Hacking Hotspot

I have a Hotspot with web proxy enabled, and some hackers can hack my hotspot by using scanning programs which can scan the active IPs and their MACs and use one of them (by changing the MAC) to get the same IP as the authorized MAC and then access the Internet without being asked to authenticate because it's already authenticated.

‘ip hotspot user profile’ contains the ‘shared-users’ option; ‘shared-users=1’ allows only 1 client to use the same login/password simultaneously.
1 session means that only one user is able to use the particular HotSpot login. It might cause problems, as the ‘bad’ user authenticates first and then the ‘good’ client is unable to authenticate.

To resolve this,

  • use login/password for the HotSpot authentication;
  • if a bad user has stolen the IP/MAC address and the HotSpot login/password, then only managed switches help to protect the wired network from unauthorized access (WPA/WPA2 encryption for the wireless network).

Dear sergejs:

I already use “shared-users=1”, and use login/password for the HotSpot authentication.
The “bad users” stole the IP/MAC address by using scanning programs, and chose one of the active IP/MAC addresses.
If the stolen address is already authorized in the hotspot, then the “bad users” will receive Internet service as well as the ‘good client’ (both at the same time and with the same IP/MAC address).

:exclamation: :question:

Do you have wireless or wired clients?
For wireless clients you might use WPA or WPA2 encryption to protect the network from unauthorized access.
For wired/Ethernet clients a managed switch might help you, if the switch can make restrictions by MAC-address<—>port.

Duplicate IP and MAC addresses on the network cause problems for both ‘good’ and ‘bad’ clients; the internet will not work correctly for both of them if the clients simultaneously exist on the same network.

A PPPoE server might be used instead to protect the network from unauthorized access.

I have external Access Points connected to the MT Router.
I don’t use encryption WPA or WPA2, and I do not want to do so.

In my case both (Good and Bad users) use the Internet at the same time by using the same IP/MAC address. Theoretically this is impossible, and the internet will not work correctly for both of them. But practically it works on both sides.

I need a way to prevent this from happening.

What can a Managed Switch do for me in my case?

A managed switch would help if your clients were all using ethernet. You could restrict MAC addresses to a single port each. That way, if the port changes the switch won’t talk to them.

Unless you change to some form of controlled access you can’t stop these MAC / IP hijacks.

Regards

Andrew

the switch idea is correct but i’m assuming this guy is in a wireless environment since he says the “hackers” are using scanners and are cloning active authenticated MAC addys…

in which case serge is right u need to use wpa or wpa2 and that will solve this.

what are your “good” clients using to connect? windows laptops? CPEs? and if its laptops u could always use a vpn session and give each good user a user id and password with that…you would not need any wpa or wpa2 encryption since the hackers could connect to the ap but not through the vpn and thus no net access..

to be honest with you I hacked my ISP in such fashion 5 years ago myself, the only way I can think of is PPPoE authentication method.

Mikrotik RouterOS does not offer any solution for this, especially for the wireless side.

at this moment there is no wireless hotspot that can detect two radios with a duplicate MAC address, and doing managed switch MAC filtering is just a headache…

I’ve been thinking a lot of how to prevent this hack attempt since I did it myself. I can say the only answer might be in finding the culprit… by detecting its signal and location.

However I have other theories of using special java and cookie to read computer’s hard disk serial number locally in login page and store it in server ro if another user cloned
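Added example (not part of any post in this thread, and not a RouterOS feature): one way a monitoring host could detect the "two radios with a duplicate MAC address" case discussed above, by checking whether the 802.11 sequence numbers seen for a MAC look like a single counter. The frame observations, thresholds and function name are constructed assumptions.

```python
from collections import defaultdict

SEQ_MOD = 4096       # 802.11 sequence numbers are 12 bits wide
MAX_GAP = 64         # assumed tolerance for frames the monitor missed
MIN_JUMPS = 3        # assumed number of counter jumps before a MAC is flagged

# Constructed observations: (seconds, source MAC, sequence number, RSSI in dBm)
FRAMES = [
    (0.00, "00:11:22:33:44:55", 4090, -48),
    (0.02, "00:11:22:33:44:55", 4093, -47),
    (0.05, "00:11:22:33:44:55", 2, -49),      # normal wrap-around
    (0.06, "00:11:22:33:44:55", 2, -49),      # retransmission, gap of 0
    (0.09, "00:11:22:33:44:55", 7, -48),
    (0.00, "66:77:88:99:aa:bb", 100, -52),
    (0.01, "66:77:88:99:aa:bb", 2900, -81),   # second radio with its own counter
    (0.03, "66:77:88:99:aa:bb", 101, -51),
    (0.04, "66:77:88:99:aa:bb", 2901, -80),
    (0.06, "66:77:88:99:aa:bb", 103, -52),
    (0.07, "66:77:88:99:aa:bb", 2903, -82),
]

def find_shared_macs(frames, max_gap=MAX_GAP, min_jumps=MIN_JUMPS):
    """Return {mac: evidence} for MACs whose frames do not look like one radio."""
    per_mac = defaultdict(list)
    for _ts, mac, seq, rssi in sorted(frames):    # time order per MAC
        per_mac[mac.lower()].append((seq, rssi))

    flagged = {}
    for mac, obs in per_mac.items():
        jumps = 0
        for (prev_seq, _), (seq, _) in zip(obs, obs[1:]):
            # One radio moves its counter forward by a small step (mod 4096).
            # Two interleaved counters show up as repeated large forward gaps.
            if (seq - prev_seq) % SEQ_MOD > max_gap:
                jumps += 1
        if jumps >= min_jumps:
            levels = [rssi for _, rssi in obs]
            flagged[mac] = {"jumps": jumps,
                            "rssi_spread_db": max(levels) - min(levels)}
    return flagged

if __name__ == "__main__":
    for mac, evidence in find_shared_macs(FRAMES).items():
        print(mac, evidence)
```

QoS data frames keep a separate counter per traffic identifier, so on a real capture the comparison should be made within one frame class.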

Hellbound, where is the problem with using encryption protocols (WPA, WPA2) for wireless users? If your users do not distribute the security configuration, then a ‘bad’ user will not have any possibility to establish a connection with the AP without the encryption configuration.

Hey sergejs…
The problem is that when we are using the encryption protocols (WPA, WPA2) for wireless users, a New User can’t connect to the network and test the service if we use the hotspot service.

One of the workarounds for this problem is a Virtual AP created on the HotSpot AP, where you can create trial HotSpot users and a separate HotSpot server, but normal users will connect to the AP running encryption.

As Hellbound said, LOGIN can get some extra info for the user:
OS, Browser, User account name (many PHP ex.),
hardware numbers, partition number,

111111,
what is the problem with encryption protocol configuration ?
An encryption protocol has unique configuration settings, which are accepted only from a client with the correct configuration. If you do not give them out, or the user who paid for HotSpot does not give them out further, nobody could access your AP without the correct settings.

this is where you can force all users to enable encryption? but how many networks with wide coverage are using that?

unfortunately if you take out encryption, there is almost nothing left to protect users.

sergejs
WPA 64-bit 5-symbol pass needs around 30 min to be decrypted
128-bit 10-symbol ~ 8h

WPA2 is not supported by each AP client device

I think you meant WEP encryption when giving those times to decrypt/brute-force an encryption key.

WPA still goes as uncracked, I would suppose…

Best regards,
Christian Meis

cmit, WPA I mean
officially yes it is “most secure” like DVD protection
but “read the manual” says otherwise :wink:

WPA + RADIUS + some user system info
that’s other

I’m sure your problem is from your bad configuration of the hotspot. If you can, export the configuration with

/ip hotspot export

/ip dhcp-server export

/ip firewall nat export

and send it.

Your problem happens when you use the same IP for DHCP and Hotspot.
The scanner software hacks the physical layer of the network ((MAC)) and gets the DHCP IP from your server, which allows these IPs to connect to your internet.

To remove this you must configure a temporary DHCP network that allows all users to connect to your hotspot, and configure the hotspot with a different IP. For example:

1- DHCP server works on 192.168.0.1/24 on the hotspot interface
2- make a hotspot server work with 10.200.10.1/24
3- allow the hotspot IPs to access your internet from the firewall by

ip firewall nat add chain=srcnat src-address=10.200.10.0/24 action=masq... out-interface=((yourWAN))

and tell me what happens with you, and if anyone tells you JAVA hotspot is not secure, tell him you did not use the right configuration.

Regards

111111

  1. I think you are reading documentation regarding WEP, as only WEP has 64 (40) and 128 (104) bit keys. I did not recommend WEP as the encryption method, I was talking about WPA/WPA2.
    Could you post a link to this documentation?

  2. Did you manage to steal the WPA key for an AP running WPA encryption?

o boy, that was one good laugh in the morning. decrypt WPA in 30 minutes. Do you do voodoo or have access to the AP?

please clarify what documentation you read by posting links here, or name and source of materials.