wilo300zx

Effective Windows LAN Monitoring Software

10 posts in this topic

Hello,

I am a student studying and working for a company that provides wireless broadband solutions to clients.

We have a current situation where we would like to monitor network traffic at a client level to resolve where data traffic is being used. We have reason to suspect that there is unauthorized activity on the network via WIFI.

I have put in place several procedures to counter this problem:

MAC filtering

WEP encryption

Changed the Broadcast Channel, SSID and password login within the router

Does anyone know of a simple network monitoring program, like CommView or Network Probe 2, to record which machine/MAC address downloaded/uploaded how much data and at what time?

I need to check whether the excessive download quotas are coming from within the LAN or from outside (i.e. unauthorized access).

I also have legal and full access to the LAN and all accounts/PCs within it.

Please advise if this information is unclear.

Thanks in advance

Wilo

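Since the question is per-machine byte accounting, here is an added example (my own, not code from Wilo or from CommView, Network Probe, Airsnare or Wireshark) of that tally done offline in Python over a saved capture: it reads a classic libpcap file with an Ethernet link type and sums bytes transmitted and received per MAC address per hour, which is the figure to line up against the download quota the provider reports. The capture it reads is constructed inside the script so it runs stand-alone; `parse_pcap()` accepts the bytes of a real capture file instead. The MAC addresses, timestamps and the names `build_sample_capture()`, `tally_per_mac()` and `usage_report()` are assumptions made for this example.

```python
"""Per-MAC traffic accounting from a libpcap capture.

Added example (not one of the tools named in the thread): reads a classic pcap
file, such as one saved by Wireshark or tethereal with an Ethernet link type,
and tallies bytes transmitted and received per MAC address per hour. The
capture produced by build_sample_capture() is constructed for a stand-alone
run; pass the bytes of a real capture file to parse_pcap() to analyse one.
"""
import struct
from collections import defaultdict
from datetime import datetime, timezone

PCAP_MAGIC_LE = 0xA1B2C3D4     # microsecond pcap, as read with "<I" from a little-endian file
PCAP_MAGIC_BE = 0xD4C3B2A1     # the same magic seen when the file was written big-endian
LINKTYPE_ETHERNET = 1


def mac_str(raw: bytes) -> str:
    """Format six raw bytes as aa:bb:cc:dd:ee:ff."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_pcap(data: bytes):
    """Yield (timestamp_seconds, frame_bytes) for every record in a classic pcap blob."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC_LE:
        endian = "<"
    elif magic == PCAP_MAGIC_BE:
        endian = ">"
    else:
        raise ValueError("not a classic (non-pcapng) pcap file")
    # rest of the global header: version major/minor, tz offset, sigfigs, snaplen, link type
    _major, _minor, _tz, _sigfigs, _snaplen, linktype = struct.unpack(endian + "HHiIII", data[4:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"expected Ethernet link type 1, got {linktype}")
    offset = 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        frame = data[offset:offset + incl_len]
        offset += incl_len
        yield ts_sec + ts_usec / 1_000_000, frame


def tally_per_mac(records, bucket_seconds=3600):
    """Return {(mac, bucket_start_iso): {"tx": bytes, "rx": bytes}} over the records.

    Broadcast and multicast destinations are not credited as a receiver, so that
    ARP and discovery chatter does not inflate any one station's figures.
    """
    usage = defaultdict(lambda: {"tx": 0, "rx": 0})
    for ts, frame in records:
        if len(frame) < 14:          # shorter than an Ethernet header: skip
            continue
        dst, src = frame[:6], frame[6:12]
        bucket = int(ts // bucket_seconds) * bucket_seconds
        when = datetime.fromtimestamp(bucket, tz=timezone.utc).isoformat()
        usage[(mac_str(src), when)]["tx"] += len(frame)
        if not dst[0] & 0x01:        # group bit clear: a real unicast receiver
            usage[(mac_str(dst), when)]["rx"] += len(frame)
    return dict(usage)


def build_sample_capture() -> bytes:
    """Constructed capture: two stations and a gateway over two hours (all values made up)."""
    gw = bytes.fromhex("001122334455")
    sta_a = bytes.fromhex("aabbccddeeff")
    sta_b = bytes.fromhex("deadbeefcafe")
    bcast = bytes.fromhex("ffffffffffff")
    t0 = 1_200_000_000               # constructed epoch time: 2008-01-10 21:20:00 UTC
    frames = [                       # (time, source, destination, frame length)
        (t0 + 10, sta_a, gw, 1000),
        (t0 + 20, gw, sta_a, 1400),
        (t0 + 30, sta_b, gw, 200),
        (t0 + 3700, gw, sta_b, 1400),
        (t0 + 3800, gw, sta_b, 1400),
        (t0 + 3900, sta_a, bcast, 60),
    ]
    out = bytearray(struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for ts, src, dst, length in frames:
        frame = dst + src + b"\x08\x00" + b"\x00" * (length - 14)   # IPv4 ethertype, zero payload
        out += struct.pack("<IIII", ts, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def usage_report(pcap_bytes: bytes):
    """Rows of (mac, hour, tx, rx) sorted by hour, then by total bytes, largest first."""
    usage = tally_per_mac(parse_pcap(pcap_bytes))
    rows = [(mac, when, v["tx"], v["rx"]) for (mac, when), v in usage.items()]
    return sorted(rows, key=lambda r: (r[1], -(r[2] + r[3])))


if __name__ == "__main__":
    for mac, when, tx, rx in usage_report(build_sample_capture()):
        print(f"{when}  {mac}  tx={tx:>6}  rx={rx:>6}")
```

The hour bucket is the unit the provider's quota figures are usually stated in; pass a different `bucket_seconds` to `tally_per_mac()` for finer resolution. Frames are counted at their captured length, so a capture taken with a snaplen shorter than the frames will undercount.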

I don't have an answer to your question, but is there a reason why you're using WEP?


Not exactly what you are looking for, but I think both Airtraf and Airsnare could help you out. Airtraf will record bytes per IP address; I cannot remember if it can look up the MAC address directly or not. Airsnare, if you don't know, will alert when an unauthorized MAC address is on your wireless network and show each MAC address with the associated IP address.

Wireshark will also report data transfers stats per MAC.

Airtraf: http://airtraf.sourceforge.net/ Airtraf is for Linux though.

Airsnare: http://home.comcast.net/~jay.deboer/airsnare/

It would be a good idea to note what MAC addresses belong to what IP. If an intruder spoofs a friendly MAC address, Airsnare is useless. It is possible to detect MAC spoofing by analyzing the sequence numbers (only if a session has been hijacked). Snort may pick up on this, not sure though.

You could just switch to WPA or use 802.1x with WEP if your AP supports it.

Hope that helps.

Edited by vvuiverine
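An added example, not a tool named in this thread, of the sequence-number check vvuiverine mentions, done offline over a capture rather than on the fly: every 802.11 management and data frame carries a 12-bit sequence counter that the sending radio increments once per frame, so two radios transmitting under one MAC address show up as two interleaved counters, and the number repeatedly jumps backwards. The frames are constructed inside the script; the addresses and the names `find_sequence_anomalies()` and `build_data_frame()` are my own assumptions. On a real capture the input must be raw 802.11 headers from a monitor-mode capture (with any radiotap header stripped), not the Ethernet frames the access point hands to the wired side, because those carry no sequence field.

```python
"""Spotting a spoofed station in an 802.11 capture by its sequence numbers.

Added example, not a tool mentioned in the thread. The frames below are
constructed in memory; on a real capture, feed (timestamp, raw_80211_frame)
pairs to find_sequence_anomalies().
"""
import struct
from collections import defaultdict

SEQ_MODULUS = 4096      # the sequence number field is 12 bits wide


def mac_str(raw: bytes) -> str:
    """Format six raw bytes as aa:bb:cc:dd:ee:ff."""
    return ":".join(f"{b:02x}" for b in raw)


def parse_80211_header(frame: bytes):
    """Return (frame_type, transmitter_mac, sequence_number), or None if the frame has no sequence field."""
    if len(frame) < 24:
        return None
    ftype = (frame[0] >> 2) & 0x03          # 0 = management, 1 = control, 2 = data
    if ftype == 1:
        return None                         # control frames carry no sequence control field
    transmitter = mac_str(frame[10:16])     # address 2 is the transmitting station
    seq_ctrl = struct.unpack("<H", frame[22:24])[0]
    return ftype, transmitter, seq_ctrl >> 4  # low 4 bits are the fragment number


def find_sequence_anomalies(frames, reorder_tolerance=8):
    """Return {mac: [(timestamp, previous_seq, seq), ...]} for backward sequence jumps.

    The signed distance is taken modulo 4096, so the legitimate wrap from 4095
    to 0 counts as +1. Small backward steps happen with retransmissions and
    capture reordering; anything further back than reorder_tolerance is flagged.
    """
    last_seq = {}
    anomalies = defaultdict(list)
    for ts, frame in frames:
        parsed = parse_80211_header(frame)
        if parsed is None:
            continue
        _ftype, mac, seq = parsed
        if mac in last_seq:
            delta = ((seq - last_seq[mac] + SEQ_MODULUS // 2) % SEQ_MODULUS) - SEQ_MODULUS // 2
            if delta < -reorder_tolerance:
                anomalies[mac].append((ts, last_seq[mac], seq))
        last_seq[mac] = seq
    return dict(anomalies)


def build_data_frame(transmitter: bytes, bssid: bytes, seq: int) -> bytes:
    """Constructed minimal To-DS data frame header: FC, duration, addr1..3, sequence control."""
    frame_control = bytes([0x08, 0x01])     # type data, subtype 0, To-DS flag set
    duration = b"\x00\x00"
    seq_ctrl = struct.pack("<H", (seq << 4) & 0xFFFF)
    return frame_control + duration + bssid + transmitter + bssid + seq_ctrl


def build_sample_frames():
    """Constructed capture: one MAC used by two radios, plus two well-behaved stations."""
    ap = bytes.fromhex("001122334455")
    shared = bytes.fromhex("aabbccddeeff")  # the genuine station and a second radio both use this
    clean = bytes.fromhex("deadbeefcafe")
    wrapping = bytes.fromhex("0a0b0c0d0e0f")
    plan = [  # (time, transmitter, sequence number)
        (1.0, shared, 100), (1.1, shared, 101),
        (1.2, shared, 2000),                  # second radio's counter appears
        (1.3, shared, 102),                   # genuine station resumes: backward jump
        (1.4, shared, 2001),
        (1.5, shared, 103),                   # backward again
        (2.0, clean, 500), (2.1, clean, 501), (2.2, clean, 502),
        (3.0, wrapping, 4094), (3.1, wrapping, 4095), (3.2, wrapping, 0), (3.3, wrapping, 1),
    ]
    return [(ts, build_data_frame(tx, ap, seq)) for ts, tx, seq in plan]


if __name__ == "__main__":
    for mac, events in find_sequence_anomalies(build_sample_frames()).items():
        print(f"{mac}: {len(events)} backward sequence jumps")
        for ts, prev, cur in events:
            print(f"  t={ts:.1f}s  {prev} -> {cur}")
```

A single backward jump can be a station rebooting or a driver quirk; a MAC that keeps alternating between two counters over a stretch of the capture is the pattern worth following up, which is why the function returns every event rather than a yes/no.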

bit_rot:

I don't have an answer to your question, but is there a reason why you're using WEP?

This issue has been addressed. I did not create the original LAN nor the security measures that were in place. My wireless knowledge is limited, but I would have known not to use a WEP key that was the resident's phone number, nor would I leave the default password on the router. *Bashes head against the wall*

I have changed this to WPA2 with an alphanumeric and symbol passphrase. Disabled SSID broadcast. Enabled MAC filtering, upgraded the firmware on the router, changed the login password to an alphanumeric and symbol passphrase also. Also changed the channel on which the AP broadcasts and lowered its transmission strength without losing coverage of the residence.

vvuiverine:

I have heard of AirSnare but never used it. I have used AirSnort and others to show the seriousness of wireless security and to take appropriate measures.

So Airsnare and Wireshark sound like my best options.

Also, the owner of the residence informs me that security was in place about a month ago, but now has been taken down. Is it safe to assume that this would be a script kiddie attack? A real hacker would leave no evidence that he had been there. Correct me if I'm wrong.

When you mention analyzing the sequence numbers, does this have to be done on the fly, as in when the attack is in place, or can I record the traffic in a log and access it later? I know in Windows you can manually set the MAC address of a NIC. I assume this is also possible on Linux.

I think I need to read up more on insecure.org and perform some situational tests to improve my knowledge.

And yes, you have been helpful, thank you.

Do you go on IRC much? I used to be a regular, but have been tied up with work and haven't been on in ages.

vvuiverine:

I have heard of AirSnare but never used it. I have used AirSnort and others to show the seriousness of wireless security and to take appropriate measures.

So Airsnare and Wireshark sound like my best options.

Also, the owner of the residence informs me that security was in place about a month ago, but now has been taken down. Is it safe to assume that this would be a script kiddie attack? A real hacker would leave no evidence that he had been there. Correct me if I'm wrong.

When you mention analyzing the sequence numbers, does this have to be done on the fly, as in when the attack is in place, or can I record the traffic in a log and access it later? I know in Windows you can manually set the MAC address of a NIC. I assume this is also possible on Linux.

The sequence numbers can be analyzed from a Wireshark capture. There is a very good chance that it may be followed up by an ACK storm as well.

If you try to use both Wireshark and Airsnare on the same machine you will run into trouble. Each uses a different version of WinPcap (unless Airsnare has been updated). You may want to try an old version of tethereal with Airsnare. You can just capture into a pcap file and load the results into Ethereal offline for analysis. Some old versions of Ethereal that use the same version of WinPcap as Airsnare have severe buffer overflows in the dissectors which allow remote code execution.

If your company has $$$$ to spend there are some cool wireless IDS systems. These are very expensive though.

try network magic with the speed meter pro addon. it will also email you reports of network activity and which computers are online at what time and how much bandwidth they are using.

I managed to snag a copy of Network Magic and it works very well also; however, I was unable to find a copy of the 'speed meter pro addon' on their website. Any hits on Google also lead me to other third-party software not related to Network Magic. Could you specify where you got the add-on?

The sequence numbers can be analyzed from a Wireshark capture. There is a very good chance that it may be followed up by an ACK storm as well.

If you try to use both Wireshark and Airsnare on the same machine you will run into trouble. Each uses a different version of WinPcap (unless Airsnare has been updated). You may want to try an old version of tethereal with Airsnare. You can just capture into a pcap file and load the results into Ethereal offline for analysis. Some old versions of Ethereal that use the same version of WinPcap as Airsnare have severe buffer overflows in the dissectors which allow remote code execution.

If your company has $$$$ to spend there are some cool wireless IDS systems. These are very expensive though.

vvuiverine

Thanks for your help so far, it has proven to be very helpful. As for the ACK storm, I don't think the intruder would bother; an ACK storm would make too much noise. Besides, SPI firewalls block ACK flooding anyway, don't they?

As for Airsnare and Wireshark, they work a dream. This is exactly the kind of software I was after. Great logging capacity as well as packet sniffing.

However, it seems that we have walked into a sh!t storm. Upon discovering that the wireless network had been compromised, it also appeared that the firmware on the router itself may have been hacked. When logging into the router, rather than being redirected to an 'admin' or 'start' shtml page, the user is confronted with the following page:

Router Login

Thinking this might run/execute something, we ran this on an isolated PC and discovered that it redirected to 192.168.100.5/cgi

Would the cgi suggest that the firmware may be hacked?

Upon discovering this, I have prompted the resident's IT "expert" to check for viruses, back doors, processes and registry settings, anything abnormal, to try and determine what is happening. I have not heard about the results.

I have considered checking the existing firmware's checksum against the exact same firmware version distributed with 'out-of-the-box' routers. I know very little about rlogin and router firmware, so this would be the only thing I could check? Correct me if this would not work.

With the existing router, can we introduce any hack that can prevent the router from being brute forced, or have a dynamic user name and password, making it harder to crack?

The customer insists on leaving the hardware where it is. So unfortunately no A-level routers or IDS systems.

Any other ideas about hardening this network? Anything I have left out?

B

try network magic with the speed meter pro addon. it will also email you reports of network activity and which computers are online at what time and how much bandwidth they are using.

Thanks, I was looking in their hosting directory, not the program itself.

Anyone support the idea of doing a checksum against the possibly hacked firmware, compared to the original firmware checksum?


I like your idea of the checksum, but unfortunately if you are comparing it to the original checksum it will most likely not match due to patching and changes since the install. But if there haven't been any, then away you go :) Good start. You also can go check out the Foundstone Forensic Tool Kit; it's friggin awesome. Everyone should carry that in their pocket. Also, if you want to constantly monitor apps for possible crap, use Foundstone FileWatch. Hella kewl.

Also, what do you mean about no IDS due to placement? Is there no room at the router to stick a tiny machine with remote capabilities to just sniff the wireless?

Edited by craygee
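An added example, not from the thread and not from Foundstone, of the checksum comparison Wilo proposes and craygee qualifies: hash the dumped image and look it up in a table of vendor-published SHA-256 values keyed by firmware version, so a dump that matches a different release (craygee's patched-since-install case) is reported separately from one that matches nothing at all. The thread names no router model or vendor hash, so the images and their hashes in the script are constructed stand-ins, and the function names are mine.

```python
"""Checking a dumped router firmware image against vendor-published checksums.

Added example, not a tool from the thread. KNOWN_GOOD stands in for the table
of hashes a vendor publishes per release; the two reference images it is built
from are constructed so the script runs stand-alone.
"""
import hashlib
import hmac


def sha256_hex(image: bytes) -> str:
    """SHA-256 of the whole image as a hex string."""
    return hashlib.sha256(image).hexdigest()


def classify_firmware(image: bytes, claimed_version: str, known_good: dict) -> dict:
    """Compare an image against a {version: sha256_hex} table.

    status is one of:
      "match"          image equals the published hash for the version the router claims
      "other_version"  image equals the published hash of a different release
      "unknown"        image matches no published release: modified, corrupt, or unlisted
    """
    digest = sha256_hex(image)
    for version, published in known_good.items():
        if hmac.compare_digest(digest, published):      # constant-time comparison of the hex strings
            status = "match" if version == claimed_version else "other_version"
            return {"status": status, "sha256": digest, "matched_version": version}
    return {"status": "unknown", "sha256": digest, "matched_version": None}


# Constructed stand-in images (placeholders for the vendor's download files).
_IMAGE_V103 = b"FIRMWARE v1.0.3 " + bytes(range(256)) * 4
_IMAGE_V104 = b"FIRMWARE v1.0.4 " + bytes(range(256)) * 4
KNOWN_GOOD = {
    "1.0.3": sha256_hex(_IMAGE_V103),
    "1.0.4": sha256_hex(_IMAGE_V104),
}


def sample_results() -> dict:
    """Run the check over three constructed dumps: pristine, updated since install, and tampered."""
    tampered = bytearray(_IMAGE_V103)
    tampered[200] ^= 0x01              # one flipped bit anywhere changes the digest
    return {
        "pristine": classify_firmware(_IMAGE_V103, "1.0.3", KNOWN_GOOD)["status"],
        "updated": classify_firmware(_IMAGE_V104, "1.0.3", KNOWN_GOOD)["status"],
        "tampered": classify_firmware(bytes(tampered), "1.0.3", KNOWN_GOOD)["status"],
    }


if __name__ == "__main__":
    for name, status in sample_results().items():
        print(f"{name}: {status}")
```

The comparison only means something if the image reaches you through a path the suspect firmware cannot interfere with, such as a flash dump taken over a serial or JTAG connection; a backdoored firmware's own admin pages cannot be trusted to hand over an honest copy of themselves. An "unknown" result says the image differs from every listed release, not what changed; identifying the difference needs the reference image for a byte-level comparison.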

If your company has $$$$ to spend there are some cool wireless IDS systems. These are very expensive though.

Yes, most commercial IDSs are expensive (EDIT: now that I actually look at them... HOW DO PEOPLE AFFORD THIS???), however a small business could use something like Snort for free. Sourcefire has put a lot of work into Snort and every year more and more businesses employ Snort as their primary intrusion detection system. The best part: you can even install it on certain home routers!

With the existing router, can we introduce any hack that can prevent the router from being brute forced, or have a dynamic user name and password, making it harder to crack?

The customer insists on leaving the hardware where it is. So unfortunately no A-level routers or IDS systems.

If the boss man wants to leave the hardware in place, software is the way to go; it just depends now on whether you want an active (IDS/IPS) defense or a passive one (network sniffer/packet logger). Snort is probably your best option right now because it offers you the benefit of choosing between those two types of defenses, and allows for changing back and forth whenever you need. One thing I will say, though, is that if you choose to use Snort actively (as an IDS/IPS), be prepared to read up on how the software works ahead of time.

Edited by TheFunk
