Is one of my users trying to h4x0r
July 17, 2006 8:25 AM

I need to know the process to set up an "evil twin" ad hoc network. I think one of my users here may be trying to play around where they should not, and I need to know how to check if they are trying to set up an "evil twin" called "free wifi access".

Friday night I had a user notice a WiFi ad hoc network called "Free public access".
I need to find out how one gets set up, so I can check if a user I suspect of doing this is.
To make it even worse, the user is running Japanese Windows. So the more detailed the instructions the better.

No. I am not going to be setting it up myself. I just need to understand the process.
posted by JonnyRotten to computers & internet (23 comments total)
Could you clarify a bit? Are you located in an area where other wireless networks could be located nearby? Picking up stray wireless networks is not at all uncommon in populated areas. There's nothing sinister about this. As to how someone sets up a wireless network, that's simply a matter of buying an access point, or setting up a laptop to act as one (also not sinister).

The Windows' Language setting has no bearing.
posted by odinsdream at 8:30 AM on July 17, 2006


On the suspect machine

Start > Control Panel > Network Connections

Right-click properties on the wireless network connection and see what it's set up to do? I suggest checking it out on an English machine first so you don't have to rely on the Japanese text to figure out what you are doing :)

Or do you want to try and figure out who it is without touching their PC? That's a bit trickier but still doable.
posted by public at 8:37 AM on July 17, 2006


Lots of thoughts about suspicious "free public access" networks in this thread.
posted by junkbox at 8:39 AM on July 17, 2006


Write down your router address/external IP address.

Now connect to the ad hoc network. Ping your router. If it's just a jump or two, yeah, they're piggybacking. Note the IP address of the 'router' of the ad hoc network.

Switch back to your wireless/router. Find their IP address in the DHCP list.
Just block their MAC address on the router. When they come complaining to you, you found your guy.
posted by filmgeek at 8:59 AM on July 17, 2006


We are not in a populated area, and it was showing up at full strength when there is no place around to have it.
I saw it on the "view available wireless networks" on two computers, and was trying to triangulate on its location and it disappeared. But soon after one of the users packed up his laptop and went home.

I read the previous thread about this, but it doesn't tell you how to set one up. So without knowing how one is set up in Windows XP I don't know how to check out if one was set up.
It was gone before I had a chance to connect to it to find out the IP and the MAC address.
posted by JonnyRotten at 9:06 AM on July 17, 2006


odinsdream, it was not an access point, and disappeared as soon as I started to investigate it. It was an ad-hoc network in an area that we provide WiFi access for our users.

The language setting has bearing because if it's a vague comment on a general area of Windows I can't fucking read it.
So that's why I mentioned it was in Japanese and asked for a DETAILED guide. Not if their intentions were sinister.
posted by JonnyRotten at 9:10 AM on July 17, 2006


Sorry, it's been a rough morning. I didn't mean to get snippy, but I control the network here, and when someone starts broadcasting on my turf it's a situation I need to deal with. I wouldn't have posted it if it didn't seem fishy to me.
posted by JonnyRotten at 9:15 AM on July 17, 2006


It could also be a mistake, if the user connected to a free wifi point before, and then tried to reconnect while at the office, and ended up running their own ad hoc connection instead.
posted by anildash at 9:19 AM on July 17, 2006


(Meaning, you could very easily send out an email saying, "it appears one of you is mistakenly running a network that others could accidentally connect to. If you think it's your machine, let me know; Otherwise, I'll be stopping by to check and make sure you didn't do this by accident.")
posted by anildash at 9:20 AM on July 17, 2006


I would buy that, anildash, if it wasn't turned off and not coming back.
Its disappearance was wayyy too much of a coincidence for me.
posted by JonnyRotten at 9:23 AM on July 17, 2006


but I control the network here, and when someone starts broadcasting on my turf it's a situation I need to deal with

Or, to look at it another way, it isn't something you need to deal with, because it's unlicensed spectrum. It isn't your network, after all, and you honestly don't have control in this situation.

What I'm trying to understand is why it concerns you, when you've provided no details on what, beyond simply having a network SSID flying around, is causing you to worry. Is the unknown network, beyond simply existing, causing you other concerns?
posted by odinsdream at 9:37 AM on July 17, 2006


It concerns me because I work for a branch of a multi-million dollar international corporation, and if someone uses a fake WiFi hotspot to steal information then I can kiss my job goodbye.

It looked to me that someone could possibly be running an "evil twin" type scam and using it to collect user information which could then be further used to compromise our network.

We own the property on every single side of use WELL out of standard range. If someone was to come onto our property and try to run this scam I would treat it the same.

It's something I need to deal with because I love my job, I love the company I work for (GAH!) and I love providing for my family and I'd rather not risk losing those things.
posted by JonnyRotten at 9:44 AM on July 17, 2006


That's supposed to be "side of us as WELL"
posted by JonnyRotten at 9:45 AM on July 17, 2006


Well. The best I can get is that you think that someone is imitating your ESSID, which should be pretty easy to determine: just get an old laptop with a wifi card and run Kismet or NetStumbler. If you see your ESSID with a different BSSID, bingo.

Is there an ITS guy at your company who maybe has experience in this? Most multi-million dollar international corporations have dedicated IT Security guys who will either have or will authorize you to get the equipment you need to secure your network.
posted by Skorgu at 11:06 AM on July 17, 2006


Johnny, I am not a network security professional (nor do I play one on TV), but I would suggest that your users are part of the solution here. Send out a memo detailing exactly how to connect to your wireless network, and ways to spot if it is an evil twin (is there a default web page the system goes to on first connect? Is there a challenge/response setup or a specific screen they go to on the real deal?). You might also want to look at ways of restricting the networks your users would access: do they come with software that can lock them down to access your network only?
posted by baggers at 11:12 AM on July 17, 2006


Jonny, I guess I was unclear -- I'm not ruling out that this could be deliberate; I'm saying that giving someone the out of saying it's a mistake (1) could lead them to undoing their mischief or (2) at least gives you a reason to check everyone's machines. No?
posted by anildash at 11:50 AM on July 17, 2006


Well. The ad-hoc network popped up for about 5 minutes today and then disappeared again.
All my users deny ever having connected to anything that says "free WiFi hotspot".
I am going to be training them on properly connecting to our network and being safe outside of here.

I guess I would still like to have instructions on setting up one of my own so I can show them what it looks like when they see one.

So back to my original question. Does anyone know how to set up an "evil twin" access point?
posted by JonnyRotten at 2:00 PM on July 17, 2006


You're simply asking how to configure a Windows PC as an "access point", right? I don't see where "evil twin" comes in if the SSID of the access point this user is creating isn't the same or similar to an already existing SSID.

Anyway, configuring a Windows box as an access point is easy - there's a wizard that lets you set up your PC to do internet connection sharing. For the wireless part, configure the card to use ad-hoc, pick an SSID, and you're good to go.

Lots of links here.
posted by cactus at 2:36 PM on July 17, 2006


A couple ideas:

1. You don't seem to know the basics of wireless networking. A determined attacker will be able to outsmart you 100% of the time. That's the reality you probably don't want to hear. Considering you don't even seem to have an IT department, I say call in a professional consultant if you truly think something horrible is going on.

2. Ad hocs happen accidentally all the time. If I leave my card in ad-hoc mode then I'll be broadcasting some SSID. I'm not bridging or anything. Also, considering the SSIDs are different I would think this is most likely an accident. Considering you let your users have admin access to their machines it sounds like wireless would be the silliest way to do something illicit.

The DIY layman can probably use NetStumbler. You will see all the access points in your area. Write down the MAC of the offending machine. Do you have it on your network? Check your router or whatever machine does DHCP. Use a sniffer (Ethereal) if you can figure it out.
posted by skallas at 3:08 PM on July 17, 2006
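
Added example, not part of any poster's comment: Skorgu's check (your ESSID seen with a different BSSID) and skallas's lookup of the offending MAC in the DHCP list, combined into one audit over a scan export. The SSID `CorpWiFi`, the CSV columns, and every MAC address and hostname are constructed for illustration and are not a real Kismet or NetStumbler format.

```python
import csv
import io

# Assumed inventory: SSID -> BSSIDs of the access points you actually run.
AUTHORIZED = {"CorpWiFi": {"00:11:22:33:44:55", "00:11:22:33:44:56"}}

# Constructed scan export; the column layout is an assumption.
# "src" is the beacon's transmitter address. An ad hoc cell's BSSID is normally
# a random locally administered address, so src is what identifies the card.
SCAN_CSV = """ssid,bssid,src,mode,signal
CorpWiFi,00:11:22:33:44:55,00:11:22:33:44:55,infrastructure,-48
CorpWiFi,00-16-6F-AA-BB-CC,00-16-6F-AA-BB-CC,infrastructure,-39
Free public access,02:1A:4D:10:20:30,00:13:CE:01:02:03,adhoc,-35
NeighbourNet,00:0F:66:77:88:99,00:0F:66:77:88:99,infrastructure,-88
"""

# Constructed DHCP lease table from the router: MAC -> hostname.
DHCP_LEASES = {"00:13:ce:01:02:03": "laptop-sales-07", "00:0c:29:aa:00:01": "desk-12"}

def norm_mac(mac):
    # Tools disagree on case and separators; compare one canonical form.
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def audit(scan_csv, authorized, leases):
    # Returns suspicious networks, strongest signal (likely nearest) first.
    allowed = {ssid: {norm_mac(b) for b in bs} for ssid, bs in authorized.items()}
    by_mac = {norm_mac(m): host for m, host in leases.items()}
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        bssid, src = norm_mac(row["bssid"]), norm_mac(row["src"])
        if row["ssid"] in allowed and bssid not in allowed[row["ssid"]]:
            reason = "known ESSID from unknown BSSID"
        elif row["mode"].strip().lower() == "adhoc":
            reason = "ad hoc network in range"
        else:
            continue  # someone else's infrastructure AP: not our concern
        findings.append({"ssid": row["ssid"], "bssid": bssid, "reason": reason,
                         "host": by_mac.get(src),  # None if never leased an address
                         "signal": int(row["signal"])})
    return sorted(findings, key=lambda f: f["signal"], reverse=True)

if __name__ == "__main__":
    for finding in audit(SCAN_CSV, AUTHORIZED, DHCP_LEASES):
        print(finding)
```

A `host` of `None` means the transmitter never took a lease on your network, which points to a device you do not manage rather than one of your own laptops.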


For a step by step, scroll down to the 5th answer here. The process will be different on XP and 98 machines because they don't use the Windows wireless manager.
posted by skallas at 3:11 PM on July 17, 2006


err, different on 2000 and 98 machines.
posted by skallas at 3:11 PM on July 17, 2006


Ad hocs happen accidentally all the time. If I leave my card in ad-hoc mode then I'll be broadcasting some SSID. I'm not bridging or anything. Also, considering the SSIDs are different I would think this is most likely an accident. Considering you let your users have admin access to their machines it sounds like wireless would be the silliest way to do something illicit.

I seriously doubt this was an accident. If I did I would not have wasted anyone's time posting it here. I suspect someone was taking company time on a Friday afternoon to set their laptop up to do this, either at home or at work. If it was an accident it would not have disappeared the minute I started checking into it.
If it was an accident then I need to understand how they are set up, so that I can train my users to watch out for them. I imagine I will be able to train them better if I can get screen shots of what suspicious APs look like and what they should not click on.
posted by JonnyRotten at 7:08 PM on July 17, 2006 [1 favorite]


Your claims lack any factual basis. When you started "checking into it," what exactly would you have done that would prompt the supposedly malicious individual to shut the network down?

Occam's Razor is worth bringing up - but you seem to be ignoring the advice here. XP will automatically do this in some cases, as shown above over and over.

There is nothing "suspicious" about one AP or another. They'll all just appear in a list. You keep bringing up "evil twin" and other such loaded terms. Stop. Think about what it is that bugs you besides simply noticing the SSID in a list. If you connect to the network, are you presented with some kind of phishing scheme? Do you know how such a thing would work? Can you even get access to the internet through the network? If not - you don't really need to worry about the person sniffing traffic, since none of your real users would actually connect to the rogue AP and be able to do anything.

Define your goals - what is it you're trying to achieve here? What security is being threatened? How does the threat work?
posted by odinsdream at 10:45 PM on July 17, 2006

