Re: How to track down a wireless hacker

From: Nicholas Chapel (nicholas.chapel@gmail.com)
Date: Wed Nov 07 2007 - 15:35:50 EST

• Next message: cwright@bdosyd.com.au: "Re: Re: How to track down a wireless hacker"
• Previous message: Frederic Charpentier: "Announcement : CCWAPSS methodology release 1.1"
• In reply to: jond: "How to track down a wireless hacker"
• Next in thread: ep: "RE: How to track down a wireless hacker"
• Reply: ep: "RE: How to track down a wireless hacker"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

On 11/6/07, jond <x@jond.com> wrote:
> However they also asked me if it's possible to track down the attacker
> if this happened again. From what I know, it's not possible is it?

It's *possible*, but that's not saying much. My understanding is that
it would basically involve tracking the physical signal. Which is
far, far more effort than is practical given that you've got every
client station transmitting on the same channel.

> If the attacker didn't change their MAC address, and say the companies
> lawyers could get some sort of court order to intel, dell, etc to
> release which MAC address went to which computer and who bought said
> computer. Does the manufacture even keep that info?

I would be absolutely astounded if they did have that record. And
since it's trivial to change the software MAC address, any 'evidence'
would be sketchy at best.

> If the attacker did change their MAC address, the real MAC address
> will never transverse the wire(AIR) right, or is it still in the
> packet somewhere?

That's correct, the MAC would never make it into the packets.

> Any other thoughts or ideas to track someone down?

Look for suspicious types sitting around with a laptop and an antenna?
 Otherwise, good luck. Personally, I'd recommend locking down the
WLAN and just ensuring that it isn't likely to be compromised again.
It seems like what the client is asking would just be a snipe hunt.

I figure the best shot you have is if the intruder is *really dumb*,
and accessed or transmitted information over the network that would be
personally identifying. Of course you need a packet capture for that,
and at this point unless your client is so into catching this guy that
they're willing to have you set up a honeypot and pray that he decides
to connect again, it seems to me like you're pretty much SOL.

--Nick

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Need to secure your web apps NOW?
Cenzic finds more, "real" vulnerabilities fast.
Click to try it, buy it or download a solution FREE today!

http://www.cenzic.com/downloads
------------------------------------------------------------------------

• Next message: cwright@bdosyd.com.au: "Re: Re: How to track down a wireless hacker"
• Previous message: Frederic Charpentier: "Announcement : CCWAPSS methodology release 1.1"
• In reply to: jond: "How to track down a wireless hacker"
• Next in thread: ep: "RE: How to track down a wireless hacker"
• Reply: ep: "RE: How to track down a wireless hacker"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:58:12 EDT