Tuesday, October 3, 2023
Asked Saturday, June 12, 2021, 11:42:52 / answers: 1 / hits: 18417

I am very paranoid about wireless connections and someone stealing my broadband bandwidth, which could lead to worse things.

My question is, how can I detect if my broadband bandwidth is being stolen?

I have a Belkin SURF+ N300 wireless router.

Ideally, it would be cool if I would get alerted automatically, but if that is not possible, then a manual process would be fine.



I've got three ideas for you. They all have their share of complexity and you can mix and match as you see fit. The first is probably the easiest, but least robust (on its own).

1. Passive MAC detection

The standard way would be to keep track of the MAC addresses that are requesting DHCP addresses from the router. Most routers provide an "Attached Devices" style screen that will tell you who's connecting.

This isn't automatic, but you could (fairly easily) script some Bash/Python to pull the router page down, parse out the MAC addresses and check them against a list of known/allowed MAC addresses.

The problem here is nothing is instant. You rely on the router to update its page and you have to poll this frequently. Some routers won't like this. I have a crappy Edimax router that crashes if you load more than 10 pages in a minute (pathetic!) so this might not work.

MAC addresses are also woefully spoofable. macchanger for example, will let you spoof your MAC address in one command. I think even Network Manager will let you do it. If somebody doesn't want to be detected, they'll monitor network traffic and spoof one of the valid (known) devices.

2. Active Sniffing

This is where we rip the wheels off and dig in. You'll need a spare wireless something-or-other in a place that can intercept traffic to/from the router (ideally quite close to it).

In short, you hook up airodump-ng and you watch people connected to your network. It should be possible to script this output so when a new device shows up and starts using your network, you can instantly do something.

The idea would be that you run this on boot (as root):

airmon-ng start wlan0
airodump-ng --bssid 00:1F:9F:14:6F:EB -w output --output-format csv mon0

Replace the BSSID with your access point's.

This writes an auto-incrementing file that can be parsed on a regular basis. The version above writes a comma-separated value file, which is quite basic, but if you're happy with XML (Python can make it pretty simple) you might want to look at the netxml output format for airodump.

Either way, this gives you regular information about which devices are using the network (and how much traffic they're sending too). It's still just as fallible as using the router's ARP table, but it's live.

While you're in promiscuous mode, if your script does pick up a client it thinks shouldn't be on the network, you could use tcpdump to trawl the packets and log exchanges of interest (HTTP requests, etc). It's more programming but it can be done.

3. Fingerprinting with nmap

Another method is to sweep the network for clients with nmap. Normally, you might think, this wouldn't help you too much: if somebody is blocking pings, it might not show up.

I suggest you use this in conjunction with either of the two other methods. 1 will give you the IP address so you can nmap directly. 2 won't give you an IP but it will let you know how many clients nmap should expect to find, at that exact moment in time. Make sure all your devices are pingable.

When nmap runs (e.g. sudo nmap -O) it will try to find hosts and then it will do a port-scan on them to work out what they are. Your check-list should include how each of your devices should respond to nmap.

If you want to go one further, you could run a simple server on each of your computers. Just something that accepted a connection and then dropped it. In short: Something for nmap to look for. If it finds it open, it's probably your computer.

4. Secure your network better

You should actually do this first if you're worried. Use WPA2/AES. Never use WEP (cracks in about five minutes).

If you're still worried somebody might find out the key (WPA2 takes a lot of data and computational time to crack), move to a RADIUS model. It's an authentication framework that sets up a one-time key for each user. PITA to set up though.

But which to do..?

If I weren't happy with things, I'd probably manually watch airodump. If I still wasn't happy, I'd start fingerprinting things I saw. Somewhat difficult (by no means impossible) to script though.

The easiest to script is going to be router-scraping with fingerprinting from nmap. Short and simple.

[#44140] Sunday, June 13, 2021
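One way to script the CSV check from method 2 together with the allow-list comparison from method 1, as an added example that is not part of the original answer: it parses the station table airodump-ng writes with --output-format csv and reports clients associated with your BSSID whose MAC is not on the allow-list. The CSV sample, the station MACs and the allow-list are constructed; the BSSID is the one used in the answer's command.

```python
import csv

# Constructed sample in airodump-ng's CSV layout (AP table, blank line, station table).
SAMPLE_CSV = """\

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:1F:9F:14:6F:EB, 2021-06-12 11:00:01, 2021-06-12 11:10:30,  6, 130, WPA2, CCMP, PSK, -40, 120, 0,   0.  0.  0.  0,   6, MyWiFi, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:11:22:33, 2021-06-12 11:00:05, 2021-06-12 11:10:29, -52, 480, 00:1F:9F:14:6F:EB, MyWiFi
DE:AD:BE:EF:00:01, 2021-06-12 11:08:40, 2021-06-12 11:10:30, -70, 37, 00:1F:9F:14:6F:EB, 
11:22:33:44:55:66, 2021-06-12 11:09:00, 2021-06-12 11:09:01, -80, 2, (not associated), OtherNet
"""

ALLOWED = {"aa:bb:cc:11:22:33"}  # MACs of your own devices (constructed allow-list)
MY_BSSID = "00:1f:9f:14:6f:eb"   # your access point's BSSID


def parse_stations(text):
    """Return one dict per row of the 'Station MAC' table; [] if the table is absent."""
    lines = text.splitlines()
    try:
        start = next(i for i, l in enumerate(lines) if l.startswith("Station MAC"))
    except StopIteration:
        return []
    reader = csv.reader(lines[start:], skipinitialspace=True)
    header = [h.strip() for h in next(reader)]
    rows = []
    for row in reader:
        if len(row) < len(header) - 1:  # blank or truncated line (file is rewritten live)
            continue
        rec = {header[i]: row[i].strip() for i in range(min(len(header), len(row)))}
        # Probed ESSIDs may itself contain commas; keep any overflow fields together.
        rec["Probed ESSIDs"] = ", ".join(f.strip() for f in row[len(header) - 1:] if f.strip())
        rows.append(rec)
    return rows


def unknown_clients(text, allowed, bssid):
    """(mac, packets) for stations associated with our BSSID that are not allow-listed.
    A spoofed MAC of an allowed device will not be caught here (see method 1's caveat)."""
    hits = []
    for s in parse_stations(text):
        if s.get("BSSID", "").lower() != bssid.lower():
            continue  # only probing, or associated to some other AP: not using our network
        mac = s["Station MAC"].lower()
        if mac not in allowed:
            hits.append((mac, int(s["# packets"])))
    return hits


if __name__ == "__main__":
    for mac, pkts in unknown_clients(SAMPLE_CSV, ALLOWED, MY_BSSID):
        print(f"unknown client {mac} ({pkts} packets)")
```

Point the script at the newest output-NN.csv on a timer (or inotify) and you have the "do something instantly" hook the answer describes.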