LinuxQuestions.org > Forums > Linux Forums > Linux - Security
02-05-2009, 04:17 PM   #1
/dev/me, Member (Slackware 13)
Wardriver HaxXx0r WiFi vs /dev/me -- looking for options


I've had this before. I have a netbook that needs a buggy beta driver to connect wirelessly, so I can't use encryption on my router. Usually I turn off the wireless functionality when I don't need it, but more often than not I forget.

I found my neighbors made good use of my negligence, and I can't blame them. The nice girls next door apparently have two OSX's so here's what I did. I redirected all unknown devices to one site (kittenwar, whoehahaha). That stopped my neighbors well enough.

But after I had a wardriver on my network, I felt pretty sorry and (perhaps more importantly) I didn't want these attacks to seem to come from my IP address. It had all outward appearance that the wardriver had no idea (s)he was redirected. So... I just told ye olde iptables to drop everything except for my very own machines. I filter on MAC so it can be spoofed, but that's not my reason for writing y'all.

I have one on my network right now. He's been using my network for well over *calculates* 9 (say NINE) hours continuously. He's up to 20000 attacks at external sites now. I did some scans. It's a Vista, its uptime is about the same length as the attack and all. I went outside, but as is to be expected, no one was sitting in a car with a laptop. I thought maybe someone just left their notebook running in a car, but now that we are a couple of hours further I still see him on the network, and I doubt any lappy would last that long. So I'm not ruling out that it's a neighbor, who has the benefit of juice coming from the wall. Or he's got some high powered external battery, but I don't want to get carried away here.



A couple of things ignite my curiosity. I really think my firewall is set up properly. I don't think he can look any further than *ehm* nowhere. As far as he's concerned, every site on the Internet is out tonight. Nobody is home. Then I imagine (but don't know) he's running some autonomous non-interactive process. Probably unsupervised.
That would explain why he's not noticing his signal isn't reaching anything.

But I'm also curious about this sort of behavior. I, like everyone, get a lot of attacks on my network. It doesn't bother me, as I think my setup is secure. But this attack isn't pointed at me and is coming from the inside. That is different. The person doing this is close (needs to be as I have a very very cheap router).

Now what can I do? Yeah I know, I can secure my wireless AP further with extra MAC filtering or be more disciplined in turning it off, but what's the fun in that??

___
He doesn't know that I know that he's using my network. I think he failed to check whether his connection is fully enabled. Or maybe he's dodging the protection I have in place. I know I can dodge my own security, spoofing MAC and using a different IP than the one that is assigned may do the trick (although that would trigger the rate limiter so effectively you're not much further). But he's not using any of the ways I know that will, in combination, dodge the security. Nothing of the sort.

I want to do something. Something we Dutch call 'tot stichting en vermaak', I can't really translate the connotations of that, but the closest is 'both educational and fun'. Security is interesting to me, and this real life black hat seems like too good a chance to miss. What is he doing, why, how, those questions I'd like to get answered from my new friend. Without him knowing it. And I don't mind playing a bit, as long as it's legal...

Have you actually gotten this far reading? Wow! Thanks! I thought about honeyd (as previously was recommended by a forum member here) but any thoughts? I won't catch him today, but I want to be ready next time. Have a devious trick up my sleeve, if you will.

Thanks for reading, and take care

Last edited by /dev/me; 02-05-2009 at 04:21 PM.
 
02-05-2009, 04:25 PM   #2
win32sux, LQ Guru (Ubuntu)
Have you tried using signal strength indicators to get a physical location?
 
02-05-2009, 04:40 PM   #3
/dev/me, Original Poster
Nope, my router doesn't have that sort of highly advanced technology. Maybe if I could get my main lappy in ad-hoc mode and get some route to him I might be able to. But I don't know how to do that, if at all possible. Could I take a measurement from another point than from the router itself?
 
02-05-2009, 04:45 PM   #4
win32sux, LQ Guru (Ubuntu)
A wireless sniffer will show you signal strength for both access points and clients. So by sniffing from your laptop and walking around you should be able to get a good idea of where the bad guy's computer is.
 
02-05-2009, 04:49 PM   #5
/dev/me, Original Poster
OK, I just fired up Backtrack in virtualbox, I'm gonna try that now

Any recommendations?
 
02-05-2009, 05:06 PM   #6
win32sux, LQ Guru (Ubuntu)
Not really. In fact, I wasn't even aware one could run such a sniffer in a virtual machine.
 
02-05-2009, 05:27 PM   #7
/dev/me, Original Poster
Eh... I wouldn't know why, but sniffin's new to me, so I might be wrong. The tools I know of are demanding in terms of learning curve. And it's well past midnight, so the 'human factor' comes into play. I disabled my wireless AP and I decided to call it a night (he was still there y'know).

I did write my ISP about this, asked them if my IP address left 'interesting' things in their logs. Seems like the shortest route to firewall configuration sanity checking. My logs say nothing got through, but I want to check just to be sure.

But thanks for your *very* fast response! I'll look into the sniffer when time allows. I may have more questions on the matter that I'd like to discuss, and any thoughts are still welcome.

Take care!
 
02-05-2009, 06:13 PM   #8
slimm609, Member (Slackware, Gentoo, Fedora, LFS, Solaris, FreeBSD, RHEL, SUSE, Backtrack)
You can do a MAC filter on the wireless router,
turn off DHCP
and disable SSID broadcast.

or

Connect the wireless router to a separate NIC on your firewall, run OpenVPN on the firewall, and have iptables only allow traffic from the OpenVPN network to pass, not from the unencrypted network.
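One way to express the second option (the open AP on its own NIC, only tunnelled traffic forwarded) as an iptables script. This is an added example, not slimm609's or the thread's own configuration; the interface names eth0 (uplink), eth1 (AP segment), tun0 (OpenVPN) and UDP port 1194 are assumptions, and the firewall is assumed to hand out DHCP leases on the AP segment itself.

```shell
#!/bin/sh
# Assumed interface names and port (placeholders): change them to match your box.
WAN=eth0        # uplink to the ISP
WIFI=eth1       # NIC the unencrypted access point is plugged into
TUN=tun0        # OpenVPN tunnel interface on the firewall
VPN_PORT=1194   # OpenVPN listener (UDP) on the firewall

# Print the rule set instead of applying it, so it can be reviewed first.
gen_rules() {
    cat <<EOF
iptables -F
iptables -t nat -F
# Loopback, and replies to connections the firewall or the tunnel initiated.
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# The open AP segment may only obtain a lease and reach the OpenVPN listener.
iptables -A INPUT -i $WIFI -p udp --dport 67 -j ACCEPT
iptables -A INPUT -i $WIFI -p udp --dport $VPN_PORT -j ACCEPT
# Anything else arriving from the open segment is logged (rate limited) and dropped.
iptables -A INPUT -i $WIFI -m limit --limit 5/min -j LOG --log-prefix "open-wifi: "
iptables -A INPUT -i $WIFI -j DROP
# Hosts inside the tunnel may talk to the firewall itself (DNS and the like).
iptables -A INPUT -i $TUN -j ACCEPT
# Only tunnelled traffic is forwarded to the Internet; the raw AP segment never is.
iptables -A FORWARD -i $TUN -o $WAN -j ACCEPT
iptables -A FORWARD -i $WAN -o $TUN -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $WIFI -j DROP
iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE
# Default-deny last, so a live apply never has a window with no accept rules.
iptables -P INPUT DROP
iptables -P FORWARD DROP
EOF
}

# Number of rules that match on a given input interface (a quick sanity check).
count_rules_for() {
    gen_rules | grep -c -- "-i $1"
}

case "${1:-}" in
    --apply) gen_rules | sh -e ;;   # needs root; run from the console, not over the open segment
    *)       gen_rules ;;
esac
```

Running the script without arguments prints the rules for review; `--apply` feeds them to iptables.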
 
02-07-2009, 04:58 PM   #9
larryhaja, Member (Slackware 13.1)
Quote:
Originally Posted by win32sux View Post
Not really. In fact, I wasn't even aware one could run such a sniffer in a virtual machine.
It is possible if you have a virtual ethernet device. Or, alternatively, you could use a USB ethernet/wifi device for full control.
Quote:
Originally Posted by slimm609 View Post
you can do a mac filter on the wireless router.
turn off dhcp
and disable ssid broadcast.
Those two in red will only deter casual users, but will do nothing for someone who is determined to get in.

In the off chance that this person used your open access point in the past, the machine could be attaching to the AP via Windows Zero Wireless Configuration without the user knowing it. This happened to me in the past when I was using Windows XP. I had two APs. I used one for internet and the other was for local media storage. Sometimes my wireless device would disassociate from my internet AP and connect to my other AP.
 
02-08-2009, 07:42 AM   #10
Hangdog42, LQ Veteran (Slackware)
Quote:
I have a netbook that needs a buggy beta driver to connect wirelessly, so I can't use encryption on my router.
Can I ask what this wireless card is? It seems to me that is the root of your problem and if you can find a way to use encryption, all your other problems go away.
 
02-08-2009, 12:42 PM   #11
raskin, Senior Member (NixOS)
As for encryption - I suspect wpa_supplicant would solve your problems.
All times are GMT -5.