On 07/04/2010 10:59 AM, Hroðgar Skjöldung wrote:
> Hi! -- sorry for the long email/story --
> I was suspicious that someone was breaking into my wifi; it was subtle, like
> the hijack was throttling in unison with my internet usage. It also looks like
> he/she is using a homebrew VPN going to unregistered IPs. Unfortunately, I am
> using a D-Link DI-524. Since I am monitoring activity via the 'router',
> stuff like tcpdump is almost useless (unless there is a technique I am
> not aware of)... I will get a Linux-based wifi router soon.
>
> If you are familiar with the D-Link routers, could you provide suggestions?
> Script kiddies can crack WAP/WEP; are there alternatives?
>
> 1) I have MAC filters on, 2) I have added domain IP filters, 3) I have
> been changing the password, 4) I have hidden the SSID.
> The more experienced will know that most of this is useless. There
> is no gain control on this router!
>
> Finally, it turns out that I was right, there is someone on my wifi, but what
> now? What does one do in Canada/Québec? Do I call the CRTC, my ISP, write
> an FU2 attack...? Any techniques on triangulating wifi clients? I have a
> Wi-Spy, a parabolic dish, and a baseball bat. Just a joke, I don't like
> baseball ;) ;)
>
> BTW: Also, my Mac finds the VPN and adds it to my routes! (?)
> ?? Route broadcasting on a hijack? Any suggestions from the security gurus?
>
> Many thanks, thank you,
> Hroth
>
> PS. Does anyone know if this is correct? My D-Link MACs both seem to be the
> same address, assigned to "Alpha Networks Inc."
Are you sure the VPN is not the router calling home? I have seen this behaviour before... I mean, if all you see is a VPN and occasional slowdowns, I would not assume this is a cracker necessarily. Do you see their IP in ping sweeps? What if you blackhole the VPN endpoint IP?

If you want to tcpdump, you could put a computer in bridged mode between the router and the internet. You can use Kismet to look at your wifi and see what clients it detects.

Make sure your router firmware is at the latest version; some have holes in HTTP access that allow remote entrance. You can often turn off wifi access to the router admin page...

If you change your WPA password and then sniff for wireless traffic on your MAC and your channel etc., you should see the brute-force attacks; if it is WEP you should see disassociation requests and associated traffic. Aircrack-ng has a bunch of tools that would help here. Airodump will give you a nice huge pcap file to look at in Wireshark etc.

Jeremy
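As an added illustration of the check Jeremy describes (this is not code from the list or from Aircrack-ng/Kismet): a small Python parser for 802.11 management frames that counts deauthentication/disassociation frames per claimed sender and lists stations that authenticate or associate without being on your own allow-list. The frame bytes and MAC addresses are constructed for the example, and it assumes the radiotap header has already been stripped from each captured frame.

```python
import struct
from collections import Counter

# 802.11 management subtypes (frame type 0) relevant to this check
MGMT_SUBTYPES = {0x0: "assoc-req", 0x1: "assoc-resp", 0x4: "probe-req",
                 0x8: "beacon", 0xA: "disassoc", 0xB: "auth", 0xC: "deauth"}

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_mgmt_frame(frame: bytes):
    """Decode the 24-byte 802.11 header of a management frame (radiotap header already
    stripped, an assumption). Returns None for data/control frames or truncated input."""
    if len(frame) < 24:
        return None
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0:  # 0 = management; control (1) and data (2) frames are skipped
        return None
    rec = {"subtype": MGMT_SUBTYPES.get(subtype, f"mgmt-{subtype:#x}"),
           "dst": mac_str(frame[4:10]), "src": mac_str(frame[10:16]),
           "bssid": mac_str(frame[16:22])}
    if subtype in (0xA, 0xC) and len(frame) >= 26:  # disassoc/deauth carry a reason code
        rec["reason"] = struct.unpack_from("<H", frame, 24)[0]
    return rec

def analyze(frames, known_stations, kick_threshold=3):
    """Count deauth/disassoc frames per claimed sender (a burst 'from' the AP is the
    disassociation pattern Jeremy describes) and list stations not on the allow-list."""
    kicks, unknown = Counter(), set()
    for rec in filter(None, map(parse_mgmt_frame, frames)):
        if rec["subtype"] in ("deauth", "disassoc"):
            kicks[rec["src"]] += 1
        elif rec["subtype"] in ("auth", "assoc-req") and rec["src"] not in known_stations:
            unknown.add(rec["src"])
    flood = {src for src, n in kicks.items() if n >= kick_threshold}
    return {"kicks": dict(kicks), "flood_sources": flood, "unknown_stations": unknown}

# Constructed sample frames (hex), not real traffic: a beacon, three deauths and one
# disassociation "from" the AP at a known laptop, a data frame, and an assoc request
# from a MAC that is not on the allow-list.
AP, LAPTOP, STRANGER = "00:11:22:33:44:55", "aa:bb:cc:dd:ee:01", "66:77:88:99:aa:bb"
SAMPLE = [bytes.fromhex(h) for h in [
    "80000000ffffffffffff0011223344550011223344550000",      # beacon
    "c0000000aabbccddee0100112233445500112233445500000700",  # deauth, reason 7
    "c0000000aabbccddee0100112233445500112233445500000700",
    "c0000000aabbccddee0100112233445500112233445500000700",
    "a0000000aabbccddee0100112233445500112233445500000800",  # disassoc, reason 8
    "08000000aabbccddee0100112233445500112233445500000000",  # data frame, skipped
    "0000000000112233445566778899aabb0011223344550000",      # assoc-req from stranger
]]
```

Real input would be the frames from a monitor-mode capture such as the airodump-ng pcap Jeremy mentions, with `known_stations` set to the MACs of your own clients.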
