My wifi got hax0red!

airzone on 30/05/2014 - 14:26

I turned on my TV last night and went to watch something off my DLNA server. And funnily enough, I see this strange new media server show up… Something called ChrisXXXX-PC (where XXXX is the last name of one of my neighbours, and their first name just so happens to be Chris….).

Righteo then.

I then checked out the DHCP leases on my router, and sure enough there a new entry… ChrisXXXX-PC on xxx.xxx.xxx.119 with their mac address. I then ping my broadcast address and use arp -a and find out that he is on the network although not directly responding to pings.

I suspect he has used reaver to break through my wifi extender's security (and I did have wps turned on for some silly reason) as my main router has it disabled. But as we know, WPS security is not always securely implemented and can respond even when disabled depending on the router model.

So I have set up a routing rule to drop all traffic from xxx.xxx.xxx.119, and have also set his mac address to a reserved address (with a rule to drop all traffic again). Ideally this will prevent him from using my internet, even if he is on wifi. I have changed my router & extender admin passwords and disabled WPS on the extender. I have not changed the WPA2 password as I want to test how the network responds to a reaver attack with WPS disabled (and I will do that tonight) as it's ineffective to change the WPS2 PSK until I know that he can't discover it through a WPS crack again. If the network doesn't respond to WPS hacks, then I will changed the WPA2 PSK and that's it. Otherwise I will have to replace equipment.

I have also changed my SSID to "HiChrisXXXX" as a deterrent (and will tell him to bugger off when I see him next).

To be honest, I think the guy just thought he was awesome and downloaded a GUI reaver front-end and got it to work and is simply being opportunistic. I mean seriously, he is using a PC with the default Windows hostname generated during the setup process… I bet his user ID is ChrisXXXX and he has no password.

Although I have unlimited bandwidth, principle is at stake here. I was slightly taken back at how easy it is to get into as I am normally security conscious. And what if someone (chris or otherwise) decides to use my internet to download kiddy porn? Or honeypot torrents?

Question is: from those more IT security capable than myself, is this a reasonably suitable remediation plan?

And also what have other people done in this situation?

Computing

Comments

  • ProjectZero on 30/05/2014 - 14:31
    +1

    Couldn't you just revoke him to kick him out of your network temporarily, then change the WPA2 PSK so as to stop him from reconnect, THEN add his MAC address to the deny list in your router network?

    Once he is in the deny list, he shouldn't be able to access your router even if he knows the password, that is, until he figures out a way to clone your mac address.

    • airzone on 30/05/2014 - 15:00

      I have his mac address on the blacklist of my router already, but the extender cannot support it.

  • coin saver on 30/05/2014 - 14:33
    +5

    i have often wondered why neighbors dont share unlimited internet cost

    • snappy1234 on 30/05/2014 - 14:51
      +5

      i have often wondered why neighbors dont share unlimited internet cost

      C.P or similar- who wants the law knocking ?

      • ProjectZero on 30/05/2014 - 14:56

        Not to mention the bandwidth…

        • Sage on 30/05/2014 - 16:22
          +1

          yeah bandwidth would be my reason if I considered sharing.
          as it stands we can't have everyone in our house alone using it heavily without it slowing down or becoming unresponsive.

      • [Deactivated] on 31/05/2014 - 23:55

        Even then they do search your computers…

    • timmypete on 30/05/2014 - 14:55
      +4

      I once had a stream of cat5 running to the neighbor's house.

      • airzone on 30/05/2014 - 15:02
        +11

        With the right configuration and a clear understanding of roles and responsibilities then it's fine. But stealing your neighbours wifi is most certainly not fine.

        • coin saver on 01/06/2014 - 10:20
          +3

          i was seeing a group of ozbagaining pensioners in a retirement village when i made my comment.. say 5 units sharing dodo unlimited @ $40 saving could be $160 or more if they use carriers like telstra

      • morini on 02/06/2014 - 15:07
        +2

        Back in the days of dialup, I found a roommate's modem cord running out of his room into the wall socket (it wasn't part of the agreement). He used to do his BBSing in the middle of the night, sneaking out to plug it in and unplugged it when finished.

        A pair of scissors took care of the problem.

    • highdealer on 31/05/2014 - 21:29
      +3

      Hell, i don't even want to share internet with my brother let alone the neighbors. He torrent stuffs day and nights.

      • surethang on 01/06/2014 - 22:36
        +7

        In fairness to your brother…

        "There's a lot of porn piling up on the Internet. It doesn't download itself!", House MD

  • flyingtrapeze on 30/05/2014 - 14:34

    is it TKIP or AES? make sure is on AES not TKIP

    • airzone on 30/05/2014 - 14:55

      AES. I don't think the WPA2 is being hacked directly, but WPS is pretty easy to break on routers with insecure implementations.

  • StewBalls on 30/05/2014 - 15:08
    +46

    At first glance I read the subject as My wife got hax0red!…was thinking, daym that's harsh!

  • HAL on 30/05/2014 - 15:35
    +2

    Rather than implicitly filtering for MACs you don't want, why not reverse your approach? (you could easily spoof a new MAC)

    Set up access based on MACs you want.

    • Sage on 30/05/2014 - 16:23

      yeah good idea.
      plus I doubt he only owns one device capable of using the net.

  • BuyoTheCat on 30/05/2014 - 15:39
    +3

    haX0r him back!

    I usually offer my neighbour my wifi if they just move in. But most people are happy tethering their 3/4g for a few days while they get connected.

  • chuneeperformance on 30/05/2014 - 15:45

    IPSec

  • Malarkey on 30/05/2014 - 15:45
    +9

    My neighbour (in a set of units) got into mine a few weeks ago, his two room mates thought he was a dick and moved out and took the internet connection with them. A few days after I noticedsome extra DHCP listings on the router with obvious names like Mikes-iPad, Mikes-laptop etc. I took down all the details, mac address etc.

    Next time I heard his front door open I just walked out and told him to piss off. He was a bit taken back and apologised. I told him that all he had to do was come and ask and it wouldn't of been a problem I would of handed him the password.

    But yeah he was a dick for doing it and apparently doesn't do to well when confronted.

    tl;dr Mikes a dick

  • ranma on 30/05/2014 - 16:27
    +2

    I'm at work and I'm afraid to google it, what's a honeypot torrent?

    • Murrayb123 on 31/05/2014 - 23:25
      +2

      a torrent set up for the sole purpose of catching infringers. So a company may put up a torrent for latestAAAmovie.avi and harvest all the IP addresses

      • thatonethere on 01/06/2014 - 10:02
        +7

        Then what happens is that groups of people feed spoofed IP addresses into the torrent swarm making the data much harder to use for copyright enforcement.

        Source: at work we get these accusations made against printers etc from overseas lawyers…

  • victorwilson on 30/05/2014 - 16:35

    I think the OP used honeypot as a verb

    EDIT: sorry, clicked the wrong "reply" button, I was supposed to reply to ranma's comment.

  • p1 ama on 30/05/2014 - 16:48
    +2

    from those more IT security capable than myself, is this a reasonably suitable remediation plan?

    Not really, all you've managed to do is blacklist a single guy's MAC address. There's nothing stopping him from getting a new NIC and doing the same thing again…etc.

    The problem here is not that your neighbour stole your WiFi (well that's a problem, but not the main one), the main problem is the root cause of all that - your WiFi is not secure, if you have WPS disabled and you are still getting hacked with Reaver, time to buy a new WiFi router/AP.

    • [Deactivated] on 01/06/2014 - 23:37
      +1

      He knows your routers IP and subnet. He could use your PC name and MAC address if he wanted to, it's called spoofing. I don't know how that would work though. Or who knows get his own WiFi router with the same SSID and password and put it next to your house so you connect to him and he harvests all your passwords.

  • JediJan on 31/05/2014 - 12:43
    +1

    As someone who relies on our wifi (we just switched from Virgin to Vodafone recently) I have always wondered about being "hax0red" … we are fairly ignorant of the ways and wherefores of computer or wifi hacking. We have Norton 360 working it's little heart out, although my (Yahoo) email address somehow succumbed by sending out some spam over a year ago to all my contacts (Yes, weightloss information to son's teachers…). Took some "Yahoo" steps, changed password, etc. and seems to be okay now though.

    Would someone suggest, to someone as basically computer wifi illiterate, as to what methods … in real simple terms and instructions (a link would be nice) as to what steps we could take to safeguard our wifi?

    I have always assumed that the password was required for someone to use our s'megabits; apparently not so. Any help for us out here?

    The writer is obviously way ahead of most of us in safeguarding his wifi, but still managed to get "hax0red" so there doesn't appear much hope for the rest of us. I sometimes get a message saying another computer is using my "address" but I have assumed (perhaps incorrectly) my son's iPad is what has been causing this.

    Thank you if you can help. If not, thank you for reading.

    Cheers

    • Randxyz123 on 31/05/2014 - 13:40
      +1

      I take it because you have >"just switched from Virgin to Vodafone recently" that you are using a portable wifi device which means the range is unlikely to extend past your house so you are unlikely to be "hax0red" that being said it can happen to anyone. Having said that you can do things such as

      • Change the default device password
      • monitor your internet usage month to month and if you use more than usual you can take steps.

      If you want to be more secure you can set up routing rules though it depends on the router how much you can do with this. This basically means that if you are trying to address the network from a different ip or MAC address (i.e not your computer) then it will be kicked off.

      • JediJan on 31/05/2014 - 14:33

        Thank you for your answer. Yes; portable wifi. Virgin in this area has become rather congested, too busy and slow…. Vodafone, 4G is faster, only a 12GB plan, connected only a week, so far so good. Our old HP laptop does pick up strong signals from other wifi's nearby, so assume others do the same with ours. They are all password protected (lock sign) so I don't know how anyone can access ours really… but as happened to the more knowledgeable writer I wonder.

        Usage seems to be fairly accurate, apparently majority when teen son uses it for YouTube, but would like to ensure it is only our usage, not others. Don't know how to change our password or make it more secure. We turn it off when not In use and take it with us when we go away.

        Routing rules? Could we set it up to specify what computers, laptops and iPads have use? The iPad wouldn't connect until we entered the password so I assumed our wifi was secure.

  • minniethemoocher on 31/05/2014 - 13:12

    Maybe if he does it again you can hack into his PC and leave him a kind message. Looks like you will have to keep an eye on the devices logged into your wifi from now on, most people don't so I bet he was counting on that. Luckily the cops know that a lot of people who download illegal content know that it's often from hacked wifi but that's a headache you really don't need.

  • [Deactivated] on 31/05/2014 - 13:57

    Isn't the best solution just to confront him about it in person?

    • airzone on 31/05/2014 - 14:42
      +1

      Yes, but if he found a hole, I want to plug it up before someone else uses it for nefarious purposes.

      • CI on 01/06/2014 - 10:45

        Good thinking

  • Tcm9669 on 31/05/2014 - 18:37
    +3

    With home routers, and no proper devices sometimes it's hard to properly secure your router. BUT as someone said above, BEST practice is always to ALLOW WHAT YOU WANT and DENY EVERYTHING ELSE.

    Use AES WPA2, In your password use long words with symbols and numbers. Even tho WPA has not been hacked yet, brute forcing is always an option with a weak password.

    Funny thing to do is, check for shared drives and folders on his PC :) leave some files on there.. use NET MSG, Remote shutdown (especially if he has no password) idk.. have some fun?! He is on your network afterall.

  • Aneurism on 31/05/2014 - 21:29
    +1

    Why bother being passive aggressive with the SSID. Just knock on his door and ask him face to face what is going on directly. There could be some legitimate reasons why it could have happened. Eg. his laptop might have been remotely hacked by someone else.

    • surethang on 01/06/2014 - 22:51

      Yep, or a third disgruntled neighbour has set him up for a fall. Long shot, but possible.

  • infinite on 31/05/2014 - 21:50
    -2

    It's amazing how smart some people think they are, till they get punched in the face.

  • futaris on 01/06/2014 - 00:06

    Just set up your Wi-Fi router to only allow access to a vpn on a specific ip/port, and make every one of your machines connect to the vpn

    • HAL on 01/06/2014 - 02:26
      +6

      Curious as to why you would set up a VPN in your own home network for local devices.

      Seems like you are creating unnecessary overhead.

  • futaris on 01/06/2014 - 09:22

    Everything on the same subnet will be able to communicate with each other.

    If you want to get out to the internet, then connect to your external vpn.

    Easiest solution, unless you want to set up authentication using openwrt or similar.

    http://wiki.openwrt.org/doc/uci/wireless/encryption#configur…

  • niknah on 01/06/2014 - 11:21

    Happened to me too. I had a crappy tp-link wifi router. The wifi was working fine with WPA2, AES. I could login to it with my ssid/password.

    But for some strange reason, the wifi settings never saved. And the wifi looked like it was turned off when it was really on.

    The device connecting to it had a bogus hardware address. And they were careful not to use much bandwidth, I didn't notice anything for months.

    I reset the settings and reloaded the firmware. Haven't seen that device since.

    • [Deactivated] on 01/06/2014 - 12:33

      Sharing is caring.

  • somecasualgamer on 01/06/2014 - 15:08
    +8

    Surprised no one has suggested kittens: http://www.ex-parrot.com/pete/upside-down-ternet.html

  • zooter on 01/06/2014 - 15:39

    so, using AUTO mode (WPA or WPA2) in D-link modem is good enough or not? (with a pretty strong password)

    • Tcm9669 on 02/06/2014 - 08:36

      Not sure what auto mode is in your case.. But auto mode usually means default settings.. Meaning, easy to hack.

  • Aradial on 01/06/2014 - 20:16
    -1

    I think the easiest thing to do would be to check if your router allows to you choose not to broadcast your SSID.

    If so, change the SSID to something obscure, and manually setup a connection on your computer to connect to it even when it is not broadcasting.

    That way, unless someone knows the SSID, they cant connect to it.

    Also, change the connection to WPA2 if not already and change the password.

    • ESEMCE on 02/06/2014 - 10:20

      Not so.. if the neighbor has the knowledge to use Reaver to hack WPS, he'll have the knowledge to reveal a hidden SSID. It's not very difficult and not a very good security measure.

      • samfisher5986 on 03/06/2014 - 11:24

        Revealing an SSID means you are targeting someone. The average hack is just doing it because they can see it.

        Hiding your SSID's is a great way to improve security.

  • netsurfer on 02/06/2014 - 00:10
    +1

    WPA2-RADIUS is more secure than WPA2-PSK (WPA2-Personal). However, it involves setting up a radius server. Also, some devices may not be able to support that configuration.

  • Pip Y on 02/06/2014 - 07:53

    knock on his door and face to face
    - he won't do it again once he knows you know ;)

  • frinik on 02/06/2014 - 19:06

    What ever happen to physical violence?
    Do you have any big mates that look like bikies?
    Get them to knock on the door with a baseball bat :P

  • Cheeper on 02/06/2014 - 22:13

    Isn't it a recognised crime to use or steal another internet access these days?
    Just do a print screen of the proof and flash it at the perpetrator and tell them next time they will be talking to a magistrate.. :-)

    Had a little smart ar5e around here that tapped into ours once… just cooked up a difficult to d/c wpa2 p/w and he has never been back.

    Would making your ssid invisible also help in keeping intruders away?

    • ESEMCE on 03/06/2014 - 08:23
      +1

      No, Hidden SSID's are one of the weakest "security" measures!

    • MasterScythe on 23/06/2014 - 09:09
      +1

      scubacoles is right and wrong.

      The answer is 'yes' it would help keep intruders away, because it'll more often be overlooked on a wardrive or by kids with smartphones.

      However he is right, that it doesnt make it any more secure once its found.

  • MasterScythe on 23/06/2014 - 09:11

    I have a secondary ASUS router which supports Isolation. It also supports a 'guest' wifi setup.

    I have it set to OPEN and throttled to 1% speed.
    I live near a public transport stop, so i'm sure tons of people appreciate it.

    I log all the data, so far nothing 'seedy' is going on.

    • wako on 17/08/2014 - 04:00

      Interesting… Do you find any useful sites that others are browsing whilst waiting for a bus or is it all FB..

  • [Deactivated] on 26/06/2014 - 17:06

    Are you sure it wasn't yourself?

    I know that when you choose to setup a bridged network on a virtual machine, that you will generate a new DHCP lease with a name that looks like the default windows names such as WINS-23578921.

    Hiding the SSID is useless as it is trivial to find it again with simple tools.

    At the moment, I don't really know your setup, but I'm just throwing this in for you to think about.

    • airzone on 26/06/2014 - 18:19

      The default name for a PC these days is based on the user name you type in… In this case it was ChrisXXXX-PC and the user account was Chris XXXX. And since there is someone 2 floors below with the same name, it was a pretty easy conclusion to draw.

Login or Join to leave a comment
Login Join