
Our private network consists of a Netgear router flashed with DD-WRT, a QNAP server, a dumb 8-port switch, and a number of Ethernet-connected laptops, desktops and 2 x WiFi mobile devices.

A while back, our WiFi was hacked by people with nothing better to do with their lives. We suspect our next-door neighbors, who work in IT, but cannot prove anything - at least from a legal standpoint. Not sure if this would help anyway.

At the time, our network was secured with WPA2-AES and MAC address filtering. Even with these security measures in place, they still gained access by spoofing their MAC addresses and cracking our passwords, which are always max length and contain the security-industry-recommended special chars / symbols, mixed case, and numbers.

These people are like cyber ghosts! I say this because we could never identify their connections from our router logs or GUI. We tried using angryip and whosonmywifi, as well as other tools, but nothing worked. We spent countless hours on the phone with our ISP, had our IP changed, ran tracerts for traffic routes and so forth. Despite these efforts, it was actually our Windows 10 computers that identified them on our network. We managed to obtain screenshots of their devices with manufacturer details.

Anyway, this went on for some time, and after 6 months or so of playing cat and mouse with them, I factory reset all the devices in our network and decided to try WPA2-Enterprise with AES using the built-in RADIUS capability on our QNAP server. In addition, I also turned off the 5 GHz radios and lowered the TX power on the 2.4 GHz radio to 30 (although I am aware they can increase their own radio strength to overcome this). I have set the key renewal frequency to 1800 and also limited the max associated clients on the 2.4 GHz radio to 2 devices only.

Despite our best efforts, they are still hacking our network, and our own mobile devices are often not able to connect or are getting bounced off the network.

We have tried everything possible and, short of disabling our WiFi altogether, we do not know what to do. We are therefore seeking some external advice on what our best course of action should be. While we would like to catch and expose them, we prefer to stop them from doing it altogether using the equipment and software we already have.

Through appropriate channels, I am happy to share anything to help anyone willing to help me with resolving this issue.

Please help.

tamosa
    Why all the complication on a home network (ddrt, EPA enterprise, radius)? WPA2 Personal with AES and a strong network key is plenty to keep your neighbors out. With all the unnecessary complication of "enterprise" technology being used in a home, it is not surprising someone has found a hole. No offense, but are you an IT administrator with wifi security and radius server experience? Any basic modern home router is usually safe out of the box nowadays. – Appleoddity Sep 06 '17 at 04:28
  • What makes you think these devices weren't your own devices? Post the screenshots. Feel free to blank out the last half of each MAC address, but leave the first half visible. – Spiff Sep 06 '17 at 04:32
  • 1
    @Appleoddity You must not follow the security news. Most home gateways are ridiculously insecure out of the box. Vulns are found all the time and rarely get patched. – Spiff Sep 06 '17 at 04:39
  • My network is not complicated at all if you consider my description of it. The only complication is that I have added a RADIUS server for WiFi authentication and only because of the hacking. Aside from applying recommended security settings in DD-WRT (disable remote access, disable SSH, disable UPnP etc, everything is stock standard from the box. I only have one rule applied to my firewall which is to maintain a static VPN connection. Nothing else has been done to my router firewall. – tamosa Sep 06 '17 at 05:24
  • @Spiff - requested screenshots as below: https://www.screencast.com/t/baEI3tia7Sr https://www.screencast.com/t/kQCZelsto1 https://www.screencast.com/t/p6V0ARyYG https://www.screencast.com/t/M5ozuru12u4 https://www.screencast.com/t/Ajph0hY1 – tamosa Sep 06 '17 at 05:45
  • Note how none of these devices appears with an IP address. They are *not* on your network. – Daniel B Sep 06 '17 at 06:40
  • You can be authenticated to a wireless network without having an IP, but yes, they probably aren't on the network. The inability to connect is probably deauth attacks, which are trivial to do and hard to trace without more logging than is possible on most devices. – Austin Hemmelgarn Sep 06 '17 at 15:34
  • Thanks @tamosa, those screenshots were helpful. See my Answer below (which I just updated again with information about disabling WPS and WCN so you don't see nearby smartphones and things -- which aren't actually on your network -- in Windows' "Network" window. – Spiff Sep 06 '17 at 19:01

2 Answers


Microsoft made the mistake in Windows 7/8/10 of using the same Network window to not only show what's really in your network, but also nearby wireless devices that you could make wireless peer-to-peer connections to. So you're seeing your neighbors' phones because you're in Wi-Fi range of them, but they aren't on your network. They're probably just capable of Wi-Fi Direct or Wi-Fi Protected Setup, or the related technologies Wireless Simple Config (WSC) or Windows Connect Now (WCN).

Want proof? Fully disable the Wi-Fi and Bluetooth radios on your Windows PC and plug it into your network via Ethernet. Reboot it for good measure to clear out any caches, and make sure Wi-Fi and Bluetooth are still off. With Wi-Fi and Bluetooth disabled, your PC won't be able to scan wirelessly for potential peer devices in range, and will only be able to scan your home LAN for devices that are truly on your network. I'll bet those phones don't show up now.


Edited to add: You'll also need to disable WPS (Wi-Fi Protected Setup) on all your APs, and/or disable the WCN (Windows Connect Now) service, WCNCSVC, on Windows. WPS and WCN allow the AP to find WPS-capable devices such as smartphones in radio range that you might want to put onto the network, and relay information about those devices to Windows machines that could participate on the administrator side of WCN/WPS to help get those wireless devices onto the network. So because of those technologies, even wired-only PCs may see unfamiliar nearby phones in Windows' "Network" window.

See also: Windows 10: Phones appearing in Network


You were never hacked, you were just misled by Windows' terrible UI choices. Now all the tweaks you've done to your network based on a misunderstanding have made your network unusable. Go back to pure WPA2-PSK (AES-CCMP only, no TKIP) with a strong passphrase and no MAC address filtering, full power, and no limit on simultaneous client associations.

Spiff
  • My Windows 10 sees some mobile devices like in the screenshots shown, but I have no BT and no Wifi on my desktop. – FarO Sep 06 '17 at 08:35
  • @OlafM Ones without IP addresses and not on your network, just like OP? Apparently WPS-capable APs can relay the list of WPS-capable clients they see via Wi-Fi and relay that information across the network to the WCN service on Windows. This allows the Windows machine to then use WCN/WPS to offer to get that client onto the network (in case it's a new device of yours or of a guest that you'd like to put onto the network). From what I'm reading, disabling WPS in the AP or disabling the WCN service on Windows should make this go away. – Spiff Sep 06 '17 at 15:40
  • Hey thanks guys, I managed to follow all the suggestions you provided here and it seems to have stopped for now. I have been logging for two solid days now and I cannot see anything abnormal on our network which is a great sign. Thanks again. – tamosa Sep 09 '17 at 00:35
  • Thanks for the followup @tamosa. If you conclude that an answer resolved your problem, please click the check mark (tick mark) outline next to the answer that resolved it for you, to accept it as the official answer so the system shows this question as resolved. – Spiff Sep 09 '17 at 01:51

Despite our best efforts, they are still hacking our network and our own mobile devices are often not able to connect or are getting bounced off the network.

Deauth attacks, which block devices from connecting to a wifi, are easy and cheap: https://github.com/spacehuhn/esp8266_deauther

Try using 802.11w on the wifi network; at least deauth attacks are blocked then.

Other flooding attacks (they don't get inside the network, but make it useless to legitimate wifi clients) are still possible.

FarO
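As an added illustration of the deauth attacks described in this answer (example code, not part of FarO's answer or of the linked project), the following Python parses raw 802.11 management frames, counts deauthentication/disassociation frames per claimed sender to spot a flood, and lists the unprotected ones, which a BSS running 802.11w (PMF) would reject. The frame layout is the standard 802.11 one; the MAC addresses, reason codes, threshold and sample frames are constructed for the example.

```python
import struct
from collections import Counter

DEAUTH, DISASSOC = 0x0C, 0x0A   # 802.11 management-frame subtypes
PROTECTED = 0x40                 # "Protected Frame" bit in Frame Control byte 1

def parse_mgmt(frame: bytes):
    """Return (subtype, protected, src, dst, reason) for a management frame, else None."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 & 0x0F) != 0:         # low nibble: protocol version 0 and type 0 (management)
        return None
    subtype = fc0 >> 4
    dst, src = frame[4:10].hex(":"), frame[10:16].hex(":")
    reason = None
    if subtype in (DEAUTH, DISASSOC) and len(frame) >= 26:
        reason = struct.unpack_from("<H", frame, 24)[0]   # little-endian reason code
    return subtype, bool(fc1 & PROTECTED), src, dst, reason

def find_deauth_floods(frames, threshold=5):
    """Count deauth/disassoc frames per claimed sender. Flag senders at or above the
    threshold, and list every unprotected deauth/disassoc: with 802.11w (PMF) on the
    BSS, a genuine one from the AP would be protected, so these are spoofed."""
    per_sender = Counter()
    unprotected = []
    for f in frames:
        p = parse_mgmt(f)
        if p is None or p[0] not in (DEAUTH, DISASSOC):
            continue
        _, protected, src, dst, reason = p
        per_sender[src] += 1
        if not protected:
            unprotected.append((src, dst, reason))
    flooders = {mac for mac, n in per_sender.items() if n >= threshold}
    return per_sender, flooders, unprotected

def build_mgmt(subtype, src, dst, bssid, reason=None, protected=False):
    """Build a bare 802.11 management frame (no radiotap header, no FCS) for sample input."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    fc = bytes([subtype << 4, PROTECTED if protected else 0])
    body = struct.pack("<H", reason) if reason is not None else b""
    return fc + b"\x00\x00" + mac(dst) + mac(src) + mac(bssid) + b"\x00\x00" + body

# Constructed sample (not a real capture): one protected deauth from the AP, then eight
# unprotected deauths (reason 7) spoofing the AP's address at a client, then a beacon.
AP, CLIENT = "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE = [build_mgmt(DEAUTH, AP, CLIENT, AP, reason=3, protected=True)]
SAMPLE += [build_mgmt(DEAUTH, AP, CLIENT, AP, reason=7) for _ in range(8)]
SAMPLE += [build_mgmt(0x08, AP, "ff:ff:ff:ff:ff:ff", AP)]
```

On a real capture (e.g. frames read from a monitor-mode pcap with the radiotap header stripped), `find_deauth_floods(frames)` returns the per-sender counts, the flagged senders and the unprotected frames; note the sender address in a deauth frame is whatever the transmitter claims, so a flood attributed to your own AP's address is the expected signature of spoofing.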