Hacking Hotspot

nazadnan2003 · Tue Oct 31, 2006 8:43 am

I Have a Hotspot with web proxy enabled, and some hackers can hack my hotspot by using scanning programs which can scan the active IPs and their MACs and use one of them (by change MAC) to get the same IP of the authorized MAC and then access the Internet without asking to authenticate because its already authenticated.[/b]

Tue Oct 31, 2006 5:09 pm

'ip hotspot user profile' contains 'shared-users' option, 'shared-users=1' allows only 1 client to use the same login/password simultaneously.
1 session means, that only one user are able to use the particular HotSpot login. It might cause problems, as 'bad' user authenticated firstly and then 'good' client is unable to authenticate.

To resolve this,
- use login/password for the HotSpot authentication;
- if bad user has stolen IP/MAC-address and HotSpot login/password, then only managed switches help to protect wired network from unauthorized access (WPA/WPA2 encryption for the wireless network).

nazadnan2003 · Wed Nov 01, 2006 10:01 am

Dear sergejs:

I alrady use "shared-users=1" , and use login/password for the HotSpot authentication.
The "bad users" stole IP/MAC-address by using scanning programs, and chose one of the active IP/MAC-address.
If the stolen address is alrady autherized in the hotspot, then the "bad users" will recive Internet service as well as the 'good client' (both in the same time and the same IP/MAC-address).

Wed Nov 01, 2006 11:45 am

Do you have wireless or wired clients ?
For wireless clients you might use encryption WPA or WPA2, to protect network from unauthorized accesss.
For wired/Ethernet clients management switch might help you, if swith could make restrictions by MAC-address<--->port.

Duplicate IP and MAC-addresses on the newtowk cause problem for 'good' and 'bad' clients, internet will not work correctly for both them, if clients simultaneosly exists on the same network.

PPPoE server might be used instead to protect network from uathorized access.

nazadnan2003 · Sat Nov 04, 2006 5:24 pm

I have external Access Points connected to the MT Router.
I don’t use encryption WPA or WPA2, and I do not want to do so.

In my case both (Good and Bad users) use the Internet in the same time by using the same IP/MAC-address. Theoretically this is impossible, and internet will not work correctly for both of them. But practically it is work on both sides.

I need a way to prevent this from happened.

What can Managed Swatch do to me in my case?

andrewluck · Sat Nov 04, 2006 5:49 pm

A managed switch would help if your clients were all using ethernet. You could restrict MAC addresses to a single port each. That way, if the port changes the switch won't talk to them.

Unless you change to some form of controlled access you can't stop these MAC / IP hijacks.

Regards

Andrew

jo2jo · Sat Nov 04, 2006 8:10 pm

the switch idea is correct but i'm assuming this guy is in a wireless enviroment since he says the "hackers" are using scanners and are cloning active athenticated MAC addys...

in which case serge is right u need to use wpa or wpa2 and that will solve this.

what are your "good" clients using to connect? windows laptops? CPEs? and if its laptops u could always use a vpn session and give each good user a user id and password with that....you woudl not need any wpa or wpa2 encrytpion since the hackers coud conect to the ap but not through the vpn and thus no net access..

Hellbound · Tue Dec 05, 2006 5:07 pm

I Have a Hotspot with web proxy enabled, and some hackers can hack my hotspot by using scanning programs which can scan the active IPs and their MACs and use one of them (by change MAC) to get the same IP of the authorized MAC and then access the Internet without asking to authenticate because its already authenticated.[/b]

to be honest with you I hacked my ISP in such fashion 5 years ago myself, the only way I can think of is PPPoE authentication method.

Mikrotik RouterOS does not offer any solution for this, specially for wireless side.

at this moment there is no wireless hotspot to detect two radio with duplicate mac address and doing managed switch mac filtering is just a headache...

I've been thinking a lot of how to prevent this hack attempt since I did it myself. I can say the only answer might be in finding the culprit... by detecting its signal and location.

However I have other theories of using special java and cookie to read computer's hard disk serial number locally in login page and store it in server ro if another user cloned

Wed Dec 06, 2006 11:53 am

Hellbound, where is the problem to use encryption protocols (WPA, WPA2) for wireless users ? If your users will not distribute security configuration, then 'bad' user will not have any possibility to establish connection with AP without encruption configuration.

Mikro-Man-Tik · Wed Dec 06, 2006 2:09 pm

He sergejs...
The problem is when we using the encryption protocols (WPA, WPA2) for wireless users the New User can't connect to network and test the service if we use the hotspot service.

Wed Dec 06, 2006 2:12 pm

One of the workaround for this problem is Virtual AP created on HotSpot AP, where you can create trial HotSPot users and apart HotSpot server, but normal users will connect to the AP running encryption.

111111 · Wed Dec 06, 2006 2:51 pm

As Hellbound sad LOGIN ca get some extra info for user
OS, Browser, User account name (many PHP ex.)
hardware numbers, partition number,

Wed Dec 06, 2006 3:14 pm

111111,
what is the problem with encryption protocol configuration ?
Encryption protocol has unique configuration settings, that might be accepted from client with correct configuration, if you will not give them or user who paid for HotSpot will not give them further, nobody could not access to your AP without correct settings.

Hellbound · Wed Dec 06, 2006 7:56 pm

Hellbound, where is the problem to use encryption protocols (WPA, WPA2) for wireless users ? If your users will not distribute security configuration, then 'bad' user will not have any possibility to establish connection with AP without encruption configuration.

this is where you can force all user to enable encryption? but how many network with wide coverage is using that?

unfortunately if you take out encryption, there is almost nothing left to protect users.

111111 · Wed Dec 06, 2006 9:14 pm

sergejs
WPA 64bit 5 simbol pass is nead around 30min to be decripted
128bit 10 simbol ~ 8h

WPA2 is not supported by each AP client device

cmit · Wed Dec 06, 2006 10:48 pm

I think you meant WEP encryption when giving those times to decrypt/brute-force an encryption key.

WPA still goes as uncracked, I would suppose...

Best regards,
Christian Meis

111111 · Wed Dec 06, 2006 11:16 pm

cmit WPA i mean
officialy yes it is "most secure" like DVD protection
but "read the manual" say other

WPA + RADIUS + some user system info
that's other

ahmedramze · Thu Dec 07, 2006 2:32 am

I'm sure your problem it from your bad configration of hotspot , if you can send the configration by

/ip hotspot export

/ip dhcp-server export

/ip firewall nat export

and send it .

Your problem is happen when you use saim IP for DHCP and Hotspot .
the scanner software that hack the physical layer of network (( MAC )) and get the DHCP IP from your server who allow these ip to connect to your internet .

to remove these you must configer a temperary DHCP network that allow all user to connect to your hotspot , and configure the hotspot with diffrent ip . for example

1-DHCP server work in 192.168.0.1/24 in hotspot interface
2-do a hotspot server work with 10.200.10.1/24
3- allow the hotspot ips to acsess to you internet from from firewall by

ip firewall nat add chane=src  src-address=10.200.10.0/24 action=masq... out-interface=((yourWAN))

and told me what happen with you , and any one told you JAVA hotspot not secure told him you did not use right configration .

regard

Thu Dec 07, 2006 8:15 am

111111
1) I think you are reading documentation regarding the WEP, as only WEP has 64(40) and 128 (104) bit keys. I did not recommended WEP as encyption method, I said about WPA/WPA2.
Could you post link with this documentation ?

2) Do you manage to steal WPA key for AP running WPA encryption ?

janisk · Thu Dec 07, 2006 8:24 am

o boy, that was one good laugh in the morning. decrypt WPA in 30 minutes. Do you woodoo or have access to AP?

please clarify what documentation you read by posting links here, or name and source of materials.

Thu Dec 07, 2006 10:36 am

not so fast, janisk. it will take longer then 11111 mentioned (I doubt he's done it), but it looks possible in theory:

http://www.google.com/search?q=cracking+wpa

Thu Dec 07, 2006 10:52 am

Of course WPA2 is recommended, as well EAP is preffered to PSK, as well AES-CCM is preferred.
Anyway I doubt that 63 undictionary 'wpa(1)-preshared-key' will be 30 minutes work for regular user.

111111 · Fri Dec 08, 2006 11:47 am

someting interesting for they who not believe

WEP less then 5 sec

I code it ;)
сKуKцKсKфKсKущххKтKцKфKшKр
сKуKцKсKфKсKущххKтKцKфKщKр
сKуKцKсKфKсKущххKтKцKфKсрKр
сKуKцKсKфKсKущххKтKцKфKссKр
сKуKцKсKфKсKущххKтKцKфKстKр
сKуKцKсKфKсKущххKтKцKфKсуKр
сKуKцKсKфKсKущххKтKцKфKсфKр
сKуKцKсKфKсKущххKтKцKфKсхKр

Fri Dec 08, 2006 11:48 am

again WEP - WE ARE TALKING ABOUT WPA!

111111 · Fri Dec 08, 2006 11:55 am

WPA coding is simple too
just thing how is generated

Fri Dec 08, 2006 11:56 am

show us

somehow, I just don't believe you can do it in minutes

111111 · Fri Dec 08, 2006 1:24 pm

http://www.informit.com/articles/printe ... 70636&rl=1

Fri Dec 08, 2006 1:26 pm

did you even read it until the end?

As we've learned, cracking the password is no simple matter. Due to the WPA design, an attacker must have an insider's understanding of how the packets are created and how their data is used to secure a WPA-PSK network (or a tool that does this for the attacker). Our example provided a test using a previously known password. To successfully crack a random network, an attacker must have a large dictionary file, a powerful computer, and a little luck in order to obtain the password. Fortunately, this isn't as easy as it sounds.

nazadnan2003 · Fri Dec 08, 2006 9:21 pm

Dear ahmedramze can I have your Yahoo ID
for more explenation.

Hellbound · Sat Dec 09, 2006 8:52 pm

did you even read it until the end?

As we've learned, cracking the password is no simple matter. Due to the WPA design, an attacker must have an insider's understanding of how the packets are created and how their data is used to secure a WPA-PSK network (or a tool that does this for the attacker). Our example provided a test using a previously known password. To successfully **** a random network, an attacker must have a large dictionary file, a powerful computer, and a little luck in order to obtain the password. Fortunately, this isn't as easy as it sounds.

why not mikrotik try to detect wireless client with different signal strength with one mac address?

definitely modulation and signal strength can be helpful key to come up with some level of security?

smacebr · Mon Dec 11, 2006 3:21 pm

After we implement MK-PPPOE solution we saw our SSID (even with AP mac cloned) cloned and one PPPOE server was running in that "unknown" AP. They were getting user/password/mac from our customers. We already have one great solution for this. (once it works) But I am curious to know what Mikrotik suggests in these cases? (They always have better solution than ours

Mon Dec 11, 2006 3:24 pm

smacebr,
use encryption protocols for wireless clients, as it was suggested in the previous posts(WPA/WPA2).

smacebr · Mon Dec 11, 2006 3:30 pm

but the key is shared by all users in that interface. right?
The problem is that we suspect that who did that has access to our network. (He fixes computers - format, install OS, hardware etc - i've forgotten the word for this kind work). So if the Key is shared by all users in that interface he will be able to get the key when he visits one of our customers. Am I wrong?

janisk · Mon Dec 11, 2006 3:36 pm

preferably with eap certificates. but preshared key is also good choice for starters

like me

edit:

you can create virtualAP with different pre-shared key, like one key for group

smacebr · Mon Dec 11, 2006 3:54 pm

I have not checked "eap certificates" before. I must check it then. Any sugestion?

I was thinking about to develop one Dialer (for PCI Wireless Cards) and a customized AP Firmware (just like ApRouter and others) for doing an improved authentication.

After the user logs in (user,password,mac,station) in the radius. Our integration server would send one Key to the Dialer/AP(Fw.Customized) if it combines to the last key sent by our server in the previous session, the client (dialer/ap) will send another key back, in case of incorrect Key or not informing it the server will automatically disconected the user from MK. If everything is OK then the server sends the user a new key to be used in the next session. So this way these keys are updated each session and I hope avoid clonning for ever

Mikrotik what do you think about this kind of solution?

janisk · Mon Dec 11, 2006 4:18 pm

certificates can be used in this manner: AP and client receives certificate from radius server and then from this certificate keys are generated and they change over time, it is very very safe.

smacebr · Mon Dec 11, 2006 4:23 pm

Is it the same I talked above or is it diferent?
I need one example of implementing it to understand it better.

janisk · Tue Dec 12, 2006 4:35 pm

kind of the same, just already implemented in ROS, windows and Linux.

you have to generate TLS certificate for user and your AP, then set this certificate for router and for user

ofasa · Thu Dec 14, 2006 10:23 am

Dear sergejs:

I alrady use "shared-users=1" , and use login/password for the HotSpot authentication.
The "bad users" stole IP/MAC-address by using scanning programs, and chose one of the active IP/MAC-address.
If the stolen address is alrady autherized in the hotspot, then the "bad users" will recive Internet service as well as the 'good client' (both in the same time and the same IP/MAC-address).

1. Try disabling 'Universal Client'. (I think this is done by setting the address-pool in the user profile to 'none')

2. Try binding the MAC address to the IP address in the firewall (possibly with a login script in the user profile - if mac is xx-xx-xx-xx-xx-xx and ip is not yy.yy.yy.yy reject/tarpit/drop)

Just a few thoughts.

skynoc · Thu Dec 14, 2006 9:28 pm

hi guys ,
i have the same problem with mikrotik .
you should give each client a static ip or there should be a script running which gives each client a subnet of 30 bits , this can solve mikrotik hotspot service .

i m using hotspot with static ip only , and my system is running well ,

Fri Dec 15, 2006 7:55 am

skynoc, do you have HotSpot running on the wireless or Ethernet interface ?

nazadnan2003 · Sun Dec 17, 2006 12:04 pm

Ahmedramze wrote

I'm sure your problem it from your bad configuration of hotspot...

Dear Ahmedramze:
I'm sure that I follow the right steps described in the PDF Manual to configure the Hotspot, is there any possible that MikroTik make some mistake in their configurations??? !!!!

Ahmedramze wrote

and told me what happen with you...

the same problem still exist

The "bad users" stole IP/MAC-address by using scanning programs, and chose one of the active IP/MAC-address.
If the stolen address is already authorized in the hotspot, then the "bad users" will receive Internet service as well as the 'good client' (both in the same time and the same IP/MAC-address).

Ahmedramze wrote

and any one told you JAVA hotspot not secure told him you did not use right configuration.

Can you pleazzzzzzzz tell me from where this confidence originate abut JAVA Hotspot ????
Did you try to hack your Hotspot by yourself ?
If you are already can prevent this kind of illegal access to your Hotspot ? Can you pleazzzzzzzzz show us who can you do that?

Mon Dec 18, 2006 4:46 pm

nazadnan2003,
it is not very easy to understand, why wireless encryption protocols are not suitable for you ?
Wireless encryption protocols usage allows to protect wireless network from unauthorized users.

smacebr · Wed Dec 20, 2006 11:12 pm

Even using these wireless encryption protocols we still vulnerable, they can get the key with another customer, IMHO presharedkey does not work for ISP. We need one better solution.

Thu Dec 21, 2006 8:48 am

1. You have to educate customers, that distributing preshared keys over the unauthorized users is not a good idea;
2. Alternative more secure method than preshared key exists EAP. It is better and more secure. As it was described previosly.

nazadnan2003 · Mon Dec 25, 2006 11:56 am

sergejs
It is not very easy to understand why MT team can not confess that they couldn’t till now prevent this kind of penetration.
Many reasons make wireless encryption protocols are not suitable for me, these reasons are shortly describe below:

- My Hotspot is covering a small city with 5 Km diameter with other Hotspots, so it’s very important to my Hotspot to be easy to connect for first look.
- Most of the users are dummies (in networking skills), so each time a user face some problems in his connection or even in his PC regarding the internet I should support him without any charge.
- Imagine the time spends with this kink of problems, which can be spend with other users and problems can be charged.

Regards

Hellbound · Tue Dec 26, 2006 7:00 pm

I have an idea

MT make a simple Scanner detector that is trying to scan more than 3 IP in one minute and blacklist the mac address from the network so at least the person won't be able to scan the whole network for alive IP address.

at the other hand MT make dynamic IP and dynamic Gateway in 255.255.255.252 subnetting.

so even in layer 3 we can block scanning.
dynamically create local IP address and dhcp release dynamic setting (for instance)
gateway1: 10.1.1.1
client1: 10.1.1.2
subnet: 255.255.255.252

gateway2: 10.1.1.3/31
client2: 10.1.1.4/31
subnet: 255.255.255.252

and so on...

better than nothing.

thanks

janisk · Wed Dec 27, 2006 10:20 am

sergejs
It is not very easy to understand why MT team can not confess that they couldn’t till now prevent this kind of penetration.
Many reasons make wireless encryption protocols are not suitable for me, these reasons are shortly describe below:
- My Hotspot is covering a small city with 5 Km diameter with other Hotspots, so it’s very important to my Hotspot to be easy to connect for first look.
- Most of the users are dummies (in networking skills), so each time a user face some problems in his connection or even in his PC regarding the internet I should support him without any charge.
- Imagine the time spends with this kink of problems, which can be spend with other users and problems can be charged.

Regards

as sergejs wrote - educate your customers

and as i know WPA2 and EAP is available since 2.9.8. so it is more that a year.

and you can provide DEMO with no encryption and no real access to Internet with with virtualAP. so they anyone can connect and see how to configure their interface.

smacebr · Sun Dec 31, 2006 1:50 am

janisk,

I am looking for one path to implement this EAP in my network. Can you point me one tutorial that works with MK?

Thank you.

skynoc · Wed Jan 03, 2007 9:22 am

sergejs

i m using wired network on ethernet .

smacebr · Wed Jan 03, 2007 3:11 pm

good question skynoc,

What should we do in Wired networks?? They have already cloned my PPPOE server

Wed Jan 03, 2007 3:13 pm

Management switches, that provides security MAC address per port, should help you in such cases.

smacebr · Wed Jan 03, 2007 5:41 pm

sergejs,

Yes, it would solve but on the other hand it would be a very expensive solution, imagine our network with about 200 switches. It would be also hard maintaining. I believe we can reach a better, safer and cheaper solution.

The problem related to PPPOE is that it DOES NOT autenticate the SERVER. So the pppoe client does not know if the server is the real one or fake.

I have thought about how to solve this problem myself but I do not want to reinvent the wheel, and I would prefer to follow standards already implemented.

Each day more we are having PPPOE clonning here. There are a lot of dishonest people around. We sell internet thought wired and wireless networks.

For sure a better authentication method would solve it requiring much less work than "managed switches".

Dont you agree? Any idea?

Hellbound · Wed Jan 03, 2007 5:58 pm

sergejs,

Yes, it would solve but on the other hand it would be a very expensive solution, imagine our network with about 200 switches. It would be also hard maintaining. I believe we can reach a better, safer and cheaper solution.

The problem related to PPPOE is that it DOES NOT autenticate the SERVER. So the pppoe client does not know if the server is the real one or fake.

I have thought about how to solve this problem myself but I do not want to reinvent the wheel, and I would prefer to follow standards already implemented.

Each day more we are having PPPOE clonning here. There are a lot of dishonest people around. We sell internet thought wired and wireless networks.

For sure a better authentication method would solve it requiring much less work than "managed switches".

Dont you agree? Any idea?

to be frank with you, it is a very bad idea to use unmanaged switch to provide internet to people. you have no other choice to provide better security except upgrade to managed switch.

there is a brand called TP-Link which has very cheap product. I'm not sure about their quality since I haven't tried that myself but they usually use good chips for their products.

upgrade to manageable switch ASAP. bind mac-address to each port and make sure all ports are isolated.

smacebr · Wed Jan 03, 2007 7:31 pm

I understand you Hellbound. But the point is that the way we are working today is not totally safe. And there are ways to make is much more reliable. And I believe this solution is not so far as it looks. 4-Way, 6-Way autentication methods solves it (once it autenticate the client and server). The point is, I dont know which implementation to follow. I only know my current PPPOE implementation is not safe. And changing all hardwares we have today would be a real pain.

Hellbound · Wed Jan 03, 2007 7:43 pm

I fully understand how painful is that.
I'm just changing 3 3com switch and 1 linksys web-smart switch because their web service are simply crashing and we can't even telnet, I dont know why. maybe stability is something cisco is selling. and honestly it is very very painful. but what's the choice anyway?

but it is further more painful when you have to prepare 5 men just to visit your sites for funny problems.

every day that is pass by I better understand why people like cisco charge more for something more reliable and stable.

I have not implemented a wide network yet and I am not sure myself how to achieve low-cost and stable network at the same time.

one thing for sure is that since last two years I spend more than 30,000 USD just to test this and that. buy this and throw it away, buy that and throw it away because it is simply not stable.

can you believe that my APC ups is even crashing? my linksys switch is crashing... everything is crashing... i just hate this crashing but it all happens...

just listen to me. this one thing is necessary thing for your network. you may start doing it slowly, not just in one day. but you must really do it.

I've seen ISP using normal made-for-house 8 and 16 port switch. I just simply set my route to another client and I am connected to internet!!!

no mac cloning and no nothing... this was the kind of security.

managed switch will allow you turn off the port without visiting the site.

hope it helps.

skynoc · Wed Jan 10, 2007 2:09 pm

dear Mikrotik clients
i found an idea to use the hotspot service from mikrotik.
i have a wireless and wired network over 245 wireless access point and more than 80 switches . it is very expensive to change all these devices to manageable devices such as mikrotik wireless routerboard and cisco switches or 3 com etc...
i've been using hotspot with dhcp more than 2 years untill someone came to our network and start cloning our dhcp mac address to abuse our network we could know the person who did that but when more than 1 started to do that from different locations we found ourselves in the middle of a huge problem , so the solution was to provide each client a static ip address because the hacker was cloning an ip address and a mac address of the server which it has 2 subnets of 24 bit .
the hacker was doing as follow :
mikrotik router has 2 ip address : 10.10.10.1/24 and 10.10.0.10/24 (authenticated netowrk )
unauthenticated network has 2 subnets too : 192.168.0.1/24 and 192.168.1.1/24
the hacker pings the server with unauthenticated situation using his xp workstation and execute the arp -a command to see his arp table
he founds the dhcp ip address which is the unauthenticated network and the mac address he puts the mac address first the same as the dhcp server into his ethernet interface or wireless and then he puts the same ip address 192.168.0.1 and the authenticated ip address which is 10.10.10.1 now in this case no new clients can replicate with the dhcp server nor the authenticated clients can replicate with the gateway because there are 2 ip addresses are the same on one network , ( note that if you put on your card only the ip address of the server the xp station prompt for a conflict ip address on the network but if you put both ip address and mac address the same as the server the xp station still as jackass )
now to solve my problem , i gave each client static ip for example : i put 192.168.1.1/30 on the router so i can give 192.168.1.2 for the client and 192.168.1.1 as his gateway
i give the second client a different subnet such as 192.168.23.1/30 on the router and 192.168.23.2 as a client ip address and 192.168.23.1 as his gateway but in this situation no new clients can get a dynamic configuration but it is usefull .i was thinking to write a script which can talk with the dhcp server and give each client a subnet of 30 bit and each client has different subnet from the other .
in this case mikrotik can solve the hotspot problems

111111 · Wed Jan 10, 2007 9:01 pm

skynoc

add pool for each client ip address and dhcp will give auto ip
make static dhcp leases

skynoc · Thu Jan 11, 2007 8:11 pm

nice trick 111111
i tried it but it didnt work because when you setupt a new hotspot server the wizard ask which ip address you need hotspot to use by default 10.5.50.1/24 which is unique for all clients and this is the problem but what we need is to give each client dynamic ip assignment with 30 bit subnet .

yusabdu · Fri Jan 12, 2007 1:41 pm

please let the mikrotik guys get a very good and cheap solution to this problem of hacking hotspot

111111 · Fri Jan 12, 2007 7:11 pm

How simple will be, if some one write a JAVA (php, asp, or other) script,
with will see(use) hard disk number, partition number, processor number then Radius will not be cheaten so easy

nazadnan2003 · Fri Jan 12, 2007 7:37 pm

There is an old scenario named DHCP-Pool Method describe in Hotspot chapter in Reference Manual for RouterOS 2.8 , which is show the possibility of making tow different address pools, the first address pool (Temporary address pool) for unauthorized customers, and the other address pool (Real address pool) for the authorized customers.
According to this scenario, when the customer first connected to the hotspot, he should get a temporary IP address for very short time (14 seconds±), in this period the customer should complete the authorization process and login to the hotspot. After the end of the lease, the customer will get a new IP address from the Real pool.

In this scenario, when the hacker first connected to the hotspot, he will get a Temporary IP address and when he run any scanning programs, all what he get is a few IP's / MAC's for other unauthorized customers and he will never see the authorized IP's / MAC's because they are in deferent pool (subnet mask).

Unfortunately I could not achieve this scenario in my Hotspot because I have RouterOS 2.9.29, the IP of authorized customer changed from the Temporary to the Real just inside the Router in IP/Hotspot/Hosts page.

If there is any one can ensure that he succeeds to achieve this scenario in his Hotspot, I'll be grateful to him if he share us his experience.

I believe that it is the only helpful way to solve Hacking Hotspot problem, unless if there is a way to distinguish between the real and clone MAC and then drop all connections came from cloned MAC and accept connections from real MAC.

skynoc · Sat Jan 13, 2007 9:15 am

a script writen in mikrotik can help but a miracle or a guru can do it only.

zuf · Sat Jan 13, 2007 7:33 pm

hi my sir if u remove cookies from hotspot it made bad user cant login in your hotspot if he stolen mac for good user thanx

skynoc · Sun Jan 14, 2007 12:19 pm

to sergejs
manageable switches are not the solution for this issue .
note that this problem is not in mikrotik hotspot only,it affects dhcp

regards

nazadnan2003 · Mon Jan 15, 2007 5:32 am

hi my sir if u remove cookies from hotspot it made bad user cant login in your hotspot if he stolen mac for good user thanx

Dear friend ZUF I think you'd better if you read the Reference Manual carefully before you make any suggestion.
Cookies did not work as you think

skynoc · Fri Jan 19, 2007 11:54 am

any guru can solve this problem?

Hellbound · Fri Jan 19, 2007 12:48 pm

any guru can solve this problem?

yes,
just use manageable switch to isolate,
IP is in layer 3, you can't block hacker from layer 2 access.

for hotspot wireless user you can just uncheck default forwarding
and drop scanner but for none manageable switch. people can see
each other and you have no way on earth to block them.

3com 24 port managed switch wtih 2 gigabit uplink is around : 200 USD down here
3com 24 port unmanaged without uplink is around 100 USD,

just don't buy unmanaged and buy managed, simple math

macahan · Wed Feb 07, 2007 8:35 am

After we implement MK-PPPOE solution we saw our SSID (even with AP mac cloned) cloned and one PPPOE server was running in that "unknown" AP. They were getting user/password/mac from our customers. We already have one great solution for this. (once it works) But I am curious to know what Mikrotik suggests in these cases? (They always have better solution than ours ;)

If you use CHAP challange on your PPPoE then they can not get the password. Because it uses a challange handshake.
You do not want to use PAP for pppoe because that means you send clear text passwords. But CHAP or MSCHAP.v2 will not hand the clone PPPoE server the password. It never sends the password. It uses a challange and responds handshake system.

skynoc · Wed Feb 07, 2007 10:52 am

this is not what we are talking about...

janisk · Wed Feb 07, 2007 11:00 am

create wireless link with WPA/WPA2 with PSK, change PSK once a week, use radius to authenticate users, use access list on your AP.
PSK key - create it to max allowed length

instruct your users to not to share this key with others.
and stop these posts about hacking hotspot/AP while you are not using any protection that is already available.

monaro · Wed Feb 07, 2007 10:25 pm

I think AP (dlink, linksys, etc) have client security features where hackers cannot scan other user ip address, computers, etc since the AP disallow access between each other wireless users. Turn them on.

I have configure all my wireless AP to set the client security to enable.

janisk · Thu Feb 08, 2007 9:55 am

I think AP (dlink, linksys, etc) have client security features where hackers cannot scan other user ip address, computers, etc since the AP disallow access between each other wireless users. Turn them on.

I have configure all my wireless AP to set the client security to enable.

in ROS you can turn that thing on and off and it is called "default forwarding" in wireless seection

samsoft08 · Sun Feb 11, 2007 12:59 am

only in wireless section ??

samsoft08 · Sun Feb 11, 2007 1:15 am

so what about the example mentioned above about making temporary pool ?? i found it great in theory ..

samsoft08 · Sun Feb 11, 2007 4:04 am

nazadnan2003, I tried the example above , its working but as you said the real IP is only exist inside the router and the client still got the temp IP and scanning will result all the mac's of the clients ..
and this becouse the lease time is repeating it self each time its finished !!! i dont know why , maybe becouse the client still connected ..

i hope that someone knows how to overcome this lease issue it will be a great help couse i think this example is the best way to protect clients mac's and IP's from being scanned by hackers ..

acim · Sun Feb 11, 2007 11:25 am

The "bad users" stole IP/MAC-address by using scanning programs, and chose one of the active IP/MAC-address.
If the stolen address is alrady autherized in the hotspot, then the "bad users" will recive Internet service as well as the 'good client' (both in the same time and the same IP/MAC-address).

As there can't be two network nodes with the same IP, does this mean if you completely clone MAC and IP, you behave the same as another machine with this MAC/IP? So both machines with the same MAC/IP receive packets without matter who really asked for them? Huh, this is big problem and probably just cryption can help.

In this case, do you see both machines with the same MAC as registered clients in wireless section? Or you see just one?

janisk · Mon Feb 12, 2007 3:37 pm

OMG

this is how networking has been working for decades.

and yes if you have connected user to DHCP with DHCP lease active lease will renew itself while client is connected

and yes if you clone mac address and ip then you are as good as original user

EDIT:

ensure your cabling security
ensure your wireless security with tools that are provided and most of admins find enough to ensure that their network is safe.

you have everything what you need to make your network safe - safer you make - tougher for users to connect

samsoft08 · Mon Feb 12, 2007 9:14 pm

you mean that the manual example is wrong ??
so why they made 2 pools ??? one for unauthorized users and one for authorized users if the IP wouldnt change anyway ??

forget the encryption , some WISP need to show thier advertising on the log in page of the hotspot , so the cant use encryption .

that solution ( 2 IP pools ) is the best as i think , but it needs more testing , if the user IP change from temp pool to auth pool that would be great ..

navibaghdad · Mon Feb 12, 2007 9:47 pm

Realy

No one from MK team can help to solve this issue or to explain how to implement the example

hci · Tue Feb 13, 2007 12:20 am

I Have a Hotspot with web proxy enabled, and some hackers can hack my hotspot by using scanning programs which can scan the active IPs and their MACs and use one of them (by change MAC) to get the same IP of the authorized MAC and then access the Internet without asking to authenticate because its already authenticated.

By watching proxy logs learn his favorite sites and block them all.

Matt

jonmansey · Mon Mar 19, 2007 10:50 pm

heres a suggestion that may strengthen the hotspot against the trial period hack a little more against simple mac address rotation, perhaps the trial user can be sent a cookie, then if they come back in with one of these cookies later from a different MAC and try to get trial, they are blocked. Trivial to clear cookies to get around it, I realize, but its one extra annoying step the hacker has to do to get access.

jm

Ghassan · Thu Mar 22, 2007 8:28 pm

hi guys ,
i have the same problem with mikrotik .
you should give each client a static ip or there should be a script running which gives each client a subnet of 30 bits , this can solve mikrotik hotspot service .

i m using hotspot with static ip only , and my system is running well ,

sometimes clients can run IP scan and they can find your subnets by running ip scan then you can not do any thing , also if any autenticated user is online for exmple we might say ...

you are controlling them by
- MAC-ADDRESS
- STATIC IP ADDRESS with (*.*.*.*/30)
- limitation per one session
- authenticate by hotspot login page

what else ? you can not do anything if a user is scanning your network .

I heard that there are still hacking HOTSPOT even if it subnetted , they can see any available ip address which is already authenticated ...

The best thing is if you are on a network ... management by switches with layer 3 .
and for wireless , the only thing that our companies is limiting its customers by their access point ( LOCAL LOOP ) but i am waiting for this configuration ... restricting every access point by WPA and IP , it will solve your problems
if anyone found a solution then i would like to hear it .

Regards,
Ghassan

roland · Fri Mar 23, 2007 8:38 pm

We blocked several ports (udp 161,135-139,445) and icmp traffic; our Hacker's scanner because useless.
In addition we filter all traffic from clients directed to the AP (input chain) or other clients. Only traffic from client to gateway (AP is not the gateway, we use bridging) got passed.

Maybe not perfect, but the Hackers are gone.

atheros · Sat Mar 24, 2007 12:45 pm

We blocked several ports (udp 161,135-139,445) and icmp traffic; our Hacker's scanner because useless.
In addition we filter all traffic from clients directed to the AP (input chain) or other clients. Only traffic from client to gateway (AP is not the gateway, we use bridging) got passed.

Maybe not perfect, but the Hackers are gone.

you can not block any port service even the ip address on direct connected network, Those are going to get working even you take out the router.

roland · Sat Mar 24, 2007 1:10 pm

I mentioned "AP" aka AccessPoint (wireless). We don't provide wired access. And we use filters in 'firewall' and 'bridge'.
Anyway, so far it worked. We got the hackers away. Not important for me if 'technically correct'

atheros · Sun Mar 25, 2007 1:53 am

Let's go to the beach and get relax....

doush · Sun May 06, 2007 9:22 pm

now the solution might be

1- get a PC
2- Install Linux
3- Install Snort with additional Packgaes and signatures
4- Put the box behind RouterOS
5- Run snort and Block every scanning attempt and blacklist them

ray · Thu Jun 21, 2007 1:24 am

hi dear all
I have same problem ,when any hacker use the same IP and MAC of one good user he will be same PC so no way to block it because every thing it same just one thing its not the PC Nname so i can see the name its flashing between the good and bad user "from DHCP server Leases" . so I give small idea let MT team do thing for us we dont need change our server OS.

babyface · Thu Jun 21, 2007 3:31 am

I think that you lost the point of view.

If you don't use encryption, all the data of the network can be intercepted easily. No matter the routes, no matter the gateway... nothing matters.

Use WPA/WPA2 PSK with at least 8 characters for your clients, and create a virtual AP opened for the demo.

ray · Thu Jun 21, 2007 12:35 pm

tnx
its good idea but what we can do for wire?

magic · Thu Jun 21, 2007 1:39 pm

Hi,

In my country you can use police to attack the hackers who use your network. We had a few people who cloned mac addresses and find out the fixed IP-s. First we changed the clients IP-s but this is a hard work on a bigger network (and some dummy customer can't do it so it is money too to send out somebody to do this).
After a sort time I allowed them to use the Internet with the cloned (illegal) address and save the traffic on the router (MT can do this). There is a lot of windows and linux program which can analyze the traffic. Every user read his email, login to somewhere, use MSN. There is a lot of way to find out who is the user. For example if you know the MSN login and some friends of the hacker not a big trouble to find who is it.
We found every hacker in 2-3 days and phone them. Just told them if they didn't stop to use our network we will send every information to police. Nobody tried it again. Never told them how we found him!!!!!!
There was one time when we give information to police. They went out to the hacker and found some drog too

We are just waiting for the judgement.

We use pppoe and radius now. We don't have any phone call from customer since we changed to pppoe. Every AP has separation. So there is no direct traffic between wireless clients. The wep/wpa is not a good solution in my opinion because the old wireless equipment are 10-30% slower if you use these and there is the possibility to crack them.
On ethernet side use the not so cheap managed swithes. If you are a service provider you have to invest money to your network.
There is a lot of good example on the MT wiki,documentation and on the demo routers. Use firewall rules to limit scanners (ICMP ports) and block those ports which is used by the viruses.

Krisz

ray · Thu Jun 21, 2007 1:59 pm

thnx but if our hackers dont care to police.

janisk · Thu Jun 21, 2007 2:45 pm

then use PPPoE and Hotspot as user magic suggested
or send information straight to police and see what happens

you have all the means provided

ray · Thu Jun 21, 2007 4:00 pm

thank you
can you tell me plz how i use PPPoE and Hotspot as user magic

janisk · Fri Jun 22, 2007 8:47 am

take a look here:
http://wiki.mikrotik.com/

maybe will find something useful

miahac · Sun Jun 24, 2007 8:49 pm

After we implement MK-PPPOE solution we saw our SSID (even with AP mac cloned) cloned and one PPPOE server was running in that "unknown" AP. They were getting user/password/mac from our customers. We already have one great solution for this. (once it works) But I am curious to know what Mikrotik suggests in these cases? (They always have better solution than ours

Good. If someone has cloned your SSID and PPPOE server then they are broadcasting from a fixed access point. TRACK IT DOWN. In the US this is criminal hacking, or at least theft of utility. Prove it and sue the guy, get him on the front page of the newspaper. If you are in a more lawless place, find more creative ways of retaliation.

hilton · Fri May 23, 2008 12:55 pm

go and play in the street please and stop bothering us.

nazadnan2003 · Fri May 23, 2008 9:31 pm

My same idea

nvrpunk · Sat May 24, 2008 6:31 am

Ban the MAC address access, wait till someone emails, verify they are the paying subscriber. By the time this is said and done, the *hackers* will be tired of wasting time, especially if you repeat this process.

Although this may be an inconvenience to the paying customer it will deter the hackers from bothering as they will have to do more scans, hop macs etc.

omega-00 · Mon May 26, 2008 3:55 pm

I fully understand how painful is that.
I'm just changing 3 3com switch and 1 linksys web-smart switch because their web service are simply crashing and we can't even telnet, I dont know why. maybe stability is something cisco is selling. and honestly it is very very painful. but what's the choice anyway?

We had similar problems with the most recent range of linksys switches - IMHO they are crap.

In regards to what people are saying about not turning on encryption I fully understand the reasons, most clients have NO idea about connecting up or changing from one network to the other let alone connecting to a secure network. It would be GREAT to be able to do this but in theory most clients wouldn't understand and you couldn't expect to force all of them onto the secure one by disabling internet access via the unsecured.

With regards to blocking the hacks, this isn't a mikrotik issue.. mikrotik provide devices that will give you access when given the right information.. every network admin should know that you can't control whats going on at the users computer although you can control what comes through your device. Now if you can think of a constructive way that would stop these hacks from occuring without the user having to jump through hoops just to get online then by all means share it. If you can't then don't blame others for the issue.

My thought would be this, for users with a dhcp assigned address and a dhcp client id, why not devise a method to reverse check that the computer connected has that same client ID and if not, drop the wireless connection

roland · Wed May 28, 2008 7:36 am

any guru can solve this problem?

We had similar MAC cloning on our hotspots, especially because we also use/offer the TRIAL feature ('free' for a few minutes per day). It is impossible to see a difference between real and fake MACs, however each time they change the MAC, they get a new IP from our DHCP, and a new entry in our DHCP table with their hostname.

So, the hacker most likely is about to produce multiple, hostname-identical DHCP traces.

I made two scripts. Script-A is COUNTING same-hostnames in the DHCP table.
Given the fact that maybe 2 people have same hostname and connect at the same time, we set the 'possible-hack-limit' to >2 same-hostnames.
The script write a global variable of list type ("hacklist"), which hold the identified hostnames. Schedule updates the list (run the script) every 2 minutes.

Scripts-B (runs every 20 seconds), uses the global hacklist, get the IP per host from DHCP tabble, scans the hotspot active users and kicks out those IPs.

after 2 times changing the MAC address, the hacker get a 20sec access at most.
I know that the hostname can be changed easily... however, it usually requires a PC-restart. Our hackers are all gone.
===================
script-A: (run every few minutes)
:local hosts [/ip dhcp-server lease find]
:local pcname "X"
:local pcnum 0
:global hacklist ""
:foreach h in $hosts do={
:local host [/ip dhcp-server lease get $h host-name]
:if ([:len $host] >0) do {
:set pcname ($pcname . "," . $host)
:set pcnum ($pcnum + 1)
}
}
:foreach h in $pcname do={
:local hh 0
:if (!([:find $hacklist $h]>=0)) do={
:foreach k in $pcname do={ :if ($k=$h) do={:set hh ($hh + 1) } }
:if ($hh>2) do={
:if ([:len $hacklist] >0) do {:set hacklist ($hacklist . "," . $h)} else={:set hacklist $h}
}
}
}

# monitor results in logfile once an hour
:local timer [:pick [/system clock get time] 3 5]
:if (($switch > 0) || ($timer >= "58")) do={
:log warning ("New Hacklist: " . $hacklist)
}

=======================
script-B (runs every 20 second)
# use global hacklist variable
#:log info ($hacklist)
:foreach host in $hacklist do={
:foreach i in= [/ip dhcp-server lease find host-name $host] do={
:local ipnum [/ip dhcp-server lease get $i address]
:local unum [/ip hotspot active find address $ipnum]
:if ([:len $unum] >0) do {
:local usr [/ip hotspot active get $unum user]
:log warning ($host . " " . $ipnum . " " . $usr)
#next line kick them out right now, could also check pppoe
/ip hotspot active remove $unum
#other stuff can do now with the identified IP and USER
}
}
}

================
hope it helps. it does in our case.
And sorry for the long post

cravetou · Thu Jun 05, 2008 10:33 am

to prevent hotspot hacking
use a wireless interface in the MT and uncheck the default forward in the wireless interface configuration
this will prevent client to communicate with each other

websawadee · Thu Jun 05, 2008 11:12 am

to prevent hotspot hacking
use a wireless interface in the MT and uncheck the default forward in the wireless interface configuration
this will prevent client to communicate with each other

I found that this still allows users to e.a. 'ping' each other thru the MT as a relay.
I use additionally a filter on the wlan-interface.
if user's address space is 172.20.x.x/16 (for example), I added filter dropping traffic
172.20.x.x/16 to 172.20.x.x/16 on wlan interface.
Just remember to exclude the IP of the router and/or default gateway

Alessio Garavano · Fri Jun 06, 2008 12:34 pm

Roland: I check my dhcp-server list an have more than 50 hostnames called "desktop" or "PC" or "pc" or "user" etc etc

I think the solution can be around the new "L2 Mesh Protocol" i am trying with excellents results, my network now is more stable and fast.

And i can see how this Layer 2 protocol know all hosts of the network and charge all hosts MACs of the network in /int mesh fdb table of each node of the net...

MT guys, can be this a possible future solution to wired and wireless network using this new protocol to prevent cloned MACs from different places?

This is my little grain of sand, I hope can help to invent a solution to this famous problem that we have crazy at all networks administrators

Best Regards!

AnRkey · Sat Nov 28, 2009 12:50 am

Found this clip showing how very simple and easy it is to get access to an MT hotspot without a login and pass.

http://www.youtube.com/watch?v=1WlfLCfdzlY

The whole point of a hotspot (to me any ways) is that it acts as a captive portal for client that can simply be connected to and used. By telling us to use WPA, WEP and other encryption you are simply missing the point.

MT dudes should just say it's not secure so we can stop wasting our time on this.

What work is being done to find a work-around for this issue? There must be some way... I'm sure that fixing the cookie/logout bug would solve this issue... would it not? Can't a cookie be wiped or even changed to show a logged out status? (problem solved if yes without uh's and buts)

After all, what good is a product that does not work as intended or is too easy to circumvent? For that matter what's the point of the login and password if it's that insecure, why not just ditch it? When I have a product that cant be fixed it get's retired... what are other vendors doing to get around this?

R

fewi · Sat Nov 28, 2009 1:08 am

That video shows absolutely nothing new (MAC address spoofing). MAC address spoofing is non-trivial to circumvent but several solutions and attempts are described in this thread.

The router has nothing to do with enforcing edge connections. From the router's point of view it's impossible to tell a spoofed MAC address connection from the legitimate connection. Cookies are an unsatisfactory workaround as it potentially excludes legitimate clients. This has absolutely nothing to do with Mikrotik's implementation, that's just how networks work.

Chupaka · Sat Nov 28, 2009 2:04 am

simply uncheck 'default forwarding' tick in Wifi properties? =)

p.s. they're using cracked version - have anybody saw WISP name?

fewi · Sat Nov 28, 2009 4:59 am

simply uncheck 'default forwarding' tick in Wifi properties? =)

Yes. Sorry, I should have been more explicit. To me that would count as configuring your edge to prevent this as it doesn't matter where the AP is. The Hotspot itself can't do this stuff for you, you have to prevent it wherever the client connects to the network (which admittedly definitely sometimes is the same device, but in an unrelated configuration section).

AnRkey · Sun Dec 06, 2009 8:13 pm

simply uncheck 'default forwarding' tick in Wifi properties? =)

p.s. they're using cracked version - have anybody saw WISP name?

Awesome, thanks this fixed my problem.

I did some tests and the "default forwarding" being off stops those kids dead in their tracks. Not one problem so far

I cant believe I forgot this on to begin with. When I saw your post I knew instantly how silly I had been by not seeing it straight away.

We pay per GB down here for our data through put on ADSL. So it hurts not knowing and/or forgetting this little secret. Not to mention that your hotspot clients can now reach/see each other too if default forwarding is not off! So getting hacked is part one of the story, part two is the hackers can also see your clients directly so if they are not protected they get smacked too. Just imagine on large installations what a big issue this one tick box can cause by forgetting to set it correctly!

R

ahang · Thu Jun 03, 2010 10:34 am

Hello guys

Don't bother yourself, Mikrotik is hackable in my Area the ISP using MikrotikRouter OS v4.9 and to access the internet there's HotSpot and PPPoE and they are using the extreme ways from hacking but it won't work, I can get user/password and its MAC and IP, Today the method of hacking become a lot no one can control hackers, and ultimate solution to prevent from hacking is to unplug you cable from LAN or disconnect your PC from network !!!

Thu Jun 03, 2010 10:37 am

PPPoE

if properly configured, I doubt you will be able to hack it. Admin usually is at fault

ahang · Thu Jun 03, 2010 10:41 am

if properly configured, I doubt you will be able to hack it. Admin usually is at fault

OK, what is the best secure way for users in Mikrotik ?

Thu Jun 03, 2010 10:46 am

1. Control the way people access your network. Is that a wired network? How did this person plug his cable into your network? make sure to limit his opportunities. Is that a wireless network? Use WPA

2. Use encrypted PPPoE on either type of network, don't use address on the interface where PPPoE is running, configure firewall to drop everything that is not supposed to be coming from the client.

3. restrict communication between connected devices either by a managed switch or by wireless access list

ahang · Thu Jun 03, 2010 11:16 am

1. Control the way people access your network. Is that a wired network? How did this person plug his cable into your network? make sure to limit his opportunities. Is that a wireless network? Use WPA

2. Use encrypted PPPoE on either type of network, don't use address on the interface where PPPoE is running, configure firewall to drop everything that is not supposed to be coming from the client.

3. restrict communication between connected devices either by a managed switch or by wireless access list

no no, I mean if you want prevent yourself from hacking u don't have to use the internet at all !!!

the Encrypted PPPoE is ms-chap md5 v1 and ms-chap md5 v2 these two encrypted way can be decrypt and it will take a time.

and tell me more about that managed switch ? you guys talking about that pretty much

any way the language of hacking is different if the Mikrotik have a good security and all these encrypted and MAC & IP spoofing and etc... but it cannot consider some hackers method.

I'm quiet sure that the Mikrotik have a very good security the beginner and amateur hackers can't do anything, some one can do it like in advance level I can say there is 5% of exploit in Mikrtotik so you shud be very skillful to advantage from this 5%

ether3al · Thu Jun 10, 2010 4:34 am

Sounds like there is a need for a WIPs system!

We use AirDefence with policy based termination (wired and wireless)

Who is online