
My work computer got hacked today.

Brian

I noticed a WordPad file on the desktop of the host computer titled "you should read this". It said roughly "thanks for the free inet access. You should probably tighten up your security and change your netgear router from the default password"

I thought it was kind of neat actually, glad it was a benign hacker though. Some guy maybe 1,000 miles away knows what piece of hardware we have nailed up in the supply closet.

What did he mean by "free inet access"? He must have access to hack in right?

We changed the password.

I want to put some stuff on my comp just to screw with anyone who hacks it. Like an entire 40 gig hard drive filled with nothing but thousands of identical copies of a .wav file of a sheep bleating.
 
Luckily, the majority of hackers are this benign sort. As for what the "free inet access" means, is it a wireless router? If so, then having the default password and no security on your wireless network means that he just got within range of your WAP, and used that to get out on the internet. If that's the case, then not only should you change your router's password (which you did), you should also change the wireless ID on both the router and your wireless cards and turn off broadcasting. Enabling WEP is another good idea.

Either way, make sure your local computers have their own firewalls (such as ZoneAlarm). Even with all of the above precautions, wireless networks are quite hackable and, moreso than the free internet access, you want to worry about these people getting access to your computer. When they connect wirelessly, they're on the same side of your router's firewall as you are so it won't offer any protection in such a case.
 
shanek said:
you should also change the wireless ID on both the router and your wireless cards and turn off broadcasting.


Changing the ID won't do any good. NetStumbler & Kismet (the two most popular war driving utilities) read the ID. And Windows XP will connect to the network if you tell it to, if you don't have WEP enabled.


Enabling WEP is another good idea.


Probably the best idea, if you must go with wireless. But if there is a hacker that lives in the area then he's going to use Airsnort to find the encryption. (Um...from what I hear....yeah, that's it...)


Either way, make sure your local computers have their own firewalls (such as ZoneAlarm).




If you're on a Windows network you'll have ZoneAlarm set up to allow NetBIOS, so using ZoneAlarm won't help much, I fear.




Even with all of the above precautions, wireless networks are quite hackable and, moreso than the free internet access, you want to worry about these people getting access to your computer. When they connect wirelessly, they're on the same side of your router's firewall as you are so it won't offer any protection in such a case.


Best bet is to toss the wireless router, or use RADIUS if you must use wireless. As soon as they get past your firewall and onto your network proper all bets are off.
 
Jesus. How close did this guy have to be to the building? Was he roaming around the neighborhood with a pringles can?

Thanks for the info, it is wireless. I'll pass this on to our IT guy.
 
Jeez Brian, tell him if the hardware was powered up longer than ten minutes with the factory password… well, put it this way, I think I've still got a file around with the default passwords for a couple hundred routers/hubs. It's easy to find.

And Shanek… I guess you never went back into D_B's 'hacker' thread. I left an offer there for you. :p
 
ShowMe said:
Changing the ID won't do any good. NetStumbler & Kismet (the two most popular war driving utilities) read the ID.

They can only read it if you're broadcasting it. You'll notice I told him to turn off broadcasting. And without broadcasting, they'll just try the default ID and get in anyway unless you changed that.

Now, they could still get the ID when you transmit something on the line, which is where WEP comes in. WEP is hackable, but it takes a bit of time.

If you're on a Windows network you'll have ZoneAlarm set up to allow NetBIOS, so using ZoneAlarm won't help much, I fear.

No, ZoneAlarm will pretty much nix any incoming connections unless you have a piece of software running that you've explicitly told it to be a server. NetBIOS just gives you computer names. It doesn't really get you into anything. The connection happens at a different layer.
 
Brian said:
Jesus. How close did this guy have to be to the building?

Depending on a lot of stuff: the materials in your building, the location of the WAP, the strength of the transceivers, etc., usually you can connect to a wireless network by getting within about 200 feet.
 
In the UK it's called War Chalking from the fact that people used to (and still do) leave markings to indicate good places to use somebody else's wireless network.

I worry about the legal implications, people are convicted of wrongdoing purely by tracing things back to their source. If someone is using your wireless network for illegal purposes then there is a risk you could be convicted of something you didn't do.

Wireless has its uses but IMO if you can use cables easily then do so, they are quicker and obviously more secure. I've looked at wireless myself but due to it being much slower and the reduced security and the fact that what I use now works anyway.. well I couldn't justify it (It would be nice for my laptop.. but that's the point it's just nice and not a requirement). Yes wireless does have its place but I've seen a few networks where I just think to myself .. WHY?

AX
 
shanek said:

And without broadcasting, they'll just try the default ID and get in anyway unless you changed that.



Missed the "turn off broadcasting" aspect. Sorry about that.

No, ZoneAlarm will pretty much nix any incoming connections unless you have a piece of software running that you've explicitly told it to be a server. NetBIOS just gives you computer names. It doesn't really get you into anything. The connection happens at a different layer.

If you have port 135 (NetBIOS) open, then you're vulnerable.

If someone takes the time to configure ZoneAlarm correctly it's certainly going to keep out the riff raff. Cripes, a decent password, a good firewall and a virus scanner are going to prevent 99% of the problems.

Just for giggles I think I'll load up ZA on my test network and see what type of enumeration I can get, once I'm on the network proper.
 
ShowMe said:
If you have port 135 (NetBIOS) open, then you're vulnerable.

But ZoneAlarm by default doesn't allow port 135 traffic over untrusted networks; so unless you've deliberately set up your local wireless network as a trusted network they won't be able to get in through it. And you'd still need the IP address anyway, which is the point.
 
shanek said:

But ZoneAlarm by default doesn't allow port 135 traffic over untrusted networks; so unless you've deliberately set up your local wireless network as a trusted network they won't be able to get in through it. And you'd still need the IP address anyway, which is the point.

Which was my point. ZA doesn't have a way to set up ports (that I know), it goes by IP address. And in Windows you don't need the IP address if you have the computer name, you can just check an administrative share via the run command.


If it's on a server it's going to be interesting trying to configure to allow it to work. From a workstation it may not be too bad, though I would suspect the system administrator would have something to say about it. Especially if the virus updates can't be pushed down to the system.
 
ShowMe said:
Which was my point. ZA doesn't have a way to set up ports (that I know), it goes by IP address.

No, it goes by programs. As long as you haven't told the program to run as a server, that port is blocked. Allowing a program to run as a server opens whatever port(s) that program needs.

And in Windows you don't need the IP address if you have the computer name, you can just check an administrative share via the run command.

But that's not NetBIOS; that's file and print sharing.
 
Brian said:
Jesus. How close did this guy have to be to the building? Was he roaming around the neighborhood with a pringles can?

Thanks for the info, it is wireless. I'll pass this on to our IT guy.

You have an IT guy? It's time to get a new IT guy if he was paid to set up your wireless router.

I would also make sure you don't have a VNC server running on your computer. The hacker could have installed it, set it to run silently, and then set up your router to forward some ports to your computer.
 
shanek said:
No, it goes by programs. As long as you haven't told the program to run as a server, that port is blocked. Allowing a program to run as a server opens whatever port(s) that program needs.


It goes by both, actually. You set up a "Trusted Network" via IP numbers, either a range or a single IP number.

But that's not NetBIOS; that's file and print sharing.

Some hacking 101:

NetBIOS is set up on ports 137 (name) and 139 (session). I did mention port 135 in an earlier post, this was incorrect.

If port 139 is open (ie, you've set up your network as a "trusted network") then you can set up a null session. This null session can be used to gather a wealth of information.

If port 137 is accessible then you can enumerate the netbios rather easily using the net view command.

So...if you're on a network that is listed as "trusted" (by gaining access to a wireless router with default passwords, for instance) you can find out a machine name without any special hacking tools. And if it's a Windows 2000 machine that has been set up so that the machine Administrator account (not the domain Administrator account...two different things there) doesn't have a password all the hacker has to do from his machine is run the command

\\machinename\c$

And input Administrator as the name, with no password....and s/he has access to your C$ drive. To the point where they can put a nice little message on your desktop.

On Windows 2000 it's pretty easy to set up a defense against this, but most folks don't even know it's a problem. You can set "Restrict Anonymous", but if it's set too high then you run into 3rd party connectivity problems, or major connection problems if you're in a mixed environment (see Microsoft article Q143474, or read the RFCs 1001 and 1002 for more details).

Honestly, I think we're both saying much the same thing. My point is that setting up a personal firewall on an internal network is going to cause problems; chances are good your System Administrators are going to be pretty ticked off if you add one & it's not set up correctly. If you set it up so that your network is a trusted network, and someone gets into your network, it won't do you much good.

The major problem here is that a System Administrator added a wireless network with essentially zero protection. Any firewalls or protections they had were useless, and immediately compromised. Adding a personal firewall may have helped, but it would have had to have been set up in such a way that it allowed Windows communication with systems that were "known", and rejected those that were "unknown".

A strong password, and Restrict Anonymous would have done this far more effectively than a personal firewall.
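
The point argued in the last post, that a personal firewall whose trusted zone covers the wireless address range stops protecting a machine once someone joins the wireless network, can be checked mechanically. The following is an added example, not part of the thread or of any poster's message: the host record, machine name and address ranges are constructed, and the three checks model the conditions described in the post above (trusted-zone coverage, Restrict Anonymous, blank local Administrator password).

```python
import ipaddress

# Constructed sample data (not from the thread): one workstation's settings.
HOST = {
    "name": "FRONTDESK",                      # hypothetical machine name
    "trusted_zone": ["192.168.0.1-192.168.0.254", "10.1.1.5"],  # range or single IP
    "restrict_anonymous": 0,                  # 0 = anonymous enumeration allowed
    "local_admin_blank_password": True,
}
WIRELESS_POOL = "192.168.0.100-192.168.0.150"  # addresses the access point hands out

def parse_range(text):
    """Turn 'a-b' or a single IP into an inclusive (first, last) integer pair."""
    first, _, last = text.partition("-")
    lo = int(ipaddress.IPv4Address(first.strip()))
    hi = int(ipaddress.IPv4Address((last or first).strip()))
    if hi < lo:
        raise ValueError(f"range runs backwards: {text}")
    return lo, hi

def trusted_wireless_addresses(trusted_zone, wireless_pool):
    """Count wireless-pool addresses that fall inside any trusted-zone entry."""
    w_lo, w_hi = parse_range(wireless_pool)
    covered = set()
    for entry in trusted_zone:
        t_lo, t_hi = parse_range(entry)
        lo, hi = max(w_lo, t_lo), min(w_hi, t_hi)
        covered.update(range(lo, hi + 1))     # empty when the ranges do not overlap
    return len(covered)

def audit(host, wireless_pool):
    """Return one finding per condition from the post that holds for this host."""
    findings = []
    n = trusted_wireless_addresses(host["trusted_zone"], wireless_pool)
    if n:
        findings.append(f"{n} wireless addresses are in the trusted zone: "
                        "ports 137/139 are reachable from any wireless client")
    if host["restrict_anonymous"] == 0:
        findings.append("Restrict Anonymous is off: null sessions can enumerate the host")
    if host["local_admin_blank_password"]:
        findings.append("local Administrator has no password: C$ is open to the network")
    return findings

if __name__ == "__main__":
    for line in audit(HOST, WIRELESS_POOL):
        print(f"{HOST['name']}: {line}")
```
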
 
