5

I'm trying to figure out how to configure a network so that I can tell what an intruder did (in the past) while on the network after they are detected. E.g., if someone with a wi-fi enabled laptop parked outside my home and connected to my home network because he was able to crack my weak encryption, and if he were to do some fraudulent activity from my network, how can I configure my network and where would I have to look on the network to see what he was up to? What devices would be able to log valuable information and how would I make sense of this information?

AJ Henderson
Tony
  • Could you clarify your question please. Are you asking how to determine if there is an intruder on your network and determine what they are actively doing, or are you asking about how to determine what they did while connected in the past? Is this a theoretical question or is this in response to thinking you have been compromised? If it is a response to a real world scenario, what tipped you off or made you suspicious? – AJ Henderson Jan 04 '13 at 06:06
  • A very nice answer by Callum made me think why in the first place we are taking passive security measures. Why do we not take active measures by deploying an ACL on the router based on MAC address? A home user knows what the legal MAC addresses for his network are, based on which we can restrict access. If a router has support for ACLs, it is a must for security. I googled further and found articles on ACL configuration for a [wireless network](http://kb.netgear.com/app/answers/detail/a_id/13112/~/securing-your-wireless-network:-access-control-list). – Ali Ahmad Jan 04 '13 at 15:49
  • @AJHenderson - Thanks for your comment. The question is a theoretical one and yes I am asking about how to determine what they did while connected in the past. However, I also appreciate the comments on passive network analysis. – Tony Jan 06 '13 at 05:25
  • Why don't you just use a strong WPA key and make intrusion impossible? The question sounds really weird.... Why do you accept intrusion as such if you can easily prevent it from happening? – kaidentity Sep 23 '16 at 14:33

6 Answers

5

Most routers (even retail wifi units) have an admin screen that lists all the active clients that have been allocated an IP address by DHCP. This usually lists the MAC address of the client too.

Usually they look like this:

CLIENT NAME       IP ADDRESS       MAC ADDRESS
android_blah      192.168.1.10     AA-BB-CC-00-00-00
my_pc             192.168.1.11     DD-EE-AA-00-00-00

If you do not recognise the client names - then a handy tip is to take the first 3 octets of the MAC address and google them (e.g. AA-BB-CC) and this will tell you the manufacturer of the device which could help determine whether it really is inside or outside of your home.

Callum Wilson
  • In addition to this, you may also allow only your known MACs connect to the wifi. – The Illusive Man Jan 04 '13 at 16:05
  • Absolutely, but the OP should be aware that MAC address filtering shouldn't be the only security measure, because whilst MAC addresses are meant to be set only by the chip manufacturer, nowadays they can be changed by attackers. – Callum Wilson Jan 04 '13 at 16:10
  • Not only can they be changed by the attackers, but they are also required by the 802.11i spec in order for encryption to work. So if they are using WPA or WPA2 PSK, which they probably are, it literally requires plaintext MACs to be exchanged in cleartext unless they're using 802.11w (unlikely). – JZeolla Jan 04 '13 at 18:35
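As an added example (not part of Callum's answer or the comments), the script below does the OUI check described above on a client table like the one shown, using Python. It normalises the different MAC spellings routers use (`AA-BB-CC-..`, `aa:bb:cc:..`, Cisco-style `aabb.ccdd.eeff`), looks the first three octets up in a vendor table, and also tests the locally-administered bit of the first octet: modern phones set that bit when they randomise their MAC, and a spoofed address usually carries it too, so when it is set the OUI tells you nothing about the manufacturer. The client table, the allowlist and the three-entry vendor table are constructed for the example; the full OUI registry is published by the IEEE and would be loaded from a file in practice.

```python
import re

# Constructed sample of a consumer router's DHCP client page (not real data).
SAMPLE_CLIENT_TABLE = """\
CLIENT NAME       IP ADDRESS       MAC ADDRESS
android_blah      192.168.1.10     B8-27-EB-12-34-56
my_pc             192.168.1.11     00-50-56-AB-CD-EF
(unknown)         192.168.1.12     DA-A1-19-11-22-33
"""

# Assumption: the MAC addresses of devices you own, maintained by hand.
KNOWN_MACS = {"00:50:56:AB:CD:EF"}

# Tiny constructed excerpt of an OUI table (prefix -> vendor). The
# authoritative source is the IEEE OUI registry; load the full file for real use.
OUI_VENDORS = {
    "B8:27:EB": "Raspberry Pi Foundation",
    "00:50:56": "VMware",
    "00:0C:29": "VMware",
}


def normalize_mac(raw: str) -> str:
    """Accept AA-BB-CC-DD-EE-FF, aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff or bare hex."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", raw)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def oui(mac: str) -> str:
    """The first three octets identify the manufacturer (if globally assigned)."""
    return normalize_mac(mac)[:8]


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means the address was chosen by the OS/user,
    e.g. a randomised phone MAC or a spoofed one, so the OUI is not a vendor."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def classify(mac: str, known=KNOWN_MACS, vendors=OUI_VENDORS) -> str:
    mac = normalize_mac(mac)
    if mac in known:
        return "known device"
    if is_locally_administered(mac):
        return "locally administered address (randomised or spoofed; OUI lookup is meaningless)"
    vendor = vendors.get(oui(mac))
    return f"vendor {vendor}" if vendor else f"unknown vendor for OUI {oui(mac)}"


def parse_client_table(text: str):
    """Turn the router's whitespace-separated client list into rows; skips the header."""
    rows = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 3:
            continue
        rows.append({"name": parts[0], "ip": parts[1], "mac": normalize_mac(parts[2])})
    return rows


def triage(text: str, known=KNOWN_MACS, vendors=OUI_VENDORS):
    """(name, ip, mac, verdict) for every client in the table."""
    return [(r["name"], r["ip"], r["mac"], classify(r["mac"], known, vendors))
            for r in parse_client_table(text)]


if __name__ == "__main__":
    for name, ip, mac, verdict in triage(SAMPLE_CLIENT_TABLE):
        print(f"{name:14} {ip:15} {mac}  {verdict}")
```

Anything that comes back as "locally administered" or "unknown vendor" deserves a second look; anything that comes back as "known device" only tells you that the address matched, which an attacker who has sniffed your network can arrange.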
3

You yourself likely can't do much, as most consumer gear isn't going to keep a log of what happened. Your ISP likely has records about activity from your account and that could be useful, but you are unlikely to be able to get it without a court order. General rule: unless you have reason to suspect something nefarious, simply document the breach, fix it and move on with life. Keep the MAC address of the connection if you have it (it should be listed in the router or AP if the connection was recent), but it is likely spoofed if someone was actually up to no good.

Really you only need to be worried about being able to show that it wasn't you. It's up to the authorities to track down any illicit activity that might have been done (though it is much more likely they were simply a neighbor mooching off your connection).

It is also worth running virus scans and such on your other systems to make sure they were not up to anything within your network, but if those don't reveal anything I wouldn't be that worried. What initially raised your suspicions?

On the off chance that your equipment has the ability to record useful information about network activity, and that it is turned on, it would most likely be on the router, but the exact way to get to it would depend on the make and model.

Note that the majority of this answer is addressing the question as you phrased it which seems to indicate you believe they were simply using your network for an Internet connection and not attacking your network directly. If that is incorrect, then a lot of what you can do changes as computers on your network would have very valuable information in their event logs about access attempts and the like. You could access this information from the event viewer under administrative tools in the control panel on most Windows machines. If you can't find it there, you can also find it as a snap-in for Microsoft Management Console, which you can launch by going to run and typing mmc. The information in there is going to be rather hard to follow if you don't know what to look for though and the full details of what to look for are a bit broad for a Q/A format (more like a lecture series).

More details about what made you think this was going on might help narrow down the scope of where you might be able to find information.

AJ Henderson
  • Could those down voting please expand on why the answer is not liked? As I understand the question, I'm not sure what more valid answer could be given. The question seems to be asking how to determine what was done in the past. Perhaps the original asker can shed some additional light on what the question is actually about. – AJ Henderson Jan 04 '13 at 06:05
  • No idea why it was downvoted. I'd say this is the best answer here so far. – Polynomial Jan 04 '13 at 09:23
2

You can scan your network with network security scanners to detect any intruder IP accessing your wifi network. It may not be a perfect solution for a corporate environment, but I think it will work for a home network with far fewer nodes. The following is a list of some network scanning tools; it may be of some help to you.

For passive network analysis you can use network sniffers such as wireshark to analyze your network traces for intruder IP. A relevant article may be of some interest for a read.

Ali Ahmad
    This will work if the intruder is actively on the network, but Tony seems to have been asking about determining what they were doing after the fact, at which point a network scanner isn't going to do any good. – AJ Henderson Jan 04 '13 at 06:07
  • I edited the answer to your question – Ali Ahmad Jan 04 '13 at 06:53
0

Have a look at Kismet.

Kismet is an 802.11 wireless network detector, sniffer, and intrusion detection system. Kismet will work with any wireless card which supports raw monitoring mode, and can sniff 802.11b, 802.11a, 802.11g, and 802.11n traffic

Kismet includes IDS functionality, providing a stateless and stateful IDS for layer 2 and layer 3 wireless attacks. Kismet can alert on fingerprints (specific single-packet attacks) and trends (unusual probes, disassociation floods, etc).

You can set Kismet up on a Raspberry Pi with a second wifi NIC and it will happily listen for wireless clients, recording their MAC addresses and possibly saving raw packet traffic.

0

Since I now know your question is theoretical, I can answer it better about how you can setup your network so you would be able to tell. The exact way of setting it up will vary from device to device, but there are a lot of options available. The key is that you need a device capable of logging that is in a location on the network that everything the person does will go through it.

For an average home network, this could be either the Wireless Access Point, the Router or if applicable, the gateway or firewall. The wireless access point will get the information right as they get on to the network and will ensure that all activity coming in on the wireless network is logged, but if they were to use their wireless connection to compromise a wired system and then use the wired system, you would have an incomplete log.

Most likely the Router also serves as the gateway and firewall (the device that gives the rest of the network access to the Internet and ensures the Internet doesn't have unintended access to the private network). Logging at the gateway and/or firewall ensures that all outbound traffic is logged, but won't tell you anything about what the intruder did internally on your network.

In most home networks, since there is only one router and it also generally serves as wireless access point, gateway and firewall, it will end up being privy to all connections flowing across the network. It may not have access to all the contents of the packets it routes (if encryption is used) but it at least (by necessity) has access to the routing information (ie, where it is coming from and where it is going). This is likely the best place in a home network to log.

Most consumer routers do not have this kind of logging by default, however third party firmwares such as DD-WRT often add logging capability to the routers that can either write to an internal store (limited space) or a network share. Exactly what information can be stored and how it is formatted varies from device to device, but in general information like the IP and MAC Address of the client as well as the requested destination IP, Port and protocol (such as TCP or UDP) as well as a timestamp can give you a lot of what you need to get at least a general idea of what was going on.

If space is no object, it may even be possible to log the content of every packet sent across the network, but that will take a huge amount of space, and it may not be safe to exclude "known" MAC addresses from the logging to try and reduce the amount, since MAC spoofing is fairly easy on a wireless network (i.e., the intruder can make themselves look like a valid machine). Of course, if you are going to this kind of length, you could also do a per-machine certificate and/or not use a weak key, at which point the problem would likely be avoided in the first place.

AJ Henderson
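The log the answer describes (client IP and MAC, destination IP, port, protocol, timestamp) is what an iptables LOG rule on a Linux-based router writes to syslog. As an added example that is not part of the answer, the Python below parses lines in that netfilter kernel-log format, attributes each connection to the source MAC taken from the Ethernet header in the `MAC=` field (destination MAC, then source MAC, then EtherType), and builds the per-MAC timeline and destination list you would want after the fact. The hostname `router`, the `FORWARD` log prefix, the allowlist and every log line are constructed for the example. Because the answer's own caveat is that a MAC is easily spoofed, the checks pair the allowlist with a second heuristic (one MAC seen from several source IPs) rather than trusting membership alone.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed syslog lines of the kind an iptables LOG rule on the router emits
# (netfilter kernel log format). Hostname "router", the "FORWARD" --log-prefix
# and all addresses are made up for this example; nothing here is captured data.
SAMPLE_LOG = """\
Jan  4 06:01:12 router kernel: FORWARD IN=br0 OUT=vlan2 MAC=00:11:22:33:44:55:00:50:56:ab:cd:ef:08:00 SRC=192.168.1.11 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=50001 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  4 06:03:40 router kernel: FORWARD IN=br0 OUT=vlan2 MAC=00:11:22:33:44:55:da:a1:19:11:22:33:08:00 SRC=192.168.1.12 DST=203.0.113.5 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=2 DF PROTO=TCP SPT=40001 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  4 06:03:41 router kernel: FORWARD IN=br0 OUT=vlan2 MAC=00:11:22:33:44:55:da:a1:19:11:22:33:08:00 SRC=192.168.1.12 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=3 DF PROTO=TCP SPT=40002 DPT=25 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  4 06:03:55 router kernel: FORWARD IN=br0 OUT=vlan2 MAC=00:11:22:33:44:55:da:a1:19:11:22:33:08:00 SRC=192.168.1.12 DST=198.51.100.53 LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=4 DF PROTO=UDP SPT=40003 DPT=53 LEN=44
Jan  4 06:04:10 router kernel: FORWARD IN=br0 OUT=vlan2 MAC=00:11:22:33:44:55:da:a1:19:11:22:33:08:00 SRC=192.168.1.12 DST=198.51.100.7 LEN=84 TOS=0x00 PREC=0x00 TTL=63 ID=5 DF PROTO=ICMP TYPE=8 CODE=0 ID=9 SEQ=1
"""

# Assumption: the MAC addresses of your own devices, maintained by hand.
KNOWN_MACS = {"00:50:56:ab:cd:ef"}

# MAC= carries the raw 14-byte Ethernet header: destination MAC (6 bytes),
# source MAC (6 bytes), EtherType (2 bytes), all colon separated.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ kernel: .*?"
    r"MAC=(?P<mac>(?:[0-9a-f]{2}:){13}[0-9a-f]{2}) "
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?PROTO=(?P<proto>\w+)"
    r"(?: .*?DPT=(?P<dport>\d+))?"
)


def parse_netfilter_line(line, year=2013):
    """Return the fields needed for attribution, or None for unrelated syslog lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    octets = m["mac"].split(":")
    # syslog timestamps carry no year; the caller supplies it.
    ts = datetime.strptime(f"{year} " + " ".join(m["ts"].split()), "%Y %b %d %H:%M:%S")
    return {
        "ts": ts,
        "src_mac": ":".join(octets[6:12]),
        "src_ip": m["src"],
        "dst_ip": m["dst"],
        "proto": m["proto"],
        "dport": int(m["dport"]) if m["dport"] else None,  # ICMP has no port
    }


def summarize_by_mac(log_text, year=2013):
    """Per source MAC: IPs used, first/last seen, and a count of (dst, proto, port) flows."""
    summary = {}
    for line in log_text.splitlines():
        rec = parse_netfilter_line(line, year)
        if rec is None:
            continue
        s = summary.setdefault(rec["src_mac"], {
            "ips": set(), "first_seen": rec["ts"], "last_seen": rec["ts"], "flows": Counter()})
        s["ips"].add(rec["src_ip"])
        s["first_seen"] = min(s["first_seen"], rec["ts"])
        s["last_seen"] = max(s["last_seen"], rec["ts"])
        s["flows"][(rec["dst_ip"], rec["proto"], rec["dport"])] += 1
    return summary


def findings(summary, known=KNOWN_MACS):
    """Flag MACs outside the allowlist, plus allowlisted MACs that look cloned.
    A MAC is trivially spoofed, so allowlist membership proves little; a single
    MAC appearing with several source IPs is one cheap hint that a known
    device's address was copied by someone else."""
    out = []
    for mac, s in sorted(summary.items()):
        if mac not in known:
            out.append(f"{mac}: not on allowlist, {len(s['flows'])} distinct flows "
                       f"between {s['first_seen']:%H:%M:%S} and {s['last_seen']:%H:%M:%S}")
        if len(s["ips"]) > 1:
            out.append(f"{mac}: seen with multiple IPs {sorted(s['ips'])} (possible MAC cloning)")
    return out


if __name__ == "__main__":
    summary = summarize_by_mac(SAMPLE_LOG)
    for line in findings(summary):
        print(line)
    for mac, s in summary.items():
        for (dst, proto, port), n in s["flows"].most_common():
            print(f"  {mac} -> {dst} {proto}/{port} x{n}")
```

On the sample, the unlisted MAC is reported with its window of activity, and its flow list shows an outbound SMTP connection (TCP/25), which is the sort of detail that lets you say what the connection was used for even though the router never saw the payload.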
0

You could always set up a honeypot in conjunction with not broadcasting your SSID (service set identifier). An attacker would not know the real AP exists, and would thus attack the honeypot, which you can log to varying degrees based on how much knowledge you have. A simple google search will yield many tools. MAC address filtering is a good security feature if no clients were connected to your AP, which is unlikely. There are also downfalls to not broadcasting your SSID because it is easily uncloaked as soon as a client connects. You could also set up a proxy like squid and log various information such as sites that are visited and such. Hope this helps.

Sighbah
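For the squid suggestion, here is an added example (not part of the answer) in Python that reads Squid's default "native" access.log format and lists, per client IP, the sites visited, the bytes transferred and a chronological timeline. The log lines are constructed. One point worth seeing in code: for HTTPS the proxy only records a `CONNECT host:port`, so the hostname is the most the log can tell you about an encrypted session, which is still more than the router log's destination IP.

```python
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed lines in Squid's default ("native") access.log format:
# time.ms elapsed client result/status bytes method URL user hierarchy/peer type
SAMPLE_ACCESS_LOG = """\
1357279420.123    245 192.168.1.12 TCP_MISS/200 5123 GET http://example.com/login - HIER_DIRECT/203.0.113.10 text/html
1357279431.501   1320 192.168.1.12 TCP_TUNNEL/200 48211 CONNECT mail.example.net:443 - HIER_DIRECT/198.51.100.7 -
1357279440.007     12 192.168.1.11 TCP_HIT/200 812 GET http://example.org/style.css - HIER_NONE/- text/css
"""


def parse_squid_line(line):
    """Split one native-format line into the fields useful for attribution."""
    parts = line.split()
    if len(parts) < 10:
        return None
    ts, elapsed, client, result, size, method, url = parts[:7]
    if method == "CONNECT":
        # HTTPS through the proxy: only host:port is visible, never the path.
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or url
    return {
        "ts": datetime.fromtimestamp(float(ts), tz=timezone.utc),  # squid logs UNIX time
        "client": client,
        "result": result,
        "bytes": int(size),
        "method": method,
        "host": host,
        "url": url,
    }


def sites_by_client(log_text):
    """Per client IP: visited hosts with request counts, bytes, first/last request."""
    clients = {}
    for line in log_text.splitlines():
        r = parse_squid_line(line)
        if r is None:
            continue
        c = clients.setdefault(r["client"], {"hosts": Counter(), "bytes": 0,
                                             "first": r["ts"], "last": r["ts"]})
        c["hosts"][r["host"]] += 1
        c["bytes"] += r["bytes"]
        c["first"] = min(c["first"], r["ts"])
        c["last"] = max(c["last"], r["ts"])
    return clients


def timeline(log_text, client_ip):
    """Chronological (time, method, host) for one client, e.g. the intruder's lease IP."""
    rows = [r for r in map(parse_squid_line, log_text.splitlines())
            if r and r["client"] == client_ip]
    rows.sort(key=lambda r: r["ts"])
    return [(r["ts"].strftime("%Y-%m-%d %H:%M:%S"), r["method"], r["host"]) for r in rows]


if __name__ == "__main__":
    for ip, c in sites_by_client(SAMPLE_ACCESS_LOG).items():
        print(f"{ip}: {c['bytes']} bytes, {c['first']:%H:%M:%S}..{c['last']:%H:%M:%S}")
        for host, n in c["hosts"].most_common():
            print(f"  {host} x{n}")
    for row in timeline(SAMPLE_ACCESS_LOG, "192.168.1.12"):
        print(row)
```

Squid only sees traffic that is sent through it, so this only helps if the proxy is transparent or the intruder's traffic is forced through it; otherwise the router-level connection log is the place to look.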