Effective Windows LAN Monitoring Software


11 replies to this topic

#1 wilo300zx

    DDP Fan club member

  • Members
  • 43 posts
  • Location:Australia

Posted 12 May 2008 - 06:17 PM

Hello,

I am a student studying and working for a company that provides wireless broadband solutions to clients.
We have a current situation where we would like to monitor network traffic at a client level to resolve where data traffic is being used. We have reason to suspect that there is unauthorized activity on the network via WiFi.

I have put several procedures in place to counter this problem:
MAC filtering
WEP encryption
Changed the broadcast channel, SSID and password login within the router

Does anyone know of simple network monitoring software like CommView or Network Probe 2 to record which machine/MAC address downloaded/uploaded how much data at what time?

I need to check to see if the excessive download quotas are coming from within the LAN or from outside (i.e. unauthorized access).

I also have legal and full access to the LAN and all accounts/PCs within.

Please advise if this information is unclear.

Thanks in advance

Wilo

#2 bit_rot

    DDP Fan club member

  • Members
  • 46 posts
  • Location:CA

Posted 12 May 2008 - 08:41 PM

I don't have an answer to your question, but is there a reason why you're using WEP?

#3 vvuiverine

    Gibson Hacker

  • Members
  • 95 posts

Posted 13 May 2008 - 04:21 AM

Not exactly what you are looking for, but I think both Airtraf and Airsnare could help you out. Airtraf will record bytes per IP address; I cannot remember if it can look up the MAC address directly or not. Airsnare, if you don't know, will alert when an unauthorized MAC address is on your wireless network and show each MAC address with the associated IP address.

Wireshark will also report data transfer stats per MAC.

Airtraf: http://airtraf.sourceforge.net/ Airtraf is for Linux though.
Airsnare: http://home.comcast....eboer/airsnare/

It would be a good idea to note which MAC addresses belong to which IP. If an intruder spoofs a friendly MAC address, Airsnare is useless. It is possible to detect MAC spoofing by analyzing the sequence numbers (only if a session has been hijacked). Snort may pick up on this, not sure though.

You could just switch to WPA or use 802.1x with WEP if your AP supports it.

Hope that helps.

Edited by vvuiverine, 13 May 2008 - 07:41 AM.
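An added example of the per-MAC accounting that Airtraf and Wireshark provide, written for this thread rather than taken from either tool: it parses a classic pcap file image, totals bytes transmitted per source MAC per hour, and flags any MAC not on an allowlist, which is the alert Airsnare gives. The capture bytes, timestamps and the `ALLOWED_MACS` list are constructed for illustration.

```python
import struct
from collections import defaultdict

# Hypothetical allowlist of the residence's known client MACs (constructed).
ALLOWED_MACS = {"00:11:22:33:44:55", "66:77:88:99:aa:bb"}

def _frame(src, dst, payload_len):
    """Build an Ethernet/IPv4 frame with a zeroed IP header and dummy payload."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst) + mac(src) + b"\x08\x00" + b"\x45" + b"\x00" * (19 + payload_len)

def build_sample_pcap():
    """Constructed sample capture: little-endian pcap, link type 1 (Ethernet)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    frames = [  # (timestamp, source MAC, payload bytes)
        (1210600000, "00:11:22:33:44:55", 400),
        (1210600005, "de:ad:be:ef:00:01", 1400),  # not on the allowlist
        (1210603700, "00:11:22:33:44:55", 200),   # falls into the next hour
    ]
    out = [hdr]
    for ts, src, n in frames:
        f = _frame(src, "00:aa:bb:cc:dd:ee", n)
        out.append(struct.pack("<IIII", ts, 0, len(f), len(f)) + f)  # record header + data
    return b"".join(out)

def iter_packets(data):
    """Yield (timestamp, frame bytes) from a classic pcap file image."""
    end = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        ts, _usec, incl, _orig = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield ts, data[off:off + incl]
        off += incl

def mac_usage(pcap, bucket=3600):
    """Bytes transmitted per (source MAC, hour bucket), plus MACs not on the allowlist."""
    usage = defaultdict(int)
    unknown = set()
    for ts, frame in iter_packets(pcap):
        if len(frame) < 14:  # truncated frame, no usable Ethernet header
            continue
        src = ":".join(f"{b:02x}" for b in frame[6:12])
        usage[(src, ts - ts % bucket)] += len(frame)
        if src not in ALLOWED_MACS:
            unknown.add(src)
    return dict(usage), unknown
```

Point `mac_usage` at the bytes of a real capture file to get the same per-MAC, per-hour table; counting by destination MAC instead of source gives the download side.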


#4 wilo300zx

    DDP Fan club member

  • Members
  • 43 posts
  • Location:Australia

Posted 14 May 2008 - 07:32 PM

bit_rot:

> I don't have an answer to your question, but is there a reason why you're using WEP?

This issue has been addressed. I did not create the original LAN nor the security measures that were in place. My wireless knowledge is limited, but I would have known not to use a WEP key that was the resident's phone number, nor would I leave the default password on the router. *Bashes head against the wall*

I have changed this to WPA2 with an alphanumeric and symbol passphrase. Disabled SSID broadcast. Enabled MAC filtering, upgraded the firmware on the router, changed the login password to an alphanumeric and symbol passphrase also. Also changed the channel on which the AP broadcasts and lowered its transmission strength without losing coverage of the residence.

vvuiverine:
I have heard of AirSnare but never used it. I have used AirSnort and others to show the seriousness of wireless security and to take appropriate measures.
So Airsnare and Wireshark sound like my best options.

Also, the owner of the residence informs me that security was in place about a month ago, but has now been taken down. Is it safe to assume that this would be a script kiddie attack? A real hacker would leave no evidence that he had been there. Correct me if I'm wrong.

When you mention analyzing the sequence numbers, does this have to be done on the fly? As in when the attack is in place, or can I record the traffic in a log and access it later? I know in Windows you can manually set the MAC address of a NIC. Assuming this is also possible on Linux.

I think I need to read up more on insecure.org and perform some situational tests to improve my knowledge.

And yes, you have been helpful, thank you.

Do you go onto IRC much? I used to be a regular, but have been tied up with work and haven't been on in ages.

#5 LUCKY_FUCKIN_CHARMS

    TCP/IP....PI/MP

  • Members
  • 1,493 posts
  • Gender:Male
  • Location:Las Vegas

Posted 14 May 2008 - 09:11 PM

Try Network Magic with the Speed Meter Pro add-on. It will also email you reports of network activity and which computers are online at what time and how much bandwidth they are using.

#6 vvuiverine

    Gibson Hacker

  • Members
  • 95 posts

Posted 15 May 2008 - 03:00 AM

> vvuiverine:
> I have heard of AirSnare but never used it. I have used AirSnort and others to show the seriousness of wireless security and to take appropriate measures.
> So Airsnare and Wireshark sound like my best options.
>
> Also, the owner of the residence informs me that security was in place about a month ago, but has now been taken down. Is it safe to assume that this would be a script kiddie attack? A real hacker would leave no evidence that he had been there. Correct me if I'm wrong.
>
> When you mention analyzing the sequence numbers, does this have to be done on the fly? As in when the attack is in place, or can I record the traffic in a log and access it later? I know in Windows you can manually set the MAC address of a NIC. Assuming this is also possible on Linux.

The sequence numbers can be analyzed from a Wireshark capture. There is a very good chance that it may be followed up by an ACK storm as well.

If you try to use both Wireshark and Airsnare on the same machine you will run into trouble. Each uses a different version of WinPcap (unless Airsnare has been updated). You may want to try an old version of tethereal with Airsnare. You can just capture into a pcap file and load the results into Ethereal offline for analysis. Some old versions of Ethereal that use the same version of WinPcap as Airsnare have severe buffer overflows in the dissector which allow remote code execution.

If your company has $$$$ to spend there are some cool wireless IDS systems. These are very expensive though.
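vvuiverine's point about spotting MAC spoofing in the sequence numbers of a capture, worked through as an added example that is not from the thread: an 802.11 transmitter numbers its frames with a 12-bit counter, so one card produces a stream that counts up by one (repeating on retransmission and wrapping at 4095), while two devices sharing a MAC produce jumps no single card would. The `GAP_LIMIT` threshold and the `SAMPLE_FRAMES` observations are constructed for illustration; in practice the (MAC, sequence) pairs come from the capture's 802.11 headers.

```python
from collections import Counter

SEQ_MOD = 4096   # 802.11 sequence numbers are 12 bits and wrap at 4096
GAP_LIMIT = 64   # hypothetical threshold: a few lost frames give small gaps, not this

def seq_delta(prev, cur):
    """Forward distance between two sequence numbers, modulo the 12-bit wrap."""
    return (cur - prev) % SEQ_MOD

def find_seq_anomalies(frames, gap_limit=GAP_LIMIT):
    """Return (index, mac, previous seq, seq, delta) for every implausible jump.

    frames is an ordered list of (transmitter MAC, sequence number). A backward
    jump wraps to a delta near 4095, so one test covers both directions.
    """
    last = {}
    anomalies = []
    for i, (mac, seq) in enumerate(frames):
        if mac in last:
            d = seq_delta(last[mac], seq)
            if d > gap_limit:
                anomalies.append((i, mac, last[mac], seq, d))
        last[mac] = seq
    return anomalies

def suspicious_macs(frames, min_hits=2):
    """MACs whose sequence stream jumps at least min_hits times in the window."""
    hits = Counter(a[1] for a in find_seq_anomalies(frames))
    return {mac for mac, n in hits.items() if n >= min_hits}

# Constructed observations, not from a real capture: a legitimate client at
# 00:11:22:33:44:55 counting 100..104, one frame from a second device using the
# same MAC (seq 2300), a retransmission on another client, and a wrap at 4095.
SAMPLE_FRAMES = [
    ("00:11:22:33:44:55", 100),
    ("00:11:22:33:44:55", 101),
    ("66:77:88:99:aa:bb", 500),
    ("00:11:22:33:44:55", 102),
    ("66:77:88:99:aa:bb", 500),   # retry, delta 0, normal
    ("00:11:22:33:44:55", 2300),  # second device using the same MAC
    ("66:77:88:99:aa:bb", 501),
    ("00:11:22:33:44:55", 103),   # real client resumes: backward jump
    ("aa:bb:cc:dd:ee:ff", 4094),
    ("aa:bb:cc:dd:ee:ff", 4095),
    ("aa:bb:cc:dd:ee:ff", 0),     # legitimate wrap, delta 1
    ("00:11:22:33:44:55", 104),
]
```

A single large jump can also be a station that rebooted or roamed back into range, which is why `suspicious_macs` waits for repeated jumps on the same MAC before naming it.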

#7 wilo300zx

    DDP Fan club member

  • Members
  • 43 posts
  • Location:Australia

Posted 16 May 2008 - 12:54 AM

> Try Network Magic with the Speed Meter Pro add-on. It will also email you reports of network activity and which computers are online at what time and how much bandwidth they are using.

I managed to snag a copy of Network Magic and it works very well also, however I was unable to find a copy of the 'Speed Meter Pro add-on' on their website. Any hits on Google also lead me to other 3rd party software not related to Network Magic. Could you specify where you got the add-on?

> The sequence numbers can be analyzed from a Wireshark capture. There is a very good chance that it may be followed up by an ACK storm as well.
>
> If you try to use both Wireshark and Airsnare on the same machine you will run into trouble. Each uses a different version of WinPcap (unless Airsnare has been updated). You may want to try an old version of tethereal with Airsnare. You can just capture into a pcap file and load the results into Ethereal offline for analysis. Some old versions of Ethereal that use the same version of WinPcap as Airsnare have severe buffer overflows in the dissector which allow remote code execution.
>
> If your company has $$$$ to spend there are some cool wireless IDS systems. These are very expensive though.

vvuiverine:
Thanks for your help so far, it has proven to be very helpful. As for the ACK storm, I don't think the intruder would bother; an ACK storm would make too much noise. Besides, SPI firewalls block ACK flooding anyway, don't they?

As for Airsnare and Wireshark, they work a dream. This is exactly the kind of software I was after. Great logging capacity as well as packet sniffing.

However it seems that we have walked into a sh!t storm. Upon discovering that the wireless network had been compromised, it also appears that the firmware on the router itself may have been hacked. When logged into the router, rather than being redirected to an 'admin' or 'start' shtml page, the user is confronted with the following page:
Router Login
Thinking this may run/execute something, we ran this on an isolated PC and discovered that it redirected to 192.168.100.5/cgi
Would cgi suggest that the firmware may be hacked?

Upon discovering this, I have prompted the resident's IT "expert" to check for viruses, back doors, processes and registry settings, anything abnormal, to try and determine what is happening. I have not heard about the results.

I have considered checking the existing firmware's checksum against the exact same firmware version distributed with 'out-of-the-box' routers. I know very little about rlogin and router firmware, so this would be the only thing I could check? Correct me if this would not work.

With the existing router, can we introduce any hack that can prevent the router from being brute forced, or have a dynamic user name and password, making it harder to crack?
The customer is persistent about leaving the hardware where it is. So unfortunately no A-level routers or IDS systems.

Any other ideas about hardening this network? Anything I have left out?
B

#8 LUCKY_FUCKIN_CHARMS

    TCP/IP....PI/MP

  • Members
  • 1,493 posts
  • Gender:Male
  • Location:Las Vegas

Posted 16 May 2008 - 01:39 AM

>> Try Network Magic with the Speed Meter Pro add-on. It will also email you reports of network activity and which computers are online at what time and how much bandwidth they are using.
>
> I managed to snag a copy of Network Magic and it works very well also, however I was unable to find a copy of the 'Speed Meter Pro add-on' on their website. Any hits on Google also lead me to other 3rd party software not related to Network Magic. Could you specify where you got the add-on?
>
>> The sequence numbers can be analyzed from a Wireshark capture. There is a very good chance that it may be followed up by an ACK storm as well.
>>
>> If you try to use both Wireshark and Airsnare on the same machine you will run into trouble. Each uses a different version of WinPcap (unless Airsnare has been updated). You may want to try an old version of tethereal with Airsnare. You can just capture into a pcap file and load the results into Ethereal offline for analysis. Some old versions of Ethereal that use the same version of WinPcap as Airsnare have severe buffer overflows in the dissector which allow remote code execution.
>>
>> If your company has $$ to spend there are some cool wireless IDS systems. These are very expensive though.
>
> vvuiverine:
> Thanks for your help so far, it has proven to be very helpful. As for the ACK storm, I don't think the intruder would bother; an ACK storm would make too much noise. Besides, SPI firewalls block ACK flooding anyway, don't they?
>
> As for Airsnare and Wireshark, they work a dream. This is exactly the kind of software I was after. Great logging capacity as well as packet sniffing.
>
> However it seems that we have walked into a sh!t storm. Upon discovering that the wireless network had been compromised, it also appears that the firmware on the router itself may have been hacked. When logged into the router, rather than being redirected to an 'admin' or 'start' shtml page, the user is confronted with the following page:
> Router Login
> Thinking this may run/execute something, we ran this on an isolated PC and discovered that it redirected to 192.168.100.5/cgi
> Would cgi suggest that the firmware may be hacked?
>
> Upon discovering this, I have prompted the resident's IT "expert" to check for viruses, back doors, processes and registry settings, anything abnormal, to try and determine what is happening. I have not heard about the results.
>
> I have considered checking the existing firmware's checksum against the exact same firmware version distributed with 'out-of-the-box' routers. I know very little about rlogin and router firmware, so this would be the only thing I could check? Correct me if this would not work.
>
> With the existing router, can we introduce any hack that can prevent the router from being brute forced, or have a dynamic user name and password, making it harder to crack?
> The customer is persistent about leaving the hardware where it is. So unfortunately no A-level routers or IDS systems.
>
> Any other ideas about hardening this network? Anything I have left out?
> B

When you're running Network Magic you can click on the "Tools" menu dropdown and then click on Add-ons and download add-ons. This will link you right to the info and download page.

#9 wilo300zx

    DDP Fan club member

  • Members
  • 43 posts
  • Location:Australia

Posted 16 May 2008 - 03:27 AM

> Try Network Magic with the Speed Meter Pro add-on. It will also email you reports of network activity and which computers are online at what time and how much bandwidth they are using.

Thanks, I was looking in their hosting directory, not the program itself.

Anyone support the idea of doing a checksum against the possibly hacked firmware compared to the original firmware checksum?

#10 craygee

    DDP Fan club member

  • Members
  • 50 posts
  • Location:From that place with all the stuff, near that one thing!

Posted 16 May 2008 - 11:12 PM

I like your idea of the checksum, but unfortunately if you are comparing it to the original checksum it will most likely not match due to patching and changes since the install. But if there haven't been any, then away you go :) Good start. You also can go check out the Foundstone Forensic Tool Kit, it's friggin awesome. Everyone should carry that in their pocket. Also, if you want to constantly monitor apps for possible crap, use Foundstone FileWatch, hella kewl.

Also, what do you mean about no IDS due to placement? Is there no room at the router to stick a tiny machine with remote capabilities to just sniff the wireless?

Edited by craygee, 16 May 2008 - 11:19 PM.


#11 xiaokaige

    Will I break 10 posts?

  • Members
  • 3 posts
  • Gender:Male

Posted 03 April 2012 - 09:26 PM

I know of software that can monitor your LAN, but you need to install agent software on those computers.
You can download it at: http://www.lan-monitoring.com, http://www.mysuperspy.com

#12 TheFunk

    SUP3R 31337

  • Binrev Financier
  • 187 posts
  • Gender:Male

Posted 27 May 2012 - 10:38 PM

> If your company has $$$$ to spend there are some cool wireless IDS systems. These are very expensive though.

Yes, most commercial IDSs are expensive (EDIT: now that I actually look at them...HOW DO PEOPLE AFFORD THIS???), however a small business could use something like Snort for free. Sourcefire has put a lot of work into Snort and every year more and more businesses employ Snort as their primary intrusion detection system. The best part: you can even install it on certain home routers!

> With the existing router, can we introduce any hack that can prevent the router from being brute forced, or have a dynamic user name and password, making it harder to crack?
> The customer is persistent about leaving the hardware where it is. So unfortunately no A-level routers or IDS systems.

If the boss man wants to leave the hardware in place, software is the way to go; it just depends now on whether you want an active (IDS/IPS) defense or a passive one (network sniffer/packet logger). Snort is probably your best option right now because it offers you the benefit of choosing between those two types of defenses, and allows for changing back and forth whenever you need. One thing I will say though, is that if you choose to use Snort actively (as an IDS/IPS) be prepared to read up on how the software works ahead of time.

Edited by TheFunk, 27 May 2012 - 10:40 PM.




