Tracing The Wireless Attacker


billyblaxsta

Recommended Posts

Imagine that Alex is sitting in a cafe or library or train and is ARPspoofing or transmitting any kind of "negative" packets (such as deauthentication packets).

If the network administrator noticed that the MAC of the router has changed or that clients were being deauthenticated from the AP then could he successfully trace the source of the packets? And, if so, how?

Thanks - I have been curious about this for a while!


It's possible, but not easily unless the numnuts doing the deauths was sitting in the vicinity. If it were someone outside the building and not sitting right near the victims, you would need some tools to triangulate the source, such as spectrum analyzers and a way to map the MAC address, like Kismet and a GPS - http://wirelessdefence.org/Contents/Kismet%20Wireless%20Mapping.htm

http://searchsecurity.techtarget.com/feature/Hunting-for-rogue-wireless-devices

Edited by digip

Thanks for the links - the searchsecurity looks most interesting. However, it seems to be referring to "rogue APs". If you were using Jasager or similar then indeed you would be a rogue AP.

But what if you were a client just sending out arpspoofing packets and not trying to be an AP?


Well, I imagine you could look in Wireshark to see who is flooding ARP packets on the network. This person would be impersonating the router and end devices who would normally answer the ARP reply. If you know the router's MAC but see messages saying "tell x.x.x.x who has x.x.x.x" constantly and the MAC saying this is always the same but not the router or any known workstation, that is your culprit.

When a normal ARP goes out, a workstation tries to reach a specific IP. If it doesn't know the MAC address, it sends a broadcast ARP, which hits every station on the LAN, forwarded by the router to all end devices. The end device will reply with its IP and MAC and the router will send this back to the requester. If however only one device is answering for everyone, then that device is more than likely the ARP spoofer, since each device will answer for itself; someone else answering for everyone is the spoofer.

You can run "arp -a" in Windows to see what is in your own table. If the gateway listed has a different MAC address than what the router is supposed to have, that is the spoofing attacker's MAC address. For this reason alone, I add static ARP entries on my desktop machine, so nothing can spoof it. You can do the same thing on all workstations, *nix or Windows based. For Windows Vista and later, you have to use the NETSH command. In XP, 2000 and 2003, you use the arp -s command.

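Added example, not code from this thread or its posters: a small Python check for the two signs digip describes, one MAC answering ARP for many IPs in a capture, and the local "arp -a" table listing the gateway with the wrong MAC. The gateway IP/MAC and all sample data are constructed; the reply tuples stand in for what you would read out of Wireshark.

```python
from collections import defaultdict

# Assumed known-good gateway binding (constructed; a real check takes these from the router).
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:11:22:33:44:55"

# Constructed ARP "is-at" replies as (sender IP, sender MAC). The MAC from the
# thread, 00:21:34:8c:7a:dd, answers for the gateway and for other hosts.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1", "00:11:22:33:44:55"),
    ("192.168.1.10", "f0:de:f1:00:00:10"),
    ("192.168.1.1", "00:21:34:8c:7a:dd"),
    ("192.168.1.10", "00:21:34:8c:7a:dd"),
    ("192.168.1.11", "f0:de:f1:00:00:11"),
    ("192.168.1.11", "00:21:34:8c:7a:dd"),
    ("192.168.1.100", "00:21:34:8c:7a:dd"),
]

# Constructed "arp -a" output from a Windows host whose gateway entry is poisoned.
SAMPLE_ARP_A = """Interface: 192.168.1.50 --- 0xb
  192.168.1.1           00-21-34-8c-7a-dd     dynamic
  192.168.1.10          f0-de-f1-00-00-10     dynamic
"""

def normalize_mac(mac):
    """Lower-case with ':' so Windows (00-21-..) and *nix (00:21:..) forms compare."""
    return mac.lower().replace("-", ":")

def find_arp_spoofers(replies, gateway_ip, gateway_mac, min_ips=2):
    """Map MAC -> sorted IPs it claimed, for MACs answering for the gateway IP with
    the wrong address or for >= min_ips IPs (a host normally answers only for itself)."""
    ips_by_mac = defaultdict(set)
    for ip, mac in replies:
        ips_by_mac[normalize_mac(mac)].add(ip)
    suspects = {}
    for mac, ips in ips_by_mac.items():
        wrong_gateway = gateway_ip in ips and mac != normalize_mac(gateway_mac)
        if wrong_gateway or len(ips) >= min_ips:
            suspects[mac] = sorted(ips)
    return suspects

def gateway_mismatch(arp_a_output, gateway_ip, gateway_mac):
    """Return the MAC 'arp -a' lists for the gateway if it is not the known-good one."""
    for line in arp_a_output.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[0] == gateway_ip:
            seen = normalize_mac(parts[1])
            return seen if seen != normalize_mac(gateway_mac) else None
    return None
```

The suspect list only says which MAC is lying; tying that MAC to a person is the part the thread goes on to discuss.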

Thanks for the information. So let's say that the sysadmin says: "I see that 192.168.1.100 at MAC address 00:21:34:8C:7A:DD is pretending to be the router. I know he is somewhere in the building but I can see 50 people using their laptops."

How could the sysadmin find the person?


I don't have the answer on how you would walk up to any specific person and tell them to stop ARP spoofing, but I imagine it depends on the type of network in use, wired only or wifi only, or even a hybrid mesh of wired and wireless. Security of the network is one of the reasons we use authentication, so even if the user managed to authenticate as someone else, if we can determine what user they circumvented, we can shut that user account down, and in part stop the attack.

But let's say for instance it's an Active Directory type of network, Windows domain driven. The admin should be able to remote into the machines by IP if they are authenticated on the domain as workstations or laptops set up by the IT department. The attacker would need to be associated and authenticated on the network to begin with before being able to ARP spoof, so I am assuming they are authenticated in some manner. If it is a corporate network, then more than likely the admin can also RDP into any machine (which they set up, not foreign devices taken into account) and monitor what the user is doing, potentially locking the session of the person running the spoof. This solely depends on the key factors of 1, being an AD domain (or other directory service like Novell, etc.), 2, the machine doing the spoofing being company property, and 3, the admin having the ability to remote into any workstation or server on the network, which they should, depending on their level of access. If the machine is a rogue device, the best you can do at that point is block the MAC address of the rogue device, then implement a better policy for your network authentication so the attacker can't get on it in the first place. (Using the Event Viewer on the domain controller, it's possible to check an audit of successful logins, which will also show the IP associated with it.)

If it's at a place like a cafe, and it's all wireless with an open access point, you can block and deny the user's MAC address (until they spoof their MAC itself and try to come back), but at least you can start there. Using something like a spectrum analyzer to check signals of devices correlated to MAC addresses, as well as something like Kismet and a GPS, you can do a survey of the area and triangulate the approximate location of end devices. Not a simple task, but it can be done. You can also flood the attacker's MAC with deauth packets, knocking them off the network, but an admin of some sort would have to be actively monitoring the situation and being proactive against the attack. (There are also IDS systems that can do some of this for you or alert you of the rogue device.) For securing this wireless network, the admin should instead make it a WPA2 AES encrypted network, then force users to give the admin their MAC address and add them to a whitelist for access (internet cafes would probably not have anyone on hand to do or understand this, so they generally just leave their shit open). If they want an automated setup for authentication, or to charge users for access, then they can do so with a payment gateway/firewall combo that makes them buy airtime, and you could theoretically correlate the end user's MAC to the purchaser and then cut the purchaser's airtime. More likely the cafe would have just set up an open wifi with no security, but it's not impossible to track down someone if you have the time and resources. Better to prevent unauthorized access beforehand though. ;)

Strictly wired Ethernet becomes a bit harder to locate the end user on when it can span over a WAN or many buildings on the same LAN segment, but if you can trace the IP back from the switch port you can both disconnect the end user and then determine where that cable runs to, even if it were dynamically set via DHCP. There are security features built into high end switches and such that can monitor the MAC address associated with the switch port (sticky bits). If it changes, the switch is smart enough to deny access until the first valid known MAC address is seen again. This can be spoofed if the attacker makes their MAC address report as the allowed device, but generally a good place to start if you have the right equipment. The port on the switch it sits on for the LAN would still show the IP tied to the specific port, by which you could then physically remove the Ethernet and drop them from the network. In a small office or home router setup, this would be trivial, since you more than likely are only going to have a few cables to disconnect and check against to find the culprit (although, I would hope in your own home, you know who is using your wired network).

Then there are tools you can install on workstations to prevent and monitor for ARP spoofing attacks (IronGeek even wrote such a tool, I believe). Manually setting static entries for the gateway is always a good idea on servers and workstations, but not exactly realistic to walk around to every machine to do this. You could roll out a policy that automates this setup on your corporate network for you with some scripting fu: since each workstation would know its own MAC address and can be told the gateway's address via DHCP, you could set up a script to add a static entry upon getting an address from DHCP. That is of course if you didn't also have a rogue DHCP server on your network, which in itself would make for a fun attack to try and track down.

Edited by digip
