Question: Dangerous? Stalker-type device linking to innocent users' normal wireless connections.

Apr 17, 2020
Hello
Have student shared accommodation, with BT Hub 5 Infinity and a repeater. All good. . . until. . .

A student put a cable from the hub LAN1 up and into their own room. . . slowly the network got problematic. . .

* users often could connect, but with no internet. . . or were just unable to connect


Now This:
In Admin. . . I noticed a (no MAC address, all zeros) device on the LAN1.
The LAN1 device has a static IP. . . it matches. . . a connected user's DHCP IP on 2.4GHz

As soon as the user's device is disconnected, the LAN1 device vanishes
As soon as the user's device is connected, the LAN1 device appears again. . . saying connected, then sits saying not connected

4 users, each device a phone, have been the target

What could do this?
Is it / could it be malicious or snoopy activities?

Appreciate any thoughts , experience , knowhow.
Thanks
 
This is the problem with home equipment: it trusts the users, and it also does not protect against the idiots who only "think" they know what they are doing.

It could be he connected an AP/router and left it unprotected. Now someone else can hack into the network. This is why most companies disallow connection of employee-owned equipment. Their security becomes only as good as the dumbest employee.

The other option would be the person is actually actively hacking the network. There are programs that ARP spoof to try to take over control. They are used to try to limit other users' traffic. You would be surprised by the number of posts here with people who almost brag about doing this to limit their brother's/sister's traffic so their game runs better.

There really is no way to protect a LAN. . . at least with consumer-grade equipment. Commercial stuff has all kinds of features to prevent things like ARP and DHCP snooping and can use 802.1x on Ethernet ports to prevent unauthorized equipment from being plugged in.

It depends on how much pressure you can put on the person. Tell them if the problem persists they will have no internet access at all. If they are hacking themselves you would hope it stops. If they are just stupid then maybe they learn that they should not mess with things that they are not qualified to do. Then again, I suspect this is the same-age person that eats Tide Pods, so what can you do.
 
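The reply above mentions ARP-spoofing programs and the duplicate-IP / all-zeros-MAC symptom from the first post. The script below is an added example (it is not code from either poster) of what a passive ARP monitor on the LAN would look for: it parses raw Ethernet/ARP frames and flags an IP claimed by more than one MAC, a sender MAC of all zeros or broadcast, and an ARP sender address that disagrees with the Ethernet source. The frames it runs over are constructed inline; the MACs (02:... locally-administered range) and the attacker/gateway roles are assumptions for the demonstration, not data from the thread.

```python
import struct
from collections import defaultdict

# Constructed sample data, not a real capture from the thread. MACs use the
# locally-administered 02:... range; IPs mirror the 192.168.1.0/24 LAN above.
ZERO_MAC = "00:00:00:00:00:00"
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ETHERTYPE_ARP = 0x0806


def mac_bytes(mac): return bytes.fromhex(mac.replace(":", ""))
def mac_str(b): return ":".join(f"{x:02x}" for x in b)
def ip_bytes(ip): return bytes(int(o) for o in ip.split("."))
def ip_str(b): return ".".join(str(x) for x in b)


def build_arp_reply(eth_src, sender_mac, sender_ip, target_mac, target_ip):
    """Build a raw 42-byte Ethernet II + ARP reply frame for the sample."""
    eth = mac_bytes(BROADCAST_MAC) + mac_bytes(eth_src) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 2)   # Ethernet, IPv4, opcode 2 = reply
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the fields of an Ethernet/ARP frame, or None if it is not ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "eth_src": mac_str(frame[6:12]),
        "oper": oper,                    # 1 = request, 2 = reply
        "sha": mac_str(frame[22:28]),    # sender hardware address
        "spa": ip_str(frame[28:32]),     # sender protocol (IP) address
        "tha": mac_str(frame[32:38]),
        "tpa": ip_str(frame[38:42]),
    }


def detect_arp_anomalies(frames):
    """Walk ARP frames in order and report signs of spoofing or conflict:
    an IP claimed by more than one MAC (the duplicate-IP symptom), a sender
    MAC that is all zeros or broadcast, and a sender MAC that differs from
    the Ethernet source MAC. Returns a list of (kind, ip, detail) tuples."""
    findings = []
    macs_for_ip = defaultdict(set)
    for frame in frames:
        a = parse_arp(frame)
        if a is None:
            continue
        if a["sha"] in (ZERO_MAC, BROADCAST_MAC):
            findings.append(("bogus-sender-mac", a["spa"], a["sha"]))
        if a["sha"] != a["eth_src"]:
            findings.append(("sha-mismatch", a["spa"], f'{a["sha"]} vs {a["eth_src"]}'))
        before = len(macs_for_ip[a["spa"]])
        macs_for_ip[a["spa"]].add(a["sha"])
        if before >= 1 and len(macs_for_ip[a["spa"]]) > before:   # a new claimant appeared
            findings.append(("ip-claimed-by-multiple-macs", a["spa"],
                             tuple(sorted(macs_for_ip[a["spa"]]))))
    return findings


# Assumed roles for the sample: a gateway, the phone from the thread, an attacker.
GATEWAY_MAC = "02:00:00:00:00:01"
PHONE_MAC = "02:00:00:43:54:9e"
ATTACKER_MAC = "02:00:00:00:00:66"

SAMPLE_FRAMES = [
    # 1. gateway answers the phone: normal
    build_arp_reply(GATEWAY_MAC, GATEWAY_MAC, "192.168.1.1", PHONE_MAC, "192.168.1.64"),
    # 2. phone answers the gateway: normal
    build_arp_reply(PHONE_MAC, PHONE_MAC, "192.168.1.64", GATEWAY_MAC, "192.168.1.1"),
    # 3. something with an all-zero MAC claims the phone's IP
    build_arp_reply(ZERO_MAC, ZERO_MAC, "192.168.1.64", GATEWAY_MAC, "192.168.1.1"),
    # 4. classic ARP spoof: attacker tells the phone that it is the gateway
    build_arp_reply(ATTACKER_MAC, ATTACKER_MAC, "192.168.1.1", PHONE_MAC, "192.168.1.64"),
    # 5. phone repeats its own consistent reply: no new finding
    build_arp_reply(PHONE_MAC, PHONE_MAC, "192.168.1.64", GATEWAY_MAC, "192.168.1.1"),
]


def run_sample():
    return detect_arp_anomalies(SAMPLE_FRAMES)


if __name__ == "__main__":
    for kind, ip, detail in run_sample():
        print(f"{kind:30} {ip:15} {detail}")
```

On a real network the frames would come from a capture on the admin PC; since ARP replies are often unicast, a monitor like this only sees the full picture from a mirror port or a tap, as the later replies in this thread point out.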
Apr 17, 2020
Thanks for your post. . . very interesting.

Would a LAN connection possibly create more opportunity than a wireless connection for a hacker / muppet?
Can appreciate if someone is willful, then it gets tricky to protect.

Legal things such as Alexa and Now TV sticks. . . that come with their own apps. . . connect through the network (even if over a wireless connection). . . are these gadgets "willful" and "forceful" in making themselves dominant. . . maybe?

One last thing. . . the stalker device states a MAC address of all zeros. . . would/should this be a signature of malicious intent (i.e. hiding / no identity, sneaky), or do some devices just not have a MAC address allocated?
 
For a LAN connection you would have to be inside the house to attack it, so it is almost always someone trusted who would attack this.

Wi-Fi, if properly secured, is pretty safe, but even the manufacturers make it kind of tough. They have features like WPS that have been cracked for years, but they still put them on routers because of all the stupid/lazy people who want to just push one magic button and have it set things up.

All kinds of hacks on devices on the network. Unlike PCs and phones, which are constantly patched, other devices have huge holes in their security that can be corrupted locally or even from the internet. I know the security cameras I have are at great risk, so they are not even connected to a network that has internet.

Hard to say what a MAC address of all zeros is. Some of those could be management messages, but they seldom are tied to IP addresses. You might find something out by capturing the packets with Wireshark. It would be nice if you could capture all the data coming from the offending port, but that needs a switch/router with a special feature. If it attacks or sends data to your PC, though, you should be able to see what the actual data format is. May give a clue what it is.
 
Apr 17, 2020
Yep, heard of the WPS weakness, so got that disabled. Highly probable that the problem came / started from the room at the end of the LAN1 connection. . . so may investigate soon. . . but not before. . .
. . . looking into the Wireshark suggestion (thanks for the mention). . . If I could get some form of sample, it may indeed help figure out what the device is / is doing. . . and so reveal the attitude of the person behind the device. . . and any data capture would, perhaps, add a bit more evidence, should there be any dodgy doings.

Thanks for your knowledge and your time to comment. Most interesting.
 
Apr 17, 2020
Downloaded Wireshark. Got it ready to snoop and record on my main admin computer. . .
Decided to connect one of the latest targeted devices, IP 192.168.1.64. . . and sure enough, as soon as it connects the stalker device pops up on the Hub admin interface. . . also sporting the identical IP
sooo. . .
So I recorded whilst connecting and disconnecting the target device 3 times, then stopped recording.

Wireshark is new to me, but figured out how to filter for the shared IP (that cut the data log down by a million-ish).
Then picked one of the lines. . . it mentions LAPTOPMOBI. . . (that's the targeted device, the good guy)

When clicking that line (4000) I recognise:
* The MAC address of the good guy. . .
(la:la:la:43:54:9e). . . I changed it a bit
* The possible MAC address of the stalker device, which shows in Hub Admin UI as all zeros, but here as. . .
Dst: Broadcast (ff:ff:ff:ff:ff:ff). . .
(maybe the correct association?????)

The other thing noticed is User Datagram Protocol and Port 137 being used. . .
(possible exploit point in action?????)



Wireshark part of log (copy and paste):

line:

Frame4000 171.801745 192.168.1.64 192.168.1.255 NBNS 110 Registration NB LAPTOPMOBI<00>

extra detail of line:

Frame 4000: 110 bytes on wire (880 bits), 110 bytes captured (880 bits) on interface \Device\NPF_{D8BE731A-CFA1-4DD6-AC4D-D271364E6F31}, id 0
Ethernet II, Src: IntelCor_43:54:9e (la:la:la:43:54:9e), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
Internet Protocol Version 4, Src: 192.168.1.64, Dst: 192.168.1.255
User Datagram Protocol, Src Port: 137, Dst Port: 137
NetBIOS Name Service



I could be wrong. Only been at Wireshark for a couple of hours. . . what an amazing bit of kit. . . (in the good guys' hands)

Any thoughts, possibilities. . .
or suggestions for filtering for exploits & dodgy dealings, something similar.
Thanks
 
I forget lots of things now that I'm retired. NetBIOS is an older protocol Microsoft used to use for file sharing. It sends out broadcasts to find a name server. This has been replaced by DNS, if I remember correctly.

It is not uncommon for broadcast packets (i.e. dst ff:ff:ff:ff:ff:ff) to have a 0 MAC address. I am just not sure about NetBIOS. Many times this is done in the very first packets of some communications and the actual MAC addresses are used later.

In general NetBIOS does not hurt anything. You can disable the support in the NIC settings on machines. From what I can tell, this is just a simple request to register a name in a server that does not actually exist.

There is malware that can appear to be NetBIOS traffic, but I don't think it can do much if nothing responds to it.

In general you will only see traffic that is broadcast or sent directly to your MAC address. To actually see that machine's traffic you must insert yourself into the cable between the router and the device. Although they make Ethernet tap devices, a small switch that has port-mirror ability will let you capture all traffic.
 
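The reply above explains the captured frame as a NetBIOS name registration. As an added example (not code from anyone in the thread), the script below rebuilds a frame with exactly the layout Wireshark reported there (110 bytes, UDP 137 to 137, 192.168.1.64 to 192.168.1.255, NB registration of LAPTOPMOBI<00>), then decodes it: the first-level name encoding, the opcode and broadcast flag, and the owner IP carried in the additional record. It also shows the two checks worth running over a capture of such registrations: an owner IP that does not match the packet's source, and one name registered by more than one address. The sample frames, the 02:... MACs and the .77 host are constructed for the demonstration and are not from the thread's capture.

```python
import struct

# Constructed sample frames, not the thread's capture; the layout matches what
# Wireshark showed there. MACs use the locally-administered 02:... range.
ETHERTYPE_IPV4 = 0x0800
NBNS_PORT = 137
NB_OPCODES = {0: "query", 5: "registration", 6: "release", 7: "wack", 8: "refresh"}


def encode_nb_name(name, suffix=0x00):
    """First-level encoding (RFC 1001 s14.1): 15-char space-padded name plus a
    suffix byte, each nibble written as a letter 'A'..'P' -> 32 bytes."""
    raw = name.upper().ljust(15)[:15].encode("ascii") + bytes([suffix])
    return bytes(ord("A") + nib for b in raw for nib in (b >> 4, b & 0x0F))


def decode_nb_name(enc):
    """Inverse of encode_nb_name; returns (name, suffix)."""
    if len(enc) != 32 or any(c < ord("A") or c > ord("P") for c in enc):
        raise ValueError("not a first-level encoded NetBIOS name")
    raw = bytes(((enc[i] - ord("A")) << 4) | (enc[i + 1] - ord("A")) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def ip_str(b): return ".".join(str(x) for x in b)
def ip_bytes(s): return bytes(int(o) for o in s.split("."))


def _ip_checksum(hdr):
    s = sum(struct.unpack("!10H", hdr))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF


def build_registration_frame(src_mac, src_ip, name, owner_ip=None):
    """Ethernet/IPv4/UDP/NBNS NAME REGISTRATION REQUEST, broadcast, B-node."""
    owner_ip = owner_ip or src_ip
    question = b"\x20" + encode_nb_name(name) + b"\x00" + struct.pack("!HH", 0x0020, 1)
    # additional record: pointer to the question name, type NB, class IN, TTL,
    # rdlength 6, then NB_FLAGS (unique name, B-node = 0x0000) and the owner IP
    additional = b"\xc0\x0c" + struct.pack("!HHIH", 0x0020, 1, 300000, 6)
    additional += struct.pack("!H", 0x0000) + ip_bytes(owner_ip)
    # flags 0x2910: opcode 5 (registration), recursion desired, broadcast
    nbns = struct.pack("!HHHHHH", 0x8001, 0x2910, 1, 0, 0, 1) + question + additional
    udp = struct.pack("!HHHH", NBNS_PORT, NBNS_PORT, 8 + len(nbns), 0) + nbns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0, 128, 17, 0,
                     ip_bytes(src_ip), ip_bytes("192.168.1.255"))
    ip = ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:]
    eth = bytes.fromhex("ffffffffffff") + bytes.fromhex(src_mac.replace(":", ""))
    return eth + struct.pack("!H", ETHERTYPE_IPV4) + ip + udp


def parse_nbns_frame(frame):
    """Decode an NBNS packet out of a raw Ethernet frame; None if not NBNS."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if frame[23] != 17:                               # not UDP
        return None
    src_ip, dst_ip = ip_str(frame[26:30]), ip_str(frame[30:34])
    off = 14 + ihl
    sport, dport, ulen = struct.unpack("!HHH", frame[off:off + 6])
    if dport != NBNS_PORT:
        return None
    nb = frame[off + 8:off + ulen]
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", nb[:12])
    qlen = nb[12]
    name, suffix = decode_nb_name(nb[13:13 + qlen])
    q_end = 13 + qlen + 1 + 4                         # label, terminator, qtype, qclass
    registered_ip = None
    if ar:                                            # additional record follows the question
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", nb[q_end + 2:q_end + 12])
        if rtype == 0x0020 and rdlen >= 6:
            registered_ip = ip_str(nb[q_end + 14:q_end + 18])
    return {"eth_src": ":".join(f"{x:02x}" for x in frame[6:12]),
            "src_ip": src_ip, "dst_ip": dst_ip, "sport": sport, "dport": dport,
            "opcode": NB_OPCODES.get((flags >> 11) & 0xF, "unknown"),
            "broadcast": bool(flags & 0x0010), "name": name, "suffix": suffix,
            "registered_ip": registered_ip,
            # a registration whose owner IP is not the packet's source is worth a look
            "owner_matches_source": registered_ip == src_ip}


def registrations_by_name(frames):
    """Map (name, suffix) -> set of owner IPs seen registering it; more than
    one IP per name means two hosts are fighting over the same NetBIOS name."""
    out = {}
    for f in frames:
        r = parse_nbns_frame(f)
        if r and r["opcode"] == "registration" and r["registered_ip"]:
            out.setdefault((r["name"], r["suffix"]), set()).add(r["registered_ip"])
    return out


SAMPLE_FRAME = build_registration_frame("02:00:00:43:54:9e", "192.168.1.64", "LAPTOPMOBI")
SPOOFED_FRAME = build_registration_frame("02:00:00:00:00:66", "192.168.1.77", "LAPTOPMOBI", "192.168.1.64")
CONFLICT_FRAME = build_registration_frame("02:00:00:00:00:66", "192.168.1.77", "LAPTOPMOBI")

if __name__ == "__main__":
    print(len(SAMPLE_FRAME), parse_nbns_frame(SAMPLE_FRAME))
    print(registrations_by_name([SAMPLE_FRAME, SPOOFED_FRAME, CONFLICT_FRAME]))
```

To apply the same decoding to the real capture, export the frames from Wireshark as raw bytes and feed them to parse_nbns_frame; the Wireshark display filter nbns (or udp.port == 137) isolates this traffic first.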
Apr 17, 2020
Yep. See the worthwhile step would be to get inserted into the cable. Will look into the best way to apply this.

The Hub LAN1 (4 in all) had the cable pulled out. . . to see if we get a disconnect. . . the person living in the closed room is away for now. . .
Interestingly, the device still shows up on the admin UI, under the LAN1 column. . . appearing fleetingly as connected, then continuing to show, but as "not connected".
Found it interesting that it appears under the LAN1 column, even when no cable is inserted.

But it is still selecting a device listed (as normal) under the Wi-Fi 2.4 and/or 5GHz column. . . and sits there with the copied IP address. . . and when we disconnect the target device. . . it too vanishes. . . then appears again showing another IP address. . . which again matches another target device on the 2.4 and/or 5GHz column.

Well. . .
When the person returns, they will be asked for info as to what they have setup in their room. . .
meanwhile I'll still learn and try to figure what it may be and what it's up to.

Thanks again for your feedback. Much appreciated.