Re: Hacking Hotspot

Posted: Sat May 24, 2008 6:31 am
by nvrpunk
Ban the MAC address access, wait till someone emails, verify they are the paying subscriber. By the time this is said and done, the *hackers* will be tired of wasting time, especially if you repeat this process.

Although this may be an inconvenience to the paying customer it will deter the hackers from bothering as they will have to do more scans, hop macs etc.

Re: Hacking Hotspot

Posted: Mon May 26, 2008 3:55 pm
by omega-00
I fully understand how painful that is.
I'm just changing 3 3com switches and 1 linksys web-smart switch because their web services are simply crashing and we can't even telnet, I don't know why. Maybe stability is something cisco is selling. And honestly it is very very painful. But what's the choice anyway?
We had similar problems with the most recent range of linksys switches - IMHO they are crap.

In regards to what people are saying about not turning on encryption I fully understand the reasons, most clients have NO idea about connecting up or changing from one network to the other let alone connecting to a secure network. It would be GREAT to be able to do this but in theory most clients wouldn't understand and you couldn't expect to force all of them onto the secure one by disabling internet access via the unsecured.

With regards to blocking the hacks, this isn't a mikrotik issue.. mikrotik provide devices that will give you access when given the right information.. every network admin should know that you can't control what's going on at the user's computer although you can control what comes through your device. Now if you can think of a constructive way that would stop these hacks from occurring without the user having to jump through hoops just to get online then by all means share it. If you can't then don't blame others for the issue.

My thought would be this, for users with a dhcp assigned address and a dhcp client id, why not devise a method to reverse check that the computer connected has that same client ID and if not, drop the wireless connection.

Re:

Posted: Wed May 28, 2008 7:36 am
by roland
any guru can solve this problem?

We had similar MAC cloning on our hotspots, especially because we also use/offer the TRIAL feature ('free' for a few minutes per day). It is impossible to see a difference between real and fake MACs, however each time they change the MAC, they get a new IP from our DHCP, and a new entry in our DHCP table with their hostname.

So, the hacker most likely is about to produce multiple, hostname-identical DHCP traces.

I made two scripts. Script-A is COUNTING same-hostnames in the DHCP table.
Given the fact that maybe 2 people have same hostname and connect at the same time, we set the 'possible-hack-limit' to >2 same-hostnames.
The script writes a global variable of list type ("hacklist"), which holds the identified hostnames. Schedule updates the list (runs the script) every 2 minutes.

Script-B (runs every 20 seconds) uses the global hacklist, gets the IP per host from the DHCP table, scans the hotspot active users and kicks out those IPs.

After 2 times changing the MAC address, the hacker gets a 20sec access at most.
I know that the hostname can be changed easily... however, it usually requires a PC-restart. Our hackers are all gone.
===================
script-A: (run every few minutes)
:local hosts [/ip dhcp-server lease find]
:local pcname "X"
:local pcnum 0
:global hacklist ""
# build a comma-separated list of every non-empty host-name in the lease table
:foreach h in $hosts do={
    :local host [/ip dhcp-server lease get $h host-name]
    :if ([:len $host] > 0) do={
        :set pcname ($pcname . "," . $host)
        :set pcnum ($pcnum + 1)
    }
}
# count the leases per host-name; more than 2 puts the name on the hacklist
# (:toarray splits the comma-separated string into separate entries)
:foreach h in [:toarray $pcname] do={
    :local hh 0
    :if (!([:find $hacklist $h] >= 0)) do={
        :foreach k in [:toarray $pcname] do={ :if ($k = $h) do={ :set hh ($hh + 1) } }
        :if ($hh > 2) do={
            :if ([:len $hacklist] > 0) do={ :set hacklist ($hacklist . "," . $h) } else={ :set hacklist $h }
        }
    }
}

# monitor results in logfile once an hour
# ($switch is not defined anywhere in the script as posted)
:local timer [:pick [/system clock get time] 3 5]
:if (($switch > 0) || ($timer >= "58")) do={
    :log warning ("New Hacklist: " . $hacklist)
}

=======================
script-B (runs every 20 seconds)
# use global hacklist variable (declared here so this script can read it)
:global hacklist
#:log info ($hacklist)
:foreach host in [:toarray $hacklist] do={
    # every lease carrying a flagged host-name
    :foreach i in=[/ip dhcp-server lease find host-name=$host] do={
        :local ipnum [/ip dhcp-server lease get $i address]
        :local unum [/ip hotspot active find address=$ipnum]
        :if ([:len $unum] > 0) do={
            :local usr [/ip hotspot active get $unum user]
            :log warning ($host . " " . $ipnum . " " . $usr)
            #next line kick them out right now, could also check pppoe
            /ip hotspot active remove $unum
            #other stuff can do now with the identified IP and USER
        }
    }
}

================
Hope it helps. It does in our case.
And sorry for the long post :)

Re: Hacking Hotspot

Posted: Thu Jun 05, 2008 10:33 am
by cravetou
To prevent hotspot hacking,
use a wireless interface in the MT and uncheck the default forward in the wireless interface configuration.
This will prevent clients from communicating with each other.

Re: Hacking Hotspot

Posted: Thu Jun 05, 2008 11:12 am
by websawadee
To prevent hotspot hacking,
use a wireless interface in the MT and uncheck the default forward in the wireless interface configuration.
This will prevent clients from communicating with each other.
I found that this still allows users to e.g. 'ping' each other thru the MT as a relay.
I additionally use a filter on the wlan-interface.
If the user's address space is 172.20.x.x/16 (for example), I added a filter dropping traffic 172.20.x.x/16 to 172.20.x.x/16 on the wlan interface.
Just remember to exclude the IP of the router and/or default gateway ;-)
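
The two layers described in the posts above (default forwarding off, plus a filter for client traffic relayed through the router), written out as RouterOS commands. This is an added example and not part of any poster's message; the interface name wlan1 and the gateway address 172.20.0.1 are assumptions, and 172.20.0.0/16 is the example range from the post.

```routeros
# Added example. Assumed names: wlan1 (hotspot wireless interface),
# 172.20.0.1 (router / default gateway). 172.20.0.0/16 is the post's example range.

# Layer 2: the AP stops forwarding frames between its associated clients.
/interface wireless set wlan1 default-forwarding=no

# Layer 3: clients can still reach each other if the router relays the packets,
# so drop anything that enters and leaves on the client interface.
/ip firewall filter
# Placed first so the drop rule below never catches traffic addressed to the gateway.
add chain=forward in-interface=wlan1 src-address=172.20.0.0/16 \
    dst-address=172.20.0.1 action=accept comment="hotspot clients to gateway"
add chain=forward in-interface=wlan1 out-interface=wlan1 \
    src-address=172.20.0.0/16 dst-address=172.20.0.0/16 \
    action=drop comment="hotspot client-to-client relay"
```

Rule order matters here: the filter table is evaluated top to bottom, so the accept rule has to sit above the drop rule.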

Re: Hacking Hotspot

Posted: Fri Jun 06, 2008 12:34 pm
by Alessio Garavano
Roland: I checked my dhcp-server list and have more than 50 hostnames called "desktop" or "PC" or "pc" or "user" etc etc

I think the solution can be around the new "L2 Mesh Protocol" I am trying with excellent results, my network now is more stable and fast.

And I can see how this Layer 2 protocol knows all hosts of the network and loads all host MACs of the network in the /int mesh fdb table of each node of the net...

MT guys, can this be a possible future solution for wired and wireless networks, using this new protocol to prevent cloned MACs from different places?

This is my little grain of sand, I hope can help to invent a solution to this famous problem that we have crazy at all networks administrators :lol:

Best Regards!

Re: Hacking Hotspot

Posted: Sat Nov 28, 2009 12:50 am
by AnRkey
Found this clip showing how very simple and easy it is to get access to an MT hotspot without a login and pass.

http://www.youtube.com/watch?v=1WlfLCfdzlY

The whole point of a hotspot (to me anyways) is that it acts as a captive portal for clients that can simply be connected to and used. By telling us to use WPA, WEP and other encryption you are simply missing the point.

MT dudes should just say it's not secure so we can stop wasting our time on this.

What work is being done to find a work-around for this issue? There must be some way... I'm sure that fixing the cookie/logout bug would solve this issue... would it not? Can't a cookie be wiped or even changed to show a logged out status? (problem solved if yes without uh's and buts)

After all, what good is a product that does not work as intended or is too easy to circumvent? For that matter what's the point of the login and password if it's that insecure, why not just ditch it? When I have a product that can't be fixed it gets retired... what are other vendors doing to get around this?

R

Re: Hacking Hotspot

Posted: Sat Nov 28, 2009 1:08 am
by fewi
That video shows absolutely nothing new (MAC address spoofing). MAC address spoofing is non-trivial to circumvent but several solutions and attempts are described in this thread.

The router has nothing to do with enforcing edge connections. From the router's point of view it's impossible to tell a spoofed MAC address connection from the legitimate connection. Cookies are an unsatisfactory workaround as it potentially excludes legitimate clients. This has absolutely nothing to do with Mikrotik's implementation, that's just how networks work.

Re: Hacking Hotspot

Posted: Sat Nov 28, 2009 2:04 am
by Chupaka
simply uncheck 'default forwarding' tick in Wifi properties? =)

p.s. they're using a cracked version - has anybody seen the WISP name? :D

Re: Hacking Hotspot

Posted: Sat Nov 28, 2009 4:59 am
by fewi
simply uncheck 'default forwarding' tick in Wifi properties? =)
Yes. Sorry, I should have been more explicit. To me that would count as configuring your edge to prevent this as it doesn't matter where the AP is. The Hotspot itself can't do this stuff for you, you have to prevent it wherever the client connects to the network (which admittedly definitely sometimes is the same device, but in an unrelated configuration section).

Re: Hacking Hotspot

Posted: Sun Dec 06, 2009 8:13 pm
by AnRkey
simply uncheck 'default forwarding' tick in Wifi properties? =)

p.s. they're using a cracked version - has anybody seen the WISP name? :D
Awesome, thanks this fixed my problem.

I did some tests and the "default forwarding" being off stops those kids dead in their tracks. Not one problem so far :D I can't believe I forgot this on to begin with. When I saw your post I knew instantly how silly I had been by not seeing it straight away.

We pay per GB down here for our data throughput on ADSL. So it hurts not knowing and/or forgetting this little secret. Not to mention that your hotspot clients can now reach/see each other too if default forwarding is not off! So getting hacked is part one of the story, part two is the hackers can also see your clients directly so if they are not protected they get smacked too. Just imagine on large installations what a big issue this one tick box can cause by forgetting to set it correctly! :shock:

R

Re: Hacking Hotspot

Posted: Thu Jun 03, 2010 10:34 am
by ahang
Hello guys

Don't bother yourself, Mikrotik is hackable. In my area the ISP is using Mikrotik RouterOS v4.9, and to access the internet there's HotSpot and PPPoE, and they are using the extreme ways from hacking but it won't work; I can get user/password and its MAC and IP. Today the methods of hacking have become so many that no one can control hackers, and the ultimate solution to prevent hacking is to unplug your cable from the LAN or disconnect your PC from the network !!!

Re: Hacking Hotspot

Posted: Thu Jun 03, 2010 10:37 am
by normis
PPPoE
if properly configured, I doubt you will be able to hack it. Admin usually is at fault :)

Re: Hacking Hotspot

Posted: Thu Jun 03, 2010 10:41 am
by ahang
if properly configured, I doubt you will be able to hack it. Admin usually is at fault :)
OK, what is the best secure way for users in Mikrotik?

Re: Hacking Hotspot

Posted: Thu Jun 03, 2010 10:46 am
by normis
1. Control the way people access your network. Is that a wired network? How did this person plug his cable into your network? Make sure to limit his opportunities. Is that a wireless network? Use WPA.

2. Use encrypted PPPoE on either type of network, don't use an address on the interface where PPPoE is running, configure the firewall to drop everything that is not supposed to be coming from the client.

3. Restrict communication between connected devices either by a managed switch or by wireless access list.

Re: Hacking Hotspot

Posted: Thu Jun 03, 2010 11:16 am
by ahang
1. Control the way people access your network. Is that a wired network? How did this person plug his cable into your network? Make sure to limit his opportunities. Is that a wireless network? Use WPA.

2. Use encrypted PPPoE on either type of network, don't use an address on the interface where PPPoE is running, configure the firewall to drop everything that is not supposed to be coming from the client.

3. Restrict communication between connected devices either by a managed switch or by wireless access list.

No no, I mean if you want to prevent yourself from hacking you don't have to use the internet at all !!! :lol:

The encrypted PPPoE is ms-chap md5 v1 and ms-chap md5 v2; these two encrypted ways can be decrypted and it will take time.

And tell me more about that managed switch? You guys are talking about that pretty much.

Anyway, the language of hacking is different if the Mikrotik have a good security and all these encrypted and MAC & IP spoofing and etc... but it cannot consider some hackers method.

I'm quite sure that Mikrotik has very good security; beginner and amateur hackers can't do anything. Someone at an advanced level can do it; I can say there is 5% of exploit in Mikrotik so you should be very skillful to take advantage of this 5%.

Re: Hacking Hotspot

Posted: Thu Jun 10, 2010 4:34 am
by ether3al
Sounds like there is a need for a WIPs system!

We use AirDefence with policy based termination (wired and wireless) :)