Is one of my users trying to h4x0r
July 17, 2006 8:25 AM

I need to know the process to set up an "evil twin" ad hoc network. I think one of my users here may be trying to play around where they should not, and I need to know how to check if they are trying to set up an "evil twin" called "free wifi access".

Friday night I had a user notice a wifi ad hoc network called "Free public access".
I need to find out how one gets set up, so I can check if a user I suspect of doing this is.
To make it even worse, the user is running Japanese Windows. So the more detailed the instructions the better.

No. I am not going to be setting it up myself. I just need to understand the process.
posted by JonnyRotten to Computers & Internet (17 answers total)

On the suspect machine

Start > Control Panel > Network Connections

Right-click properties on the wireless network connection and see what it's set up to do? I suggest checking it out on an English machine first so you don't have to rely on the Japanese text to figure out what you are doing :)

Or do you want to try and figure out who it is without touching their PC? That's a bit trickier but still doable.
posted by public at 8:37 AM on July 17, 2006

Lots of thoughts about suspicious "free public access" networks in this thread.
posted by junkbox at 8:39 AM on July 17, 2006

Write down your router address/external IP address.

Now connect to the ad hoc network. Ping your router. If it's just a jump or two, yeah, they're piggybacking. Note the IP address of the 'router' of the ad hoc network.

Switch back to your wireless/router. Find their IP address in the DHCP list.
Just block their MAC address on the router. When they come complaining to you, you found your guy.
posted by filmgeek at 8:59 AM on July 17, 2006

Response by poster: We are not in a populated area, and it was showing up at full strength when there is no place around to have it.
I saw it on the "view available wireless networks" on two computers, and was trying to triangulate on its location and it disappeared. But soon after one of the users packed up his laptop and went home.

I read the previous thread about this, but it doesn't tell you how to set one up. So without knowing how one is set up in Windows XP I don't know how to check out if one was set up.
It was gone before I had a chance to connect to it to find out the IP and the MAC address.
posted by JonnyRotten at 9:06 AM on July 17, 2006

Response by poster: odinsdream, it was not an access point, and disappeared as soon as I started to investigate it. It was an ad-hoc network in an area that we provide WiFi access for our users.

The language setting has bearing because if it's a vague comment on a general area of Windows I can't fucking read it.
So that's why I mentioned it was in Japanese and asked for a DETAILED guide. Not if their intentions were sinister.
posted by JonnyRotten at 9:10 AM on July 17, 2006

Response by poster: Sorry, it's been a rough morning. I didn't mean to get snippy, but I control the network here, and when someone starts broadcasting on my turf it's a situation I need to deal with. I wouldn't have posted it if it didn't seem fishy to me.
posted by JonnyRotten at 9:15 AM on July 17, 2006

It could also be a mistake, if the user connected to a free wifi point before, and then tried to reconnect while at the office, and ended up running their own ad hoc connection instead.
posted by anildash at 9:19 AM on July 17, 2006

(Meaning, you could very easily send out an email saying, "it appears one of you is mistakenly running a network that others could accidentally connect to. If you think it's your machine, let me know; Otherwise, I'll be stopping by to check and make sure you didn't do this by accident.")
posted by anildash at 9:20 AM on July 17, 2006

Response by poster: I would buy that, anildash, if it wasn't turned off and not coming back.
Its disappearance was wayyy too much of a coincidence for me.
posted by JonnyRotten at 9:23 AM on July 17, 2006

Response by poster: It concerns me because I work for a branch of a multi-million dollar international corporation, and if someone uses a fake WiFi hotspot to steal information then I can kiss my job goodbye.

It looked to me that someone could possibly be running an "evil twin" type scam and using it to collect user information which could then be further used to compromise our network.

We own the property on every single side of use WELL out of standard range. If someone was to come onto our property and try to run this scam I would treat it the same.

It's something I need to deal with because I love my job, I love the company I work for (GAH!) and I love providing for my family and I'd rather not risk losing those things.
posted by JonnyRotten at 9:44 AM on July 17, 2006

Response by poster: That's supposed to be "side of us as WELL"
posted by JonnyRotten at 9:45 AM on July 17, 2006

Well. The best I can get is that you think that someone is imitating your ESSID, which should be pretty easy to determine: just get an old laptop with a wifi card and run Kismet or NetStumbler. If you see your ESSID with a different BSSID, bingo.

Is there an ITS guy at your company who maybe has experience in this? Most multi-million dollar international corporations have dedicated IT Security guys who will either have or will authorize you to get the equipment you need to secure your network.
posted by Skorgu at 11:06 AM on July 17, 2006
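
The ESSID/BSSID comparison suggested in the comment above, as an added example that is not part of the original thread: it reviews a wireless survey export for the site's own network name announced by an unknown BSSID, and for strong ad-hoc beacons like the "Free public access" one. The CSV column layout, the `CorpWiFi` name, the MAC addresses and the function name are all assumptions constructed for illustration, not the export format of any particular scanner.

```python
import csv
import io

# Assumed inventory: SSID -> BSSIDs of the access points you actually operate.
AUTHORIZED = {
    "CorpWiFi": {"00:11:22:33:44:01", "00:11:22:33:44:02"},
}

# Constructed sample survey export (hypothetical column layout).
SAMPLE_SCAN = """\
ssid,bssid,mode,channel,signal_dbm
CorpWiFi,00:11:22:33:44:01,infrastructure,6,-48
CorpWiFi,00:11:22:33:44:02,infrastructure,11,-61
CorpWiFi,02:AA:BB:CC:DD:EE,infrastructure,6,-40
Free public access,02:13:37:00:00:01,ad-hoc,1,-35
NeighborNet,00:99:88:77:66:55,infrastructure,3,-88
"""

def review_scan(scan_csv, authorized=AUTHORIZED, min_signal_dbm=-80):
    """Return (reason, ssid, bssid, signal) findings worth investigating."""
    findings = []
    for row in csv.DictReader(io.StringIO(scan_csv)):
        ssid = row["ssid"].strip()
        bssid = row["bssid"].strip().lower()
        mode = row["mode"].strip().lower()
        signal = int(row["signal_dbm"])
        known = {b.lower() for b in authorized.get(ssid, set())}
        if ssid in authorized and bssid not in known:
            # Our network name announced by hardware we do not own.
            findings.append(("ssid-spoof", ssid, bssid, signal))
        elif mode == "ad-hoc" and signal >= min_signal_dbm:
            # Strong ad-hoc beacon: a nearby client, not an access point.
            findings.append(("adhoc-on-site", ssid, bssid, signal))
    # Strongest signal first: that is the one closest to the survey laptop.
    return sorted(findings, key=lambda f: f[3], reverse=True)

if __name__ == "__main__":
    for reason, ssid, bssid, signal in review_scan(SAMPLE_SCAN):
        print(f"{reason:14} {ssid!r:22} {bssid}  {signal} dBm")
```

Weak beacons from outside the site (the `NeighborNet` row) are ignored; repeating the survey from several spots and comparing signal strength narrows down where a flagged transmitter sits.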

Jonny, I am not a network security professional (nor do I play one on TV), but I would suggest that your users are part of the solution here. Send out a memo detailing exactly how to connect to your wireless network, and ways to spot if it is an evil twin (is there a default web page the system goes to on first connect? Is there a challenge/response setup or a specific screen they go to on the real deal?). You might also want to look at ways of restricting the networks your users would access: do they come with software that can lock them down to access your network only?
posted by baggers at 11:12 AM on July 17, 2006

Jonny, I guess I was unclear -- I'm not ruling out that this could be deliberate; I'm saying that giving someone the out of saying it's a mistake (1) could lead them to undoing their mischief or (2) at least gives you a reason to check everyone's machines. No?
posted by anildash at 11:50 AM on July 17, 2006

Response by poster: Well. The ad-hoc network popped up for about 5 minutes today and then disappeared again.
All my users deny ever having connected to anything that says "free WiFi hotspot".
I am going to be training them on properly connecting to our network and being safe outside of here.

I guess I would still like to have instructions on setting up one of my own so I can show them what it looks like when they see one.

So back to my original question. Does anyone know how to set up an "evil twin" access point?
posted by JonnyRotten at 2:00 PM on July 17, 2006

Best answer: You're simply asking how to configure a Windows PC as an "access point", right? I don't see where "evil twin" comes in if the SSID of the access point this user is creating isn't the same or similar to an already existing SSID.

Anyway, configuring a Windows box as an access point is easy - there's a wizard that lets you set up your PC to do internet connection sharing. For the wireless part, configure the card to use ad-hoc, pick an SSID, and you're good to go.

Lots of links here.
posted by cactus at 2:36 PM on July 17, 2006

Response by poster: Ad hocs happen accidentally all the time. If I leave my card in ad-hoc mode then I'll be broadcasting some SSID. I'm not bridging or anything. Also, considering the SSIDs are different I would think this is most likely an accident. Considering you let your users have admin access to their machines it sounds like wireless would be the silliest way to do something illicit.

I seriously doubt this was an accident. If I did I would not have wasted anyone's time posting it here. I suspect someone was taking company time on a Friday afternoon to set their laptop up to do this, either at home or at work. If it was an accident it would not have disappeared the minute I started checking into it.
If it was an accident then I need to understand how they are set up, so that I can train my users to watch out for them. I imagine I will be able to train them better if I can get screen shots of what suspicious APs look like and what they should not click on.
posted by JonnyRotten at 7:08 PM on July 17, 2006 [1 favorite]
