getting rid of wifi network intruder

rogerdv

A friend of mine manages a small network covering part of the city, with around a couple of dozen APs. Lately, we have had an intruder who uses a very annoying method to get in: he clones the MAC of some of our APs near him. That creates a big mess in the network, and the connection drops for some people (including me). How can we permanently get rid of him and maybe teach him a lesson? Is there any way to physically damage the intruder's AP or attack his PC?
 
Feb 25, 2011
16,997
1,626
126
Do you use password authentication? (Like hotels and Starbucks, etc.)

Or does MAC cloning work around that because he's cloning an AP MAC and not a client MAC? (Never tried it.)
 

JackMDS

Hard to give you any answer without knowing how logon is done and what security measures are used.


:cool:
 

lagokc

I suppose you could use iptables to forward all traffic from his IP address to a site you've set up that says something like "You are connecting through *fake name* network. Please download client for optimum service."

You can pretty much use your imagination with what sort of executable you use as the "client".
 

rogerdv

Sorry for missing crucial info. The network uses WEP, and the guy is cloning an AP MAC; actually, he clones one of several APs and chooses a random IP. He seems to know our network very well, has the password, and also knows which PC is the internet gateway. In the network, everything is running under Windows; I installed a Linux server for them, but they never used it and it is still at my home doing nothing.
 

AnonymouseUser

WEP has been insecure since 2001. Start using WPA2 and disable WPS (if applicable).

And change the password.
 

JackMDS

> WEP has been insecure since 2001. Start using WPA2 and disable WPS (if applicable).
>
> And change the password.

+1

Also change the login ID and password of the APs' configuration menus using the strongest possible password.


:cool:
 

wirednuts

yeah.. wep is your problem. he likely cracked the password and went from there. the cloning of the MAC addresses is probably to keep himself somewhat hidden i guess.

enable wpa2, change passwords for everything.
 
Feb 25, 2011
16,997
1,626
126
Do your APs have a MAC ghosting option of their own? Change them to spell out obscenities in hex. (B0:0b:13:55:00:00 or somesuch.)

The first person who laughs out loud while on the premises gets bludgeoned repeatedly about the head and shoulders with some variety of blunt instrument.
 

marcplante

Does changing the SSID and turning off SSID broadcast help? Or is there enough sniffing technology to offset that?
 

ImDonly1

Anyone with the right wireless card, a YouTube video and 15 minutes of time can crack a WEP key. Move to WPA2.

Disabling the SSID broadcast does nothing because all sniffer tools detect wireless packets and the addresses associated with them; SSID visible or invisible doesn't matter.
 

rogerdv

The first time I talked to my friend, he told me that it was impossible to use WPA because it would require a single AP to work as the center, with the other APs connecting to that one. Also, Nanos and Bullets don't support WPA, because they have some protection of their own that prevents the WEP password from being decrypted.
Anyway, I think the guy is getting the password by other means and even if we use WPA, he will still be able to clone the MAC of some AP and create a mess.
 

Gryz

> Anyway, I think the guy is getting the password by other means and even if we use WPA, he will still be able to clone the MAC of some AP and create a mess.

Why don't you listen to the others here?
WEP was cracked a decade ago. The tools to do that have been available for almost as long. The procedure to crack any WEP-protected WiFi takes only a few minutes. You could just as well have no protection at all.

I don't know the details about WiFi encryption. But I would assume that everything is covered by the encryption, including layer-2 headers, MAC-addresses, etc. Once you use the proper encryption to lock people out, they can't mess with the network anymore.

The only solution is to use a better encryption method.
 

JackMDS

> The first time I talked to my friend, he told me that it was impossible to use WPA because it would require a single AP to work as the center, with the other APs connecting to that one. Also, Nanos and Bullets don't support WPA, because they have some protection of their own that prevents the WEP password from being decrypted.
> Anyway, I think the guy is getting the password by other means and even if we use WPA, he will still be able to clone the MAC of some AP and create a mess.


The way you provide info makes it impossible to really understand what the actual configuration of the network is.

Encryption is part of each AP. If you have APs that are old and cannot go above WEP, then it is time to get new ones so the whole network can be protected by WPA and above (WPA2/WPA-AES).

If there is good encryption and the hardware configuration interface is protected by a good, secure ID and password, the MAC cloning business is irrelevant.

Given the content of the thread, you should consider hiring a wireless consultant, or spend some time really learning the issues if you want to do it by yourself.



:cool:
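
Added example, not part of the original thread: a way for the network's operators to confirm from a passive beacon capture that one of their AP MACs (BSSIDs) is being transmitted by a second radio, as the first post describes. The CSV layout, the MAC addresses, the `MAX_STEP` threshold and the function name `find_cloned_bssids` are assumptions made for this sketch; the sample rows are constructed.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: time_s, bssid, channel (from the beacon itself), sequence number
SAMPLE = """\
0.000,00:11:22:33:44:01,6,4090
0.102,00:11:22:33:44:01,6,4093
0.205,00:11:22:33:44:01,6,2
0.307,00:11:22:33:44:01,6,5
0.000,00:11:22:33:44:02,1,100
0.050,00:11:22:33:44:02,11,2771
0.102,00:11:22:33:44:02,1,103
0.152,00:11:22:33:44:02,11,2774
0.205,00:11:22:33:44:02,1,107
0.255,00:11:22:33:44:02,11,2776
"""

SEQ_MOD = 4096  # the 802.11 sequence number is a 12-bit counter per transmitter
MAX_STEP = 64   # assumed largest plausible gap between two beacons of one radio

def find_cloned_bssids(text, min_jumps=3):
    """Return {bssid: [reasons]} for BSSIDs that look like two radios."""
    frames = defaultdict(list)
    for ts, bssid, chan, seq in csv.reader(io.StringIO(text)):
        frames[bssid.lower()].append((float(ts), int(chan), int(seq)))
    findings = {}
    for bssid, obs in frames.items():
        obs.sort()  # chronological order
        channels = sorted({c for _, c, _ in obs})
        # One radio counts upward (wrapping at 4096); two radios sharing an
        # address interleave two counters, so consecutive frames jump wildly.
        jumps = sum(1 for (_, _, a), (_, _, b) in zip(obs, obs[1:])
                    if (b - a) % SEQ_MOD > MAX_STEP)
        reasons = []
        if len(channels) > 1:
            reasons.append(f"beacons on channels {channels}")
        if jumps >= min_jumps:
            reasons.append(f"{jumps} sequence-number jumps")
        if reasons:
            findings[bssid] = reasons
    return findings

if __name__ == "__main__":
    for bssid, reasons in find_cloned_bssids(SAMPLE).items():
        print(bssid, "->", "; ".join(reasons))
```

Both signals are indicators rather than proof: an AP that changes channel on its own or reboots during the capture will also trip them, so compare flagged BSSIDs against the known configuration of each AP.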