gets
> straight back in. I've even disabled wireless client access on the
> router and he STILL got in


Just fix the key, OK?


--
Oops!... I did it again
Chris Davies
Guest

 
      10-13-2007, 05:28 PM
MikkiJayne <(E-Mail Removed)> wrote:
> I have a belkin modem-router which is using WPA and TKIP/AES, and the
> intruder just waltzes through the security like it's not even there.


Your key's way too short and guessable. WPA/PSK is essentially hackable
only by brute force guessing of the key.


> I've hidden the SSID


Don't do that. It just irritates other people legitimately trying to
find clear frequencies, and as you point out yourself it doesn't stop
anyone determined enough finding it.

Chris
Kris
Guest

 
      10-13-2007, 07:45 PM
Chris Davies writes:
> Your key's way too short and guessable. WPA/PSK is essentially hackable
> only by brute force guessing of the key.


Or the intruder managed to remotely install a trojan on his PC when he
earlier maybe used WEP or a simpler WPA password, or the router itself
is compromised.

To the OP: do AV, spyware and rootkit (google "Rootkit Revealer") scans.
Change the password on your router and make sure remote admin is
disabled. Check that the router is configured for only WPA, not WEP+WPA.

If the router has a monitor port (i.e. my Speedtouch manual says it can
be configured as such) then use Wireshark to filter out i.e. BitTorrent
traffic and spot any identifiable information such as POP3 usernames,
SMTP from: addresses, web cookies with names/usernames, or Windows
filesharing computer names.

The Police may be able to triangulate his location with uber-sensitive
directional equipment (note: this is just a guess from watching too many
TV licensing adverts). If they are using a high-power antenna, Ofcom
might also be interested from a Wireless Telegraphy Act perspective. I
don't know whether Ofcom or the Police or another service would have the
best hardware.
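The sorting Kris describes (separate the intruder's frames from your own, then see which services they talk to) can be scripted once a capture has been exported. This is an added Python example, not code from the thread: the station allow-list, MAC addresses, IPs and frame records are constructed for the example. It flags MACs that are not yours, and known MACs that suddenly send from a different IP (what a borrowed MAC looks like on the wire), and tallies the services each suspicious station uses so you know which conversations to open in Wireshark.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Frame:
    """One captured frame, reduced to the fields the triage needs."""
    src_mac: str
    src_ip: str
    dst_port: int

# Constructed sample, not a real capture: the laptop's MAC shows up a second
# time from a different IP (a borrowed MAC), and one MAC is not ours at all.
KNOWN_STATIONS = {"00:11:22:aa:bb:01": "192.168.2.10",   # laptop
                  "00:11:22:aa:bb:02": "192.168.2.11"}   # desktop
SAMPLE_FRAMES = [
    Frame("00:11:22:aa:bb:01", "192.168.2.10", 443),
    Frame("00:11:22:aa:bb:02", "192.168.2.11", 80),
    Frame("00:11:22:aa:bb:01", "192.168.2.37", 6881),
    Frame("00:11:22:aa:bb:01", "192.168.2.37", 6889),
    Frame("00:11:22:aa:bb:01", "192.168.2.37", 110),
    Frame("de:ad:be:ef:00:01", "192.168.2.40", 25),
]
WELL_KNOWN = {25: "smtp", 80: "http", 110: "pop3", 139: "smb", 443: "https", 445: "smb"}

def service_name(port: int) -> str:
    """Label a destination port; 6881-6999 is the usual BitTorrent range."""
    if 6881 <= port <= 6999:
        return "bittorrent"
    return WELL_KNOWN.get(port, f"tcp/{port}")

def audit_frames(frames, known_stations):
    """Return {(mac, ip): finding} for stations that need a closer look.
    Suspicious: a MAC not in the allow-list, or a known MAC sending from an IP
    other than its usual one (two hosts sharing one MAC is what a borrowed
    address looks like on the wire)."""
    per_station = defaultdict(Counter)   # (mac, ip) -> service tallies
    for f in frames:
        per_station[(f.src_mac, f.src_ip)][service_name(f.dst_port)] += 1
    findings = {}
    for (mac, ip), services in per_station.items():
        if mac not in known_stations:
            reason = "unknown station"
        elif ip != known_stations[mac]:
            reason = "known MAC used from unexpected IP (possible spoof)"
        else:
            continue
        findings[(mac, ip)] = {"reason": reason, "services": dict(services)}
    return findings
```

On a real capture, feed the function the source MAC, source IP and destination port columns exported from Wireshark and then open only the flagged stations' POP3/SMTP/SMB streams to look for the identifying details Kris lists.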
Jeff Liebermann
Guest

 
      10-13-2007, 08:26 PM
MikkiJayne <(E-Mail Removed)> hath wroth:

> I've been working in the IT industry for
> 10 years or so.


If you've survived that long, and are still sane, permit me to
congratulate you.

> I'm not particularly experienced with wireless, just
> using it at home, but I'm learning fast.


High speed learning doesn't work. In order to understand something
well, you need to tear it apart, make a huge mess dissecting the
contents, analyze the entrails, and put it back in working order. It's
all part of "Learn By Destroying(tm)."

> So, I have a problem with one of my neighbours hacking my wireless
> connection and downloading massive amounts of data, using a spoofed MAC.


It takes more than just a spoofed MAC address. In addition, if they
have borrowed the MAC address of one of your machines, there will be
considerable packet corruption when BOTH machines try to connect.

> I have a belkin modem-router which is using WPA and TKIP/AES, and the
> intruder just waltzes through the security like it's not even there.


Are you sure you work in IT? Belkin has more than one model, each
with their own collection of bugs and problems. If you like
generalized and theoretical discussions, I can do that, but if you
want specific answers for your specific problem, kindly disclose the
model number of ALL your wireless hardware. Extra credit for the
firmware versions (don't say "the latest"). Then, you get to dig
through the various security mailing lists to see if there are any
unpatched security holes in your unspecified router and firmware.

> I've hidden the SSID,


Waste of time. All that does is have your neighbors land on the
channel you're using because they can't see your access point. It
also breaks a few client connection managers. It might slow down a
hacker for about 30 seconds. Kismet and other utilities show hidden
SSID's.

> changed all the settings,


All of them or just some of them? Any particular settings that were
changed from the default?

> and he just gets straight back in.


Yep. Now, convince yourself (and me) that you actually have WPA-PSK
(or WPA-personal) set up correctly. That's not as easy as it sounds on
some of the more moronic user interfaces. For example, one ancient
version (I think it was Netgear's) had a nice list of encryption
protocols to select, but on a different page, had an encryption on/off
radio button. Users would select the correct protocol, and think they
are protected.

My guess(tm), based upon your description, is that you actually have a
WEP key set up, which is easily cracked. Don't use WEP encryption.

Incidentally, WPA encryption is safe but only with long (20 char)
non-dictionary pass phrases. My guess(tm) is that yours is fairly
trivial and can therefore be cracked. See:
<http://www.wirelessdefence.org/Contents/Aircrack-ng_WinAircrack.htm>
<http://en.wikipedia.org/wiki/Aircrack-ng>

> I've even disabled wireless client access on the
> router and he STILL got in


That's not what it's called. It's something like "wireless
administration access" which controls whether a wireless client can
get to the web configuration interface. There's also a "remote admin"
setting that does the same thing for users coming in from the
internet. You should probably leave both of these off, at least until
the problem is identified.

> I'm less bothered about stopping him now, and more bothered about
> finding out who it is so that I can set the cops on him, because this is
> costing me money and a lot of time.


Are you sure you work in IT? Do you read the trade journals? How
many people have you seen busted for unlawful use of a computer via
wi-fi? There are a few but in general, unless you can prove that the
system was used to commit a more serious crime, the local D.A. doesn't
have a clue what to do with the case and generally refuses to
prosecute.

Also, please note that *YOU* are responsible for your own security. If
you know that your security is defective, and have not done due
diligence (i.e. security scans) to verify your own security, you are
at least partly responsible for consequential damages. This has not
been tested in court and can be effectively argued by both sides.
However, it does represent a reason why the D.A. does not want to
prosecute.

If you really want to find the culprit, there are several things you
can do. One is to capture some of their traffic and try to identify
the culprit from the destinations or contents. The other is more
technical and requires a 2.4GHz directional antenna, and plenty of
understanding of RF propagation. If you know any of the local ham
radio operators, they might be able to help. If that's too much,
reduce your antenna size so that they need to have a strong signal to
connect. Walk around with your laptop running Kismet (or some sniffer
that displays signal strength) until you find the general area.

> I've reverted to a non-wireless
> router in the meantime since there is nothing more I can do with the
> wireless.


Well, that's fine for now, but if you've given up, why ask for help?

> Does anyone know of any counter-intrusion tools that I could use to
> find out what he's doing, or even counter-hack his machine? I think it's
> fairly well firewalled.


Are you sure you work in IT? Counter-hacking is generally a bad idea
because of the legal complications. It's one thing for the culprit to
borrow your connection for whatever purpose. It's another for you to
destroy his machine or data by remote control.

To find out what he's doing, you use a sniffer such as Ethereal or
WireShark. Capture some traffic and look at it carefully. I also
have tools that use the router statistics to log destinations and
traffic, but I don't think they'll work on any Belkin hardware. You
can best install a sniffer probe with a separate computer and a hub.
Install the hub (not a switch) between the modem and the router.
Connect the computer to the hub and sniff away. There are also plenty
of network traffic analyzers available.


--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
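Chris's point that WPA-PSK falls only to guessing the key, and Jeff's that it is safe with a long non-dictionary passphrase, can be made concrete. This is an added Python example, not code from the thread: it derives the pairwise master key the way the 802.11i standard does (PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID) and estimates how long exhausting the candidate space takes for a dictionary word versus a 20-character random passphrase; the wordlist, the sample passphrases and the guess rates are made up for the example.

```python
import hashlib
import math
import string

# Added example, not from the thread.  WPA/WPA2-PSK derives its 256-bit master
# key from the passphrase exactly like this (IEEE 802.11i), so every candidate
# a guesser tries costs one full PBKDF2 run of 4096 HMAC-SHA1 iterations.
WPA_ITERATIONS = 4096
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Constructed stand-in for a guesser's wordlist; real ones hold millions.
SMALL_WORDLIST = {"password", "letmein", "belkin54g"}

def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), WPA_ITERATIONS, 32)

def passphrase_bits(passphrase: str, wordlist=SMALL_WORDLIST) -> float:
    """Rough guess-resistance in bits: a dictionary word is worth only
    log2(wordlist size); otherwise length * log2(character-set size)."""
    if passphrase.lower() in wordlist:
        return math.log2(len(wordlist))
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation, " ")
    charset = sum(len(c) for c in classes if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(charset) if charset else 0.0

def years_to_exhaust(bits: float, pmk_per_second: float) -> float:
    """Years needed to try every candidate at a given PBKDF2 rate (worst case)."""
    return 2 ** bits / pmk_per_second / SECONDS_PER_YEAR

if __name__ == "__main__":
    # IEEE 802.11i test vector: passphrase "password", SSID "IEEE".
    print(wpa_pmk("password", "IEEE").hex())
    for pw in ("password", "Xq7vR2mLp9sT4wZk8nQb"):
        bits = passphrase_bits(pw)
        print(f"{pw!r}: {bits:.1f} bits, "
              f"{years_to_exhaust(bits, 1e9):.3g} years at 1e9 PMK/s")
```

The estimate is only as honest as the wordlist: a passphrase built from a real word plus a digit is far closer to the dictionary case than the character-set arithmetic suggests, which is why Jeff's advice is a long random string rather than a long phrase.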
Jeff Liebermann
Guest

 
      10-13-2007, 09:09 PM
Jeff Liebermann <(E-Mail Removed)> hath wroth:

> > I'm less bothered about stopping him now, and more bothered about
> > finding out who it is so that I can set the cops on him, because this is
> > costing me money and a lot of time.
>
> Are you sure you work in IT? Do you read the trade journals? How
> many people have you seen busted for unlawful use of a computer via
> wi-fi? There are a few but in general, unless you can prove that the
> system was used to commit a more serious crime, the local D.A. doesn't
> have a clue what to do with the case and generally refuses to
> prosecute.


Oops. I didn't notice that you were in the UK. Things might be
different on the other side of the pond. Looks like there are at
least some arrests for "leeching", but I couldn't find any actual
prosecutions.
<http://news.bbc.co.uk/2/hi/uk_news/england/london/6958429.stm>
<http://wirelessnomad.blogspot.com/2007/08/man-arrested-over-wi-fi-theft-in.html>
<http://www.out-law.com/page-7969>
<http://www.out-law.com/page-8405>

It would appear that in the UK, war driving is also illegal:
<http://www.out-law.com/page-5938>
Here's one conviction from 2 years ago.

<http://www.techworld.com/security/news/index.cfm?RSS&NewsID=9888>
"However, neither offense is considered sufficiently serious
for statistical analysis, so he could not say how many such
arrests had been made. Tellingly, the spokesman could not recall
any successful convictions for illegally using broadband
Internet connections."

Hmmm... doesn't look good for getting a conviction or restitution.
