Hack 68. Protect Your Home WiFi Network
The bad guys don't just target corporate networks. If you have a WiFi network at home, intruders are after you as well. Here's how to keep your network and all your PCs safe.
Your home WiFi network is an open invitation to intruders. It's like leaving your front door wide open and putting a sign out front saying, "Come in and take anything you want."
That's because WiFi broadcasting doesn't stop at your front door, or even the walls of your house or apartment. It leaks out through them. Anyone with a WiFi-connected device passing by can detect the signal and easily connect to your network [Hack #65]. And once they've connected, they can do much more than just steal your bandwidth; if you've enabled folder-sharing on any PCs, they can get at your personal information and files, delete files, and wreak a lot more havoc than that.
But there's a lot you can do to keep out intruders and protect your network and PCs. First, make sure you use encryption on your network [Hack #69]. If you've set up PCs on your network for sharing folders, you can require anyone who tries to get into those folders to have a password. Open Windows Explorer, right-click each folder on which you've enabled sharing, choose Properties, and click the Sharing tab. (This works in XP Professional only.)
But that's just the basics. There's a lot more you need to do. No single hack will keep your network protected, so you should use all of what follows.
7.5.1. Stop Broadcasting Your Network's SSID
Your service set identifier (SSID) is your network's name, and if people know what your SSID is, it's easier for them to find your network and connect to it. Your router broadcasts its SSID, and that broadcast tells passersby there's a network there. It also gives out the name, which makes it easier to connect to.
So, if you turn off SSID broadcasting, you'll go a long way toward protecting your network. But doing that, by itself, won't necessarily solve the problem. Even if you stop broadcasting your network's name, people might still be able to connect to your network. That's because manufacturers generally ship their wireless routers with the same generic SSID; for example, Linksys routers all have the SSID "Linksys" by default. So, even if you stop broadcasting your SSID, intruders can easily guess your router's name and log on.
The answer? First change your SSID's name, and then hide it. That way, passersby won't see it, and they won't be able to guess it either. How you do this varies from manufacturer to manufacturer, and even from model to model from the same manufacturer. But for many models of Linksys routers, here's what to do.
To change your SSID name and stop broadcasting it, log in to the setup screen by opening your browser and going to http://192.168.1.1. When the login screen appears, leave the username blank. In the password section type admin, and then press Enter.
Click the Wireless tab and look for the Wireless Network Name (SSID) box. Enter the new name of your network. On the same screen, scroll down to SSID Broadcast and choose Disabled, as shown in Figure 7-7. Then, click Save Settings. If you are doing this from a wireless PC, you will immediately lose your connection to the access point and the Internet.
Figure 7-7. Changing your SSID name from the default
After you change your network name, reconnect each WiFi computer to the network, using the new network name. To reconnect in Windows XP SP2, right-click the small wireless icon in the Windows system tray. From the screen that appears, click Change Advanced Settings, and then click the Wireless Networks tab. Click the Add button in the Preferred Network section, type the network name, click OK, and then OK again. In installations of Windows XP prior to SP2, click the small wireless network icon in the Windows system tray and select the Wireless Networks tab. Click the Add button, type in the network name, click OK, and then OK again.
While you're at the Wireless screen, there's something else you can do to help keep your network invisible to outsiders. You should regularly change the channel over which your router transmits. That way, if someone has tapped into it before, she won't know on which channel it's now broadcasting. Choose a new wireless channel from the Wireless Channel drop-down list, and then click Save Settings.
7.5.2. Limit the Number of IP Addresses on Your Network
Your wireless router uses DHCP to hand out network addresses to each PC on your network. So, another way to stop intruders from hopping onto your network is to limit the number of IP addresses it hands out to the number of computers you actually have. That way, no one else will be able to get an IP address from your network's DHCP server because your PCs will use up all the available IP addresses.
Your router's built-in DHCP server hands out IP addresses whenever a computer needs to use the network, and the router lets you set the maximum number of IP addresses it hands out. To limit the number on a Linksys router, go to the Setup screen and scroll to the bottom. In the Number of Address box, type the number of computers that will use your network and click Save Settings, as shown in Figure 7-8. If you add another computer to your network, make sure you go back to the screen and increase the number of DHCP users by one.
Figure 7-8. Limiting the number of IP addresses your DHCP server hands out
If you use this technique, you'll also have to change the number of IP addresses your router hands out if you turn off one of your PCs or take it away from the network. For example, if you take a laptop with you on the road, remember to change the number of IP addresses your router hands out and decrease the number by one.
7.5.3. Check and Filter MAC Addresses
The simplest way to check if you have an intruder is to see a list of every PC on your network. If you see an unfamiliar PC, it means you have an intruder.
To see all the computers currently on your network and their MAC addresses, log on to the router, click Status, and then click Local Network. Click the DHCP Client Table button, and you'll see a list of all the PCs on your network, their IP addresses, and their MAC addresses, as shown in Figure 7-9. If you see an unfamiliar computer listed there, you have an intruder. To kick the intruder off the network, check the box next to its listing and click Delete.
Figure 7-9. Checking to see whether any intruders have made it onto your wireless network
That will only temporarily solve the problem, though. The intruder can simply reconnect to your network and get a new IP address. You can, however, permanently ban any specific PC from ever connecting.
When you see an intruder, write down his MAC address. Then click Security, and from the screen that appears click Edit MAC Filter Setting. From the MAC Address Control Table that appears, type the MAC address onto a line and click Apply. The PC with that MAC address will now be permanently banned from your network.
For even more security, you can allow only PCs with certain MAC addresses onto your network: just those you want to let in. How you do this varies from router to router, but on a Linksys, from the main setup screen choose Wireless → Wireless Network Access to get to the Wireless Network Access screen. Select Restrict Access. Scroll to the bottom of the screen and click Wireless Client MAC List. You'll see a list of every wireless PC on your network, including their MAC addresses. Check the Enable MAC Filter box for each computer and click Save. You'll be sent back to the Wireless Network Access screen, and the MAC addresses of each PC will be put in a box next to MAC 01, MAC 02, and so on. Click Save Settings. Now, only computers you specify will be allowed onto your network.
If you want to allow a new computer with a different MAC address onto your network, you need to add that MAC address. To find out the computer's network adapter's MAC address, at a command prompt type ipconfig /all and press Enter. The screen will display information. Look for the numbers next to Physical Address, such as 00-08-A1-00-9F-32. That's the MAC address. Copy that number into a MAC box on the Wireless Network Access screen, and that computer will be allowed to connect to your network. When you copy the number, don't include the hyphens.
7.5.4. Check Your Router Logs and Traffic
Your router keeps logs that track all the activity on your network. So, if you regularly check those logs, you can find out whether you've been targeted, or whether an intruder has made his way onto your network.
How you check the logs varies from router to router. But on many Linksys routers, you can examine both your incoming and outgoing logs. Log on to the router, click Administration, and then click Log. You'll see two buttons: Incoming Log and Outgoing Log.
Click Incoming Log to display a screen that shows the most recent inbound traffic, including the source IP where the traffic is coming from and the destination port number on a PC on your network. It's tough to decipher this screen, and there's not much immediately useful information here. Much more useful is the Outgoing Log, which shows all outbound traffic. It shows the LAN IP address of each piece of originating traffic, as well as the destination and the port number used. If you see unfamiliar destinations and LAN IP addresses, you have an intruder.
These two screens provide only a current snapshot of your network use, and they don't provide immediately useful information. But there's downloadable software that examines your router logs in much more detail and can give you a great deal of useful information, including whether you're under attack, where the attack is coming from, the type of attack you're under, and similar information.
The best of the bunch is shareware, rather than freeware. Link Logger (http://www.linklogger.com) works with routers from Linksys, Netgear, and ZyXEL. When you run it, it automatically gathers information from your router logs, monitors your network, reports on what exploits and weaknesses are being targeted, and provides a wide range of reports and graphs. If you do find you're being attacked, it will list the attacker's IP address and computer name and identify the ports on his PC where the attack is coming from, as well as the IP address, computer names, and ports on your network being attacked, as shown in Figure 7-10. It will also specifically identify the type of attack.
Figure 7-10. The Link Logger Reports screen
So, for example, you can create a report, like the one shown in Figure 7-10, which lists for you all the attacks and alerts over a given period of time and includes a breakdown of the number of each type of attack.
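The manual checks described in 7.5.3 and 7.5.4 (reading the DHCP Client Table and the Outgoing Log for unfamiliar entries) can also be scripted. The following is an added example, not part of the original hack or of Link Logger: it assumes you have copied both router screens into plain text in the column order shown, and every name, address, and log row in it is constructed for illustration.

```python
import re

def key(mac):
    """Reduce 00-08-A1-..., 00:08:a1:... or 0008A1... to 12 lowercase hex digits."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

# Constructed inventory: MAC addresses read from `ipconfig /all` on your own PCs.
KNOWN = {key("00-08-A1-00-9F-32"): "desktop", key("00-11-22-33-44-55"): "laptop"}

# Constructed sample copied from the DHCP Client Table: name, IP address, MAC.
DHCP_TABLE = """\
desktop  192.168.1.100  00:08:A1:00:9F:32
laptop   192.168.1.101  00:11:22:33:44:55
ws-7     192.168.1.102  02:AA:BB:CC:DD:EE
"""

# Constructed sample copied from the Outgoing Log: LAN IP, destination, port.
OUTGOING_LOG = """\
192.168.1.100  203.0.113.10  80
192.168.1.102  198.51.100.7  25
192.168.1.150  198.51.100.7  6667
192.168.1.150  203.0.113.99  6667
"""

def audit(dhcp_text, log_text, known):
    """Return (unknown_leases, unexplained_sources) for the two router screens."""
    leases, unknown_leases = {}, []
    for line in filter(str.strip, dhcp_text.splitlines()):
        name, ip, mac = line.split()
        leases[ip] = key(mac)
        if leases[ip] not in known:
            unknown_leases.append((name, ip, mac))
    unexplained = {}
    for line in filter(str.strip, log_text.splitlines()):
        lan_ip, dest, port = line.split()
        if lan_ip not in leases:
            reason = "no entry in DHCP client table"
        elif leases[lan_ip] not in known:
            reason = "lease held by a MAC not in the inventory"
        else:
            continue  # traffic from one of your own PCs
        entry = unexplained.setdefault(lan_ip, {"reason": reason, "dests": []})
        entry["dests"].append(f"{dest}:{port}")
    return unknown_leases, unexplained

if __name__ == "__main__":
    leases, sources = audit(DHCP_TABLE, OUTGOING_LOG, KNOWN)
    for row in leases:
        print("unknown lease:", *row)
    for ip, info in sources.items():
        print(ip, "-", info["reason"], "->", ", ".join(info["dests"]))
```

Cross-checking the two screens catches a LAN address that sends traffic without appearing in the DHCP Client Table, which a review of the client table alone would miss. A MAC that matches the inventory is weaker evidence than one that does not, because the address is reported by the client itself.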
7.5.5. Get Back at the Attacker
You can also use Link Logger to try to get back at your attackers, by asking that their ISPs investigate them and possibly take action against them. First you need to find out the attacker's ISP. Then, send an email to the ISP and include the log files in the message.
On the Link Logger main screen, scroll until you find an attack or group of attacks from the same person, as shown in Figure 7-11. (Each attack will have an icon of a skull and crossbones next to it.) Do a Whois search, which will match the IP address with its ISP. Then, do an ARIN Whois Database Search at http://network-tools.com by typing the IP address into the box near the bottom of the screen and pressing Enter.
Figure 7-11. Using Link Logger to find out the IP address and other information identifying an attacker
You'll see the name and contact information for the ISP, as shown in Figure 7-12.
Figure 7-12. Using this site to find out the attacker's ISP and to send the ISP an email, including the Link Logger log
Most of the time, it will also include an email address for the person you should contact if you discover you've been attacked by someone who uses the ISP. Often, it's an address such as email@example.com. (This is the address that would appear if the attacker uses the Comcast ISP.)
Now that you have the right email address, you need to send an email to it and paste log information into the email. Right-click the listing or group of listings that originated the attack and choose Copy. That will copy the log information to the Windows Clipboard. Paste the information into an email, and send it to the ISP of the attacker.
7.5.6. Hacking the Hack
Despite all your precautions, there's a chance that someone has broken into your network, or at least uncovered information about it. People who go war-driving [Hack #65] often tell the whole world about unprotected WiFi networks they've found. So, there's a chance that information about your network is listed on a publicly available web site, for all the world to see. If so, someone can use that information to try to get into your network.
First, you need to find out the MAC address of your router. It's often listed on one of your router's screens, but if you don't know it, it's easy to find. To find it, first go to the command line and ping your router's IP address. You'll find the IP address in your router documentation. For a Linksys router, the IP address is 192.168.1.1. So, for a Linksys router, at the command line type the following and press Enter:
Strictly speaking, you don't need to ping the router. But it's a good idea to do it because when you ping it, the router's MAC address information will be put into your PC's Address Resolution Protocol (ARP) cache. Then it's easy to grab the information out of the cache.
After you ping your router, stay at the command prompt, issue the following command, and press Enter:
A screen like the one shown in Figure 7-13 will appear. Your MAC address will be listed directly under Physical Address.
Figure 7-13. Finding out your router's MAC address
Now that you know your router's MAC address, you can see whether information about your router is posted on a public web site. Go to http://www.wigle.net. Click the Search link on the lefthand side of the screen. You'll have to register at the site, but it's free, so before you search for your MAC address, fill out the registration information.
Once you've registered, log in, and the screen shown in Figure 7-14 appears. In the BSSID or MAC box, type in the MAC address of your router, making sure to put colons between the numbers, instead of the hyphens that arp shows you. For example, you would type in a MAC address like this:
Figure 7-14. Checking the WiGLE web site to see whether a wireless network has been "outed"
Click Query. If a blank screen comes up, information about your network hasn't been posted to the site. But if your network is there, there will be a great deal of information about it, including its SSID, the channel it is broadcasting on, and other identifying information.
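The lookup and retyping steps above, and the hyphen-free form that 7.5.3 asks for in the MAC filter boxes, are easy to get wrong by hand. The following is an added example, not code from the original hack: it reads the text printed by the Windows arp -a command after a ping of the router and produces both forms. The sample output and MAC addresses are constructed, and the function names are this example's own.

```python
import re

# Constructed sample of what `arp -a` prints after `ping 192.168.1.1`.
ARP_OUTPUT = """\

Interface: 192.168.1.100 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-aa-bb-cc-dd-ee     dynamic
  192.168.1.101         00-11-22-33-44-55     dynamic
"""

# One table row: IP address, hyphenated Physical Address, entry type.
ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9A-Fa-f]{2}-){5}[0-9A-Fa-f]{2})\s+(\w+)\s*$"
)

def arp_lookup(arp_text, ip):
    """Return the Physical Address listed for ip, or None if it is not cached."""
    for line in arp_text.splitlines():
        m = ROW.match(line)
        if m and m.group(1) == ip:
            return m.group(2)
    return None  # not in the ARP cache: ping the address first, then rerun arp -a

def mac_octets(mac):
    """Split a MAC written with hyphens, colons, dots or nothing into six octets."""
    digits = re.sub(r"[-:.\s]", "", mac)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    # Upper-cased only so that both output forms are consistent.
    return [digits[i:i + 2].upper() for i in range(0, 12, 2)]

def for_wigle(mac):
    """Colon-separated form for the BSSID or MAC search box."""
    return ":".join(mac_octets(mac))

def for_mac_filter(mac):
    """Form without hyphens for the router's MAC filter boxes (7.5.3)."""
    return "".join(mac_octets(mac))

if __name__ == "__main__":
    router = arp_lookup(ARP_OUTPUT, "192.168.1.1")
    print(router, "->", for_wigle(router), "and", for_mac_filter(router))
```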
If your network is found, you should take quick action. Use the techniques in this hack and also turn on wireless encryption [Hack #69] .
7.5.7. See Also