
My Rogue Wireless Access Point

Maybe this could class as a Wireless Honeypot?

It is quite some time ago now that we got a wireless router so that some computers could be on the internet/lan downstairs without naffing up the majorly old coving on the ceiling by hacking wires through it. In fact, it is such a long time ago that we were the only point in scanning distance. Now there are twelve (when the sun shines and the wind comes from the east).

[Image: scan of the wireless networks visible from the living room]

The above image shows the few that can be seen in a dank corner of the living room with the wind coming from the west. There used to be a lot more unsecured ones -- the message about security is finally percolating through?

In the meantime we have gone wired for the most part -- the coving lost against the gigabit LAN... There seems to be something about WPA that makes it impossible to have six or more wireless devices on a network together without massive interference. There are two or three left now, and it works almost flawlessly for these. None of your endless "Disassociated because WPA retry failed" stuff anymore, filling all the logs.

Well, not quite. There is GRANT. I am not sure who GRANT is. I am happy to assume that the computer GRANT is owned by a guy called Grant, but of course he/she might very well have named their computer after the source of funding for it...? Grant tries to get onto our LAN. He's been doing this for a long time now. I have no idea what his plans are once he gets on, so I am trying to keep him off. Personally I have had no joy with WPA cracking software, but I am quite prepared to believe that Grant is a super 1337 who has access to resources I can't even dream of. This means I change the PSK every so often, so that he can't get the 40 billion packets or whatever it takes to have a crack.

The reason I know that the computer is called GRANT is because I was on one of the neighbourhood's unsecured networks at one point and noticed that he was there too (I noted his MAC address), and his computer was happy to divulge a few things about itself. Like that it is running Windows, and is hoping to join the "WORKGROUP" workgroup. He's definitely rogue, and the unsecured Netgear AP is not his, because that belongs to someone who has an Apple Mac. Who is also a silly sod for leaving his router configuration page with default passwords, so that I could have a look. There was a certain temptation to change this that and the other, but that would have been stupid in the long run as it is stupidly handy to be able to look at things from a different IP address every now and again. Plus he's on Bulldog so it has reasonable speeds.

And there is 00:14:a5:a8:6e:c7. This one is more sinister than Grant. Beyond the fact that this is a Gemtek MAC (but one of mine registers as that too but it isn't), I don't know very much about 6e:c7. I think it is a Mac, but I can't remember why I thought that. This person must have aircrack running as a cron job. He starts at midnight, finishes at about 7 am. Every day. If Grant might be super 1337, this one has the potential of being uber 1337. I've seen him on the Netgear AP as well, but his computer is not very talkative. Shadowy.

But all the same, curiosity got the better of me. When joining our ISP, we were sent this Thomson Speedtouch type modem/router/access point, which has been on the shelf for a while. It's a nightmare to configure, it has no logging to speak of and it has ports open to the outside world which are a pain to close. Worst of all, whilst it comes preconfigured with WPA, you can only stay connected to it if all security is off. Hence its presence on the shelf.

I came across this software called "ZoneCD" (http://www.publicip.net/, more info about it on the Wiki) which makes setting up a wireless access point a snap. I connected Thor to the Speedtouch with a crooked IP so that he is not going to talk on this network, then created a Virtual Machine bridged on one side to the Speedtouch and on the other to the upstream router, so as to minimize any impact on the LAN, which is on the downstream router. Loading and configuring ZoneCD as an open access point was stupidly easy. It comes complete with its own DHCP server, a web proxy and content filter. As I have no wish for anyone to be downloading pornographic material with my IP address attached to it, I enabled this.

Then I attempted a connect with my laptop and found it was fully working. Just like that, out of the box. Wonderful. I probed the LAN and found it to be out of reach. Good. Laptop off, all sniffers going full pelt, and off to bed.

Day One

Right after I went to bed, the owner of a SonyEricsson P990i comes along to search for teen porn. He is not even caught by the content filter, since he doesn't get past the login portal. Perhaps he is spooked by the login button. There's no authentication or anything, but he obviously thinks there might be, and he goes away again. I hadn't even properly considered all the trash walking by with the phancy phones... despite being proud owner of selfsuch devices.

Half an hour later GRANT comes begging for an IP address. He must have been on the unsecured Netgear beforehand, because he is asking for 192.168.0.23, which is in their range. ZoneCD tells him to make do with 10.10.10.103, which he meekly accepts.

He does a DNS for mapquest, gets the time from windows, registers his WORKGROUP and becomes master browser for it, sends a tcp packet to 1.3.4.9 (weird huh) and then proceeds to absolutely FLOOD the poor ZoneCD with UDP packets.

An hour later he sends HTTP requests which reveal all: the man is running LimeWire, version 4.12.11 no less. I am not sure what rules ZoneCD adheres to, but all his UDP and TCP packets remain unresponded to. It is supposed to prevent P2P, and it must have done. A little while later, Grant gives up, no doubt dissatisfied with the download speeds he is getting here. As in, nothing. Poor unsecured Netgear owner, he has nothing to stop Grant going wild with the LimeWire.

Half past twelve. Grant is ready to give it another go, but is again frustrated by ZoneCD's kosherization of the Internet. I am quite liking my ZoneCD so far.

From the DNS queries that are generated by GRANT, I can tell that I was well wrong about his presumed computer skills, as surely no hacker in their right mind would use LimeWire (or windoze for that matter)?

As for 6e:c7, as I have come to think of him, he was way more cautious. Well I say 'he' -- that was clearly wrong. The only interaction with 6e:c7 was very early on, when I was still finishing the setup so that I nearly missed it. 6e:c7 came to ask for IP 192.168.0.4, but was given 10.10.10.101, and 4 seconds later released the IP. The only info I got from that was that the host name was 'hayley'.

Why do people name their computers after themselves? Weird really, if you think about it. You don't do that with your dog or fridge, but you think of a computer as an extension of yourself? What do you do if you have two?

Day Two

Decidedly uneventful. But hey, I can wait. Good things come to those who wait, apparently (though having waited half my life now I am not sure if that is even true... :-))

Host 'MWAK' asks for 192.168.1.3, but gets 10.10.10.101. Does a Netbios registration then releases DHCP within the space of 13 seconds at eight pm sharp. They do the same again at five to eight in the morning. And at half past nine 'Designer49', who has no preconceived notions about the IP they want to be given, releases before they even get one. Shame there isn't more info in DHCP packets.
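The DHCP detective work above (GRANT asking for 192.168.0.23, 6e:c7 asking for 192.168.0.4 as 'hayley', MWAK asking for 192.168.1.3) all comes from two options in the client's DHCP REQUEST: the requested address (option 50) and the host name (option 12). The following is an added example, not ZoneCD's code or anything from the original post: a small parser that pulls those fields out of a raw BOOTP/DHCP message, plus a builder that constructs a sample REQUEST so it runs offline. The transaction id and the client-id layout are assumptions used only to make a plausible test packet.

```python
import struct
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"          # RFC 2131 magic cookie, marks start of options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 7: "RELEASE"}

def build_dhcp_request(mac, requested_ip, hostname, msg_type=3):
    """Construct a minimal DHCP client message (test input, not a real capture)."""
    hw = bytes.fromhex(mac.replace(":", ""))
    # BOOTP fixed header: op, htype, hlen, hops, xid, secs, flags, 4 addresses,
    # chaddr(16), sname(64), file(128) = 236 bytes. xid is an arbitrary constructed value.
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        1, 1, 6, 0, 0x3903F326, 0, 0x8000,
                        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                        hw.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    opts = bytes([53, 1, msg_type])                                    # message type
    opts += bytes([50, 4]) + ipaddress.IPv4Address(requested_ip).packed  # requested address
    opts += bytes([12, len(hostname)]) + hostname.encode()            # host name
    opts += bytes([61, 7, 1]) + hw                                    # client id (hwtype + MAC)
    return fixed + DHCP_MAGIC + opts + b"\xff"

def parse_dhcp(pkt):
    """Return the fields a honeypot operator cares about from one DHCP message."""
    if pkt[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    hlen = pkt[2]
    chaddr = pkt[28:28 + hlen]
    info = {"mac": ":".join(f"{b:02x}" for b in chaddr),
            "ciaddr": str(ipaddress.IPv4Address(pkt[12:16]))}
    i = 240
    while i < len(pkt):
        code = pkt[i]
        if code == 255:                     # end option
            break
        if code == 0:                       # pad option has no length byte
            i += 1
            continue
        ln = pkt[i + 1]
        data = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
        if code == 53:
            info["type"] = MSG_TYPES.get(data[0], f"type{data[0]}")
        elif code == 50:
            info["requested_ip"] = str(ipaddress.IPv4Address(data))
        elif code == 12:
            info["hostname"] = data.decode(errors="replace")
        elif code == 61:
            info["client_id"] = data.hex()
    return info

def previous_network(info):
    """Guess the /24 the client was last on from the address it asks to keep (option 50)."""
    ip = info.get("requested_ip")
    return str(ipaddress.ip_network(ip + "/24", strict=False)) if ip else None
```

Fed the packets a sniffer sees on the honeypot's DHCP port, the parser yields the same "wanted 192.168.0.x, so came from the Netgear's range" inference the post makes by hand.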

Hmm. I shall have to go round the neighbourhood with my handheld wireless sniffer to see if maybe the location of the access point needs looking at. I should imagine nearer the front window might not be a bad idea, but that would involve getting a longer network cable which I have totally run out of having wired up the gigabit lan (had to borrow cable for that to be honest).

Day Twelve

Lots of interesting people have dropped by. Very expensive equipment has hooked up. An amazing amount of info is given out unwittingly.

Someone with an impressive laptop has come along to tell me the basic setup of their network at work, as well as where this place of work is. What with its incessant attempts at reconnecting with mapped network drives, hard coded dns and dhcp servers... The only "safety" feature his office's IT management has built in is the fact that his name is not associated with either his computer name or any of the protocols. I wonder if all this info can be used somehow.

And these Apple Mac things have an awful way of probing UDP 192 every other second, just in case a masterful airport base station is listening and ready to command the underling. Also they clamour for apple.com and get very impatient if they can't offload the current itunes selection to the overlords. There's so much updating to do and so little time... Shame I don't allow executables to be transferred. But I have his name, and his home page on the apple website. Hah.

Be sure to return soon for more instalments!
