Wednesday, January 30, 2008

Finding and Executing wireless intruders

Finding and executing Wireless intruders.

Finding the intruder.

The easiest way to check is to go into your router and check the dhcp clients table and see what ip’s on your network are being used. Routers can be very different from one another to get to yours type ipconfig in the command prompt your router will be at the address that is the default gateway. Type that address in your address bar of your web browser(this works assuming you have a consumer grade router in your house not like a cisco 2611). A login screen should pop up. If you do not know your router’s username and password find it on the default password list

Some people will appreciate this list more than othersJ. On a Linksys you will click the status button, and then local network and then dhcp client table list. If you don’t have control of the router on your network you can use angryIP to scan your network for IP’s, typically your range will be to Or you can use an arp scan tool like cain and abel( Anyway wants you have one of these lists eliminate the IP’s that belong to your devices. If you can eliminate all the ip’s you have no intruder if you can not, you may have an intruder.

Eliminating the intruder.

First and easiest thing to do is see if he has simple file sharing enabled. To do this hit start->run then type \\ipaddress and yes you do have to have the right slashes. A good way to think about it is \ is a windows slash and / is a *nix slash. Ok let’s say that doesn’t bring up any shares or times out. Next we want to nmap the target.

After the install use the cmd line interface to nmap by hitting start->run then typing cmd. Now you are at the command line and you want to use nmap so type:

Nmap targetip –P0 –O

That’s a p and a zero and then the second one is an uppercase letter o. It means it won’t ping first and it will try to id the os as well. Ports you want to be open are 22(for ssh on *nix comps), 3389(rdp on windows comps), or any of the vnc ports. Hydra THC can brute force ssh and tsgrind can brute force RDP.

But remember brute force is just brute force. It’s really unskillful and oafish. You probably would rather try something more subtle like sniffing.

Please look at one of my earlier posts on password sniffing.

So by now you have enough knowledge to own the box.

You may also just want to enumerate data on your victim. If you want you could just boot him from the network by enabling 802.1x on your router.

No comments: