Have I Said Yes To Jasager?

[Pwnd2Pwnr]

Good evening, everyone. I have been monitoring my traffic and found something rather peculiar... all of the APs; besides one; has minimum to no packets being sent to me... but this one...

airodump-ng mon0

I have checked my logs and found no intrusion... I routinely check my areas APs... but that is outrageous... I think I have met a YES MAN... Ja...

Any ideas why this AP is going postal on me? It isn't causing me problems... yet... so I was thinking about some MDK... but I want to make sure I am being attacked before I make any hasty decisions.

[bobbyb1980]

Don't understand what exactly you're saying (airodump-ng mon0 will listen to all AP's), but if you think you have a wifi warrior on your grounds, go physically search for them, they can't be far.

[Pwnd2Pwnr]

I was checking around my area and found that this router is blasting me with packets... A SHIT LOAD... it sends more data than my router to my Alfa... lol... bet he likes my MAC... FR:EE:HU:GS:4Y:OU... in hexdecimal I do believe...

[Life like Opossum]

Too directly answer your question. No you did not say "Yes" to the yes man. It seems someone may be attempting something on your network. I would suggest blocking the MAC, should keep him off you (until he changes his MAC anyway).

[digip]

From that picture, I can't determine anything as an attack. You need to monitor your AP only, and then under it in airodump, you would see probes for your SSID (Make it unique) and if you see probes for your SSID, then yes, I would say someones is trying to connect. Most routers also have logging features. If yours does, enable the logs, and it will show you connections for inbound and outbound traffic.

As for jasegar, the yes man factor, is if 1, you we're deauthed from your access point by someone(which if is happening, disable auto reconnect on your OS) by default your OS would try to reconnect to the same SSID, for which if its setup to auto reconnect, you very well could be saying "yes" to the man and they could steal your WPA2 handshake if only doing deauths to watch you reconnect, or 1, impersonate your router to which it would only connect to them if your router was an open access point and not setup for WEP or WPA. If you setup your AP as WEP or WPA2, yoru OS is going to remember the connection settings, and should by default not connect to something setup differently than what it was set for. If your home AP is open, then yes, the jasegar effect would certainly be in play, and the only way you would know, is if you checked the actual gateway MAC address against your home router's(which they could still spoof anyway, so thats a 50/50 chance).

Also, how the hell did you manage to get the OS to use "FR:EE:HU:GS:4Y:OU"? MAC addresses only allow hex 0-9 and a-f, so that MAC address in itself, should not even be possible, on any hardware, router or NIC.

Edited October 11, 2012 by digip

[Pwnd2Pwnr]

Thanks for the knowledge, everyone! I "blacklisted" the MAC... I started several APs with spoofed macs to see if it is just a monitor mode. It would seem it was only me who was being attacked; I ran a netstat -ano and saw nothing unusual... I think I was successful in deauthing his MAC.

FREEHUGS is in Hex... I reread the post and deemed I was far from concise... but the hugs shows up a bit... sorry for misleading :X

As for the dingbat sending me all that data... I hope he likes honey! :P

[digip]

Do you have WPS enabled? They could be trying a reaver attack if it is. Make sure you have it turned off.

[murder_face]

I don't mean to hijack your thread Pwnd, but you got me wondering so I decided to look at some of the traffic in my area. I know who de:ad:00:00:be:ef belongs to, but the 5th station from the bottom(a8:16:b2:e0:c4:35) has me a little curious....

[Pwnd2Pwnr]

Digip: The funny part of the story is that I got my WEP 2WIRE out and wanted to see if anyone took notice ;)... this guy took my bait... he is running a WPA2/PSK. I monitored the traffic a bit more and noticed that he was not active last night; this morning, however, his traffic is spiked all over my WEP. I have a huge log of back-packets (get it? :) ) and am checking to see if there are multiple MACs just to be certain his n00b sauce is spread on, nice and thick (I am certain he has no clue I have streamed his traffic since the beginning of this thread). However, I would like to test a list I made, but it was corrupted during its' burning process to disc. A little pissed, given it was a very nice list to work with here locally. I had a 68-70 % success rate with in a small package... damn it to hell. I made it on Win 7 through WinRTgen... I don't know where to start on this here Linux box. Man, here goes; what is your guys' opinion for the best tool so I can regenerate a numerical list from BT5? Sorryz... thought I would ask :P

Murder: At -93... they are distant... but that may be an encrypted tunnel, perhaps a PPTP encrypted network. I don't know though; I only come to this conclusion because of the odd characters... hmmm... interesting to say the least. I went to a local Holiday Inn a couple days back with my PC because it was packed with cars; no idea what was going on in there... but over 50 laptops were in use... lol...

Edited October 12, 2012 by Pwnd2Pwnr

[digip]

If you have more than one router at home, setup an open network or WEP on the second one, and let him connect and try to hack in. Keep the second router off the internet, just hooked to one machine(if you have one to spare), setup something like lamp and a fake web page or captive portal, so every page he tries to get to, shows him a fake pre-made page, like a forwarder to your self hosted site, and just have goatse or nyan cat playing 24/7 for every site he tries to go to. I think pfsense lets you setup captive portals too, and can redirect all traffic to a self hosted page(generally meant for login access to the proxy to get internet access, or even paid access to the internet, ala Cafe wifi portals). Would be interesting to just see who cracks your WEP and what they try to do. Just be sure to keep tcpdump or wireshark running and logging to disk. If they've been consistently trying to get in, a WEP enabled router would probably be the first thing they go after and lure them in. Its your home network, so as far as I'm concerned, enter at ye own risk...

Hell, I'd have fun and just serve like a www index with some pics named like, "naked_sarah_palin.jpg" type stuff, and all the images would be pics of goatse, see how many things they try to download or click on. Sure they'll get the hint after a few of those to keep off the network, or just clone lemonparty.com and make every site show the same thing to them. Should keep them busy for a while. Especially if its not hooked to the internet or any other part of the home network.

[novatore]

So I think I understand the concept of jasager, but why would an excess of packets be indicative of one?

[murder_face]

Would this work if i set up an ad-hoc connection on a non priviledged account on my main PC? I have noticed a station named "WPATubez" on my airodump scans lately. My only problem is that I don't have a spare router. I have searched "WPATubez" and found a post talking about a sealed rubbermaid container on the roof of a BestBuy and an AP named WPATubez. Which leads me to believe that there is a pineapple or something near.

If you have more than one router at home, setup an open network or WEP on the second one, and let him connect and try to hack in. Keep the second router off the internet, just hooked to one machine(if you have one to spare), setup something like lamp and a fake web page or captive portal, so every page he tries to get to, shows him a fake pre-made page, like a forwarder to your self hosted site, and just have goatse or nyan cat playing 24/7 for every site he tries to go to. I think pfsense lets you setup captive portals too, and can redirect all traffic to a self hosted page(generally meant for login access to the proxy to get internet access, or even paid access to the internet, ala Cafe wifi portals). Would be interesting to just see who cracks your WEP and what they try to do. Just be sure to keep tcpdump or wireshark running and logging to disk. If they've been consistently trying to get in, a WEP enabled router would probably be the first thing they go after and lure them in. Its your home network, so as far as I'm concerned, enter at ye own risk...

Hell, I'd have fun and just serve like a www index with some pics named like, "naked_sarah_palin.jpg" type stuff, and all the images would be pics of goatse, see how many things they try to download or click on. Sure they'll get the hint after a few of those to keep off the network, or just clone lemonparty.com and make every site show the same thing to them. Should keep them busy for a while. Especially if its not hooked to the internet or any other part of the home network.

[digip]

ad-hoc mode is pc to pc more or less. You want to set up a soft AP if you only have a PC to work with. Darren I think did an episode on how to do it in WIndows 7, and for linux side, there are a number of tools to do it, like Karma and some others I can't think the name of. One of which I think is in the aircrack suite.

Edited October 13, 2012 by digip

[Pwnd2Pwnr]

LOLs.... love it... you guys may want to try this... but be cautious; I could be playing with fire. The vic may or may not be l337, that is my overall goal... this honey AP is soooo sweet. No pun intended :)

I will post pics of my servers when I get the chance... :P

Aircrack =/> the rest... is it aireplay-ng -0 100 -b 00:XX:XX:XX:XX:XX -e Vic SSID -w output mon0 ? I have been messing with the crack suite for a while (the 100 option is a little ridiculous, you may want to change the attack option before tacking 100 - just to be clear)

Edited October 13, 2012 by Pwnd2Pwnr

[Pwnd2Pwnr]

Would this work if i set up an ad-hoc connection on a non priviledged account on my main PC? I have noticed a station named "WPATubez" on my airodump scans lately. My only problem is that I don't have a spare router. I have searched "WPATubez" and found a post talking about a sealed rubbermaid container on the roof of a BestBuy and an AP named WPATubez. Which leads me to believe that there is a pineapple or something near.

WPATubez with a Z... OK... got it... checked out a thread that says something about Geeksquad... hmmm... sounds like a proxy tunnel to India that assists Best Buy Geek Squad remotely... Google WPATubez Essid... that will get something going for ya!

Edited October 13, 2012 by Pwnd2Pwnr

[digip]

Are you attacking someones SSID or defending your own? Is the traffic increase, for sure, coming to you, or are you just seeing someone else's router have a lot of traffic and thinking they were attacking yours? Because again, the original pic, does little to explain how you know they are attacking you. Is it Your SSID that you see a tone of data i/o on when you aren't using the wifi in your home?

[digip]

So I think I understand the concept of jasager, but why would an excess of packets be indicative of one?

Thats what I am trying to get at too, because I don't see how any of this has to do with Jasegar, unless its him doing it to others...

[Pwnd2Pwnr]

Thats what I am trying to get at too, because I don't see how any of this has to do with Jasegar, unless its him doing it to others...

I was just thinking it was a pineapple because of how many packets were being sent to me. I am what you would call moderately to severely broke :( ... wish I could say yes.

But, I digress, I figured the "attackers" AP was connected to me... but it wasn't.

[Pwnd2Pwnr]

Are you attacking someones SSID or defending your own? Is the traffic increase, for sure, coming to you, or are you just seeing someone else's router have a lot of traffic and thinking they were attacking yours? Because again, the original pic, does little to explain how you know they are attacking you. Is it Your SSID that you see a tone of data i/o on when you aren't using the wifi in your home?

The pic was a selection from the screen. I am seeing that I should have posted the entire pic. Not just select from within it.

The large number is the #/s column. It was shooting packets at me like there was no tomorrow. I would stop the dump; restart the dump; and it would spike the packet rate; the WEP above the WPA2 is the honeypot. My router wasn't even transmitting that much data and I am WAY closer than he/she is. It could have been a lot of meaningless traffic. But, the reason I started the entire WEP honeypot was because of slow connections. I figured someone kept deauth'n me or something of the sort. It could have been a bunch of garbage traffic; but when I can't stream at SD quality, someone must be doing something.

Occam's Razor:

Losing bandwidth. Made WEP honeypot. Saw spike of traffic. Came to you guys. Posted a not so informative pic because of ToS rules (wasn't sure if it was a violation of posting that stuff).

To be clear, I do not own a PIneapple, so I was unsure why that many packets were being sent. I figured someone was stealing my IVs. Probably did... but I kind of want that.

I do not know how the Pineapple sends out its packets. If anyone of you has an extra one sitting around, you can send it to me if you have no need or love for it :).

Hope ya guys have a good one. Rain in my forecast. Cold weather is upon us!

Edited October 13, 2012 by Pwnd2Pwnr

[digip]

The large number is the #/s column. It was shooting packets at me like there was no tomorrow. I would stop the dump; restart the dump; and it would spike the packet rate; the WEP above the WPA2 is the honeypot. My router wasn't even transmitting that much data and I am WAY closer than he/she is. It could have been a lot of meaningless traffic. But, the reason I started the entire WEP honeypot was because of slow connections. I figured someone kept deauth'n me or something of the sort. It could have been a bunch of garbage traffic; but when I can't stream at SD quality, someone must be doing something.

That makes more sense now and I can see your concern, and also why I would setup the honeypot WEP router to fuck with people ;) Check the softAP one too, might work with a VM and an extra USB Wifi NIC and a captive portal setup, just mess with the fucker whos trying to get into your system. In general, see if you can log that traffic thats gettign spicked with wireshark though, and see what the traffic looks like. I don't remember the code (you could run a deauth yourself to test and capture for comparison) for there are hex codes in frames I beleive that signify a deauth. Darren might even know or someone else, could post a wireshark filter to look just for deuahth packets, and see if thats what the person is doing.

Once you know for sure, then come some fun, if you've got say a GPS and a laptop with wifi, I'd walk the neighborhood and try to get a fixture on the signal and triangulate the approximate home its coming from, then if you know for sure where its at, give a knock on the door and ask them to stop. They might not know what to say, but if I could trace it back to the direct home, I'm one of those people that have no problem knocking on the door to confront someone. With your prior records, that might not be a good situation though..lol, but at a minimum, get a fixed location on the target, and leave them a nice note in the mailbox about what they are doing, let them know if they continue, you'll press charges or something. Scare them off, see if it stops. Sounds to me though, like they may be trying a reaver attack though, because if it were deauths, you'd be getting booted off constantly. And if it were only to get a WPA handshake, that only takes a few deauths and repeat a few times before they would have it. With WEP, they would be generating a ton of traffic to try and get the IV's to spike so they can crack the key, which is trivial and can be done in less then 3-6 minutes, but WPA2, if you are seeing a lot of traffic, its most likely a reaver attack or MDk3 beacon flooding. The other thing is, could also just be some idiot with crappy wifi equipment thats on the same channel as you and he uses same SSID(but that could be fixed in just changing yoru SSID and see if they come back at you).

Edited October 13, 2012 by digip