#11
April 30th, 2012, 05:14 PM
fordem
Re: WNR2000v2 Wireless Intruders?

You seem to have missed the point - what you are seeing is not MAC spoofing, in progress or otherwise.

We can approach this in two ways ...

a) Your MAC filtering is not working, and therefore an intruder does not need to use MAC spoofing to get onto your network - this would account for the different MAC addresses that you are seeing. MAC spoofing is not being used because it isn't necessary.

b) Your MAC filtering is working, and therefore an intruder needs to use MAC spoofing to get onto your network - if this were the case you would only see MAC addresses that have been entered into your MAC filter as allowed. The fact that you are seeing different MAC addresses indicates that MAC spoofing is not being used.

The very fact that you are seeing different MAC addresses indicates that MAC spoofing is not occurring - whether it be for the first reason or the second.

Let me explain how an individual would go about using MAC spoofing to associate with a wireless network using MAC filtering.

The individual would load wireless sniffing software onto a laptop and then sit at a location where he can capture wireless packets from the network he wishes to associate with - this is a purely passive operation, at this time he is not attached to your network, does not have to transmit a single packet and there is no evidence of his presence, unless you happen to visually see him.

Once he captured a few packets, and I do mean a few, half a dozen is enough, the source & destination MAC addresses are never encrypted, he can then extract an approved MAC address from the captured packets, set that address in the config file for his network card, and then associate with the network - the router at this point cannot distinguish between the intruder & a legitimate user - and neither can you.

If MAC filtering is the only form of security on the network, the intruder is in and you, the owner of the network, are none the wiser. The only MAC address that you will ever see is the one that has been approved in your MAC filter - you may notice higher than normal traffic levels, if you are observant, but these abnormal traffic levels can just as easily be caused by a legitimate user of that MAC address using a new application, or having a virus, or any equally acceptable excuse for increased bandwidth utilisation.

Hopefully, if you didn't understand before, why MAC filtering is considered a waste of time, you will now.
__________________
Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.
#12
May 2nd, 2012, 08:58 AM
Computer_User1
Re: WNR2000v2 Wireless Intruders?

Thanks for the clarification. I was under the impression that MAC spoofing involved generating many MACs until one matches, like a brute force attack. I didn't realize that one can just look at a packet and get an unencrypted MAC address from the header! How convenient... nothing's secure in networking, is it?

Anyway, this still does not seem to explain the potential intrusion I saw. Again, of the 8 unknown devices I saw (3 before radio off / 5 after radio back on), all had the same characteristics: invalid MACs; scrambled device name; and wide range of IPs (from North America, Europe and even Asia). I suspected it was from nearby within the range of my wireless signal (probably by some elite hacker in the area), but at the same time I couldn't rule out the possibility that it could come from the internet through one of my wirelessly connected PCs. Whatever it was, I may never know.

But I am moving forward and leaving this behind. I've flashed the WNR2000v2 with a third party firmware, which gives many more features and controls over the router / networking, such as being able to remove attached devices. Yeah, I know I just voided the "warranty", which I don't have anyway from a refurbished product. In addition, I've employed two more techniques, which hopefully will make intrusions more difficult. One, a longer and harder to guess password, which hopefully renders brute force / dictionary attacks not worth the time. Two, turning off the radio when it's not in use.
#13
August 2nd, 2012, 08:55 AM
Winock
Re: WNR2000v2 Wireless Intruders?

I noticed the same problem, but found out that this happens after installing a Google Calendar on my iPad or iPhone. I spent the whole day trying to get rid of the intruders, but every time everything is OK until I install a Google Calendar...

Is this the same problem?
#14
August 8th, 2012, 09:28 AM
Computer_User1
Re: WNR2000v2 Wireless Intruders?

Quote:
Originally Posted by Winock
I noticed the same problem, but found out that this happens after installing a Google Calendar on my iPad or iPhone. I spent the whole day trying to get rid of the intruders, but every time everything is OK until I install a Google Calendar...

Is this the same problem?

Thanks for posting, but it's a No for your question. I was using a PC, not an iPad nor iPhone. A PC does not need an app for Google Calendar, it can be accessed through a browser. Furthermore, I don't think I was using Google Calendar when the intrusion occurred.
#15
August 12th, 2012, 07:10 AM
PBureau
Re: WNR2000v2 Wireless Intruders?

I had that same knee-jerk reaction when I ran that discovery app, but my reaction was... what MAC address is that ...?

http://www.coffer.com/mac_find/

A small web page that will hint at what the device is. As mentioned, funny how in a household you forget the daughter's cell phone, etc.
__________________
Patrick Bureau
Computer Network Administrator since 1985.
Linux Administrator since 1990
#16
August 21st, 2012, 07:48 AM
Laurazano
Re: WNR2000v2 Wireless Intruders?

THANK YOU! I opened the Network Map & knew there would be a fair number of devices shown on the map (four users in the home). My plan was to rename those devices and ensure all devices shown on the map were legitimate. The link you provided made my task easier!
#17
September 6th, 2012, 10:25 PM
Flippers
Re: WNR2000v2 Wireless Intruders?

Quote:
Originally Posted by fordem
You seem to have missed the point - what you are seeing is not MAC spoofing, in progress or otherwise.

We can approach this in two ways ...

a) Your MAC filtering is not working, and therefore an intruder does not need to use MAC spoofing to get onto your network - this would account for the different MAC addresses that you are seeing. MAC spoofing is not being used because it isn't necessary.

b) Your MAC filtering is working, and therefore an intruder needs to use MAC spoofing to get onto your network - if this were the case you would only see MAC addresses that have been entered into your MAC filter as allowed. The fact that you are seeing different MAC addresses indicates that MAC spoofing is not being used.

The very fact that you are seeing different MAC addresses indicates that MAC spoofing is not occurring - whether it be for the first reason or the second.

Let me explain how an individual would go about using MAC spoofing to associate with a wireless network using MAC filtering.

The individual would load wireless sniffing software onto a laptop and then sit at a location where he can capture wireless packets from the network he wishes to associate with - this is a purely passive operation, at this time he is not attached to your network, does not have to transmit a single packet and there is no evidence of his presence, unless you happen to visually see him.

Once he captured a few packets, and I do mean a few, half a dozen is enough, the source & destination MAC addresses are never encrypted, he can then extract an approved MAC address from the captured packets, set that address in the config file for his network card, and then associate with the network - the router at this point cannot distinguish between the intruder & a legitimate user - and neither can you.

If MAC filtering is the only form of security on the network, the intruder is in and you, the owner of the network, are none the wiser. The only MAC address that you will ever see is the one that has been approved in your MAC filter - you may notice higher than normal traffic levels, if you are observant, but these abnormal traffic levels can just as easily be caused by a legitimate user of that MAC address using a new application, or having a virus, or any equally acceptable excuse for increased bandwidth utilisation.

Hopefully, if you didn't understand before, why MAC filtering is considered a waste of time, you will now.

I have tried with both MAC filtering on or off, and still I have the apparent problem of hackers getting into the router somehow. What I am seeing is this in Attached Devices when I refresh the page:

The first two connections are legitimate (Macbook Pro and iPad), but the rest are not. Why is the device name scrambled? IP addresses show both China and the USA - how are these possible?
I have turned off the PING and disabled the router's PIN. Have also turned off SSID broadcast and am running WPA2-PSK [AES] level security with an alphanumeric (and mixed case) passphrase.
What exactly am I seeing? Here is a second image, much like the first:

Thanks!
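
Added example, not part of any post in this thread: a small Python triage of an Attached Devices table for the three symptoms reported above (addresses outside the LAN, invalid MACs, scrambled device names). The LAN subnet, the reason labels and the sample rows are constructed assumptions, since the screenshots are not reproduced here.

```python
import ipaddress
import re

# Assumption: the router's LAN subnet. Adjust to your own network.
LAN = ipaddress.ip_network("192.168.1.0/24")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")
NAME_OK = set("-_. ")

def triage(ip, name, mac):
    """Return the reasons (possibly none) why one table row looks wrong."""
    reasons = []
    try:
        addr = ipaddress.ip_address(ip)
        if addr not in LAN:
            # A LAN client gets its address from the router's own pool, so
            # anything else is not a normal DHCP lease.
            private = any(addr in net for net in RFC1918)
            reasons.append("ip-outside-lan" if private else "ip-not-rfc1918")
    except ValueError:
        reasons.append("ip-unparseable")
    if not MAC_RE.match(mac):
        reasons.append("mac-malformed")
    elif set(mac) <= set("0:"):
        reasons.append("mac-all-zero")
    elif int(mac[:2], 16) & 0x01:
        # The low bit of the first octet marks a group (multicast/broadcast)
        # address, which is never a station's own address.
        reasons.append("mac-multicast-bit")
    if any(not (c.isascii() and c.isalnum()) and c not in NAME_OK for c in name):
        reasons.append("name-not-hostname-like")
    return reasons

def audit(rows):
    """Map each suspicious row's IP to its list of reasons."""
    return {ip: r for ip, name, mac in rows if (r := triage(ip, name, mac))}

# Constructed sample rows (ip, device name, MAC); not taken from the thread.
ROWS = [
    ("192.168.1.2", "Macbook-Pro", "00:11:22:33:44:55"),
    ("192.168.1.3", "iPad", "00:11:22:33:44:66"),
    ("203.0.113.7", "x\x03%$#q", "01:9Z:00:11:22:33"),
    ("198.51.100.20", "}{;;", "FF:FF:FF:FF:FF:FF"),
]

if __name__ == "__main__":
    for ip, reasons in audit(ROWS).items():
        print(ip, reasons)
```

Rows that fail all three checks at once do not look like any real station's entry, which is a reason to consider a corrupted table as well as an intruder.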
#18
September 14th, 2012, 12:46 PM
Computer_User1
Re: WNR2000v2 Wireless Intruders?

Wow, those are the screenshots I was missing before! Exact same characteristics as I described before, with scrambled device names (some almost like programming codes) and IPs all over the world. That proves I wasn't just imagining what I saw and wasn't alone in experiencing this. Thank you very much, Flippers!

Now that we have screenshots, and a count of two people experiencing this potential intrusion attack on the same exact model of router, can someone tell us what exactly this is? Is this really a hacking attack or just a glitch in the router?

Also a question for Flippers: did you happen to also upgrade your firmware before seeing this or not? Very important to confirm this, thanks.
#19
September 14th, 2012, 01:07 PM
Flippers
Re: WNR2000v2 Wireless Intruders?

Router has latest update.

What is interesting is I changed the channel select from Automatic to a fixed channel - and these all went away! I've been monitoring the logs and so far, haven't seen much activity, but will check it later tonight to see if the problem has indeed vanished.

So there is a chance the problem is not actual attacks, but rather weird buffer overflows based on the channel used - the router had chosen channel 6 and I found several others in the immediate area on the same one, so I chose an unused channel. Found the channels via an iPhone app, "WiFiFoFum", which shows a list of wi-fi in the area along with strength and channel used. Handy!
#20
September 14th, 2012, 01:21 PM
jmizoguchi
Re: WNR2000v2 Wireless Intruders?

Quote:
What is interesting is I changed the channel select from Automatic to a fixed channel - and these all went away!

A bit strange behavior. You may want to put in a bug report on this.

Quote:
Found the channels via an iPhone app, "WiFiFoFum", which shows a list of wi-fi in the area along with strength and channel used. Handy!

Or use this one:
http://www.metageek.net/products/inssider/

Quite a strong app for free.
__________________
VPN Case Study (www.vpncasestudy.com)
Our Second To None VPN Related Setup Case Study
"One Stop Solution To Your Netgear VPN Connectivity"
*Visit the site for Non-VPN related Doc & Links* [Windows & Mac user/support]

Most Other Useful Docs -"General Technical Documentation", "Router Reset", "Router Setup", "Print Server Tips", "Remote Admin"
"Wireless Tips"


Forum Policy

June Mizoguchi-i....@vpncasestudy.com
All times are GMT -8.