Possible wlan intrusion


Qchem

This is on a friend's home network, so I apologise in advance for any vague details.

 

The network consists of 5 clients, all connecting to an old Apple AirPort ('b' standard), which is also connected to an ADSL modem/router. Checking his logs recently he's noticed an odd increase in the amount of data uploaded - about 2.7 GB in the space of a day. He is 99% sure that this traffic didn't come from his machine. He knows the neighbours also have a wireless network (he occasionally sees their router), and there are two late-teenage boys in the family who he suspects may have compromised his network (protected by 64-bit WEP encryption). Today he's changing the WEP key, but ideally we need to find out if this truly is some hijacking or just an error in the router log.

 

Having thought about it I came to the conclusion that we could probably use Snort to detect where all these large transfers occur, and my knowledge of Snort (and TCP/IP packets) is very limited. So, the questions are:

 

Is Snort the right tool for the job?

 

Would the machine running Snort need to be between the router and WAP, or can it just spy on the entire network from any location?

 

What should I be looking for in the Snort logs to indicate large uploading of files?

 

Is there a way to get Snort to redirect the "bad" packets or simply kill them somehow?

 

Thanks in advance guys!!

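The question of what to look for in the logs comes down to per-client accounting: which station address carried the bytes, and whether that address is one of the five known clients. The script below is an added example and is not code from the original thread or from any tool named in it. It assumes flow records already reduced to "source MAC, source IP, destination IP, bytes out" (what a per-host traffic summary from a sniffer on the LAN segment could be exported as), a constructed sample of such records, and an assumed inventory of the five client MACs; the 2.7 GB figure in the sample mirrors the post.

```python
"""Per-client upload accounting over flow records (added example, not from
the thread). Totals bytes per source MAC, then flags stations that are not
in the known-client inventory or that exceed an upload threshold."""
from collections import defaultdict
from typing import Dict, Iterator, List, Tuple

# Constructed sample records: "src_mac src_ip dst_ip bytes_out", one flow per
# line. One line is deliberately malformed to show it is skipped, not fatal.
SAMPLE_FLOWS = """\
00:11:22:33:44:01 192.168.1.10 203.0.113.5 120000
00:11:22:33:44:02 192.168.1.11 203.0.113.9 8000
00:11:22:33:44:01 192.168.1.10 198.51.100.7 50000
AA:BB:CC:DD:EE:FF 192.168.1.77 198.51.100.20 1500000000
this line is not a flow record
aa:bb:cc:dd:ee:ff 192.168.1.77 198.51.100.21 1200000000
00:11:22:33:44:03 192.168.1.12 203.0.113.5 3000
"""

# Assumed inventory of the five legitimate clients (hypothetical addresses).
KNOWN_CLIENTS = {
    "00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03",
    "00:11:22:33:44:04", "00:11:22:33:44:05",
}

GB = 1_000_000_000


def parse_flows(text: str) -> Iterator[Tuple[str, str, str, int]]:
    """Yield (mac, src_ip, dst_ip, bytes) tuples; skip blank/malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed record: skip rather than abort the whole run
        mac, src, dst, nbytes = parts
        try:
            yield mac.lower(), src, dst, int(nbytes)  # normalise MAC case
        except ValueError:
            continue  # byte count was not an integer


def upload_by_client(text: str) -> Dict[str, dict]:
    """Aggregate outbound bytes, flow count and destination set per source MAC."""
    totals: Dict[str, dict] = defaultdict(
        lambda: {"ip": None, "bytes": 0, "flows": 0, "dests": set()}
    )
    for mac, src, dst, nbytes in parse_flows(text):
        entry = totals[mac]
        entry["ip"] = src
        entry["bytes"] += nbytes
        entry["flows"] += 1
        entry["dests"].add(dst)
    return dict(totals)


def find_suspects(totals: Dict[str, dict], known=KNOWN_CLIENTS,
                  threshold: int = 1 * GB) -> List[dict]:
    """Return stations that are unknown or over the upload threshold, largest first."""
    suspects = []
    for mac, entry in totals.items():
        reasons = []
        if mac not in known:
            reasons.append("MAC not in client inventory")
        if entry["bytes"] >= threshold:
            reasons.append(f"uploaded {entry['bytes'] / GB:.2f} GB, at or over threshold")
        if reasons:
            suspects.append({"mac": mac, "ip": entry["ip"],
                             "bytes": entry["bytes"], "reasons": reasons})
    suspects.sort(key=lambda s: s["bytes"], reverse=True)
    return suspects


if __name__ == "__main__":
    totals = upload_by_client(SAMPLE_FLOWS)
    for mac, entry in sorted(totals.items(), key=lambda kv: kv[1]["bytes"], reverse=True):
        print(f"{mac} {entry['ip']:<15} {entry['bytes'] / GB:8.3f} GB "
              f"{entry['flows']} flows to {len(entry['dests'])} destinations")
    for s in find_suspects(totals):
        print("SUSPECT", s["mac"], s["ip"], "; ".join(s["reasons"]))
```

Two caveats a practitioner should keep in mind. The sensor only sees what passes its interface, so the records have to be collected at a point every client's traffic crosses (the segment between the access point and the router) or the per-client totals will be incomplete. And because a MAC address is trivially changed, as a later reply in this thread notes, an intruder cloning a known client's address will be charged to that client; the totals still show which station address carried the 2.7 GB, which is the first fact needed to distinguish a real transfer from a logging error.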

Can't really help you with the detecting ... except with tools like iptraf maybe. I think you can add your own "rules" to iptraf. Prelude IDS is another IDS. With my small knowledge about this, I think you need to put a sensor (the IDS can have sensors on multiple locations which collect data to process). If you can't put a sensor on the router I would suggest putting it before the router. Anyway, I can be wrong. But I suppose you should put the sensor where you want to collect info from ...

 

I suppose the best would be to leave the WEP key the same for some time, so they don't suspect anything ... but it seems that happened. I suppose if your system uses iptables or something, you could log suspicious MAC addresses or connections that happen between some hours, I think, or so.

 

But I suppose you know 64-bit isn't secure (at all?). At least you should use 128-bit. And even then a key can be broken in an hour or less I think. I don't know if he/she has it already ... but allowing only certain MAC addresses can also help, and disabling SSID broadcast.

 

If security may take some more time to set up initially, I would suppose a VPN ... an SSH tunnel. There are open-source programs for this which can make it easier I believe?

 

If you really want WEP, you can use a RADIUS server like FreeRADIUS with PEAP or something like that and let a single WEP key be assigned to each individual user and let the WEP key automatically change every 5 minutes or so. I read this in an article earlier. It was interesting.

 

Anyway, I'm no security expert ... but hope it helps some ...

 

If they are connected with the hotspot maybe using "nmap" on the local network can help. You could even try to detect vulnerabilities on their computers if there are other people on the network ...


I've found that the combination of ntop and Ethereal is much simpler than Snort - which is probably overkill for a situation like this.

 

My friend has decided to bite the bullet and go for some newer hardware with 128-bit WEP and WPA; he's also considering implementing a VPN.

 

Thanks for the reply.


2 weeks later...

MAC filtering would do a bit to help too.

 

I want to address a few misconceptions:

 

Cracking WEP requires a very large number of packets; if the traffic on your network is light, it will take weeks to gather enough packets to crack the key, not an hour like someone mentions. Of course, in the case of the neighbours' kids, they had enough time to gather plenty of packets.

 

MAC filtering is a very weak form of protection since most wireless clients will let you change your MAC address. It will only catch the case where the intruders are being sloppy. Again, maybe that's the case with a teenager that downloaded a couple of tools off the Internet.

 

Disabling SSID broadcast does very little also. The access point sends a beacon several times per second and advertises its network name (SSID): all this does is prevent a casual "wardriver" from finding out the name of your network. The problem is, whenever a station associates with the access point, it has to specify the name of the network, so all you have to do is wait for a station to associate. Finally, most stations will "probe" for access points on their current ESSID, in which case the stations will be broadcasting the SSID for everyone to hear.

 

 

If you're serious about security, you want at a minimum WPA-PSK with TKIP encryption. It is the simplest of the secure solutions. It ensures that each station gets a different key, so different stations can't understand other stations' traffic (with WEP, everyone uses the same key); also, TKIP basically changes the "WEP" key for every packet being sent out, making it much, much harder to crack.

If you want to be paranoid, find hardware that will support the AES encryption standard.

 

And of course, first things first, make sure you change the default password in your router/access point. One of my neighbours is still using the factory default despite my warning him about that fact already.


I'm everything but an expert in this, but I believe you can force a network to broadcast packets I think ... not sure though. Of course, if this is possible, do you make your cracking attempt visible? Anyway, don't use WEP unless it's your only choice. If you use WPA with 128-bit encryption (this should be the minimum anyway I think) or/and a strong password (also necessary ...), there was also a way to crack it I believe. Don't know how long it takes however.


I'm everything but an expert in this, but I believe you can force a network to broadcast packets I think ... not sure though. Of course, if this is possible, do you make your cracking attempt visible? Anyway, don't use WEP unless it's your only choice. If you use WPA with 128-bit encryption (this should be the minimum anyway I think) or/and a strong password (also necessary ...), there was also a way to crack it I believe. Don't know how long it takes however.

 

WEP can be cracked regardless of the password given enough packets captured.

 

I don't know of any ways to force a network to broadcast encrypted packets without being yourself an encrypted station (i.e. knowing the WEP key already) so I'd love to learn how.

 

The only known issue with WPA is if you use WPA-PSK (Pre-Shared Key, as opposed to using a RADIUS server) and if you use a weak password: it has been demonstrated that a dictionary attack can be mounted pretty effectively. As long as your password is immune to a dictionary attack, you are fine. Note that the dictionary attack is used in the authentication phase, so it doesn't matter what encryption you use with WPA (TKIP or AES).
