medooo2005
just joined
Topic Author
Posts: 6
Joined: Sun Jun 10, 2007 7:01 am

net cut

Sun Aug 19, 2007 8:20 am

I need help: how can I drop the net cut?
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: net cut

Mon Aug 20, 2007 2:55 pm

What is 'net cut'?
 
samsoft08
Long time Member
Posts: 613
Joined: Sat Nov 26, 2005 10:52 pm

Re: net cut

Wed Aug 22, 2007 2:06 am

You didn't hear about net-cut?? The hacker connects to an unsecured hotspot network, gets an IP, scans the network, chooses the victim's MAC address, clones it on his PC, shuts the victim off, and gets in as the real user (victim) without any need for a user name and password. It's easy now to get into any MT hotspot, piece of cake. Personally, I overcame this problem by using a WPA encryption key on my APs.
 
winxp2000
Member Candidate
Posts: 113
Joined: Mon Jan 30, 2006 8:57 pm
Location: China

Re: net cut

Wed Aug 22, 2007 6:12 am

Hacker?

hehe
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: net cut

Wed Aug 22, 2007 8:55 am

As there are no details included about the issue:
for wireless, use the advice samsoft08 provided for securing the network with WPA;
for Ethernet, you may either use smart switches to ensure filtering by MAC addresses or use a PPPoE authentication server.
 
channingzou
Member Candidate
Posts: 137
Joined: Sun Feb 25, 2007 7:57 am
Location: NC,USA

Re: net cut

Wed Aug 22, 2007 9:12 am

> You didn't hear about net-cut?? The hacker connects to an unsecured hotspot network, gets an IP, scans the network, chooses the victim's MAC address, clones it on his PC, shuts the victim off, and gets in as the real user (victim) without any need for a user name and password. It's easy now to get into any MT hotspot, piece of cake. Personally, I overcame this problem by using a WPA encryption key on my APs.

Hi, do you need any software to do that? I want to try scanning and choosing a MAC address to see if it works in my hotspot.
 
janisk
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: net cut

Wed Aug 22, 2007 10:26 am

RouterOS can do that easily ;)
 
samsoft08
Long time Member
Posts: 613
Joined: Sat Nov 26, 2005 10:52 pm

Re: net cut

Thu Aug 23, 2007 5:08 am

Can do what??
With net-cut anyone can enter any unsecured MT hotspot very easily!!!
 
channingzou
Member Candidate
Posts: 137
Joined: Sun Feb 25, 2007 7:57 am
Location: NC,USA

Re: net cut

Thu Aug 23, 2007 7:32 am

I only saw "can do easily".
I don't see any article on how it can be done easily.
Will you post an article link about how to?
 
channingzou
Member Candidate
Posts: 137
Joined: Sun Feb 25, 2007 7:57 am
Location: NC,USA

Re: net cut

Thu Aug 23, 2007 8:42 am

> I only saw "can do easily".
> I don't see any article on how it can be done easily.
> Will you post an article link about how to?

Oh, yes, it can cut the network, but how do you get internet access using the chosen victim MAC address?
 
channingzou
Member Candidate
Posts: 137
Joined: Sun Feb 25, 2007 7:57 am
Location: NC,USA

Re: net cut

Fri Aug 24, 2007 6:05 am

> As there are no details included about the issue:
> for wireless, use the advice samsoft08 provided for securing the network with WPA;
> for Ethernet, you may either use smart switches to ensure filtering by MAC addresses or use a PPPoE authentication server.

Go to http://www.arcai.com, download netcut and install it. Connect to an unsecured MT hotspot and run netcut; you will see all the clients connected to this hotspot. Cut off whoever you want; whoever you cut will lose their internet connection.
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: net cut

Fri Aug 24, 2007 8:38 am

There are always options available that can help you protect the router from unauthorized clients.
 
channingzou
Member Candidate
Posts: 137
Joined: Sun Feb 25, 2007 7:57 am
Location: NC,USA

Re: net cut

Fri Aug 24, 2007 9:27 am

> There are always options available that can help you protect the router from unauthorized clients.

Can you speak more clearly? Give an example or a link here.
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: net cut

Fri Aug 24, 2007 9:37 am

You have to specify: do you use a wireless or an Ethernet network?
 
channingzou
Member Candidate
Posts: 137
Joined: Sun Feb 25, 2007 7:57 am
Location: NC,USA

Re: net cut

Fri Aug 24, 2007 5:09 pm

> You have to specify: do you use a wireless or an Ethernet network?

I use both in one router: wireless for the hotspot, Ethernet network for local.
 
samsoft08
Long time Member
Posts: 613
Joined: Sat Nov 26, 2005 10:52 pm

Re: net cut

Sun Aug 26, 2007 1:11 am

When they cut an authorized user, he wouldn't log out immediately, so they can clone his MAC and enter the hotspot without any need for a user name / pass, because the victim is still authorized in the RouterOS hotspot. Many, many people are doing this with unsecured hotspots. And why do WISPs still keep it unsecured? Because they need it open for advertisement. I think the virtual AP can solve this problem with one condition: you must use RouterOS as an AP...
 
channingzou
Member Candidate
Posts: 137
Joined: Sun Feb 25, 2007 7:57 am
Location: NC,USA

Re: net cut

Wed Aug 29, 2007 5:32 am

> You have to specify: do you use a wireless or an Ethernet network?

I use both in one router: wireless for the hotspot, Ethernet network for local.
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: net cut

Wed Aug 29, 2007 3:58 pm

For a wireless HotSpot you may use the WPA encryption protocol; it will protect from unauthorized access.
 
channingzou
Member Candidate
Posts: 137
Joined: Sun Feb 25, 2007 7:57 am
Location: NC,USA

Re: net cut

Thu Aug 30, 2007 6:05 am

> For a wireless HotSpot you may use the WPA encryption protocol; it will protect from unauthorized access.

It isn't a good solution. Is there an option available to protect against netcut from both unauthorized and authorized clients?
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: net cut

Thu Aug 30, 2007 9:23 am

Why is it not a good solution?
I think the best way to protect against a bad person bothering your access point is to not allow him to connect (which WPA does great), as without the correct security settings for WPA he/she will not bother your clients.
 
channingzou
Member Candidate
Posts: 137
Joined: Sun Feb 25, 2007 7:57 am
Location: NC,USA

Re: net cut

Thu Aug 30, 2007 5:08 pm

When WPA is enabled, they can't connect to the AP, so how do they sign up by themselves? The HOTSPOT works like temporary internet access, so I need them to be able to sign up by themselves.
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Re: net cut

Thu Aug 30, 2007 9:05 pm

You could set up an open, unencrypted hotspot that allows only access to your user-registration page where you describe the services that you're offering to registered customers and allow potential customers to sign up for your services. Require them to identify themselves upon registration and to provide their payment details (credit card information etc.) and send them an email which they need to confirm in order to activate their access to your services (for example by clicking on an URL contained in the email text - the usual double-opt-in scheme). Upon successful confirmation automatically generate a certificate for them to be used for EAP protected access to your services, send them a copy of the cert and automatically import it into your radius infrastructure. If they're subscribing to your services for a limited time (i.e. three months or some such) make the certificate expire accordingly.

--Tom
 
channingzou
Member Candidate
Posts: 137
Joined: Sun Feb 25, 2007 7:57 am
Location: NC,USA

Re: net cut

Fri Aug 31, 2007 5:22 am

> You could set up an open, unencrypted hotspot that allows only access to your user-registration page where you describe the services that you're offering to registered customers and allow potential customers to sign up for your services. Require them to identify themselves upon registration and to provide their payment details (credit card information etc.) and send them an email which they need to confirm in order to activate their access to your services (for example by clicking on an URL contained in the email text - the usual double-opt-in scheme). Upon successful confirmation automatically generate a certificate for them to be used for EAP protected access to your services, send them a copy of the cert and automatically import it into your radius infrastructure. If they're subscribing to your services for a limited time (i.e. three months or some such) make the certificate expire accordingly.
>
> --Tom

Well, that needs two wireless APs: one for WPA, one unsecured. What about someone who buys once and, after learning the WPA code, does the same thing? Do we need to change the WPA code monthly?
How can that be a good solution?

I want an option that can stop netcut without WPA. Is this possible?
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Re: net cut

Fri Aug 31, 2007 9:38 am

Yes, logically there'd need to be two AP, one for unsecured connections (offering registration only) and one WPA protected for full network access, but you can use the virtual-AP feature of RouterOS so that you do not need to buy and install two AP devices - both AP can run on the same radios.

Regarding people 'knowing the WPA code': That would only be an issue with WPA-PSK, but the solution that I outlined uses EAP with certificates, so there is no PSK that can be shared between users. You're right that of course once a customer is fully connected to the WPA protected AP he can then again use Netcut or other network hijacking tools, but then you know who did it because the customer is registered and authorized at the AP with a personal ID (from the cert that you issued him).

--Tom
 
sergejs
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Re: net cut

Fri Aug 31, 2007 3:44 pm

WPA-PSK is static, that's why it is priort to change only by router administrator. The PSK scenario is easier for the network administrator, as you are not required to configure a RADIUS server and EAP.
Probably a permanent PSK phrase is not a good solution; however, on the other side, it is not easy to notify all the clients about the PSK change. One solution, if you stay with PSK, is to print the new PSK key on the Internet bill that is sent to the client and change the PSK phrase at the access point on the last day of the bill payment deadline or even on the first day after the deadline.
 
channingzou
Member Candidate
Posts: 137
Joined: Sun Feb 25, 2007 7:57 am
Location: NC,USA

Re: net cut

Sun Sep 02, 2007 7:28 am

> Yes, logically there'd need to be two AP, one for unsecured connections (offering registration only) and one WPA protected for full network access, but you can use the virtual-AP feature of RouterOS so that you do not need to buy and install two AP devices - both AP can run on the same radios.
>
> Regarding people 'knowing the WPA code': That would only be an issue with WPA-PSK, but the solution that I outlined uses EAP with certificates, so there is no PSK that can be shared between users. You're right that of course once a customer is fully connected to the WPA protected AP he can then again use Netcut or other network hijacking tools, but then you know who did it because the customer is registered and authorized at the AP with a personal ID (from the cert that you issued him).
>
> --Tom

Hi, if I use EAP with certificates, do I need to buy a certificate service from somewhere?
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Re: net cut

Sun Sep 02, 2007 11:30 am

> If I use EAP with certificates, do I need to buy a certificate service from somewhere?

You can, but you don't need to. You can just as well run your own PKI. There are lots of tutorials on the net on how to set up a basic PKI (CA) with OpenSSL and a bunch of shell scripts, such as

http://www.sourcequench.net/pki/mkca-dist.tar.gz (code only, no tutorials)

The code available at that URL is not written by me (I just put it on my server so that you guys can download it), and it is not specially tailored to an EAP environment and therefore might need some tweaking, but I found it to be an easy and convenient toolbox for certificate management, including automatic maintenance of a CRL.

--Tom
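
The private-CA approach Tom describes in his posts (per-subscriber certificates that expire with the subscription, plus a CRL), sketched with the `openssl` CLI as an added example; it is not part of the original thread and not the code from the linked toolbox. The CA name, the `hotspot` section, the subscriber ids and the 7-day CRL lifetime are all assumptions.

```shell
#!/bin/sh
# Added example: private CA for EAP-TLS subscriber certs. All names are constructed.
set -eu
PKI_DIR="${PKI_DIR:-$(mktemp -d)}"   # scratch dir; keep ca.key offline in real use
CNF="$PKI_DIR/pki.cnf"
make_ca() {  # write one config shared by req/x509/ca, then self-sign the CA
  cat > "$CNF" <<EOF
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client]
basicConstraints = CA:FALSE
extendedKeyUsage = clientAuth
[ca]
default_ca = hotspot
[hotspot]
database = $PKI_DIR/index.txt
certificate = $PKI_DIR/ca.crt
private_key = $PKI_DIR/ca.key
default_md = sha256
default_crl_days = 7
EOF
  : > "$PKI_DIR/index.txt"
  openssl req -x509 -config "$CNF" -newkey rsa:2048 -nodes -days 3650 \
    -subj "/CN=Example Hotspot CA" -keyout "$PKI_DIR/ca.key" -out "$PKI_DIR/ca.crt" 2>/dev/null
  refresh_crl
}
refresh_crl() { openssl ca -config "$CNF" -gencrl -out "$PKI_DIR/crl.pem" 2>/dev/null; }
issue_client() {  # $1 = subscriber id (becomes the CN), $2 = subscription length in days
  openssl req -new -config "$CNF" -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.csr" 2>/dev/null
  openssl x509 -req -in "$PKI_DIR/$1.csr" -days "$2" -CA "$PKI_DIR/ca.crt" \
    -CAkey "$PKI_DIR/ca.key" -CAcreateserial -extfile "$CNF" -extensions client \
    -out "$PKI_DIR/$1.crt" 2>/dev/null
}
# Mark a subscriber's cert as revoked in the CA database and republish the CRL.
revoke_client() { openssl ca -config "$CNF" -revoke "$PKI_DIR/$1.crt" 2>/dev/null; refresh_crl; }
# What the RADIUS server should enforce: chains to our CA and is not on the CRL.
client_ok() {
  openssl verify -crl_check -CAfile "$PKI_DIR/ca.crt" -CRLfile "$PKI_DIR/crl.pem" \
    "$PKI_DIR/$1.crt" >/dev/null 2>&1
}
# True if the cert will still be valid $2 days from now.
valid_in() { openssl x509 -in "$PKI_DIR/$1.crt" -noout -checkend $(( $2 * 86400 )) >/dev/null; }
```

Typical order of use: `make_ca`, then `issue_client alice 90` at sign-up and `revoke_client alice` when an account is closed early. Run `refresh_crl` on a schedule shorter than the CRL lifetime so the authentication server never sees a stale list.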
 
channingzou
Member Candidate
Posts: 137
Joined: Sun Feb 25, 2007 7:57 am
Location: NC,USA

Re: net cut

Mon Sep 03, 2007 7:06 am

Do you have instructions for setting up a CA? And what hardware do I need?
Thanks!
