
is this a wi-fi break-in attempt?



 
 
#1
March 14th 12, 08:31 PM, posted to uk.comp.home-networking
Mike Scott

Can anyone shed light please? My WAP logs messages like those below,
showing repeated deauthentication and reauthentication events. The
interval between events was so short it made the wireless link totally
unusable. It "went away" when I switched channel.

Now they've restarted on the new channel, but seem wider spaced, and
there are periods when nothing untoward appears at all.

It /could/ be a sign of someone attempting to break in (and learning as
(s)he goes). Is there any other plausible explanation?

And if it is a break-in attempt, how can I best get a handle on the culprit?

Thanks for any thoughts.


Mar 8 13:19:10 wlan0: A wireless client is associated - 00:1C:C0:74:95:67
Mar 8 13:19:10 wlan0: WPA-AES PSK authentication in progress...
Mar 8 13:19:10 wlan0: Open and authenticated
Mar 8 15:15:35 wlan0: A wireless client is deauthenticated - 00:1C:C0:74:95:67
Mar 8 15:15:40 wlan0: A wireless client is associated - 00:1C:C0:74:95:67
Mar 8 15:15:40 wlan0: WPA-AES PSK authentication in progress...
Mar 8 15:15:40 wlan0: Open and authenticated
Mar 8 15:15:47 wlan0: A wireless client is deauthenticated - 00:1C:C0:74:95:67
Mar 8 15:15:53 wlan0: A wireless client is associated - 00:1C:C0:74:95:67
Mar 8 15:15:53 wlan0: WPA-AES PSK authentication in progress...
Mar 8 15:15:53 wlan0: Open and authenticated
Mar 8 15:16:00 wlan0: A wireless client is deauthenticated - 00:1C:C0:74:95:67
Mar 8 15:16:03 wlan0: A wireless client is associated - 00:1C:C0:74:95:67
Mar 8 15:16:03 wlan0: WPA-AES PSK authentication in progress...
Mar 8 15:16:04 wlan0: Open and authenticated
Mar 8 15:16:11 wlan0: A wireless client is deauthenticated - 00:1C:C0:74:95:67
Mar 8 15:16:17 wlan0: A wireless client is associated - 00:1C:C0:74:95:67
Mar 8 15:16:17 wlan0: A wireless client is associated - 00:1C:C0:74:95:67
Mar 8 15:16:17 wlan0: A wireless client is associated - 00:1C:C0:74:95:67
Mar 8 15:16:17 wlan0: WPA-AES PSK authentication in progress...
Mar 8 15:16:17 wlan0: WPA-AES PSK authentication in progress...
Mar 8 15:16:17 wlan0: WPA-AES PSK authentication in progress...
Mar 8 15:16:17 wlan0: Authentication failled! (4-2: ERROR_NONEEQUL_REPLAYCOUNTER)
Mar 8 15:16:17 wlan0: Authentication failled! (4-2: ERROR_NONEEQUL_REPLAYCOUNTER)
Mar 8 15:16:17 wlan0: A expired STA is resumed - 00:1C:C0:74:95:67
Mar 8 15:16:18 wlan0: Open and authenticated
Mar 8 15:16:24 wlan0: A wireless client is deauthenticated - 00:1C:C0:74:95:67
Mar 8 15:16:29 wlan0: A wireless client is associated - 00:1C:C0:74:95:67
Mar 8 15:16:29 wlan0: WPA-AES PSK authentication in progress...
Mar 8 15:16:29 wlan0: Open and authenticated
Mar 8 15:28:32 wlan0: A wireless client is deauthenticated - 00:1C:C0:74:95:67
Mar 8 15:28:37 wlan0: A wireless client is associated - 00:1C:C0:74:95:67

--
Mike Scott (unet2 at [deletethis] scottsonline.org.uk)
Harlow Essex England
#2
March 15th 12, 10:06 AM, posted to uk.comp.home-networking
Dave Saville

On Wed, 14 Mar 2012 20:31:37 UTC, Mike Scott
wrote:

> Can anyone shed light please? My WAP logs messages like those below,
> showing repeated deauthentication and reauthentication events. The
> interval between events was so short it made the wireless link totally
> unusable. It "went away" when I switched channel.
>
> Now they've restarted on the new channel, but seem wider spaced, and
> there are periods when nothing untoward appears at all.
>
> It /could/ be a sign of someone attempting to break in (and learning as
> (s)he goes). Is there any other plausible explanation?
>
> And if it is a break-in attempt, how can I best get a handle on the culprit?
>
> Thanks for any thoughts.
>
> Mar 8 13:19:10 wlan0: A wireless client is associated - 00:1C:C0:74:95:67
> Mar 8 13:19:10 wlan0: WPA-AES PSK authentication in progress...
> Mar 8 13:19:10 wlan0: Open and authenticated

Hardly a break in if it is actually getting authenticated. It is
coming from a bit of Intel kit if that's any help. Is it always the
same MAC?

--
Regards
Dave Saville
#3
March 15th 12, 02:30 PM, posted to uk.comp.home-networking
Mike Scott

On 15/03/12 10:06, Dave Saville wrote:
> On Wed, 14 Mar 2012 20:31:37 UTC, Mike Scott
> wrote:
>
>> Can anyone shed light please? My WAP logs messages like those below,
>> showing repeated deauthentication and reauthentication events. The
>> interval between events was so short it made the wireless link totally
>> unusable. It "went away" when I switched channel.
>>
>> Now they've restarted on the new channel, but seem wider spaced, and
>> there are periods when nothing untoward appears at all.
>>
>> It /could/ be a sign of someone attempting to break in (and learning as
>> (s)he goes). Is there any other plausible explanation?
>>
>> And if it is a break-in attempt, how can I best get a handle on the culprit?
>>
>> Thanks for any thoughts.
>>
>> Mar 8 13:19:10 wlan0: A wireless client is associated - 00:1C:C0:74:95:67
>> Mar 8 13:19:10 wlan0: WPA-AES PSK authentication in progress...
>> Mar 8 13:19:10 wlan0: Open and authenticated
>
> Hardly a break in if it is actually getting authenticated. It is
> coming from a bit of Intel kit if that's any help. Is it always the
> same MAC?


Sorry, I could have been clearer. The MAC belongs to a proper local
laptop, connected by wi-fi. Breakins typically have a machine that
spoofs a de-authenticate event, which forces a genuine client to
re-authenticate itself. (That's what seems to be in the WAP logs.) The
attacker can then record the authentication packets, take them away and
crunch them to crack the wifi password. (It won't work here - AES plus a
long, long, random password means he can try till the proverbial freezes.)

I'm assuming it's a cracker of some sort - The irritation is not a risk
that he'll break in, but that we've had a complete DOS as a side-effect
of a poor attacking system setup, and also that it's kind-of not nice to
think a neighbour is up to this sort of thing. I want to find him.....


OTOH there may be a perfectly legit explanation, which is why I asked.


--
Mike Scott (unet2 at [deletethis] scottsonline.org.uk)
Harlow Essex England
#4
March 15th 12, 03:20 PM, posted to uk.comp.home-networking
Rob Morley

On Thu, 15 Mar 2012 14:30:15 +0000
Mike Scott wrote:

> Sorry, I could have been clearer. The MAC belongs to a proper local
> laptop, connected by wi-fi. Breakins typically have a machine that
> spoofs a de-authenticate event, which forces a genuine client to
> re-authenticate itself. (That's what seems to be in the WAP logs.)
> The attacker can then record the authentication packets, take them
> away and crunch them to crack the wifi password.

That's what I was going to suggest.

> I'm assuming it's a cracker of some sort - The irritation is not a
> risk that he'll break in, but that we've had a complete DOS as a
> side-effect of a poor attacking system setup, and also that it's
> kind-of not nice to think a neighbour is up to this sort of thing. I
> want to find him.....
>
> OTOH there may be a perfectly legit explanation, which is why I asked.

Could it be a problem with DHCP that's causing the laptop to keep
retrying, or an intermittent hardware/driver fault?

#5
March 16th 12, 02:54 AM, posted to uk.comp.home-networking
GlowingBlueMist

On 3/15/2012 10:20 AM, Rob Morley wrote:
> On Thu, 15 Mar 2012 14:30:15 +0000
> Mike wrote:
>
>> Sorry, I could have been clearer. The MAC belongs to a proper local
>> laptop, connected by wi-fi. Breakins typically have a machine that
>> spoofs a de-authenticate event, which forces a genuine client to
>> re-authenticate itself. (That's what seems to be in the WAP logs.)
>> The attacker can then record the authentication packets, take them
>> away and crunch them to crack the wifi password.
>
> That's what I was going to suggest.
>
>> I'm assuming it's a cracker of some sort - The irritation is not a
>> risk that he'll break in, but that we've had a complete DOS as a
>> side-effect of a poor attacking system setup, and also that it's
>> kind-of not nice to think a neighbour is up to this sort of thing. I
>> want to find him.....
>>
>> OTOH there may be a perfectly legit explanation, which is why I asked.
>
> Could it be a problem with DHCP that's causing the laptop to keep
> retrying, or an intermittent hardware/driver fault?

Try to leave the laptop off for 24 hours or however long you can and
see if the log file shows it still trying to gain access. If it is then
MAC spoofing or similar is most likely going on from outside.
#6
March 16th 12, 07:58 AM, posted to uk.comp.home-networking
Mike Scott

On 16/03/2012 02:54, GlowingBlueMist wrote:
.....
>>> OTOH there may be a perfectly legit explanation, which is why I asked.
>>
>> Could it be a problem with DHCP that's causing the laptop to keep
>> retrying, or an intermittent hardware/driver fault?

It's a lower level than that. Anyway, dhcp is running fine.

> Try to leave the laptop off for 24 hours or however long you can and
> see if the log file shows it still trying to gain access. If it is then
> MAC spoofing or similar is most likely going on from outside.


No; this attack can only occur when there's an existing connection.
Otherwise there's nothing to disrupt.

It doesn't happen for days on end - then it will happen all day every
few minutes. So I'm pretty sure it's nothing in the kit here.


--
Mike Scott (unet2 at [deletethis] scottsonline.org.uk)
Harlow Essex England
#7
March 16th 12, 03:10 PM, posted to uk.comp.home-networking
Rob Morley

On Thu, 15 Mar 2012 21:54:17 -0500
GlowingBlueMist wrote:

> Try to leave the laptop off for 24 hours or however long you can and
> see if the log file shows it still trying to gain access. If it is
> then MAC spoofing or similar is most likely going on from outside.


This appears to be a deauthentication attack - if there's nothing
connected then there's nothing to attack. ISTM that if it were a case
of MAC spoofing the laptop then either the reconnection attempts
wouldn't authenticate (because the spoofer had duplicated the laptop's
MAC but hadn't cracked its encryption) or the connection would appear
OK at the router but behaviour at the laptop would be indeterminate
(because the spoofer had duplicated its MAC and cracked its encryption,
which apparently hasn't happened).

#8
March 16th 12, 04:23 PM, posted to uk.comp.home-networking
Mike Scott

On 16/03/12 15:10, Rob Morley wrote:
> On Thu, 15 Mar 2012 21:54:17 -0500
> wrote:
>
>> Try to leave the laptop off for 24 hours or however long you can and
>> see if the log file shows it still trying to gain access. If it is
>> then MAC spoofing or similar is most likely going on from outside.
>
> This appears to be a deauthentication attack - if there's nothing
> connected then there's nothing to attack. ISTM that if it were a case
> of MAC spoofing the laptop then either the reconnection attempts
> wouldn't authenticate (because the spoofer had duplicated the laptop's
> MAC but hadn't cracked its encryption) or the connection would appear
> OK at the router but behaviour at the laptop would be indeterminate
> (because the spoofer had duplicated its MAC and cracked its encryption,
> which apparently hasn't happened).


And won't. The password is generated by a script, and is long, random
and uses the entire allowed character set (squiggles and all).

But I do see things like:

Feb 24 00:49:00 wlan0: WPA-AES PSK authentication in progress...
Feb 24 00:49:00 wlan0: Open and authenticated
Feb 24 00:49:17 wlan0: A wireless client is deauthenticated - 00:1C:C0:74:95:67
Feb 24 00:49:23 wlan0: A wireless client is associated - 00:1C:C0:74:95:67
Feb 24 00:49:23 wlan0: A wireless client is associated - 00:1C:C0:74:95:67
Feb 24 00:49:23 wlan0: WPA-AES PSK authentication in progress...
Feb 24 00:49:23 wlan0: WPA-AES PSK authentication in progress...
Feb 24 00:49:23 wlan0: Authentication failled! (4-2: ERROR_NONEEQUL_REPLAYCOUNTER)
Feb 24 00:49:23 wlan0: Open and authenticated
Feb 24 00:49:23 wlan0: A expired STA is resumed - 00:1C:C0:74:95:67
Feb 24 00:49:31 wlan0: A wireless client is deauthenticated - 00:1C:C0:74:95:67
(etc, etc)

I'm not clear what the exact significance of the apparent double entries
and the ERROR_NONEEQUL_REPLAYCOUNTER entry is. Suggests some interplay
between two different clients using the same MAC perhaps.

I've remembered I have a spare WAP (an old Belkin); maybe I'll rig up
something to chat to that, even rig up a dummy network for them to break
into. Even use WEP, and make it easy for them :-) I can't see any
better way forward. But it still won't tell me anything about their kit.


--
Mike Scott (unet2 at [deletethis] scottsonline.org.uk)
Harlow Essex England
#9
March 16th 12, 05:50 PM, posted to uk.comp.home-networking
Rob Morley

On Fri, 16 Mar 2012 16:23:35 +0000
Mike Scott wrote:

> I'm not clear what the exact significance of the apparent double
> entries and the ERROR_NONEEQUL_REPLAYCOUNTER entry is. Suggests some
> interplay between two different clients using the same MAC perhaps.

The ERROR_NONEEQUL_REPLAYCOUNTER suggests a spoofer might be capturing
and replaying packets, but that will get them nowhere because WPA is
protected against that.

> I've remembered I have a spare WAP (an old Belkin); maybe I'll rig up
> something to chat to that, even rig up a dummy network for them to
> break into. Even use WEP, and make it easy for them :-) I can't see
> any better way forward. But it still won't tell me anything about
> their kit.

An open(ish) access point is a good idea, especially if it's just a
script kiddy (which I think they mostly are). Run Firesheep to sniff
their login sessions to popular insecure websites, if they're foolish
enough to access them, and you stand a chance of figuring out who they
are. Of course that's assuming they're just looking for internet access,
rather than attacking something on your LAN. If the latter you'll want
to run some sort of honeypot to see what they're up to.

#10
March 19th 12, 04:00 PM, posted to uk.comp.home-networking
James Egan


On Fri, 16 Mar 2012 07:58:26 +0000, Mike Scott
wrote:

> No; this attack can only occur when there's an existing connection.
> Otherwise there's nothing to disrupt.
>
> It doesn't happen for days on end - then it will happen all day every
> few minutes. So I'm pretty sure it's nothing in the kit here.



Does it only happen with the mac of the laptop? If it was an attack
wouldn't they just choose another connected device if the laptop was
off?


Jim
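
The questions raised in the thread (is it always the same MAC, do the deauthentications come in bursts, how often does the handshake fail) can be answered from the access-point log itself. The Python below is an added example, not code from any poster: the function names, the thresholds and the assumed year 2012 are illustrative, and the sample log is constructed in the format quoted in the posts.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the log format quoted in the thread (wrapped lines
# rejoined). The log carries no year; 2012 is assumed from the post dates.
SAMPLE = """\
Mar 8 13:19:10 wlan0: A wireless client is associated - 00:1C:C0:74:95:67
Mar 8 15:15:35 wlan0: A wireless client is deauthenticated - 00:1C:C0:74:95:67
Mar 8 15:15:40 wlan0: A wireless client is associated - 00:1C:C0:74:95:67
Mar 8 15:15:47 wlan0: A wireless client is deauthenticated - 00:1C:C0:74:95:67
Mar 8 15:15:53 wlan0: A wireless client is associated - 00:1C:C0:74:95:67
Mar 8 15:15:53 wlan0: A wireless client is associated - 00:1C:C0:74:95:67
Mar 8 15:15:53 wlan0: Authentication failled! (4-2: ERROR_NONEEQUL_REPLAYCOUNTER)
Mar 8 15:16:00 wlan0: A wireless client is deauthenticated - 00:1C:C0:74:95:67
Mar 8 15:16:03 wlan0: A wireless client is associated - 00:1C:C0:74:95:67
Mar 8 15:28:32 wlan0: A wireless client is deauthenticated - 00:1C:C0:74:95:67
"""
LINE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) wlan0: (.*)$")
CLIENT = re.compile(r"client is (associated|deauthenticated) - ([0-9A-Fa-f:]{17})")

def bursts(times, gap, minimum):
    """Group deauth times separated by <= gap seconds; keep runs >= minimum."""
    runs = []
    for t in times:
        if runs and (t - runs[-1][-1]).total_seconds() <= gap:
            runs[-1].append(t)
        else:
            runs.append([t])
    return [(r[0], r[-1], len(r)) for r in runs if len(r) >= minimum]

def analyse(text, year=2012, short_session=30, burst_gap=120, burst_min=3):
    """Summarise deauth/reassociation churn per client MAC."""
    events, replay_errors = defaultdict(list), 0
    for m in filter(None, (LINE.match(ln.strip()) for ln in text.splitlines())):
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        replay_errors += "REPLAYCOUNTER" in m.group(2)   # failed 4-way handshake
        c = CLIENT.search(m.group(2))
        if c:
            events[c.group(2).upper()].append((ts, c.group(1)))
    report = {"replay_errors": replay_errors, "clients": {}}
    for mac, evs in events.items():
        pairs = list(zip(evs, evs[1:]))
        deauths = [t for t, kind in evs if kind == "deauthenticated"]
        report["clients"][mac] = {
            "deauths": len(deauths),
            # association torn down again within short_session seconds
            "short_sessions": sum(a[1] == "associated" and b[1] == "deauthenticated"
                                  and (b[0] - a[0]).total_seconds() <= short_session
                                  for a, b in pairs),
            "duplicate_assoc": sum(a == b and a[1] == "associated" for a, b in pairs),
            "bursts": bursts(deauths, burst_gap, burst_min),
        }
    return report
```

A burst of short sessions confined to one MAC is what both a spoofed-deauthentication source and a faulty client or driver would leave in this log; the access point's view alone does not separate the two.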
 



