is this a wi-fi break-in attempt?

Discussion in 'Home Networking' started by Mike Scott, Mar 14, 2012.

  1. Mike Scott Guest

    Can anyone shed light please? My WAP logs messages like those below,
    showing repeated deauthentication and reauthentication events. The
    interval between events was so short it made the wireless link totally
    unusable. It "went away" when I switched channel.

    Now they've restarted on the new channel, but seem wider spaced, and
    there are periods when nothing untoward appears at all.

    It /could/ be a sign of someone attempting to break in (and learning as
    (s)he goes). Is there any other plausible explanation?

    And if it is a break-in attempt, how can I best get a handle on the culprit?

    Thanks for any thoughts.


    Mar 8 13:19:10 wlan0: A wireless client is associated - 00:1C:C0:74:95:67
    Mar 8 13:19:10 wlan0: WPA-AES PSK authentication in progress...
    Mar 8 13:19:10 wlan0: Open and authenticated
    Mar 8 15:15:35 wlan0: A wireless client is deauthenticated - 00:1C:C0:74:95:67
    Mar 8 15:15:40 wlan0: A wireless client is associated - 00:1C:C0:74:95:67
    Mar 8 15:15:40 wlan0: WPA-AES PSK authentication in progress...
    Mar 8 15:15:40 wlan0: Open and authenticated
    Mar 8 15:15:47 wlan0: A wireless client is deauthenticated - 00:1C:C0:74:95:67
    Mar 8 15:15:53 wlan0: A wireless client is associated - 00:1C:C0:74:95:67
    Mar 8 15:15:53 wlan0: WPA-AES PSK authentication in progress...
    Mar 8 15:15:53 wlan0: Open and authenticated
    Mar 8 15:16:00 wlan0: A wireless client is deauthenticated - 00:1C:C0:74:95:67
    Mar 8 15:16:03 wlan0: A wireless client is associated - 00:1C:C0:74:95:67
    Mar 8 15:16:03 wlan0: WPA-AES PSK authentication in progress...
    Mar 8 15:16:04 wlan0: Open and authenticated
    Mar 8 15:16:11 wlan0: A wireless client is deauthenticated - 00:1C:C0:74:95:67
    Mar 8 15:16:17 wlan0: A wireless client is associated - 00:1C:C0:74:95:67
    Mar 8 15:16:17 wlan0: A wireless client is associated - 00:1C:C0:74:95:67
    Mar 8 15:16:17 wlan0: A wireless client is associated - 00:1C:C0:74:95:67
    Mar 8 15:16:17 wlan0: WPA-AES PSK authentication in progress...
    Mar 8 15:16:17 wlan0: WPA-AES PSK authentication in progress...
    Mar 8 15:16:17 wlan0: WPA-AES PSK authentication in progress...
    Mar 8 15:16:17 wlan0: Authentication failled! (4-2: ERROR_NONEEQUL_REPLAYCOUNTER)
    Mar 8 15:16:17 wlan0: Authentication failled! (4-2: ERROR_NONEEQUL_REPLAYCOUNTER)
    Mar 8 15:16:17 wlan0: A expired STA is resumed - 00:1C:C0:74:95:67
    Mar 8 15:16:18 wlan0: Open and authenticated
    Mar 8 15:16:24 wlan0: A wireless client is deauthenticated - 00:1C:C0:74:95:67
    Mar 8 15:16:29 wlan0: A wireless client is associated - 00:1C:C0:74:95:67
    Mar 8 15:16:29 wlan0: WPA-AES PSK authentication in progress...
    Mar 8 15:16:29 wlan0: Open and authenticated
    Mar 8 15:28:32 wlan0: A wireless client is deauthenticated - 00:1C:C0:74:95:67
    Mar 8 15:28:37 wlan0: A wireless client is associated - 00:1C:C0:74:95:67
     
    Mike Scott, Mar 14, 2012
    #1

  2. Dave Saville Guest

    Hardly a break-in if it is actually getting authenticated. It is
    coming from a bit of Intel kit if that's any help. Is it always the
    same MAC?
     
    Dave Saville, Mar 15, 2012
    #2

  3. Mike Scott Guest

    Sorry, I could have been clearer. The MAC belongs to a proper local
    laptop, connected by wi-fi. Break-ins typically have a machine that
    spoofs a de-authenticate event, which forces a genuine client to
    re-authenticate itself. (That's what seems to be in the WAP logs.) The
    attacker can then record the authentication packets, take them away and
    crunch them to crack the wifi password. (It won't work here - AES plus a
    long, long, random password means he can try till the proverbial freezes.)

    I'm assuming it's a cracker of some sort - the irritation is not a risk
    that he'll break in, but that we've had a complete DoS as a side-effect
    of a poor attacking system setup, and also that it's kind of not nice to
    think a neighbour is up to this sort of thing. I want to find him.....


    OTOH there may be a perfectly legit explanation, which is why I asked.
     
    Mike Scott, Mar 15, 2012
    #3
  4. Rob Morley Guest

    That's what I was going to suggest.
    Could it be a problem with DHCP that's causing the laptop to keep
    retrying, or an intermittent hardware/driver fault?
     
    Rob Morley, Mar 15, 2012
    #4
  5. GlowingBlueMist Guest

    Try to leave the laptop off for 24 hours or however long you can and
    see if the log file shows it still trying to gain access. If it is then
    MAC spoofing or similar is most likely going on from outside.
     
    GlowingBlueMist, Mar 16, 2012
    #5
  6. Mike Scott Guest

    On 16/03/2012 02:54, GlowingBlueMist wrote:
    .....
    It's a lower level than that. Anyway, dhcp is running fine.
    No; this attack can only occur when there's an existing connection.
    Otherwise there's nothing to disrupt.

    It doesn't happen for days on end - then it will happen all day every
    few minutes. So I'm pretty sure it's nothing in the kit here.
     
    Mike Scott, Mar 16, 2012
    #6
  7. Rob Morley Guest

    This appears to be a deauthentication attack - if there's nothing
    connected then there's nothing to attack. ISTM that if it were a case
    of MAC spoofing the laptop then either the reconnection attempts
    wouldn't authenticate (because the spoofer had duplicated the laptop's
    MAC but hadn't cracked its encryption) or the connection would appear
    OK at the router but behaviour at the laptop would be indeterminate
    (because the spoofer had duplicated its MAC and cracked its encryption,
    which apparently hasn't happened).
     
    Rob Morley, Mar 16, 2012
    #7
  8. Mike Scott Guest

    And won't. The password is generated by a script, and is long, random
    and uses the entire allowed character set (squiggles and all).

    But I do see things like:

    Feb 24 00:49:00 wlan0: WPA-AES PSK authentication in progress...
    Feb 24 00:49:00 wlan0: Open and authenticated
    Feb 24 00:49:17 wlan0: A wireless client is deauthenticated - 00:1C:C0:74:95:67
    Feb 24 00:49:23 wlan0: A wireless client is associated - 00:1C:C0:74:95:67
    Feb 24 00:49:23 wlan0: A wireless client is associated - 00:1C:C0:74:95:67
    Feb 24 00:49:23 wlan0: WPA-AES PSK authentication in progress...
    Feb 24 00:49:23 wlan0: WPA-AES PSK authentication in progress...
    Feb 24 00:49:23 wlan0: Authentication failled! (4-2: ERROR_NONEEQUL_REPLAYCOUNTER)
    Feb 24 00:49:23 wlan0: Open and authenticated
    Feb 24 00:49:23 wlan0: A expired STA is resumed - 00:1C:C0:74:95:67
    Feb 24 00:49:31 wlan0: A wireless client is deauthenticated - 00:1C:C0:74:95:67
    (etc, etc)

    I'm not clear what the exact significance of the apparent double entries
    and the ERROR_NONEEQUL_REPLAYCOUNTER entry is. Suggests some interplay
    between two different clients using the same MAC perhaps.

    I've remembered I have a spare WAP (an old Belkin); maybe I'll rig up
    something to chat to that, even rig up a dummy network for them to break
    into. Even use WEP, and make it easy for them :) I can't see any
    better way forward. But it still won't tell me anything about their kit.
     
    Mike Scott, Mar 16, 2012
    #8
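An added example (not from any poster in this thread) for the defender's side of posts #3 and #8: it parses WAP log lines in the format quoted above, flags any client MAC that is deauthenticated repeatedly inside a short window (the deauth/re-auth cycling Mike describes), and counts the ERROR_NONEEQUL_REPLAYCOUNTER failures he asks about. The sample lines are constructed from the cadence in the thread, the year is assumed because the WAP does not log one, and MACs are assumed to sit on the same line as their event (wrapped continuation lines are skipped).

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the WAP's log format (no year logged, as in the thread).
SAMPLE_LOG = """\
Mar 8 15:15:35 wlan0: A wireless client is deauthenticated - 00:1C:C0:74:95:67
Mar 8 15:15:47 wlan0: A wireless client is deauthenticated - 00:1C:C0:74:95:67
Mar 8 15:16:00 wlan0: A wireless client is deauthenticated - 00:1C:C0:74:95:67
Mar 8 15:16:11 wlan0: A wireless client is deauthenticated - 00:1C:C0:74:95:67
Mar 8 15:16:17 wlan0: Authentication failled! (4-2: ERROR_NONEEQUL_REPLAYCOUNTER)
Mar 8 15:16:24 wlan0: A wireless client is deauthenticated - 00:1C:C0:74:95:67
Mar 8 15:28:32 wlan0: A wireless client is deauthenticated - 00:1C:C0:74:95:67
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+: (.*)$")
MAC_RE = re.compile(r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")


def parse(log_text, year=2012):
    """Return (timestamp, message, mac) tuples; mac is None when absent.
    The year is an assumption: syslog-style WAP lines do not carry one."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # wrapped continuation line or unrelated output: skip
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        mac = MAC_RE.search(m.group(2))
        events.append((ts, m.group(2), mac.group(1).lower() if mac else None))
    return events


def analyse(log_text, window_s=60, threshold=3):
    """Flag MACs with >= threshold deauths inside any window_s-second span and
    count WPA replay-counter failures (duplicated or replayed handshake frames)."""
    deauths, replay_errors = defaultdict(list), 0
    for ts, msg, mac in parse(log_text):
        if "deauthenticated" in msg and mac:
            deauths[mac].append(ts)
        if "ERROR_NONEEQUL_REPLAYCOUNTER" in msg:
            replay_errors += 1
    peak = {}
    for mac, times in deauths.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            peak[mac] = max(peak.get(mac, 0), end - start + 1)
    return {"peak_deauths": peak, "replay_errors": replay_errors,
            "suspicious": sorted(m for m, n in peak.items() if n >= threshold)}
```

Five deauths in under a minute for one client, as in the sample, is far outside what a roaming or driver hiccup produces, which is why the window count rather than the raw total is the useful signal.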
  9. Rob Morley Guest

    The ERROR_NONEEQUL_REPLAYCOUNTER suggests a spoofer might be capturing
    and replaying packets, but that will get them nowhere because WPA is
    protected against that.
    An open(ish) access point is a good idea, especially if it's just a
    script kiddy (which I think they mostly are). Run Firesheep to sniff
    their login sessions to popular insecure websites, if they're foolish
    enough to access them, and you stand a chance of figuring out who they
    are. Of course that's assuming they're just looking for internet access,
    rather than attacking something on your LAN. If the latter you'll want
    to run some sort of honeypot to see what they're up to.
     
    Rob Morley, Mar 16, 2012
    #9
  10. James Egan Guest


    Does it only happen with the MAC of the laptop? If it was an attack
    wouldn't they just choose another connected device if the laptop was
    off?


    Jim
     
    James Egan, Mar 19, 2012
    #10
  11. Mike Scott Guest

    No. Observed with his machine and my own laptop.
    I rarely use my laptop, and then normally use a wired connection. I've
    only noticed it this week in connection with mine - but then I'd made a
    point of "going wireless" and subsequently checking the logs.

    It might still be something innocuous. I don't know if heavy
    interference (e.g. video sender, wireless phone) might have this effect.
     
    Mike Scott, Mar 20, 2012
    #11