Intrusion Detection Tool?

Discussion in 'Wireless Internet' started by Anonymous, Nov 9, 2013.

  1. Anonymous

    Anonymous Guest

    Does there exist a software application for Windows XP that
    provides intrusion detection for wireless client? I am looking only
    for something that is more or less a *complete* package, not
    something where I have to fish around and install separate packages
    from different sources. I want something fairly easy to install and
    Anonymous, Nov 9, 2013
    1. Advertisements

  2. Not exactly for a wireless "client" but might be what you need.
    Jeff Liebermann, Nov 12, 2013
    1. Advertisements

  3. Anonymous

    Anonymous Guest

    Anonymous, Nov 22, 2013
  4. Well, I must confess that I haven't tried Airsnare for many years.
    I'll give it a try, when I have time. Kinda busy right now.
    Groan. I hate it when that happens. Here's a report from 2011 that
    it works on Win 7 with WinPcap 4.12. See reviews.
    Serious Wi-Fi is an oxymoron.

    If you must roll your own, search for a "MAC address scanner".
    Hopefully, a program can be found that will produce an ordered list of
    MAC addresses that it finds on the network. Then, compare the list
    with a previously saved list or with a "white list" of known MAC
    addresses. If it finds a new and unknown MAC address, fire off an
    alarm. Probably can be written in almost any programming language.
    (Note: I'm a lousy programmer).

    Something like AngryIP:
    should work, but only if the rogue MAC address has successfully
    obtained an IP address. It seems to be a common characteristic of
    such programs. That's little like catching a burglar after they have
    already entered the house. Sniffing the network, like AirSnare is
    better, but scanning might be good enough. Dunno.

    Here's another that looks like it's worth a try:

    Nmap can also scan a range of IP addresses and produce the
    corresponding MAC addresses:
    nmap -sP
    I would provide a sample output, but it seems that my last adventure
    in network shims has broken WinPcap and/or Nmap. Sigh. See #9 belwo:

    For Linux, try arp-scan:

    In all cases, the mechanism is the same. Save the output and compare
    it with a "white list" of MAC addresses.
    Jeff Liebermann, Nov 23, 2013
  5. Nmap was radically out of date. No clue how it got down-reved so
    badly. Probably some program I installed that included WinPcap, that
    left WinPcap behind when I later uninstall the program. Argh.

    Sample output on my office network:

    C:\Nmap>nmap -sP
    Starting Nmap 4.01 ( ) at 2013-11-22
    20:40 Pacific Standard Time
    Host appears to be up.
    MAC Address: 00:22:75:D5:FE:40 (Unknown)
    Host appears to be up.
    Host appears to be up.
    MAC Address: 00:01:E6:3F:54:A6 (Hewlett-Packard Company)
    Host appears to be up.
    MAC Address: 00:0D:56:80:4F:51 (Dell Pcba Test)
    Host appears to be up.
    MAC Address: 00:18:DE:A2:05:27 (Unknown)
    Host appears to be up.
    MAC Address: 00:0E:08:DC:F8:42 (Sipura Technology)
    Host appears to be up.
    MAC Address: 00:18:F5:02:3A:59 (Unknown)
    Nmap finished: 256 IP addresses (7 hosts up) scanned in 4.922 seconds does not show a MAC address because Windoze doesn't
    support SYN scans on localhost. Grumble...
    Jeff Liebermann, Nov 23, 2013
  6. Anonymous

    miso Guest

    On 11/22/2013 8:47 PM, Jeff Liebermann wrote:

    Really, you need to do this on linux. I've had nothing but aggravation
    with winpcap, especially on 64 bit systems. Of course, I have had
    problems with the disty version of Kismet at times, so you do need to be
    prepared to compile it yourself. Wireshark on the other hand has always
    been solid on linux over the years.

    Note if you are looking for intruders, you need to look for mac
    spoofers. That is, they will try to look like one of your clients.
    Kismet can detect spoofing. I'm not positive how, but IIRC the program
    looks for significantly different signal strength level with the same mac.

    Most intruders will have weak signal strength and often be at the
    minimum data rate (1Mbps).

    I set up the timing on DDWRT for a short range. Not aggressively short
    since I didn't feel like experimenting to see what value finally break
    the service.

    See sensitivity range:
    miso, Nov 23, 2013
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.