geekhack Community => Other Geeky Stuff => Topic started by: cheeseds on Fri, 28 January 2011, 16:43:47
-
In my computer science class the network was acting up and being slow and whatnot; being a competent geek, I immediately started snooping, trying to find out what was causing it. Lo and behold, the network was being ARP poisoned (http://www.watchguard.com/infocenter/editorial/135324.asp) by someone in that classroom (every room has its own router). After a quick visual scan of all the laptops in the room (I sit in the back of the room, paranoid like that I guess), it turns out the guy IN FRONT of me was doing a man-in-the-middle attack (http://en.wikipedia.org/wiki/Man-in-the-middle_attack)! A challenger approaches! I quickly type in a number of off-the-cuff websites and they all appear on his screen. Now the fun starts: I start up a packet sniffer and start logging data on what this guy is doing. After about 5 minutes of logging data I type in my address bar "I know what you're doing". The guy freaks the **** out, shuts down his laptop and sits there the rest of the time, eyes forward.
Now is where the quandary comes in: I happen to know this guy is all buddy-buddy with some of the ITS department guys. I fear that if I approach ITS with this information they will either say I falsified the logs (they're only text files, for God's sake) or, worse, they kick ME out of school for using a packet sniffer.
Here is the plan I have come up with: send the logs straight to the ITS department head, comp sci head, dean of students, etc. etc. I'm doing this because he is intercepting and reading all the traffic from 30 to 150 people depending on what class he is in, not to mention any traffic he gets in the dorms. I doubt he got anything important; most people just Facebook in there anyway, but it's the spirit of the thing that's wrong.
Other novel ways of going about this have been discussed, including but not limited to: next class, or the next time he does it, raising my hand and asking the prof "how do we know if someone is ARP poisoning us RIGHT NOW"; tapping him on the shoulder and saying "those be my packets, you can't have them"; or a variant of the previous, jumping up and screaming "HE IS TAKING ALL YOUR PASSWORDS"; or, my personal favorite, hitting him with a shoe... hard.
Any other novel (or serious) suggestions for handling this problem would be nice.
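The symptom the original poster noticed (one laptop answering ARP for the gateway and for classmates' addresses) is something a defender can check for mechanically rather than by eyeballing screens. The following is an added example, not code from the thread or from any poster: it parses a constructed, tcpdump-style log of ARP replies (the sample lines, addresses and MACs are made up) and flags the three classic ARP-poisoning indicators: the gateway IP being claimed by a MAC other than the known one, one IP claimed by several MACs, and one MAC claiming many IPs. The log format, the gateway address and the threshold are assumptions for the example.

```python
"""Flag ARP-poisoning indicators in a log of observed ARP replies (added example)."""
import re
from collections import defaultdict

# Constructed sample log, one ARP reply per line in a tcpdump-like
# "<time> ARP, Reply <ip> is-at <mac>" shape. Not a real capture: the
# host at ...:57 first answers for itself, then starts answering for the
# gateway (10.0.0.1) and for two other peers, which is what a
# man-in-the-middle poisoner looks like on the wire.
SAMPLE_ARP_LOG = """\
16:40:01.001 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:01
16:40:02.310 ARP, Reply 10.0.0.23 is-at 00:11:22:33:44:23
16:40:03.770 ARP, Reply 10.0.0.57 is-at 00:11:22:33:44:57
16:40:10.002 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:57
16:40:10.004 ARP, Reply 10.0.0.23 is-at 00:11:22:33:44:57
16:40:10.006 ARP, Reply 10.0.0.42 is-at 00:11:22:33:44:57
16:40:12.000 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:57
"""

ARP_REPLY_RE = re.compile(
    r"^(?P<ts>\S+)\s+ARP,\s+Reply\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+is-at\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def parse_arp_log(text):
    """Yield (timestamp, ip, mac) for every ARP reply line; other lines are skipped."""
    for line in text.splitlines():
        m = ARP_REPLY_RE.match(line)
        if m:
            yield m.group("ts"), m.group("ip"), m.group("mac").lower()


def analyze_arp(replies, gateway_ip, gateway_mac=None, impersonation_threshold=3):
    """Return findings as (kind, subject, detail) tuples.

    gateway_mac is the known-good MAC of the gateway (assumed to be recorded
    beforehand, e.g. from the router label or a clean baseline).  A single
    IP/MAC conflict can be benign (DHCP reuse, replaced NIC); one MAC claiming
    the gateway plus several peers at once is the strong signal.
    """
    ip_to_macs = defaultdict(dict)   # ip -> {mac: first time seen}
    mac_to_ips = defaultdict(set)    # mac -> set of IPs it has claimed
    findings = []

    for ts, ip, mac in replies:
        first_time = mac not in ip_to_macs[ip]
        ip_to_macs[ip].setdefault(mac, ts)
        mac_to_ips[mac].add(ip)
        # Report a gateway impersonation once per offending MAC, not per packet.
        if first_time and ip == gateway_ip and gateway_mac and mac != gateway_mac.lower():
            findings.append(("gateway_mac_mismatch", mac,
                             f"{ts}: {ip} claimed by {mac}, expected {gateway_mac.lower()}"))

    for ip, macs in ip_to_macs.items():
        if len(macs) > 1:
            findings.append(("ip_mac_conflict", ip,
                             f"{ip} claimed by {len(macs)} MACs: {sorted(macs)}"))

    for mac, ips in mac_to_ips.items():
        if len(ips) >= impersonation_threshold:
            findings.append(("mac_claims_many_ips", mac,
                             f"{mac} answers for {len(ips)} IPs: {sorted(ips)}"))

    return findings


if __name__ == "__main__":
    # Gateway address and baseline MAC are assumptions for the sample network.
    for kind, subject, detail in analyze_arp(parse_arp_log(SAMPLE_ARP_LOG),
                                             gateway_ip="10.0.0.1",
                                             gateway_mac="00:11:22:33:44:01"):
        print(f"[{kind}] {subject}: {detail}")
```

On a real network you would feed this the ARP replies from a capture taken in monitor or promiscuous mode and seed `gateway_mac` from a baseline recorded when the network was known to be clean; the `ip_mac_conflict` finding on its own is noisy on DHCP networks, which is why the gateway mismatch and the one-MAC-many-IPs findings are the ones worth escalating to whoever runs the network.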
-
Can you capture your screen while you catch him in the act and mail it out anonymously?
Failing that, an icepick and a hearty battle cry works.
-
How about:
Plant some information that he'd be eager to tell his IT buddies about... and make sure he sniffs it. The information should be such that when he reveals it to his buddies, it will incriminate him.
Perhaps an anonymous tip to the IT department ahead of time will also help.
Beware, it sounds like he already knows your MAC address :-/
-
Set up an anonymous honeypot. Catch him trying to log in with a password he gets from the MITM. When he logs in, show the time/date/MAC/IP of his machine. And/or give the logs of the honeypot to ITS. Orrrrrr, start up a Nessus box and do some educational research.
-
Failing that, an icepick and a hearty battle cry works.
THERE CAN ONLY BE ONE HIGHLANDER! *icepick to computer*
Set up an anonymous honeypot. Catch him trying to log in with a password he gets from the MITM. When he logs in, show the time/date/MAC/IP of his machine. And/or give the logs of the honeypot to ITS. Orrrrrr, start up a Nessus box and do some educational research.
That's a great idea; the only problem is I don't think he is stupid enough to try it again in that class.
-
Depending on how large this school is, you may well find those people tasked with investigating such incidents are not the same as those who polish the keyboards in the labs. And the relevant people are pretty unlikely to be "buddies" with students and eager to get to work with the soldering iron and pliers (not really - the soldering iron and pliers in my bottom drawer are just for show).
Besides which, just because this guy is friendly with the support technicians doesn't mean they're friendly with him. The professional way of dealing with an obsequious little **** ... sorry, I meant customer, is to smile and grit your teeth.
-
I think that you should get someone you know and trust to verify your evidence logs to see that they are complete and cannot be refuted. Not only must you be 100% sure about your evidence when you present it, you must be able to present it to the tech staff so that they will be 100% convinced. Presenting it to your friend will also be an exercise so that you will be prepared for the presentation to the tech staff. Preferably, your friend should be someone who is super-anal and super-righteous.
-
Depending on your school, you might want to talk to a prof about it, and let them handle it.
I know at both my undergrad (Xavier), and my current school (IU), things like this gained more traction if a prof brought it forward to the relevant authorities.
And if you pick the prof in your department who teaches networking, it would go a long way to convincing the ITS folks that this isn't made up. If nothing else, said professor would be able to help you verify your evidence.
-
Failing that, an icepick and a hearty battle cry works.
FOR REDMOOOOOOND!!!!
Alternatively,
FOR OPEN SOURCE SOFTWARE LICENSED UNDER GPL!!!!!
-
This isn't a moral quandary. A moral quandary is a situation in which you have to choose between two rights or two wrongs; this is a situation where the right decision is clear, but you're not sure how to implement that decision.
Just sayin...
-
At this point you don't know where this guy falls: if he's trying to steal serious information, and could wind up in jail for it, or is just messing around, or is trying to protect the class himself. If it's the worst case and he's actually looking for stuff like bank account information to steal from people, you might not want to expose yourself at all.... On the other hand, if people are able to track logs of server activity, or are watching the activity on the server themselves, you could be in a bad spot yourself...
You might consider going to, or at least calling the real police about it if you think you won't get a fair hearing from campus police.
I'd be sort of wary of the situation at this point...
I think it's important that you do think over the situation, maybe try to watch the guy to see if he tries it again, or stops.
Stealing someone's passwords isn't illegal or wrong in my mind, let alone using the tools that allow you to. Security testers use those tools to do penetration testing on networks, and that's exactly what you did, and him as well really at this point. Their actions aren't illegal. To be a good network security person you have to be knowledgeable and be able to use the tools and security methods that the hackers use to be sure you're safe. It would take someone who doesn't know anything about the subject to react against you for ferreting the guy out.
I don't see the problem with coming forward if you think this guy isn't doing anything serious. I think this depends also on where you live and what the laws on this sort of thing might be. But normally it's what he might do with them that is illegal. You might do some research on exactly what is illegal in your area. In the end though you don't have any evidence that he's doing anything other than being a white hat at this point and trying to point out the insecurity himself. You need to find out that he's actually logging into other people's accounts and damaging them somehow. He might just be looking for a way to cheat in class or something, which would be a concern for a teacher.
Man-in-the-middle attacks are script kiddie stuff that practically anyone can perform, and everyone using a wireless device should be aware of it. It's why you'd never find me logging into my email or anything important in a crowded wi-fi hotspot. YouTube is full of how-tos for this type of attack. He might just be playing around to see what is possible at this point, which is no big deal.
One option might be to go to him and tell him that he should turn himself in to the teacher, and/or come forward himself that people need to be more mindful of security in the class, and that more than likely everyone's passwords in the class have been stolen, or you will. Or you can maybe do it anonymously somehow as well.
If people have money being stolen from their bank accounts, or something really serious, that way you can limit your involvement.
You might find this page interesting. This is as of 2005, and I can't find anything newer that says it's illegal.
http://www.packetsniffers.org/bitbucket/legality_of_wardriving.htm
Concerning packet sniffers, " My philosophy: they are bombarding you with 2.4GHz radiation, if you choose to collect it with an antenna and decode the modulation, it's your own business."
Edit: After considering what you said, that he's friends with the IT department, my feeling is that he's probably a white hat, and I'd ignore it unless you see him trying it again, or find out that someone in the class's bank account suddenly got emptied, or he gets nailed for plagiarism or something.
The fact that he was visibly slowing down the network shows that he's fairly inexperienced and doesn't really know how to cover his tracks well. He might get caught on his own. If you noticed it, hopefully someone else in IT will as well. The situation might sort itself out.
-
Also consider that you scared him ****less when you announced you knew what he was up to. You didn't say who you were. He might not pull this again.
-
Other novel ways of going about this have been discussed, including but not limited to: next class, or the next time he does it, raising my hand and asking the prof "how do we know if someone is ARP poisoning us RIGHT NOW"; tapping him on the shoulder and saying "those be my packets, you can't have them"; or a variant of the previous, jumping up and screaming "HE IS TAKING ALL YOUR PASSWORDS"; or, my personal favorite, hitting him with a shoe... hard.
I only wanted to mention that this is serious business in India. Really. I could tell you a story or two. *wink*