Do you know who’s using your WiFi? Or how to check?

This may sound like a stupid question, but in reality most people don’t know. I work in IT support, and the customers I support all work from home or on the road. Many have no idea even what devices are connected to their network, let alone how to set encryption.

My goal for this post is to show you some easy ways to map your network, to ensure only devices you want are using your network. Rogue devices can negatively impact your network in a variety of ways: an attacker could steal your passwords or files, and a poorly functioning device could cause internet speeds to drop to a crawl, or even disconnect your computers from the net.

That said, it is easy to monitor your network, and at a very minimum you should audit network usage twice a month (I do it almost daily, because it really only takes seconds to check).

The quickest way to get an idea of who or what is connected to your network is a ping scan. There is an Android app built specifically for network mapping (and even some troubleshooting) called ‘Fing’. It will report all live IP addresses, along with the manufacturer of each device’s network card. Once you have the list of connected/live devices, Fing will let you troubleshoot each device. Some of the things I do with Fing are port scanning, connecting to Windows shared drives, and FTP. Here is a link to Fing in the Play Store.


Here is a shot of Fing in action

Some of us who are hyper-focused on the security of our networks even go so far as building lightweight intrusion detection systems, but I would not expect an average person to take the time to learn how to set one up, or to pay the huge prices others charge to do it. Simply scanning your network is a great step in protecting your digital privacy: if you notice connected devices that shouldn’t be there, you can adjust settings in your router’s configuration to block the device.
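The same audit can be scripted on a Linux box so it takes seconds and never misses a new MAC. This is an added example, not code from the post or from Fing: it reads the kernel neighbour (ARP) table via ‘ip neigh’ and compares every MAC against an allowlist you keep; the allowlist and the sample table below are constructed values.

```shell
#!/bin/sh
# Known-device audit for a home LAN: compares the MAC addresses in the
# host's neighbour table against an allowlist and prints anything unknown.
# Assumes Linux "ip neigh" output; every sample value below is constructed.

# Allowlist, one "MAC  description" per line (constructed values).
KNOWN_DEVICES='
aa:bb:cc:00:11:22  router
aa:bb:cc:00:11:33  laptop
aa:bb:cc:00:11:44  phone
'

# find_unknown NEIGH_OUTPUT: print "ip mac" for every neighbour whose MAC
# is not in KNOWN_DEVICES. Returns 1 if any were found, 0 otherwise.
find_unknown() {
    printf '%s\n' "$1" | awk -v known="$KNOWN_DEVICES" '
        BEGIN {
            n = split(known, lines, "\n")
            for (i = 1; i <= n; i++)
                if (split(lines[i], f, " ") > 0) ok[tolower(f[1])] = 1
        }
        # ip neigh line: 192.168.1.5 dev wlan0 lladdr aa:bb:cc:00:11:22 REACHABLE
        /lladdr/ && !/FAILED|INCOMPLETE/ {
            for (i = 1; i <= NF; i++) if ($i == "lladdr") mac = tolower($(i + 1))
            if (!(mac in ok)) { print $1, mac; found = 1 }
        }
        END { exit (found ? 1 : 0) }'
}

# Constructed sample of "ip neigh show": .77 is not on the allowlist.
SAMPLE_NEIGH='192.168.1.1 dev wlan0 lladdr aa:bb:cc:00:11:22 REACHABLE
192.168.1.10 dev wlan0 lladdr AA:BB:CC:00:11:33 STALE
192.168.1.77 dev wlan0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.1.90 dev wlan0  FAILED'

# Real use: ping the subnet first (e.g. nmap -sn 192.168.1.0/24) so the
# neighbour table is populated, then: find_unknown "$(ip neigh show)"
if find_unknown "$SAMPLE_NEIGH"; then
    echo "all devices known"
else
    echo "unknown device(s) listed above: check your router and block if rogue"
fi
```

A device that spoofs a known MAC will not show up here, so treat the allowlist as a quick daily check rather than proof that nothing is wrong.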

I will write a follow-up post with some Windows and Linux tools that are user-friendly and give similar functionality to Fing on Android. I would also like to note that Fing is also available on iOS, but it has been a while since I used it, as I avoid my iPad like the plague.

If you have concerns or questions, feel free to hit me up on Twitter @DarkLordZim or email DarkLordZim@gmail.com

Getting Wireshark working on Xubuntu

Okay, so re-installing Xubuntu this week, I spent a lot of time crawling the interwebs to find a solution to a problem I had solved a long time ago but lost the instructions for, so I wanted to blog it.

In Xubuntu, when you install Wireshark and run it as admin (bad idea), it will work for about 10k packets or 5 minutes, whichever comes first, then blow up and need to be force-closed. The solution is to modify the settings to allow you to run packet captures as your current user, without needing root access to capture.

There is a post on the Wireshark blog about it, but there are some problems with the commands and they don’t work. I found my solution here.

Essentially, once you have Wireshark installed, you will need to run the following commands, then log out and back in for it to work.

$ sudo su - root
# sudo apt-get install libcap2-bin
# groupadd wireshark
# usermod -a -G wireshark <your-user-name>
# chmod 750 /usr/bin/dumpcap
# chgrp wireshark /usr/bin/dumpcap
# setcap 'CAP_NET_RAW+eip CAP_NET_ADMIN+eip' /usr/bin/dumpcap
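After logging back in, this added check script (my own, not from the Wireshark docs) confirms the two things that fail silently: that your login session actually picked up the wireshark group, and that dumpcap still carries the file capabilities (package upgrades can reset them). It assumes the same /usr/bin/dumpcap path as above; the getcap lines it is tested against are constructed samples.

```shell
#!/bin/sh
# Post-setup check for the non-root capture configuration above. It
# verifies the two things that fail silently: wireshark group membership
# (only refreshed after a new login) and the file capabilities on dumpcap.
# The getcap lines used in the tests are constructed samples.

# caps_ok GETCAP_LINE: succeed if the line grants cap_net_raw and
# cap_net_admin in both the permitted (p) and effective (e) sets. Handles
# both getcap output styles: "... cap_net_admin,cap_net_raw=eip" (older
# libcap) and "... = cap_net_admin,cap_net_raw+eip" (libcap 2.41+).
caps_ok() {
    line="$1"
    case "$line" in
        *cap_net_admin*cap_net_raw*|*cap_net_raw*cap_net_admin*) ;;
        *) return 1 ;;
    esac
    flags="${line##*[=+]}"    # the set letters after the last '=' or '+'
    case "$flags" in
        *e*p*|*p*e*) return 0 ;;
        *) return 1 ;;
    esac
}

# in_group GROUPLIST NAME: succeed if NAME is in the list "id -nG" prints.
in_group() {
    case " $1 " in
        *" $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_dumpcap [PATH]: run both checks against the live system.
check_dumpcap() {
    bin="${1:-/usr/bin/dumpcap}"
    rc=0
    if ! in_group "$(id -nG)" wireshark; then
        echo "not in the wireshark group yet: log out and back in after usermod"
        rc=1
    fi
    if ! caps_ok "$(getcap "$bin" 2>/dev/null)"; then
        echo "$bin lacks cap_net_raw/cap_net_admin: rerun the setcap step"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "ok: $bin can capture as $(id -un) without root"
    return "$rc"
}

check_dumpcap "$@" || echo "dumpcap setup incomplete (see above)"
```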

Wireless hacking on Android

With the power of the tablets coming out now, and the open platform that Linux provides, there is a great opportunity for hacking from an easily hidden, Trojan-style device with enough power to allow us to carry out many different wireless attacks.

Possible attacks:
1. ARP spoofing
2. SSL stripping
3. Session hijacking
4. Vuln scanning
5. Port and service scans

These are just a few features available in a tool called dSploit. Using the application you can select all kinds of attack vectors, and you can capture packets to a pcap dump for reading in Wireshark later.

It works well in small networks and labs, but my next task is to blow up a public network and see what I’m able to find. If the information I locate is enough, I will approach them face to face with the data, and options on how to fix their problems.

Other WiFi tools in my toolbox include DroidSheep, Fing (network scanner), ConnectBot, and SSHDroid.

I will be writing a follow-up on how to use these tools, and will talk about the other tools as well.

Profiling a network before you attack

My heart grows sad every day when I see yet another news blurb about how some new skiddie crew just PWNED some network and wanted their 15 minutes of e-fame. Many of these attacks are executed sloppily, which is why, before long, most of these crews end up in front of a jury. Getting their just rewards, if you will.

Last time, I spoke about the need to keep things secret in this industry. Some people think that is as simple as “I wanna post this secret, so I’ll do it from an alter ego.” There is still a major problem with that: OTHER PEOPLE KNOW YOU KNOW THE SECRET, and therefore your leak is still traceable back to you. Even if nobody knew about your alter ego, simply by leaking data you get cross-contamination.

Wow.. off topic already. Back to the point at hand. When you start on an attack (in your lab, or by legal means), it is thoroughly unwise to simply start attacking with every known vector in your tool belt, hoping to compromise a system from the very start. Being a ninja is all about stealth, and attacking the weakest, MOST damaging weakness: one strike to take down a titan.

Your first goal should be to gather information, or “listen”, for those who can’t seem to understand what I’m talking about. If you make noise on a network, you run the risk of alerting someone to your presence and having them start patching holes before you ever even have a chance to use them.

It makes me sick when I’m setting up attacks and some skiddie connects to my fake AP, and all my filters and logs are flooded with garbage. TURN OFF YOUR APPLICATIONS. Today almost ALL your software makes calls to the Internet. When you’re attacking, or even listening, do you really think your Dropbox sync is helping? No, it’s sending and receiving more packets and filling up your logs with data you just have to filter out later. Twitter? BE SILENT, FOOL! Some of us are watching you.

When I’m gathering intel, I don’t even have music playing; you need your senses to be aware of your surroundings. You’d be surprised what you hear. In a coffee shop, where I was setting up an attack with a fake “Free Public Wifi”, I overheard some customers talking to each other, and it went something like this:
Customer 1: “What network are you using?”
Customer 2: “This ‘Free Public Wifi’. It’s an open network, and it’s working pretty quick.”

Any idea what we just learned? That there are 2 people using my fake AP, and any number of other customers who overheard them will likely log on soon too. If I had headphones on, I would not have heard that. Yes, I might have noticed more traffic, but now I can listen for more information. For instance, since these two customers are friends and talking to each other, listen for names, or relationship connections, that you might be able to exploit. Don’t just dive into attacking, because it’s not going to get you all the information you will need down the road.

Something to try would be to MITM one (or more) of the connections and spy on their streams. Again, here I see people get anxious and start major attacks once they have a confirmed phish on the line. Keep in mind, much like with fishing, you need to get the hook set so your prey doesn’t just flop off the line. In the case of phishing, it’s no different. If you disrupt their internet connection or make things work poorly, they will likely just look for a different network that doesn’t have problems. So KEEP YOUR LINES CLEAR so you can monitor the flow of data.

Finally, once you’re certain that the phish has taken your bait, SET THE HOOK and REEL them in. With hacking and network security, the biggest phish are worth waiting for; make sure you’re not wasting your effort catching a ‘minnow’ when you could catch the Great White.

Thank you for reading my ranting about you bastards polluting my networks with your noise. I hope this helps you to think before acting, and as always, ALL actions have consequences; make sure you can HANDLE the phish you’re trying to catch, and that it won’t EAT you when you pull it out of the water.

-That is all

Curiosity can be your friend

When it comes to hacking and network security, most holes are found by accident. It’s important to proactively scan your network for problems so that you are not caught by surprise later. With computer and network security, you have to make sure you have permission to do the scanning, or you could find yourself in a world of hurt. It is illegal to access data that is not yours and that you don’t have permission to access. I’m writing this post for personal networking purposes, so that you can protect your own networks, not so that you can do harm to another person.

At work, I’m not on the LAN team, nor am I ‘officially’ part of the network security team, but I have permission from both teams to help test our public wireless network, since they know I enjoy hacking and network security. They are short-staffed and do not have the manpower or time to manage every aspect of such a large wireless network 100% of the time. I have personally found a few other security holes on our wireless network and helped to secure it, because I have found banking data and other account information floating around for anyone to see, and now those things are closed and secured again, the way they should be.

Today I found a problem that caused me to alert the LAN team immediately, without even taking the time to run multiple tests and gather extra proof; since they know I know what I’m talking about, a proof of concept is enough for them to take me seriously. Today I was using rediscover (which I’ve posted about before) and found a few MAC addresses from non-standard manufacturers (at least by our company standard). Since it was a manufacturer I don’t normally see, it drew my curiosity and I decided to nmap the host. I found normal ports running, like Windows file sharing (SMB) and Remote Desktop, but nmap was also able to give me the user ID and operating system.

The first point of alarm is that all peer communication is supposed to be turned off on our public network, and I should not even be able to tell a host is live, let alone see what services are running. To make sure I was seeing a true report of services, I fired up my RDP client and was presented with a Windows login screen. Since this is a security issue in itself, I did a user lookup and went to the internal IT group that supports this user. My friend who supports him noticed that he was using a hard-wired connection to the LAN, which means he was connected both to the corporate LAN (with all the sensitive data) AND to the wide-open wireless network, so if an attacker were able to compromise this user’s machine, they would have access to a treasure trove of intellectual property.

The moral of the story is this: constantly check your network’s security, and ONLY use one connection at a time. If you are using a wired connection, disable your wireless, because otherwise you open your LAN to attack; and if you are using wireless, don’t plug into a LAN.