wpa security cracked??

delllat

I have had dial up speeds on my 3 meg eircom broadband this afternoon and when i ran a speedtest the result was also dial up like

so i investigated further and found out there was another unidentified computer on the network

i have wpa enabled but chose the password of 123456789 for easy to remember

as soon as i changed the password to 1234567891011121314151617181920 (temporarily) i tested my speeds again and i was getting the full 3 meg again so whoever it was was downloading a serious amounnt of shict on my connection

my router is in the hall of the apartment block i live in because thats the only place the phone line is and so other neighbours could probably tamper with it it if they wanted but i thought it was secure and i changed the ssid as well when i installed it

does anybody know how this could have been possible?

is there anyway to limiit access to the network to the 3 laptops only which arev supposed to be on it?

TestTransmission

delllat wrote: »

I have had dial up speeds on my 3 meg eircom broadband this afternoon and when i ran a speedtest the result was also dial up like

so i investigated further and found out there was another unidentified computer on the network

i have wpa enabled but chose the password of 123456789 for easy to remember

as soon as i changed the password to 1234567891011121314151617181920 (temporarily) i tested my speeds again and i was getting the full 3 meg again so whoever it was was downloading a serious amounnt of shict on my connection

my router is in the hall of the apartment block i live in because thats the only place the phone line is and so other neighbours could probably tamper with it it if they wanted but i thought it was secure and i changed the ssid as well when i installed it

does anybody know how this could have been possible?

is there anyway to limiit access to the network to the 3 laptops only which arev supposed to be on it?

yah,move it out of the hallway

delllat

is it possible to get the password from the router?
i didnt think it was since i changed it and the ssid

Try1ng

You can limit the access to the MAC address of the laptops that you want to access it.

DublinWriter

There are a couple of open-source programs that can crack WPA/WEP. Having passwords that are comprised of numeric characters only is not a good idea.

Having said that, I think it was a simpler hack than that. Many people don't bother changing the default username/password of routers. Someone could have just googled the particular make and model of your router and got the info that way.

I've also noticed that many routers will allow admin access via the 10/100baseT sockets by default.

Spear

WPA can be cracked by dictionary attacks, and 12456789 is simple and common enough to be in even basic dictionary files.

delllat

Try1ng wrote: »

You can limit the access to the MAC address of the laptops that you want to access it.

thanks for all those replies
how do i go about limiting access to the 3 mac address that are supposed to be using it?

im using the eircom netopia router,it should be the newest model since i only got it 2 week ago

delllat

DublinWriter wrote: »

There are a couple of open-source programs that can crack WPA/WEP. Having passwords that are comprised of numeric characters only is not a good idea.

Having said that, I think it was a simpler hack than that. Many people don't bother changing the default username/password of routers. Someone could have just googled the particular make and model of your router and got the info that way.

I've also noticed that many routers will allow admin access via the 10/100baseT sockets by default.

so that means if someone plugs in an ethernet cable they have access to the admin settings which include the wpa password and such?

BoB_BoT

yup, pluggin in a cable and knowing that admin is username is good enough to get into the netopias system config, think they come with no password as default, also the key entered for wpa on the config page is not covered by asterisks so it's there for all to see. change your password on the router, along with using a stronger wpa key as already suggested.

delllat

thanks bob,ive just found the options to limit access by mac address so ive enabled that in case the password does get "discovered" again

i will also be keeping a close eye on how many mac addresses are connected to the network

just out of interest is there any way to find out the location of a mac address or narrow it down to the brand of computer or anything?

whoever was stealing it is not too far away because they were able to steal almost all the bandwidth(it was so slow i could barely open a page) so they must be quite close

Spear

delllat wrote: »

thanks bob,ive just found the options to limit access by mac address so ive enabled that in case the password does get "discovered" again

i will also be keeping a close eye on how many mac addresses are connected to the network

just out of interest is there any way to find out the location of a mac address or narrow it down to the brand of computer or anything?

whoever was stealing it is not too far away because they were able to steal almost all the bandwidth(it was so slow i could barely open a page) so they must be quite close

Stick it in this to find out the manufacturer at least.

http://coffer.com/mac_find/

And whoever did it is close enough to get all the traffic between your PC and the router, as you need to capture a full handshake between the two devices upon connection to start a dictionary attack.

BoB_BoT

you can't physically track where that person is, however, the mac address is a perment address assigned to network cards, if it's a laptop this is sometimes printed on the underside of it. If it's a desktop you'd have to use ipconfig /all in a command prompt box to descover the mac. look at the netopia statistics logs for LAN, it may even have the computers network name and mac address beside it, and the person could have named it "Bobs PC" or something similar, helps narrow down who the person is :P also it will allow you to block that mac address

for extra paranoia, you can disable the dhcp server, change the ip address range from 192.168.1.x to something like 192.168.57.x be sure to remember this as if you do change it, you'll have to remember these numbers and hardcode them into any device that connects to the network.

DeepBlue

If the OP's router is accessible to everyone who has access to the hallway then couldn't any of his neighbours simply do a hard-reset of his router to undo any of the security measures suggested above?

Isn't the first step to secure access to the router?

delllat

just trying to find the log info and it has been cleared since i restarted the router after enableing the mac address security functionso i no longer have the mac address of the offender

dont think il bother disabling the dhcp thing since it seems a bit compliacted but thanks for the suggestons bob and the other guy

when looking for that i looked at the security log which said:

Your Gateway has detected and successfully blocked an event that could have compromised the security of your network.

Please refer to your customer documentation for a description of the logged event.

Number of security log entries : 2

Security alert type : Port Scan
Protocol type : UDP


whats this all about?

BoB_BoT

that's true DeepBlue, but to be physically caught tampering with the router is (probably in my own head) more serious than cracking a key, it's easier to get caught tampering with the router. The person using the connection probably didn't expect to be caught and thought they were doing it in secret :P

Delllat why not just get a longer phone cable, run it to the inside of your door at the very least, prevents physical tampering as DeepBlue suggested.

Don't worry about port scanning, it's people probing for weak networks, it's pretty common, have a couple of similar reports in my logs, ips track back to places all over the world.
actually out of interest, what's the ip address of the blocked attack, just looking at mine again, seem to have a lot of attempted probes from an ip in amsterdam...

ok just updating, having some fun :P, went to the network that the IP linked too "Network Coordination Centre" (in amsterdam), entered the IP into their WHOIS turns out it's an eircom account that's doing the port scanning. :P anyone know if this is Eircom or an eircom customer?