Saturday 15 October 2011

Catching a Wi-Fi hacker

Let's use this technique to set a trap for anyone in the vicinity who may fancy exploring networks and leeching bandwidth that doesn't belong to them. You can also use this technique to monitor traffic on your own networks in general. We're going to use what's known as a honeypot – a PC or network that appears unprotected. They're designed to tempt hackers and malware to explore and infect them. In reality, they're heavily monitored.
Researchers use them to detect new strains of malware, and we're going to use a honeypot wireless network to catch bandwidth leeches. The technique involves setting up a wireless network without any protection and then monitoring it for unauthorised connections.
The network is physically isolated, but anyone joining it illegally won't know that. It just looks like a juicy connection waiting to be exploited.
To set up a simple wireless honeypot, you first need a spare wireless access point for potential hackers and freeloaders to attempt to access. This is plugged into an old network hub.
The hub is important because whatever traffic it receives on one port, it automatically retransmits on all the others. A network switch doesn't do this: it forwards each frame only to the port where the destination lives, so a monitoring PC on another port would see almost nothing, which is why we need a hub. We can plug a PC running a traffic-monitoring program into another port on the hub, begin collecting data and wait for the fun to begin.
The monitoring program we'll use is Wireshark. This app is used by network security professionals the world over and is very easy to set up and use.
Setting the trap
Go to and download the latest Windows version. This is compatible with all supported versions of Windows from XP onwards. Installation is a simple matter of running the downloaded executable and accepting the defaults.
Unlike Linux, Windows can't put its network card into 'promiscuous' mode on its own (in this mode the card accepts all traffic that passes by, not just frames addressed to it, which is what lets Wireshark monitor everything flowing past). To enable this, the Wireshark installation procedure also installs a capture library called WinPcap.
Once installed, run Wireshark and select your wired network interface card from the interface list. This begins a collection session. You should start to see traffic being sent every few seconds by the wireless access point as it monitors and discovers resources, and finds out what machine has which IP address. You'll also see traffic from the PC on which Wireshark is running.
On the monitoring PC, log into the wireless access point's web-based management page and set security to 'none'. If there's a function for returning it to its factory settings, run this to reset all passwords.
Now test your handiwork by joining the network wirelessly from another PC. On the joining computer, open a command line and enter the command `ipconfig /all`.
Find the wireless network card's details in the morass of information that appears. Make a note of its IP address. If you now click the source or destination columns in Wireshark to sort the incoming information, you can easily find the traffic being generated by this IP address.
The traffic reveals a surprising amount of detail, including the machine's name and its MAC address. If, while monitoring, you find other computers joining the network, their machine's Windows name, MAC address and current IP address will be recorded by Wireshark.
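The same inventory you build by hand in Wireshark (MAC address, IP address and Windows name of each station) can be produced automatically from the captured frames. The script below is an added example, not part of the original article: it parses ARP replies and DHCP client messages (the host name comes from DHCP option 12), ignores the MAC addresses assumed to belong to the honeypot's own access point and monitoring PC, and reports every other station. The sample frames at the bottom are constructed in-line so the script runs offline; real input would be the raw bytes of each frame saved by Wireshark.

```python
import struct
from ipaddress import IPv4Address

# Assumed MACs of the honeypot's own access point and monitoring PC; these are expected on the hub.
HONEYPOT_MACS = {"02:00:00:00:00:01", "02:00:00:00:00:02"}
mac_str = lambda raw: ":".join(f"{b:02x}" for b in raw)

def parse_arp(p):
    # ARP payload: htype(2) ptype(2) hlen(1) plen(1) op(2) sha(6) spa(4) tha(6) tpa(4)
    if len(p) < 28 or struct.unpack("!HHBB", p[:6]) != (1, 0x0800, 6, 4):
        return None
    return {"mac": mac_str(p[8:14]), "ip": str(IPv4Address(p[14:18]))}

def parse_dhcp(p):
    # IPv4 payload -> UDP 68->67 -> BOOTP; returns the client MAC (chaddr) and option 12 host name
    ihl = (p[0] & 0x0F) * 4
    if len(p) < ihl + 8 or p[9] != 17 or struct.unpack("!HH", p[ihl:ihl + 4]) != (68, 67):
        return None
    bootp = p[ihl + 8:]
    if bootp[236:240] != b"\x63\x82\x53\x63":  # DHCP magic cookie must follow the BOOTP header
        return None
    opts, i, name = bootp[240:], 0, None
    while i < len(opts) and opts[i] != 255:  # option 255 ends the list
        if opts[i] == 0: i += 1; continue    # option 0 is a single pad byte
        code, length = opts[i], opts[i + 1]
        if code == 12:
            name = opts[i + 2:i + 2 + length].decode("ascii", "replace")
        i += 2 + length
    return {"mac": mac_str(bootp[28:34]), "hostname": name}

def find_visitors(frames):
    # Returns {mac: {"ip": ..., "hostname": ...}} for every station that is not part of the honeypot
    seen = {}
    for f in frames:
        etype = struct.unpack("!H", f[12:14])[0]
        info = parse_arp(f[14:]) if etype == 0x0806 else parse_dhcp(f[14:]) if etype == 0x0800 else None
        if info and info["mac"] not in HONEYPOT_MACS:
            entry = seen.setdefault(info["mac"], {"ip": None, "hostname": None})
            entry.update({k: v for k, v in info.items() if k != "mac" and v})
    return seen

# Constructed sample frames: an ARP from the AP, then an ARP and a DHCP Discover from an unknown laptop.
AP, LAPTOP = bytes.fromhex("020000000001"), bytes.fromhex("0a1b2c3d4e5f")
def eth(src, etype, payload):
    return b"\xff" * 6 + src + struct.pack("!H", etype) + payload
def arp(mac, ip):
    return eth(mac, 0x0806, struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac + IPv4Address(ip).packed + b"\0" * 10)
def dhcp_discover(mac, name):
    opts = b"\x35\x01\x01\x0c" + bytes([len(name)]) + name.encode() + b"\xff"  # msg type 1, host name, end
    bootp = struct.pack("!4BIHH16s6s", 1, 1, 6, 0, 0x1234, 0, 0x8000, b"", mac) + b"\0" * 202 + b"\x63\x82\x53\x63" + opts
    udp = struct.pack("!4H", 68, 67, 8 + len(bootp), 0) + bootp
    ipv4 = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0, b"", b"\xff" * 4)
    return eth(mac, 0x0800, ipv4 + udp)
SAMPLE_FRAMES = [arp(AP, "192.168.1.1"), arp(LAPTOP, "192.168.1.23"), dhcp_discover(LAPTOP, "BOBS-LAPTOP")]
```

Running `find_visitors(SAMPLE_FRAMES)` lists only the laptop, with both its IP address and its DHCP host name filled in.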
If you picked up another PC, the owner was obviously scanning the neighbourhood looking for new networks to join. Why not have a little fun by letting him know you're on to him?
Try changing the name of the network to his PC's name or some other piece of identifying information, and crank the security up to WPA2 so he won't be able to do anything about it. Doing so may scare him sufficiently to leave you well alone in future.