RE: How to track down a wireless hacker

From: ep (captgoodnight@hotmail.com)
Date: Wed Nov 07 2007 - 17:31:22 EST


A honeypot/honeycookie tangent will catch something but then again it might
not be the same intruder...Though it does read like ya got the mac address.

It might be as simple and lucky if it's a kiddie and they setup emech. You
can catch the config info and log into the irc channel, start a
conversation....But usually those types are in other countries...Reads like
ya working with a local intruder who isn't interested in adding to a 'rootz'
list.

So setup a duplicate of the previously vulnerable wireless configuration and
from a secure linux laptop (only thing on the segment) simply every 15
minutes pass some unique clear text working credentials to a internet facing
service you can monitor, like a ftp server or pop3 account. Wait for the
connection/authentication and log the ip, then get law enforcement and the
what I think will be a local ISP involved. Treat those credentials or
whatever method you use for a cookie as something only tied to the
intruder/s. Heck, bait the service with some false interesting info and see
if they try to use it, or spread it to other peoples, track those
connections, see if it's a web of peoples. Make it a security project...

A wrt54g kismet drone and some logging will go a long ways to.

If you take this challenge :) I suggest http://www.honeynet.org/, there's
some legal gotchas in honeypot/honeycookie play.

Just 2 cents, have fun

cg

-----Original Message-----
From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com] On
Behalf Of Nicholas Chapel
Sent: Wednesday, November 07, 2007 11:36 AM
To: jond
Cc: pen-test@securityfocus.com
Subject: Re: How to track down a wireless hacker

On 11/6/07, jond <x@jond.com> wrote:
> However they also asked me if it's possible to track down the attacker
> if this happened again. From what I know, it's not possible is it?

It's *possible*, but that's not saying much. My understanding is that it
would basically involve tracking the physical signal. Which is far, far
more effort than is practical given that you've got every client station
transmitting on the same channel.

> If the attacker didn't change their MAC address, and say the companies
> lawyers could get some sort of court order to intel, dell, etc to
> release which MAC address went to which computer and who bought said
> computer. Does the manufacture even keep that info?

I would be absolutely astounded if they did have that record. And since
it's trivial to change the software MAC address, any 'evidence'
would be sketchy at best.

> If the attacker did change their MAC address, the real MAC address
> will never transverse the wire(AIR) right, or is it still in the
> packet somewhere?

That's correct, the MAC would never make it into the packets.

> Any other thoughts or ideas to track someone down?

Look for suspicious types sitting around with a laptop and an antenna?
 Otherwise, good luck. Personally, I'd recommend locking down the WLAN and
just ensuring that it isn't likely to be compromised again.
It seems like what the client is asking would just be a snipe hunt.

I figure the best shot you have is if the intruder is *really dumb*, and
accessed or transmitted information over the network that would be
personally identifying. Of course you need a packet capture for that, and
at this point unless your client is so into catching this guy that they're
willing to have you set up a honeypot and pray that he decides to connect
again, it seems to me like you're pretty much SOL.

--Nick

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:12 EDT