[Network Security Discussion]
(How to protect yourself from MITMAs)
On 4/6/2016 11:41 AM, 3lfist wrote:
hey my internet connection drops out at random times and it's affecting my conference calls often. even you and i had problems before on skype. i'm not sure what's up here but i have to diagnose and solve this problem. can you help?
On 4/6/2016 5:23 PM, NodeEndo wrote:
On 4/6/2016 5:32 PM, NodeEndo wrote:
Just let me know when you're ready.
On Thu, Apr 7, 2016 at 4:50 AM NodeEndo wrote:
hey, you can let me know sometime tomorrow if you are still having issues with your skype connection or isp whatever... if it's just skype it could be your microphone or headphones causing an issue.... if you are using something like a bluetooth headset or something... that was what was causing the skype issues with me sometimes, if it's your isp wifi or something like that it could be your DNS provider, you'd have to just enter the ip to a different DNS than the default being assigned to you... http://www.online-tech-tips.com/cool-websites/free-dns-server/ https://www.opendns.com/
The IPs are all the way at the bottom in orange.
with windows 10 you'd just go to the windows search by the start menu and type
View Network Connections and press enter.
then select the icon that indicates the connection that's active or 'partially' active
right click on it > properties > Internet Protocol Version 4 (TCP/IPv4) -> Properties
select the radio button, Use the following DNS server addresses,
enter both that you find provided on the website
sometimes it fixes isp connection issues... it's usually if you're unable to request websites because it can't resolve to domain names,
however I can't promise.
let me know what's up k!
On 4/7/2016 3:54 AM, 3lfist wrote:
thanks for all that info :) and now my question for you is :
How do I determine where the connection is being cutting on and off?
before I make any changes I just want to isolate the area where this problem is happening. i think i need special tools for this. know any? i need to know if a program or virus on my laptop is doing this or if it's my ISP giving me bad service.
On 4/7/2016 4:15 PM, NodeEndo wrote:
hey homey :-), well did you try a windows tracert, or a linux traceroute ?
another thing is, you could indeed be dealing with MITMA, I first noticed back in 2013 when my signal was constantly dropping I did a tracert like I always have and noticed that the following IP after the first hop was all in * * * * asterisks and determined it was an outside source possibly intercepting and masking itself. It used to never do that... it would always display the destination addresses, and not only that but logically the connection would completely be stunted at that point if the destination was truly unreachable, it wouldn't have displayed the succeeding IPs afterwards. It just wouldn't make sense, the sensible thing a router would have done is the preceding router would redirect the traffic to an alternate route/node and would display the ip... obviously it was an interception, and since then... after 2013 you will find the * * * * node somewhere along the line between the path of source and target destination... it's quite obvious.
if you own a wifi router and you want to make sure no one has captured your MAC address and is spoofing it as theirs which would entail your disconnect, the only way you can prove someone is doing that is installing Webmin+Squid on your computer and also if you have a linksys or netgear wifi router that has the correct model to flash the firmware with DDWRT you can configure DDWRT to capture any data being circulated through your router that you may not be aware of and redirect/forward it to Squid which would cache all the websites being visited and Webmin would allow you to literally see the log. http://www.dd-wrt.com/phpBB2/viewtopic.php?t=62222 https://www.pinterest.com/nodeendo/network-security-tools/
I have annotated basic instructions of the process and links to the software that you may need.
another thing you may want to check and see is what active connections you have on your laptop and the ones that are 'LISTENING' by typing in: cmd in the windows search and right-clicking the Command Prompt (icon) then select 'Run as administrator' then type in
the /b switch|flag will only work with an admin instance and shows you the executable file names associated with the port #'s... over time you will begin to learn what ports or apps are normal and safe, if you see any filename you don't recognize do a google search on the port # to see if it's associated with any backdoor malware, if you're lucky enough depending on the sophistication of the malware you can sometimes literally prune it from your system by disabling it in your windows services, type in Services into the windows search and just look for the shady program disable it... see if your problem becomes resolved... if it does, then you know.
if it's that simple you can then search for the file and delete it.
This is how I caught Tarik installing malware on my computer back in high school...
the software was using a port # of :6667 which is actually normally used for IRC i think but i found the strange program hopping around my task manager so.... then I later discovered what he was up to after he got caught.
research on the port numbers and services running on your OS and disable only the ones that you know you either don't need and are completely confident that they're not essential for you.
you can always test by first dropping the ports into the firewall first see what happens.
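The netstat review described in the message above, as an added example that is not part of the thread: it parses the shape of Windows `netstat -b` output (the command the thread runs as `netstat /b` from an elevated prompt) and lists the sockets that accept traffic whose owning executable is not on an allowlist you maintain. The sample output, the allowlist in KNOWN_GOOD and the name updhelper.exe are all constructed for the example.

```python
"""Review the LISTENING sockets reported by Windows `netstat -b` against a
list of executables you have already decided are normal.

Added example, not code from the thread. SAMPLE_NETSTAT_B is constructed
to look like `netstat -b` output from an elevated prompt (the component
line such as "RpcSs" and the "Can not obtain ownership information" line
are both things real output contains); KNOWN_GOOD is an assumed allowlist
and updhelper.exe is a made-up name standing in for "a file you don't
recognise".
"""
import re
from typing import Dict, List, NamedTuple, Set

SAMPLE_NETSTAT_B = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  RpcSs
 [svchost.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    127.0.0.1:6667         0.0.0.0:0              LISTENING
 [updhelper.exe]
  TCP    192.168.0.12:49712     203.0.113.5:443        ESTABLISHED
 [chrome.exe]
  UDP    0.0.0.0:5353           *:*
 [chrome.exe]
"""

# Executables seen often enough on this machine to be trusted (assumed list).
KNOWN_GOOD: Set[str] = {"svchost.exe", "chrome.exe", "Dropbox.exe", "slack.exe", "AvastSvc.exe"}


class Socket(NamedTuple):
    proto: str
    local_ip: str
    local_port: int
    state: str   # "" for UDP, which has no State column
    owner: str   # executable from the bracketed line, "?" if netstat could not tell


SOCKET_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")
OWNER_RE = re.compile(r"^\s*\[(.+?)\]\s*$")


def parse_netstat_b(text: str) -> List[Socket]:
    """Pair each socket line with the [owner.exe] line that follows it."""
    sockets: List[Socket] = []
    pending = None
    for line in text.splitlines():
        m = SOCKET_RE.match(line)
        if m:
            if pending is not None:
                sockets.append(pending)
            proto, ip, port, _foreign, state = m.groups()
            pending = Socket(proto, ip, int(port), state or "", "?")
            continue
        m = OWNER_RE.match(line)
        if m and pending is not None:
            pending = pending._replace(owner=m.group(1))
    if pending is not None:
        sockets.append(pending)
    return sockets


def suspicious_listeners(sockets: List[Socket], known_good: Set[str]) -> List[Socket]:
    """Sockets accepting traffic (TCP LISTENING, or any bound UDP socket)
    whose owner is not on the allowlist. Unknown owners ("?") are kept on
    purpose: that is exactly the entry to go and inspect by hand."""
    return [s for s in sockets
            if (s.proto == "UDP" or s.state == "LISTENING") and s.owner not in known_good]


def report(text: str = SAMPLE_NETSTAT_B, known_good: Set[str] = KNOWN_GOOD) -> Dict[int, str]:
    """Local port -> owning executable for everything worth a second look."""
    return {s.local_port: s.owner for s in suspicious_listeners(parse_netstat_b(text), known_good)}


if __name__ == "__main__":
    for port, owner in sorted(report().items()):
        print(f"port {port:<6} owner {owner}")
```

Run it on the saved output of `netstat -b` (redirect the command to a file and pass the file contents to `report`). An ESTABLISHED connection is not reported, only sockets that wait for incoming traffic; the allowlist is the part you build up over time, and a port whose owner netstat cannot name is reported rather than silently skipped.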
On Thu, Apr 7, 2016 at 10:40 PM NodeEndo wrote:
oh yeah, linux uses netstat & the equivalent for viewing processes like the task manager allows in windows, it would be,
just replace the <user_name> with either root or the actual username
ps -u <user_name>
-you may already know some of this stuff.
it's better if you just connect to the internet using a linux box because Webmin doesn't work for Windows 10.
I'm pretty confident it'll work for linux, anyways it's a great way to manage your entire os and programs both locally and if you ever need to remotely.
On Fri, Apr 8, 2016 at 5:24 PM 3lfist wrote:
very interesting. ok so I did netstat /b as admin. i see all regular programs with .exe (chrome, dropbox, slack, avastsvc). nothing weird.
i'm concerned about what is going on with my router. MITMA also is a concern. some malware too.
can't believe Tarik did that. sneaky F.
On Fri, Apr 8, 2016 at 5:25 PM 3lfist wrote:
i don't have Linksys or Netgear. do you think getting a new router could help?
On Fri, Apr 8, 2016 at 5:38 PM 3lfist wrote:
did 'tracert google.com' and i have 2 hops before i hit my ISP and right after that I hit google1.plix.pl
and after that there are 3 more hops.
longest time on a hop is 105ms, smallest <1ms
On Fri, Apr 8, 2016 at 5:42 PM 3lfist wrote:
pinged my network card and all is fine there
On Fri, Apr 8, 2016 at 5:45 PM 3lfist wrote:
pinged my router and it works. average time is around 30 ms
On Fri, Apr 8, 2016 at 5:49 PM 3lfist wrote:
is there a way someone can manipulate the data that tracert is sending back to me?
On Fri, Apr 8, 2016 at 5:57 PM 3lfist wrote:
weird, when i do 'ping test' I get 'Ping request could not find host test. Please check the name and try again.'
what's up with that?
On Fri, Apr 8, 2016 at 6:01 PM 3lfist wrote:
isn't 'ping test' the same as 'ping 127.0.0.1' ?
On Fri, Apr 8, 2016 at 6:02 PM 3lfist wrote:
this could be a DNS issue, right?
On 4/8/2016 9:19 AM, 3lfist wrote:
hmm. i have 2 hops before it goes to my ISP. check it
[attachment: tracert 2 hops before ISP.PNG]
I know 192.168.0.1 is my router but not sure what 172.16.30.XXX is. is this normal kind of? why would there be 2 hops before ISP?
On 4/8/2016 2:20 PM, NodeEndo wrote:
didn't work for me either because it isn't a domain name, it doesn't end with a 2-3 letter .(ext like .tk, .org, .com), the ping executable on windows wasn't designed to parse a domain name without an extension other than ping localhost, you may be thinking of something you'd be able to maybe do in like bower or npm, node... not sure...
localhost usually resolves to 127.0.0.1 but on mine it doesn't strangely, if I ping -a 127.0.0.1 I will resolve to my network username I assigned to my computer or your computer in your case.
try ping -a 172.16.30.XXX to see if a domain/dns resolves; the -a switch usually converts the ip to echo back a domain name associated with it (Resolves addresses to hostnames).
usually the 2nd IP assigned after the first hop would be the ip assigned to your modem from your ISP. your tracert looks absolutely clean to tell you the truth.
here in the us, there will always be * * * * somewhere along the path between source and destination since 2013... I reported the issue back then to my ISP, a few months before the whole... datamining thing became public. http://www.dslreports.com/whois
Results I got:
org PRIVATE-ADDRESS-BBLK-RFC1918-IANA-RESERVED Internet Assigned Numbers Authority
because your IP is subnetted and I think since you're in Poland I wouldn't be able to resolve any extra info about your IP from here, by using a website hosted in the US... dslreports.com....
The third hop is your ISP.
ping -a 80.238.113.XXX
Results I got:
org AS41676 JMDI Jacek Maleszko
but... it's still possible with a MITMA that you won't even notice any changes with addressing in the tracert path because it basically bridges using the MAC & | IP address of any source address and also the next hop, if it's done right it would go unnoticed.
another thing is any port that is listening on your computer can become vulnerable even if it's stemmed from an app like chrome.exe or adobe flash update, or thunderbird email client, etc... with the right scanner that includes a vulnerability in its dictionary specific to any of the protocols used by one of those ports like a browser update, or other software update, (with the right domain certs) if they know your IP and have it being monitored for one of those ports they can probe one of those vulnerable ports and then send you an update that could embed itself into the browser, if you could imagine something like socket.io
that is used for buildsystems like gulp.js, and knew how to do some crossdomain trickery with CURL or something.... they'd be able to see and control what's on your browser.... potentially.. anything can be possible and be invisible with a MITMA.
MITMA can be really bad because if and whoever the person that would be doing it, their internet activity would trace back to you as if it was your internet activity... they could be using your online IDs as a proxy to mask themselves and could do some real damage out there on the net, they could even frame you. I'm even worried at times if I'm being framed. https://www.youtube.com/watch?v=7FQO5jisQoI
The following video demonstrates where someone would be able to capture your http requests. If the results were forwarded it would just go to the MITM, and not to the actual destination where it's supposed to go (back to you) resulting in not receiving the expected results returned, kinda like a 1 way street. (that would happen usually if someone didn't know what they were doing, you'd get disconnects) https://www.youtube.com/watch?v=hI9J_tnNDCc
I suggest you get a new Router that has a model # compatible with DDWRT (make sure it has good ratings), usually when you buy a router like a linksys one the default firmware/software on it virtually caps the hardware's full potential. Like, when I bought mine I think I was only allowed to configure up to 12 devices, but with DDWRT it allows up to like 50... i think, not even sure maybe even 100, I haven't used it in awhile. You can do soooooo much more with it that you'd never be able to have done with a $20 router, it literally can make the value of it like $500.
I mean you may not even need it right now but it's good to consider having, it can really help you secure your connection or provide more abilities to monitor what could be going on, now or in the future. Just in case you do deal or are dealing with a MITMA, you can tap and redirect/forward any internet traffic circulating within the router and capture it with Squid and manage & monitor it with Webmin in real time, so you can protect and prove your case, by showing there's a ghost in the machine lol.... I mean it could be someone from across town with a long range antenna. Another way that's possible to collect and identify an outsider to prove your innocence is if you can capture the http/headers containing the browser/User Agent & version, unless they're smart enough to spoof that too! https://curl.haxx.se/libcurl/c/CURLOPT_USERAGENT.html
here's a list of authentic ones: http://www.useragentstring.com/pages/curl/
I bought a Linksys WRT54GS2 V1 after doing enough research into its ratings and got it new off ebay for about $20. http://www.dd-wrt.com/site/support/router-database
I wouldn't recommend purchasing a used router for your own safety because you don't know if it's a hot device.
A MAC Address
"It is a unique identifier attached to almost all networking equipment such as Routers, Ethernet cards and other devices. If you do not have access to router admin interface (via telnet or web-based), use following method to find out router MAC address."
Just make sure you look at the reviews for a specific model on various websites like Amazon, or Newegg.com
You may be able to find a good deal on Newegg.com https://www.youtube.com/watch?v=TzvkWQYavok
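The tracert reading done in the last few messages (which hops are private addresses like 192.168.0.1 and 172.16.30.XXX, where the ISP begins, what a `* * *` hop means), as an added example that is not part of the thread: a parser for Windows `tracert` output that classifies each hop against the RFC 1918 private ranges and the RFC 6598 carrier-grade NAT range, finds the first public hop, and separates a hop that simply never replies from a path that actually ends. The trace is constructed: 192.168.0.1 and 172.16.30.1 stand in for the home router and an ISP-internal address, and the 203.0.113.x / 198.51.100.x addresses are RFC 5737 documentation ranges standing in for the real ISP and destination addresses.

```python
"""Classify hops in Windows `tracert` output: private vs public addresses,
where the path leaves your own/your ISP's internal addressing, and which
hops did not reply.

Added example, not code from the thread. SAMPLE_TRACERT is constructed;
only 192.168.0.1 follows the thread, 172.16.30.1 is a stand-in for the
thread's masked 172.16.30.XXX, and the other addresses are documentation
ranges (RFC 5737) rather than any real ISP.
"""
import ipaddress
import re
from typing import List, NamedTuple, Optional

SAMPLE_TRACERT = """
Tracing route to example.net [198.51.100.80]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  192.168.0.1
  2     2 ms     1 ms     2 ms  172.16.30.1
  3    30 ms    29 ms    31 ms  203.0.113.1
  4     *        *        *     Request timed out.
  5    33 ms    34 ms    33 ms  peer1.example-ix.net [203.0.113.77]
  6   105 ms   104 ms   105 ms  198.51.100.80

Trace complete.
"""

# Address space that never identifies a public host on the Internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CGNAT = ipaddress.ip_network("100.64.0.0/10")   # RFC 6598 shared space used by ISPs for carrier-grade NAT


class Hop(NamedTuple):
    number: int
    ip: Optional[str]               # None when every probe timed out
    hostname: Optional[str]
    rtts: List[Optional[float]]     # milliseconds per probe, None for '*'
    kind: str                       # "private", "cgnat", "no-reply" or "public"


HOP_RE = re.compile(r"^\s*(\d+)\s+((?:(?:<?\d+ ms|\*)\s+){3})(.+?)\s*$")
NAMED_RE = re.compile(r"^(\S+)\s+\[([^\]]+)\]$")


def classify(ip: Optional[str]) -> str:
    if ip is None:
        return "no-reply"
    addr = ipaddress.ip_address(ip)
    if any(addr in net for net in RFC1918):
        return "private"
    if addr in CGNAT:
        return "cgnat"
    return "public"


def parse_tracert(text: str) -> List[Hop]:
    hops: List[Hop] = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        number, rtt_text, rest = int(m.group(1)), m.group(2), m.group(3)
        # "<1 ms" is recorded as 1 ms, the upper bound tracert gives us.
        rtts = [None if tok == "*" else float(tok.strip("<").split()[0])
                for tok in re.findall(r"<?\d+ ms|\*", rtt_text)]
        if rest.startswith("Request timed out"):
            ip, host = None, None
        else:
            nm = NAMED_RE.match(rest)
            host, ip = (nm.group(1), nm.group(2)) if nm else (None, rest)
        hops.append(Hop(number, ip, host, rtts, classify(ip)))
    return hops


def first_public_hop(hops: List[Hop]) -> Optional[int]:
    """Hop number where the path first shows a public address; everything
    before it is your LAN, your ISP's internal network, or CGNAT."""
    return next((h.number for h in hops if h.kind == "public"), None)


def silent_hops(hops: List[Hop]) -> List[int]:
    """Hops that answered no probe but were followed by hops that did: a
    router that does not send ICMP time-exceeded, not the end of the path."""
    last_reply = max((h.number for h in hops if h.kind != "no-reply"), default=0)
    return [h.number for h in hops if h.kind == "no-reply" and h.number < last_reply]


def worst_rtt(hops: List[Hop]) -> float:
    return max((r for h in hops for r in h.rtts if r is not None), default=0.0)


if __name__ == "__main__":
    hops = parse_tracert(SAMPLE_TRACERT)
    for h in hops:
        print(f"{h.number:>2}  {h.kind:<9} {h.ip or '-':<16} {h.hostname or ''}")
    print("first public hop:", first_public_hop(hops))
    print("silent hops:", silent_hops(hops), " worst RTT:", worst_rtt(hops), "ms")
```

On the constructed trace the two hops before the first public address are both non-routable space, which is the pattern the thread describes (a home router followed by an address inside the ISP's own network), and hop 4 is classed as silent rather than as a break because hops 5 and 6 still answer. A trace with a genuine outage looks different: the timeouts continue to the last hop and `silent_hops` returns nothing, since no later hop replied.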
On Fri, Apr 8, 2016 at 8:55 PM 3lfist wrote:
dude you scared me. !!!
On Fri, Apr 8, 2016 at 8:56 PM 3lfist wrote:
hah yes the arp spoofing video. i swear i saw that a while ago when i was interested in getting into hacking. nice.
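The ARP spoofing the video mentions leaves traces in the victim's own ARP cache, and this added example (not part of the thread) shows the defender's side of it: compare two `arp -a` snapshots taken on a Windows machine and report the two things an ARP poisoner changes, the gateway's MAC address and one MAC answering for more than one IP. Both snapshots are constructed, the MAC addresses are made up, and 192.168.0.1 is assumed to be the default gateway as in the thread.

```python
"""Detect the ARP-cache symptoms of a man-in-the-middle on the LAN by
comparing two Windows `arp -a` snapshots.

Added example, not code from the thread. BASELINE is a snapshot taken when
the network was known to be healthy, LATER a snapshot taken during the
disconnects; both are constructed and every MAC address is invented.
"""
import re
from typing import Dict, List, NamedTuple

BASELINE = """
Interface: 192.168.0.12 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           00-11-22-33-44-55     dynamic
  192.168.0.20          aa-bb-cc-dd-ee-01     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.251           01-00-5e-00-00-fb     static
"""

LATER = """
Interface: 192.168.0.12 --- 0xb
  Internet Address      Physical Address      Type
  192.168.0.1           aa-bb-cc-dd-ee-01     dynamic
  192.168.0.20          aa-bb-cc-dd-ee-01     dynamic
  192.168.0.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.251           01-00-5e-00-00-fb     static
"""

GATEWAY = "192.168.0.1"   # assumed default gateway, as in the thread

ENTRY_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{2}(?:[-:][0-9a-f]{2}){5})\s+(\w+)", re.I)


def parse_arp(text: str) -> Dict[str, str]:
    """IP -> MAC (lowercase, '-' separated) for unicast entries only."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        ip, mac = m.group(1), m.group(2).lower().replace(":", "-")
        # Broadcast and multicast entries are static and never interesting here.
        if mac == "ff-ff-ff-ff-ff-ff" or int(ip.split(".")[0]) >= 224:
            continue
        table[ip] = mac
    return table


class Finding(NamedTuple):
    kind: str
    detail: str


def check(baseline: Dict[str, str], current: Dict[str, str], gateway: str = GATEWAY) -> List[Finding]:
    findings: List[Finding] = []
    # 1. The gateway now resolves to a different MAC than it did before.
    old, new = baseline.get(gateway), current.get(gateway)
    if old and new and old != new:
        findings.append(Finding("gateway-mac-changed", f"{gateway}: {old} -> {new}"))
    # 2. One MAC is answering for several IPs, which is what poisoning
    #    both sides of a conversation looks like from the victim's cache.
    by_mac: Dict[str, List[str]] = {}
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(Finding("mac-claims-multiple-ips", f"{mac}: {', '.join(sorted(ips))}"))
    return findings


if __name__ == "__main__":
    for f in check(parse_arp(BASELINE), parse_arp(LATER)):
        print(f"{f.kind:<24} {f.detail}")
```

Take the baseline snapshot when the connection is behaving and keep it; then `arp -a > later.txt` during a dropout and feed both files to `check`. A replaced router or a host that legitimately holds several addresses produces the same findings, so treat them as leads to confirm, for instance against the MAC printed on the router's label (which the quoted MAC-address note above is about), rather than as proof by themselves.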
On 4/8/2016 11:56 AM, 3lfist wrote:
i just wish there was a tool that did some kind of real time monitoring of my network. is that what squid is all about really?
On 4/8/2016 11:56 AM, NodeEndo wrote:
actually Squid was intended just for caching websites that you search/request via a client (your computer) onto a computer acting as gateway on your network, so that if you search for the same website that's already cached, it first detects if there were any changes made (file size) to the website on the remote hosting provider online so that if there were no changes it would instead use the data cached/stored on your network gateway and send it to your computer (client), saving bandwidth & load times, possibly even money on cellular connections. It just basically works like the browser history in your web browser but for your entire network. Also if let's say you download a large file like a new version of linux, and you wanted 4 other computers within the company's network to download the same file it'd only need to do it once, not 4 separate instances.
however with a combination of:
configuring your wireless router with DDWRT installed to forward any data being circulated within it (a transparent proxy) like the information provided in this link. http://www.dd-wrt.com/phpBB2/viewtopic.php?t=62222
but to Squid, it'll capture any traffic that you may not even know is circulating in it and forwarded through your modem to your ISP and back.
in addition to running Webmin you'd be able to actually view the log, the website and their contents... that'd be the only way to demonstrate that whatever internet activity is passing through your modem isn't yours.
since it's wireless you would need the help of someone with a device that can literally monitor the wireless signal strength/attenuation to track the physical location, if it be one of your neighbors or across town. I know about this because when I reported it to my ISP a few years ago they sent some dude down with this device that had an antenna and it would create a sine wave sound with various frequencies depending on how far up and down the street he'd walk.
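Once Squid sits as the transparent proxy the thread describes, the evidence is its access.log; this added example (not part of the thread, and not Squid's own tooling) summarises that log by client address so that traffic can be attributed to a specific device on the LAN, which is the "prove it isn't yours" step. The log lines are constructed in Squid's default native access-log format (timestamp, elapsed ms, client, result/status, bytes, method, URL, ident, hierarchy/peer, content type); the inventory in KNOWN_DEVICES is an assumption.

```python
"""Summarise a Squid access.log by client: which LAN device made which
requests, how much it moved, and whether it is a device you know.

Added example, not code from the thread or from Squid. SAMPLE_ACCESS_LOG
is constructed in Squid's native log format; the hostnames and addresses
are documentation values and KNOWN_DEVICES is an assumed inventory.
"""
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple
from urllib.parse import urlsplit

SAMPLE_ACCESS_LOG = """\
1460129000.123    245 192.168.0.12 TCP_MISS/200 5120 GET http://example.net/index.html - HIER_DIRECT/198.51.100.80 text/html
1460129003.410  12000 192.168.0.12 TCP_TUNNEL/200 98304 CONNECT mail.example.net:443 - HIER_DIRECT/198.51.100.25 -
1460129010.001     30 192.168.0.12 TCP_MEM_HIT/200 5120 GET http://example.net/index.html - HIER_NONE/- text/html
1460129044.777    410 192.168.0.77 TCP_MISS/200 23011 GET http://cdn.example.org/pkg.bin - HIER_DIRECT/203.0.113.9 application/octet-stream
1460129045.002    400 192.168.0.77 TCP_TUNNEL/200 1500000 CONNECT drop.example.org:443 - HIER_DIRECT/203.0.113.10 -
"""

KNOWN_DEVICES: Dict[str, str] = {"192.168.0.12": "laptop"}   # assumed list of your own devices


class Entry(NamedTuple):
    when: datetime
    client: str
    code: str       # Squid result code, e.g. TCP_MISS/200
    size: int       # bytes sent to the client
    method: str
    host: str


def parse_access_log(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10:
            continue
        ts, _elapsed, client, code, size, method, url = parts[:7]
        # CONNECT (HTTPS) lines carry host:port; plain HTTP lines carry a full URL.
        host = url.rsplit(":", 1)[0] if method == "CONNECT" else (urlsplit(url).hostname or url)
        entries.append(Entry(datetime.fromtimestamp(float(ts), tz=timezone.utc),
                             client, code, int(size), method, host))
    return entries


class ClientSummary(NamedTuple):
    requests: int
    bytes: int
    hosts: List[str]
    cache_hits: int
    known: bool


def summarise(entries: List[Entry], known: Dict[str, str] = KNOWN_DEVICES) -> Dict[str, ClientSummary]:
    reqs: Dict[str, int] = defaultdict(int)
    size: Dict[str, int] = defaultdict(int)
    hits: Dict[str, int] = defaultdict(int)
    hosts: Dict[str, set] = defaultdict(set)
    for e in entries:
        reqs[e.client] += 1
        size[e.client] += e.size
        hosts[e.client].add(e.host)
        if "_HIT" in e.code:        # TCP_HIT, TCP_MEM_HIT, ...: answered from the cache
            hits[e.client] += 1
    return {c: ClientSummary(reqs[c], size[c], sorted(hosts[c]), hits[c], c in known) for c in reqs}


def unknown_clients(summary: Dict[str, ClientSummary]) -> List[str]:
    """Clients that generated traffic but are not in your device inventory."""
    return sorted(c for c, s in summary.items() if not s.known)


if __name__ == "__main__":
    entries = parse_access_log(SAMPLE_ACCESS_LOG)
    summary = summarise(entries)
    for client, s in summary.items():
        tag = KNOWN_DEVICES.get(client, "UNKNOWN")
        print(f"{client:<15} {tag:<8} {s.requests:>3} req {s.bytes:>9} B  {', '.join(s.hosts)}")
    print("unknown clients:", unknown_clients(summary))
```

The per-client split is what turns "traffic is going through my modem" into "device X fetched these hosts at these times": a client address you do not own in the log is the finding, and the timestamps line up with the dropouts you are trying to explain. For the attribution to hold the log needs to be written on the gateway (where the thread puts Squid and Webmin), not on the machine whose traffic is in question.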