smacebr
newbie
Posts: 36
Joined: Wed Aug 23, 2006 2:55 pm
Location: Rio de Janeiro, Brazil
Contact:

Wed Jan 03, 2007 3:11 pm

good question skynoc,

What should we do in Wired networks?? They have already cloned my PPPOE server :|
 
sergejs
MikroTik Support
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia
Contact:

Wed Jan 03, 2007 3:13 pm

Managed switches that provide MAC address security per port should help you in such cases.
 
smacebr
newbie
Posts: 36
Joined: Wed Aug 23, 2006 2:55 pm
Location: Rio de Janeiro, Brazil
Contact:

Wed Jan 03, 2007 5:41 pm

sergejs,

Yes, it would solve it, but on the other hand it would be a very expensive solution; imagine our network with about 200 switches. It would also be hard to maintain. I believe we can reach a better, safer and cheaper solution.

The problem related to PPPOE is that it DOES NOT authenticate the SERVER. So the pppoe client does not know if the server is the real one or a fake.

I have thought about how to solve this problem myself but I do not want to reinvent the wheel, and I would prefer to follow standards already implemented.

Every day we are having more PPPOE cloning here. There are a lot of dishonest people around. We sell internet through wired and wireless networks.

For sure a better authentication method would solve it, requiring much less work than "managed switches".

Don't you agree? Any idea?
 
Hellbound
Long time Member
Long time Member
Posts: 508
Joined: Tue Oct 26, 2004 11:21 am

Wed Jan 03, 2007 5:58 pm

sergejs,

Yes, it would solve it, but on the other hand it would be a very expensive solution; imagine our network with about 200 switches. It would also be hard to maintain. I believe we can reach a better, safer and cheaper solution.

The problem related to PPPOE is that it DOES NOT authenticate the SERVER. So the pppoe client does not know if the server is the real one or a fake.

I have thought about how to solve this problem myself but I do not want to reinvent the wheel, and I would prefer to follow standards already implemented.

Every day we are having more PPPOE cloning here. There are a lot of dishonest people around. We sell internet through wired and wireless networks.

For sure a better authentication method would solve it, requiring much less work than "managed switches".

Don't you agree? Any idea?

to be frank with you, it is a very bad idea to use an unmanaged switch to provide internet to people. you have no other choice to provide better security except to upgrade to a managed switch.

there is a brand called TP-Link which has very cheap product. I'm not sure about their quality since I haven't tried that myself but they usually use good chips for their products.

upgrade to manageable switch ASAP. bind mac-address to each port and make sure all ports are isolated.
 
smacebr
newbie
Posts: 36
Joined: Wed Aug 23, 2006 2:55 pm
Location: Rio de Janeiro, Brazil
Contact:

Wed Jan 03, 2007 7:31 pm

I understand you Hellbound. But the point is that the way we are working today is not totally safe. And there are ways to make it much more reliable. And I believe this solution is not as far off as it looks. 4-Way, 6-Way authentication methods solve it (once it authenticates the client and server). The point is, I don't know which implementation to follow. I only know my current PPPOE implementation is not safe. And changing all the hardware we have today would be a real pain.
 
Hellbound
Long time Member
Long time Member
Posts: 508
Joined: Tue Oct 26, 2004 11:21 am

Wed Jan 03, 2007 7:43 pm

I fully understand how painful that is.
I'm just changing 3 3com switches and 1 linksys web-smart switch because their web services are simply crashing and we can't even telnet, I don't know why. maybe stability is something cisco is selling. and honestly it is very very painful. but what's the choice anyway?

but it is even more painful when you have to prepare 5 men just to visit your sites for funny problems.

every day that passes by I better understand why people like cisco charge more for something more reliable and stable.

I have not implemented a wide network yet and I am not sure myself how to achieve a low-cost and stable network at the same time.

one thing for sure is that in the last two years I have spent more than 30,000 USD just to test this and that. buy this and throw it away, buy that and throw it away because it is simply not stable.

can you believe that my APC ups is even crashing? my linksys switch is crashing... everything is crashing... i just hate this crashing but it all happens...

just listen to me. this one thing is necessary thing for your network. you may start doing it slowly, not just in one day. but you must really do it.

I've seen ISP using normal made-for-house 8 and 16 port switch. I just simply set my route to another client and I am connected to internet!!!

no mac cloning and no nothing... this was the kind of security.

managed switch will allow you turn off the port without visiting the site.

hope it helps.
 
skynoc
Member Candidate
Member Candidate
Posts: 140
Joined: Wed Jul 07, 2004 10:20 pm
Contact:

my suggestion

Wed Jan 10, 2007 2:09 pm

dear Mikrotik clients
i found an idea to use the hotspot service from mikrotik.
i have a wireless and wired network with over 245 wireless access points and more than 80 switches. it is very expensive to change all these devices to manageable devices such as mikrotik wireless routerboard and cisco switches or 3com etc...
i've been using hotspot with dhcp for more than 2 years, until someone came to our network and started cloning our dhcp mac address to abuse our network. we could know the person who did that, but when more than 1 started to do that from different locations we found ourselves in the middle of a huge problem, so the solution was to provide each client a static ip address, because the hacker was cloning an ip address and a mac address of the server, which has 2 subnets of 24 bit.
the hacker was doing as follows:
mikrotik router has 2 ip addresses: 10.10.10.1/24 and 10.10.0.10/24 (authenticated network)
unauthenticated network has 2 subnets too: 192.168.0.1/24 and 192.168.1.1/24
the hacker pings the server while unauthenticated, using his xp workstation, and executes the arp -a command to see his arp table.
he finds the dhcp ip address, which is in the unauthenticated network, and the mac address. he first puts the same mac address as the dhcp server on his ethernet or wireless interface, and then he puts the same ip address 192.168.0.1 and the authenticated ip address, which is 10.10.10.1. now in this case no new clients can replicate with the dhcp server, nor can the authenticated clients replicate with the gateway, because there are 2 identical ip addresses on one network (note that if you put only the ip address of the server on your card, the xp station prompts for a conflicting ip address on the network, but if you put both ip address and mac address the same as the server, the xp station still as jackass)
now to solve my problem, i gave each client a static ip, for example: i put 192.168.1.1/30 on the router so i can give 192.168.1.2 to the client and 192.168.1.1 as his gateway.
i give the second client a different subnet, such as 192.168.23.1/30 on the router and 192.168.23.2 as the client ip address and 192.168.23.1 as his gateway, but in this situation no new clients can get a dynamic configuration, but it is useful. i was thinking of writing a script which can talk with the dhcp server and give each client a subnet of 30 bit, with each client in a different subnet from the others.
in this case mikrotik can solve the hotspot problems
 
111111
Member Candidate
Member Candidate
Posts: 195
Joined: Thu Oct 05, 2006 1:39 am
Location: BG,SOFIA

Wed Jan 10, 2007 9:01 pm

skynoc

add pool for each client ip address and dhcp will give auto ip
make static dhcp leases
 
skynoc
Member Candidate
Member Candidate
Posts: 140
Joined: Wed Jul 07, 2004 10:20 pm
Contact:

Thu Jan 11, 2007 8:11 pm

nice trick 111111
i tried it but it didn't work, because when you set up a new hotspot server the wizard asks which ip address you need hotspot to use, by default 10.5.50.1/24, which is unique for all clients, and this is the problem; what we need is to give each client a dynamic ip assignment with a 30 bit subnet.
 
yusabdu
just joined
Posts: 16
Joined: Tue Nov 21, 2006 10:43 am
Location: Nigeria

Fri Jan 12, 2007 1:41 pm

please let the mikrotik guys get a very good and cheap solution to this problem of hacking hotspot
 
111111
Member Candidate
Member Candidate
Posts: 195
Joined: Thu Oct 05, 2006 1:39 am
Location: BG,SOFIA

Fri Jan 12, 2007 7:11 pm

How simple it will be if someone writes a JAVA (php, asp, or other) script
which will see (use) the hard disk number, partition number, processor number; then Radius will not be cheated so easily
 
nazadnan2003
newbie
Topic Author
Posts: 31
Joined: Tue Sep 05, 2006 10:12 am
Location: Iraq
Contact:

Fri Jan 12, 2007 7:37 pm

There is an old scenario named DHCP-Pool Method described in the Hotspot chapter of the Reference Manual for RouterOS 2.8, which shows the possibility of making two different address pools: the first address pool (Temporary address pool) for unauthorized customers, and the other address pool (Real address pool) for the authorized customers.
According to this scenario, when the customer first connects to the hotspot, he should get a temporary IP address for a very short time (14 seconds±); in this period the customer should complete the authorization process and log in to the hotspot. After the end of the lease, the customer will get a new IP address from the Real pool.

In this scenario, when the hacker first connects to the hotspot, he will get a Temporary IP address, and when he runs any scanning programs, all he gets is a few IPs / MACs of other unauthorized customers, and he will never see the authorized IPs / MACs because they are in a different pool (subnet mask).

Unfortunately I could not achieve this scenario in my Hotspot because I have RouterOS 2.9.29; the IP of the authorized customer changed from the Temporary to the Real just inside the Router in the IP/Hotspot/Hosts page.

If anyone can confirm that he succeeded in achieving this scenario in his Hotspot, I'll be grateful if he shares his experience with us.

I believe that it is the only helpful way to solve the Hacking Hotspot problem, unless there is a way to distinguish between the real and the cloned MAC and then drop all connections coming from the cloned MAC and accept connections from the real MAC.
 
skynoc
Member Candidate
Member Candidate
Posts: 140
Joined: Wed Jul 07, 2004 10:20 pm
Contact:

Sat Jan 13, 2007 9:15 am

a script written in mikrotik can help, but only a miracle or a guru can do it.
 
zuf
just joined
Posts: 14
Joined: Tue Jan 02, 2007 8:20 pm

zuf

Sat Jan 13, 2007 7:33 pm

hi my sir if u remove cookies from hotspot it made bad user cant login in your hotspot if he stolen mac for good user thanx
 
skynoc
Member Candidate
Member Candidate
Posts: 140
Joined: Wed Jul 07, 2004 10:20 pm
Contact:

Sun Jan 14, 2007 12:19 pm

to sergejs
manageable switches are not the solution for this issue .
note that this problem is not in mikrotik hotspot only,it affects dhcp


regards
 
nazadnan2003
newbie
Topic Author
Posts: 31
Joined: Tue Sep 05, 2006 10:12 am
Location: Iraq
Contact:

Re: zuf

Mon Jan 15, 2007 5:32 am

hi my sir if u remove cookies from hotspot it made bad user cant login in your hotspot if he stolen mac for good user thanx
Dear friend ZUF I think you'd better if you read the Reference Manual carefully before you make any suggestion.
Cookies did not work as you think
 
skynoc
Member Candidate
Member Candidate
Posts: 140
Joined: Wed Jul 07, 2004 10:20 pm
Contact:

Fri Jan 19, 2007 11:54 am

any guru can solve this problem?
 
Hellbound
Long time Member
Long time Member
Posts: 508
Joined: Tue Oct 26, 2004 11:21 am

Fri Jan 19, 2007 12:48 pm

any guru can solve this problem?
yes,
just use manageable switch to isolate,
IP is in layer 3, you can't block hacker from layer 2 access.

for hotspot wireless user you can just uncheck default forwarding
and drop scanner but for non-manageable switch. people can see
each other and you have no way on earth to block them.

3com 24 port managed switch with 2 gigabit uplink is around : 200 USD down here
3com 24 port unmanaged without uplink is around 100 USD,

just don't buy unmanaged and buy managed, simple math
 
macahan
just joined
Posts: 6
Joined: Mon Jun 14, 2004 6:48 am
Location: Pittsburg, KS - USA
Contact:

Re: Hack PPPOE

Wed Feb 07, 2007 8:35 am

After we implement MK-PPPOE solution we saw our SSID (even with AP mac cloned) cloned and one PPPOE server was running in that "unknown" AP. They were getting user/password/mac from our customers. We already have one great solution for this. (once it works) But I am curious to know what Mikrotik suggests in these cases? (They always have better solution than ours ;)
If you use CHAP challenge on your PPPoE then they can not get the password. Because it uses a challenge handshake.
You do not want to use PAP for pppoe because that means you send clear text passwords. But CHAP or MSCHAP.v2 will not hand the clone PPPoE server the password. It never sends the password. It uses a challenge and response handshake system.
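
The challenge-response exchange described in the post above, as an added example that is not part of the original post: plain CHAP as defined in RFC 1994 next to PAP, showing what crosses the wire in each case. The `ChapServer` class, the helper names, the user name and the secret are constructed for illustration; MS-CHAPv2 uses a different computation and is not covered.

```python
import hashlib
import hmac
import os


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994: response = MD5(identifier octet || secret || challenge)."""
    return hashlib.md5(bytes([identifier & 0xFF]) + secret + challenge).digest()


def pap_request(user: bytes, password: bytes) -> bytes:
    """PAP Authenticate-Request data: length-prefixed peer-id and password, in clear text."""
    return bytes([len(user)]) + user + bytes([len(password)]) + password


class ChapServer:
    """Authenticator side (hypothetical helper): holds the shared secrets and
    issues a fresh random challenge for every authentication attempt."""

    def __init__(self, secrets):
        self.secrets = secrets      # user name -> shared secret
        self.pending = {}           # identifier -> outstanding challenge
        self.next_id = 0

    def challenge(self):
        identifier = self.next_id
        self.next_id = (self.next_id + 1) & 0xFF
        value = os.urandom(16)
        self.pending[identifier] = value
        return identifier, value

    def verify(self, user, identifier, response):
        value = self.pending.pop(identifier, None)   # each challenge is usable once
        secret = self.secrets.get(user)
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)


def demo():
    # Constructed sample credentials.
    user, password = b"customer01", b"constructed-sample-secret"
    server = ChapServer({user: password})

    # Normal login: the client answers the challenge with a hash, not the password.
    ident, chal = server.challenge()
    resp = chap_response(ident, password, chal)
    wire = bytes([ident]) + chal + resp + user   # all a listener or a cloned server receives
    login_ok = server.verify(user, ident, resp)

    # The captured response is bound to that one challenge: against a fresh
    # challenge from the real server it no longer verifies.
    ident2, _ = server.challenge()
    replay_ok = server.verify(user, ident2, resp)

    return {
        "login_ok": login_ok,
        "replay_ok": replay_ok,
        "password_on_wire_chap": password in wire,
        "password_on_wire_pap": password in pap_request(user, password),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

A captured challenge/response pair can still be used to test password guesses offline, so CHAP secrets need to be long and random, and plain CHAP proves the client to the server only, not the server to the client.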
 
skynoc
Member Candidate
Member Candidate
Posts: 140
Joined: Wed Jul 07, 2004 10:20 pm
Contact:

If you use CHAP challange on your PPPoE then they can not ge

Wed Feb 07, 2007 10:52 am

this is not what we are talking about...
 
janisk
MikroTik Support
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Wed Feb 07, 2007 11:00 am

create wireless link with WPA/WPA2 with PSK, change PSK once a week, use radius to authenticate users, use access list on your AP.
PSK key - create it to max allowed length

instruct your users to not to share this key with others.
and stop these posts about hacking hotspot/AP while you are not using any protection that is already available.
 
monaro
newbie
Posts: 32
Joined: Wed Feb 07, 2007 10:05 pm

Block ip scanning by enable client security

Wed Feb 07, 2007 10:25 pm

I think AP (dlink, linksys, etc) have client security features where hackers cannot scan other user ip address, computers, etc since the AP disallow access between each other wireless users. Turn them on.

I have configured all my wireless APs to set the client security to enabled.
 
janisk
MikroTik Support
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Block ip scanning by enable client security

Thu Feb 08, 2007 9:55 am

I think AP (dlink, linksys, etc) have client security features where hackers cannot scan other user ip address, computers, etc since the AP disallow access between each other wireless users. Turn them on.

I have configured all my wireless APs to set the client security to enabled.
in ROS you can turn that thing on and off and it is called "default forwarding" in wireless section
 
samsoft08
Long time Member
Long time Member
Posts: 613
Joined: Sat Nov 26, 2005 10:52 pm

Sun Feb 11, 2007 12:59 am

only in wireless section ??
 
samsoft08
Long time Member
Long time Member
Posts: 613
Joined: Sat Nov 26, 2005 10:52 pm

Sun Feb 11, 2007 1:15 am

so what about the example mentioned above about making temporary pool ?? i found it great in theory ..
 
samsoft08
Long time Member
Long time Member
Posts: 613
Joined: Sat Nov 26, 2005 10:52 pm

Sun Feb 11, 2007 4:04 am

nazadnan2003, I tried the example above, it's working, but as you said the real IP only exists inside the router and the client still gets the temp IP, and scanning will return all the MACs of the clients ..
and this is because the lease time repeats itself each time it's finished !!! i don't know why, maybe because the client is still connected ..

i hope that someone knows how to overcome this lease issue, it will be a great help because i think this example is the best way to protect clients' MACs and IPs from being scanned by hackers ..
 
acim
Member
Member
Posts: 415
Joined: Mon Sep 12, 2005 12:26 am
Location: Serbia
Contact:

Sun Feb 11, 2007 11:25 am

The "bad users" stole IP/MAC-address by using scanning programs, and chose one of the active IP/MAC-address.
If the stolen address is already authorized in the hotspot, then the "bad users" will receive Internet service as well as the 'good client' (both at the same time and with the same IP/MAC-address).
As there can't be two network nodes with the same IP, does this mean if you completely clone MAC and IP, you behave the same as another machine with this MAC/IP? So both machines with the same MAC/IP receive packets no matter who really asked for them? Huh, this is a big problem and probably just encryption can help.

In this case, do you see both machines with the same MAC as registered clients in wireless section? Or you see just one?
 
janisk
MikroTik Support
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Mon Feb 12, 2007 3:37 pm

OMG :shock: :shock: :shock:

this is how networking has been working for decades.

and yes if you have connected user to DHCP with DHCP lease active lease will renew itself while client is connected

and yes if you clone mac address and ip then you are as good as original user

EDIT:

ensure your cabling security
ensure your wireless security with tools that are provided and most of admins find enough to ensure that their network is safe.

you have everything what you need to make your network safe - safer you make - tougher for users to connect
 
samsoft08
Long time Member
Long time Member
Posts: 613
Joined: Sat Nov 26, 2005 10:52 pm

Mon Feb 12, 2007 9:14 pm

you mean that the manual example is wrong ??
so why did they make 2 pools ??? one for unauthorized users and one for authorized users if the IP wouldn't change anyway ??

forget the encryption, some WISPs need to show their advertising on the login page of the hotspot, so they can't use encryption.

that solution ( 2 IP pools ) is the best as i think , but it needs more testing , if the user IP change from temp pool to auth pool that would be great ..
 
navibaghdad
newbie
Posts: 27
Joined: Mon Oct 09, 2006 5:38 pm

Mon Feb 12, 2007 9:47 pm

Really :shock: No one from the MK team can help to solve this issue or to explain how to implement the example :(
 
hci
Long time Member
Long time Member
Posts: 674
Joined: Fri May 28, 2004 5:10 pm

Re: Hacking Hotspot

Tue Feb 13, 2007 12:20 am

I Have a Hotspot with web proxy enabled, and some hackers can hack my hotspot by using scanning programs which can scan the active IPs and their MACs and use one of them (by change MAC) to get the same IP of the authorized MAC and then access the Internet without asking to authenticate because its already authenticated.
By watching proxy logs learn his favorite sites and block them all.

Matt
 
jonmansey
Frequent Visitor
Frequent Visitor
Posts: 84
Joined: Sat Sep 18, 2004 3:43 am

Mon Mar 19, 2007 10:50 pm

here's a suggestion that may strengthen the hotspot against the trial period hack a little more against simple mac address rotation: perhaps the trial user can be sent a cookie, then if they come back in with one of these cookies later from a different MAC and try to get trial, they are blocked. Trivial to clear cookies to get around it, I realize, but it's one extra annoying step the hacker has to do to get access.

jm
Last edited by jonmansey on Sat Mar 24, 2007 6:44 pm, edited 1 time in total.
 
Ghassan
Member Candidate
Member Candidate
Posts: 213
Joined: Mon May 29, 2006 11:08 pm
Location: Lebanon
Contact:

Re: hotspot is too weak

Thu Mar 22, 2007 8:28 pm

hi guys ,
i have the same problem with mikrotik .
you should give each client a static ip or there should be a script running which gives each client a subnet of 30 bits , this can solve mikrotik hotspot service .

i m using hotspot with static ip only , and my system is running well ,
sometimes clients can run IP scan and they can find your subnets by running ip scan, then you can not do anything, also if any authenticated user is online, for example we might say ...

you are controlling them by
- MAC-ADDRESS
- STATIC IP ADDRESS with (*.*.*.*/30)
- limitation per one session
- authenticate by hotspot login page

what else ? you can not do anything if a user is scanning your network .

I heard that there are still hacking HOTSPOT even if it subnetted , they can see any available ip address which is already authenticated ...

The best thing is if you are on a network ... management by switches with layer 3 .
and for wireless , the only thing that our companies is limiting its customers by their access point ( LOCAL LOOP ) but i am waiting for this configuration ... restricting every access point by WPA and IP , it will solve your problems
if anyone found a solution then i would like to hear it .

Regards,
Ghassan
 
roland
newbie
Posts: 40
Joined: Sat Jan 22, 2005 12:03 pm
Location: Thailand

Fri Mar 23, 2007 8:38 pm

We blocked several ports (udp 161,135-139,445) and icmp traffic; our Hacker's scanner became useless.
In addition we filter all traffic from clients directed to the AP (input chain) or other clients. Only traffic from client to gateway (AP is not the gateway, we use bridging) got passed.

Maybe not perfect, but the Hackers are gone. :)
 
atheros
just joined
Posts: 22
Joined: Thu Feb 23, 2006 10:23 am
Location: BALI - INDONESIA

Sat Mar 24, 2007 12:45 pm

We blocked several ports (udp 161,135-139,445) and icmp traffic; our Hacker's scanner became useless.
In addition we filter all traffic from clients directed to the AP (input chain) or other clients. Only traffic from client to gateway (AP is not the gateway, we use bridging) got passed.

Maybe not perfect, but the Hackers are gone. :)

you can not block any port service even the ip address on direct connected network, Those are going to get working even you take out the router.
 
roland
newbie
Posts: 40
Joined: Sat Jan 22, 2005 12:03 pm
Location: Thailand

Sat Mar 24, 2007 1:10 pm

I mentioned "AP" aka AccessPoint (wireless). We don't provide wired access. And we use filters in 'firewall' and 'bridge'.
Anyway, so far it worked. We got the hackers away. Not important for me if 'technically correct' 8)
 
atheros
just joined
Posts: 22
Joined: Thu Feb 23, 2006 10:23 am
Location: BALI - INDONESIA

Sun Mar 25, 2007 1:53 am

Let's go to the beach and get relax.... :P
 
doush
Long time Member
Long time Member
Posts: 665
Joined: Thu Jun 04, 2009 3:11 pm

Sun May 06, 2007 9:22 pm

now the solution might be

1- get a PC
2- Install Linux
3- Install Snort with additional Packages and signatures
4- Put the box behind RouterOS
5- Run snort and Block every scanning attempt and blacklist them
 
ray
just joined
Posts: 5
Joined: Thu Jun 21, 2007 1:04 am

Re: Hacking Hotspot

Thu Jun 21, 2007 1:24 am

:(
hi dear all
I have the same problem. when a hacker uses the same IP and MAC as a good user he looks like the same PC, so there is no way to block it because everything is the same; just one thing is not, the PC name, so i can see the name flashing between the good and bad user "from DHCP server Leases". so I give a small idea; let the MT team do something for us, we don't need to change our server OS.
 
babyface
Frequent Visitor
Frequent Visitor
Posts: 67
Joined: Wed Feb 21, 2007 2:22 pm

Re: Hacking Hotspot

Thu Jun 21, 2007 3:31 am

I think that you lost the point of view.

If you don't use encryption, all the data of the network can be intercepted easily. No matter the routes, no matter the gateway... nothing matters.

Use WPA/WPA2 PSK with at least 8 characters for your clients, and create a virtual AP opened for the demo.
 
ray
just joined
Posts: 5
Joined: Thu Jun 21, 2007 1:04 am

Re: Hacking Hotspot

Thu Jun 21, 2007 12:35 pm

tnx
its good idea but what we can do for wire?
 
magic
Frequent Visitor
Frequent Visitor
Posts: 52
Joined: Fri Mar 04, 2005 9:53 pm
Location: Sopron, Hungary
Contact:

Re: Hacking Hotspot

Thu Jun 21, 2007 1:39 pm

Hi,

In my country you can use police to attack the hackers who use your network. We had a few people who cloned mac addresses and found out the fixed IP-s. First we changed the clients' IP-s but this is hard work on a bigger network (and some dummy customers can't do it, so it costs money too to send out somebody to do this).
After a short time I allowed them to use the Internet with the cloned (illegal) address and saved the traffic on the router (MT can do this). There are a lot of windows and linux programs which can analyze the traffic. Every user reads his email, logs in somewhere, uses MSN. There are a lot of ways to find out who the user is. For example if you know the MSN login and some friends of the hacker it is not a big trouble to find who it is.
We found every hacker in 2-3 days and phoned them. Just told them if they didn't stop using our network we would send every information to police. Nobody tried it again. Never told them how we found them!!!!!!
There was one time when we gave information to police. They went out to the hacker and found some drugs too :-) We are just waiting for the judgement.

We use pppoe and radius now. We don't have any phone calls from customers since we changed to pppoe. Every AP has separation. So there is no direct traffic between wireless clients. The wep/wpa is not a good solution in my opinion because the old wireless equipment is 10-30% slower if you use these and there is the possibility to crack them.
On the ethernet side use the not so cheap managed switches. If you are a service provider you have to invest money in your network.
There are a lot of good examples on the MT wiki, documentation and on the demo routers. Use firewall rules to limit scanners (ICMP ports) and block those ports which are used by the viruses.

Krisz
 
ray
just joined
Posts: 5
Joined: Thu Jun 21, 2007 1:04 am

Re: Hacking Hotspot

Thu Jun 21, 2007 1:59 pm

:shock:
thnx but if our hackers dont care to police.
 
janisk
MikroTik Support
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Hacking Hotspot

Thu Jun 21, 2007 2:45 pm

then use PPPoE and Hotspot as user magic suggested
or send information straight to police and see what happens

you have all the means provided
 
ray
just joined
Posts: 5
Joined: Thu Jun 21, 2007 1:04 am

Re: Hacking Hotspot

Thu Jun 21, 2007 4:00 pm

thank you
can you tell me plz how i use PPPoE and Hotspot as user magic :?
 
janisk
MikroTik Support
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: Hacking Hotspot

Fri Jun 22, 2007 8:47 am

take a look here:
http://wiki.mikrotik.com/

maybe will find something useful
 
miahac
Long time Member
Long time Member
Posts: 516
Joined: Wed Dec 14, 2005 5:04 pm
Location: Wichita, KS

Re: Hack PPPOE

Sun Jun 24, 2007 8:49 pm

After we implement MK-PPPOE solution we saw our SSID (even with AP mac cloned) cloned and one PPPOE server was running in that "unknown" AP. They were getting user/password/mac from our customers. We already have one great solution for this. (once it works) But I am curious to know what Mikrotik suggests in these cases? (They always have better solution than ours ;)
Good. If someone has cloned your SSID and PPPOE server then they are broadcasting from a fixed access point. TRACK IT DOWN. In the US this is criminal hacking, or at least theft of utility. Prove it and sue the guy, get him on the front page of the newspaper. If you are in a more lawless place, find more creative ways of retaliation.
 
hilton
Long time Member
Long time Member
Posts: 634
Joined: Thu Sep 07, 2006 5:12 pm
Location: Jozi (aka Johannesburg), South Africa

Re: Hacking Hotspot

Fri May 23, 2008 12:55 pm

go and play in the street please and stop bothering us.
 
nazadnan2003
newbie
Topic Author
Posts: 31
Joined: Tue Sep 05, 2006 10:12 am
Location: Iraq
Contact:

Re: Hacking Hotspot

Fri May 23, 2008 9:31 pm

My same idea :lol:
 
nvrpunk
just joined
Posts: 6
Joined: Sat May 24, 2008 5:44 am

Re: Hacking Hotspot

Sat May 24, 2008 6:31 am

Ban the MAC address access, wait till someone emails, verify they are the paying subscriber. By the time this is said and done, the *hackers* will be tired of wasting time, especially if you repeat this process.

Although this may be an inconvenience to the paying customer it will deter the hackers from bothering as they will have to do more scans, hop macs etc.
 
omega-00
Forum Guru
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

Re: Hacking Hotspot

Mon May 26, 2008 3:55 pm

I fully understand how painful is that.
I'm just changing 3 3com switch and 1 linksys web-smart switch because their web service are simply crashing and we can't even telnet, I dont know why. maybe stability is something cisco is selling. and honestly it is very very painful. but what's the choice anyway?
We had similar problems with the most recent range of linksys switches - IMHO they are crap.

In regards to what people are saying about not turning on encryption I fully understand the reasons, most clients have NO idea about connecting up or changing from one network to the other let alone connecting to a secure network. It would be GREAT to be able to do this but in theory most clients wouldn't understand and you couldn't expect to force all of them onto the secure one by disabling internet access via the unsecured.

With regards to blocking the hacks, this isn't a mikrotik issue.. mikrotik provide devices that will give you access when given the right information.. every network admin should know that you can't control what's going on at the user's computer although you can control what comes through your device. Now if you can think of a constructive way that would stop these hacks from occurring without the user having to jump through hoops just to get online then by all means share it. If you can't then don't blame others for the issue.

My thought would be this, for users with a dhcp assigned address and a dhcp client id, why not devise a method to reverse check that the computer connected has that same client ID and if not, drop the wireless connection
 
roland
newbie
Posts: 40
Joined: Sat Jan 22, 2005 12:03 pm
Location: Thailand

Re:

Wed May 28, 2008 7:36 am

any guru can solve this problem?

We had similar MAC cloning on our hotspots, especially because we also use/offer the TRIAL feature ('free' for a few minutes per day). It is impossible to see a difference between real and fake MACs, however each time they change the MAC, they get a new IP from our DHCP, and a new entry in our DHCP table with their hostname.

So, the hacker most likely is about to produce multiple, hostname-identical DHCP traces.

I made two scripts. Script-A is COUNTING same-hostnames in the DHCP table.
Given the fact that maybe 2 people have same hostname and connect at the same time, we set the 'possible-hack-limit' to >2 same-hostnames.
The script writes a global variable of list type ("hacklist"), which holds the identified hostnames. A schedule updates the list (runs the script) every 2 minutes.

Script-B (runs every 20 seconds) uses the global hacklist, gets the IP per host from the DHCP table, scans the hotspot active users and kicks out those IPs.

after changing the MAC address 2 times, the hacker gets a 20sec access at most.
I know that the hostname can be changed easily... however, it usually requires a PC-restart. Our hackers are all gone.
===================
script-A: (run every few minutes)
# Build a comma-separated list of every non-empty hostname in the DHCP lease table.
:local hosts [/ip dhcp-server lease find]
:local pcname "X"
:local pcnum 0
:global hacklist ""
:foreach h in=$hosts do={
    :local host [/ip dhcp-server lease get $h host-name]
    :if ([:len $host] > 0) do={
        :set pcname ($pcname . "," . $host)
        :set pcnum ($pcnum + 1)
    }
}
# Put every hostname that occurs more than twice on the hacklist (once each).
:local names [:toarray $pcname]
:foreach h in=$names do={
    :local hh 0
    :if (!([:find $hacklist $h] >= 0)) do={
        :foreach k in=$names do={ :if ($k = $h) do={ :set hh ($hh + 1) } }
        :if ($hh > 2) do={
            :if ([:len $hacklist] > 0) do={ :set hacklist ($hacklist . "," . $h) } else={ :set hacklist $h }
        }
    }
}

# monitor results in logfile once an hour
# $switch is not defined in the script as posted; it is declared here as a
# debug flag (assumption): set it to 1 to log the list on every run.
:local switch 0
:local timer [:pick [/system clock get time] 3 5]
:if (($switch > 0) || ($timer >= "58")) do={
    :log warning ("New Hacklist: " . $hacklist)
}

=======================
script-B (runs every 20 seconds)
# use global hacklist variable (declared here so this script can read it)
:global hacklist
#:log info ($hacklist)
:foreach host in=[:toarray $hacklist] do={
    # every lease that carries a flagged hostname
    :foreach i in=[/ip dhcp-server lease find host-name=$host] do={
        :local ipnum [/ip dhcp-server lease get $i address]
        :local unum [/ip hotspot active find address=$ipnum]
        :if ([:len $unum] > 0) do={
            :local usr [/ip hotspot active get $unum user]
            :log warning ($host . " " . $ipnum . " " . $usr)
            # next line kicks them out right now, could also check pppoe
            /ip hotspot active remove $unum
            # other stuff can be done now with the identified IP and USER
        }
    }
}

================
hope it helps. it does in our case.
And sorry for the long post :)
 
cravetou
Frequent Visitor
Posts: 55
Joined: Tue Oct 16, 2007 11:17 am

Re: Hacking Hotspot

Thu Jun 05, 2008 10:33 am

To prevent hotspot hacking, use a wireless interface in the MT and uncheck the default forward in the wireless interface configuration.
This will prevent clients from communicating with each other.
 
websawadee
just joined
Posts: 2
Joined: Sat May 10, 2008 1:16 pm

Re: Hacking Hotspot

Thu Jun 05, 2008 11:12 am

To prevent hotspot hacking, use a wireless interface in the MT and uncheck the default forward in the wireless interface configuration.
This will prevent clients from communicating with each other.

I found that this still allows users to e.g. 'ping' each other through the MT as a relay.
I additionally use a filter on the wlan interface.
If the users' address space is 172.20.x.x/16 (for example), I added a filter dropping traffic from 172.20.x.x/16 to 172.20.x.x/16 on the wlan interface.
Just remember to exclude the IP of the router and/or default gateway ;-)
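
The two isolation layers described in the posts above (default forwarding off, plus a filter for traffic relayed through the router), written out as RouterOS commands. This is an added example, not a configuration posted in the thread; the interface name wlan1 and the gateway address 172.20.0.1 are assumed, and 172.20.0.0/16 is the example range from the post.

```routeros
# Added example. Assumed values: interface wlan1, gateway 172.20.0.1.
# 172.20.0.0/16 is the example client range from the post above.

# 1. Layer 2: stop the AP from forwarding frames between its own wireless clients.
/interface wireless set wlan1 default-forwarding=no

# 2. Layer 3: keep the gateway reachable. If the gateway is the router itself,
#    its traffic is handled in the input chain and never reaches these forward
#    rules; this accept only matters when the gateway is a separate device.
/ip firewall filter add chain=forward in-interface=wlan1 \
    src-address=172.20.0.0/16 dst-address=172.20.0.1 \
    action=accept comment="hotspot: clients may reach the gateway"

# 3. Layer 3: drop client-to-client traffic that the router would otherwise relay.
#    Rules are evaluated top to bottom, so this must sit below the accept above.
/ip firewall filter add chain=forward in-interface=wlan1 \
    src-address=172.20.0.0/16 dst-address=172.20.0.0/16 \
    action=drop comment="hotspot: no client-to-client traffic"

# 4. Check: ping one client from another; the drop rule's packet counter
#    should increase and the ping should get no reply.
/ip firewall filter print stats
```

If the wireless interface is a bridge port, routed-firewall rules only see that traffic when the bridge is set to use the IP firewall, so confirm the counter in step 4 actually moves.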
 
Alessio Garavano
Member
Posts: 306
Joined: Sat May 29, 2004 12:49 am
Location: Corrientes, Argentina

Re: Hacking Hotspot

Fri Jun 06, 2008 12:34 pm

Roland: I check my dhcp-server list and have more than 50 hostnames called "desktop" or "PC" or "pc" or "user" etc etc

I think the solution could be around the new "L2 Mesh Protocol" that I am trying with excellent results; my network is now more stable and fast.

And I can see how this Layer 2 protocol knows all hosts of the network and loads all host MACs of the network into the /int mesh fdb table of each node of the net...

MT guys, can this be a possible future solution for wired and wireless networks, using this new protocol to prevent cloned MACs from different places?

This is my little grain of sand; I hope it can help to invent a solution to this famous problem that drives all of us network administrators crazy :lol:

Best Regards!
 
AnRkey
Member Candidate
Posts: 118
Joined: Tue Sep 15, 2009 6:01 pm

Re: Hacking Hotspot

Sat Nov 28, 2009 12:50 am

Found this clip showing how very simple and easy it is to get access to an MT hotspot without a login and pass.

http://www.youtube.com/watch?v=1WlfLCfdzlY

The whole point of a hotspot (to me anyway) is that it acts as a captive portal for clients that can simply be connected to and used. By telling us to use WPA, WEP and other encryption you are simply missing the point.

MT dudes should just say it's not secure so we can stop wasting our time on this.

What work is being done to find a work-around for this issue? There must be some way... I'm sure that fixing the cookie/logout bug would solve this issue... would it not? Can't a cookie be wiped or even changed to show a logged out status? (problem solved if yes without uh's and buts)

After all, what good is a product that does not work as intended or is too easy to circumvent? For that matter, what's the point of the login and password if it's that insecure, why not just ditch it? When I have a product that can't be fixed it gets retired... what are other vendors doing to get around this?

R
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Hacking Hotspot

Sat Nov 28, 2009 1:08 am

That video shows absolutely nothing new (MAC address spoofing). MAC address spoofing is non-trivial to circumvent but several solutions and attempts are described in this thread.

The router has nothing to do with enforcing edge connections. From the router's point of view it's impossible to tell a spoofed MAC address connection from the legitimate connection. Cookies are an unsatisfactory workaround as it potentially excludes legitimate clients. This has absolutely nothing to do with Mikrotik's implementation, that's just how networks work.
 
Chupaka
Forum Guru
Posts: 8709
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus

Re: Hacking Hotspot

Sat Nov 28, 2009 2:04 am

simply uncheck 'default forwarding' tick in Wifi properties? =)

p.s. they're using a cracked version - has anybody seen the WISP name? :D
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Hacking Hotspot

Sat Nov 28, 2009 4:59 am

simply uncheck 'default forwarding' tick in Wifi properties? =)
Yes. Sorry, I should have been more explicit. To me that would count as configuring your edge to prevent this as it doesn't matter where the AP is. The Hotspot itself can't do this stuff for you, you have to prevent it wherever the client connects to the network (which admittedly definitely sometimes is the same device, but in an unrelated configuration section).
 
AnRkey
Member Candidate
Posts: 118
Joined: Tue Sep 15, 2009 6:01 pm

Re: Hacking Hotspot

Sun Dec 06, 2009 8:13 pm

simply uncheck 'default forwarding' tick in Wifi properties? =)

p.s. they're using a cracked version - has anybody seen the WISP name? :D
Awesome, thanks this fixed my problem.

I did some tests and the "default forwarding" being off stops those kids dead in their tracks. Not one problem so far :D I can't believe I forgot this on to begin with. When I saw your post I knew instantly how silly I had been by not seeing it straight away.

We pay per GB down here for our data throughput on ADSL. So it hurts not knowing and/or forgetting this little secret. Not to mention that your hotspot clients can now reach/see each other too if default forwarding is not off! So getting hacked is part one of the story; part two is the hackers can also see your clients directly, so if they are not protected they get smacked too. Just imagine on large installations what a big issue this one tick box can cause by forgetting to set it correctly! :shock:

R
 
ahang
Frequent Visitor
Posts: 59
Joined: Tue Apr 06, 2010 1:16 am
Location: 127.0.0.1

Re: Hacking Hotspot

Thu Jun 03, 2010 10:34 am

Hello guys

Don't bother yourself, Mikrotik is hackable. In my area the ISP is using Mikrotik RouterOS v4.9, and to access the internet there's HotSpot and PPPoE, and they are using the extreme ways from hacking but it won't work. I can get user/password and its MAC and IP. Today the methods of hacking have become so many that no one can control hackers, and the ultimate solution to prevent hacking is to unplug your cable from the LAN or disconnect your PC from the network !!!
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Hacking Hotspot

Thu Jun 03, 2010 10:37 am

PPPoE
if properly configured, I doubt you will be able to hack it. Admin usually is at fault :)
 
ahang
Frequent Visitor
Posts: 59
Joined: Tue Apr 06, 2010 1:16 am
Location: 127.0.0.1

Re: Hacking Hotspot

Thu Jun 03, 2010 10:41 am

if properly configured, I doubt you will be able to hack it. Admin usually is at fault :)
OK, what is the best secure way for users in Mikrotik ?
 
normis
MikroTik Support
Posts: 26322
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Re: Hacking Hotspot

Thu Jun 03, 2010 10:46 am

1. Control the way people access your network. Is that a wired network? How did this person plug his cable into your network? Make sure to limit his opportunities. Is that a wireless network? Use WPA.

2. Use encrypted PPPoE on either type of network, don't use an address on the interface where PPPoE is running, and configure the firewall to drop everything that is not supposed to be coming from the client.

3. Restrict communication between connected devices either by a managed switch or by wireless access list.
 
ahang
Frequent Visitor
Posts: 59
Joined: Tue Apr 06, 2010 1:16 am
Location: 127.0.0.1

Re: Hacking Hotspot

Thu Jun 03, 2010 11:16 am

1. Control the way people access your network. Is that a wired network? How did this person plug his cable into your network? Make sure to limit his opportunities. Is that a wireless network? Use WPA.

2. Use encrypted PPPoE on either type of network, don't use an address on the interface where PPPoE is running, and configure the firewall to drop everything that is not supposed to be coming from the client.

3. Restrict communication between connected devices either by a managed switch or by wireless access list.

No no, I mean if you want to prevent yourself from being hacked you don't have to use the internet at all !!! :lol:

The encrypted PPPoE is ms-chap md5 v1 and ms-chap md5 v2; these two encrypted ways can be decrypted, and it will take time.

And tell me more about that managed switch? You guys are talking about that pretty much.

Anyway, the language of hacking is different. Even if Mikrotik has good security and all these encryptions and MAC & IP spoofing protections etc., it cannot consider some hackers' methods.

I'm quite sure that Mikrotik has very good security; beginner and amateur hackers can't do anything. Someone at an advanced level can do it. I can say there is 5% of exploit in Mikrotik, so you should be very skillful to take advantage of this 5%.
 
ether3al
newbie
Posts: 42
Joined: Tue Jan 19, 2010 3:23 am

Re: Hacking Hotspot

Thu Jun 10, 2010 4:34 am

Sounds like there is a need for a WIPS system!

We use AirDefense with policy-based termination (wired and wireless) :)
