Tell me more ×
IT Security Stack Exchange is a question and answer site for IT security professionals. It's 100% free, no registration required.
up vote 3 down vote favorite
1

Is it possible to detect failed logins on the hotspots you create with your windows/linux laptops? So you can detect some dumb brute force/guessing attempts? For example, a log like this:

TIME DATA - WIFI HOTSPOT LOGIN FAILED - MAC ADDRESS INTRUDER - PASSWORD THAT WAS TRIED

As for the password part, lets take wep for example:

  1. The client sends an authentication request to the Access Point.
  2. The Access Point replies with a clear-text challenge.
  3. The client encrypts the challenge-text using the configured WEP key, and sends it back in another authentication request.
  4. The Access Point decrypts the response. If this matches the challenge-text the Access Point sends back a positive reply.

Since you send the challenge yourself, in theory, you will be able to retrieve the plaintext challenge. It should be also be possible to get this response, when your own laptop is the access point, right? But than comes the questuion: what is the decryption algorithm?

share|improve this question
1  
There might be some confusion with your question. Do you want to detect failed attempts at connecting to your Access Point, failed logins onto your laptop, or more general intrusions? – schroeder May 5 '12 at 0:24
Also, what do you expect to be generating this data? Most wireless hotspots have built-in logging capability. Are you asking for more than what the hotspot is offering? – schroeder May 5 '12 at 0:26
You know you can connect to 3G/4G/wired network and share your connection through your wireless network card on your laptop right? I know about air crack and wpa2 handshake cracking, but I really need logs that are this accurate. You can see the successful login attempts, but not the failed ones with this level of detail. – user101579 May 5 '12 at 5:55
You really need to edit your question to make this clear. I completely missed that this was the setup. What software are you using to create the hotspot? – schroeder May 5 '12 at 15:14
Why would you even consider using WEP?!!! – curiousguy Aug 24 '12 at 7:18

2 Answers

up vote 5 down vote

I don't see how this is helpful for home use. The error "MAC ADDRESS INTRUDER", is even less useful because that is not a real security measure, its trivial to spoof your mac address. WEP cracking is greatly sped up by packet injection which can be detected, but that isn't as helpful as just using WPA. The attack against WPA is offline, so an IDS isn't really going to help. In these these cases, the problem is relying upon a broken security system and logging this isn't very helpful.

You could install Linux on an old Desktop and use snort. Snort can detect some wireless attacks. But more importantly, snort has general purpose IDS rulesets.

share|improve this answer
Yeah, I know that, but there are not really other reliable ways to identify computers at wifi level than Mac addresses at the time. 90% of the people use wpa2, including me. And yes, I know about air crack and wpa2 handshake cracking, but I really need logs that are this accurate. You can see the successful login attempts, but not the failed ones with this level of detail. – user101579 May 5 '12 at 5:48
Can snort log those failed attempts with the tried passwords? – user101579 May 5 '12 at 6:05
4  
@user101579 Faild password attempts are a sign that everything is great, because if an attacker is using that method then they are clueless. The real attack is an offline brute force of the PSK handshake, which nothing can detect. – Rook May 5 '12 at 7:44
up vote 3 down vote

I don't think this is helpful for most users.

Think through the whole process: Who is going to read these logs? What are they going to do with the information? Answers: Let's be realistic; in almost all cases, no one is ever going to read the logs. If by chance someone did read the log, even if they saw one of these log messages, there's nothing they could do. What are they going to do? Turn off the access point, and have no Internet? Not realistic.

And, of course, as others have mentioned, many of the most serious attacks against wireless networks are completely offline attacks that will not be visible to the access point and cannot be detected by the access point, so logging is useless to detect them, because there's nothing to log.

So I think there is no realistic use case for this functionality -- which is probably why doesn't tend to be present in existing access points.

share|improve this answer

Your Answer

 
discard

By posting your answer, you agree to the privacy policy and terms of service.

Not the answer you're looking for? Browse other questions tagged or ask your own question.