Network help!

When this rogue device connects, is it using the 2.4 GHz or the 5 GHz band, or both?

It was only on 2.4 GHz according to the router software, through Netgear Genie on my phone.

But I just looked and it's on the 5 GHz band now.

I've turned down everything, I've switched routers... What the hell am I missing?

Can I do anything about this?

Yes.

This is normal for many phones, actually. It is a privacy feature in iPhones: the OS will use a different MAC address each time it connects, designed for public hotspots.

Random:

  • Many stock router firmwares are known to have backdoors, hence forums usually suggest using DD-WRT/pfSense instead.
  • You cannot know that you are not paranoid.
  • Open WiFi is very much a thing, supported by the EFF. Three NAT routers and guest WiFis are a way to do this securely.
  • So, you have disabled remote (WAN) management, right?
  • I'm glad the whitelist approach seems to be working, but...

It looks like some device that is currently connected to your network is running a script that attempts to log into your router and brute-force the password. What MAC address is 192.168.0.194 associated with, and what device on your network currently has it? This should be simple enough to check by leaving the authentication-attempts screen on and taking each device off the network one by one, then reconnecting the devices you took off until that is no longer happening, to isolate the device.

How exactly, and to what, are your servers connected? Do the servers have WiFi adapters?

Edit: typos

So you were using something else before the Netgear R6050?

D-Link DIR-655

Disabling SSID often removes WPS capabilities as well. I'm kind of thinking it's WPS exploitation as well.

Yeah, there is a package for it and the GUI isn't too bad. The only complaint I have is that you can't disable an authentication method, so if you only want to use TLS you can't disable everything else without editing the config file manually. But the config file will regenerate from the GUI options whenever you make a change, or just when it feels like it, so it's not a great option. Other than that it's pretty good.

  1. Using Android phones, but your comment could be valid there. I've checked IPs and they all seem to check out as far as the phones go.

  2. I disabled remote WAN management in the GUI and clicked apply.

  3. 192.168.0.194 doesn't match any of my other equipment hooked up to my router via wireless or wired. I've checked them all.

  4. Servers don't have wireless, and are connected to a separate router that is connected to only one PC, and that is mine, through a separate USB Ethernet adapter. I've disconnected it, and traffic hasn't changed on the main router, so the servers aren't part of the problem as far as I know.

Disabled wifi on phones, and still no change.

Traffic switched to the 5 GHz band about ten minutes after I switched to the whitelist... so it didn't work.

Will try this too...

Will update with a log in 10 minutes...

I don't know what to tell you on this one, OP. Neither one of those supports anything but stock firmware, and in both cases the manufacturer made it so WPS is still on even when disabled in the firmware settings.

Disabling SSID broadcast could work, but it can prove to be a pain in the ass for getting some devices connected.

The only other options I can think of are to relocate the router to somewhere opposite in the house from where it sits currently, to reduce the ability to receive the signal in the first place, or to spend the money on one you can run custom firmware on. I have a shitty Linksys E1200 that is supported by DD-WRT. It's 2.4 GHz only, but she gets the job done.

Eh that's fine by me, it's just for home use. Thanks for the, albeit incidental, insight.

If they keep trying to access the admin login, then I feel like they are brute-forcing in through the control web GUI, finding the password and getting in that way. Then no matter what he does, they find their way in. I wonder if this thing has something like telnet enabled no matter what, and they are able to get in that way?

WPS doesn't have the capacity to operate without a broadcasting SSID, so it should nuke WPS to remove broadcasting, unless the firmware is buggered to hell.

That said, @OP, did you see my suggestion to also lower the power capacity of your WiFi? If you turn it down a bit it won't broadcast as much outside your home and will decrease your footprint, possibly eliminating the guy's ability to connect.

Why not leave the router off for a while.

Like a couple of hours

Then turn it back on.

Then whoever is doing this might stop, because of the down time. They might think you moved?

But then again maybe not....


Because it's likely being done via script and they have to do zero work. Look up the Pixie Dust WPS attack and you'll see what I'm talking about.


The top two are only after four minutes. And something has hit me. Notice that whenever I log in, the requests STOP.
Otherwise, when I don't log in to the router, requests go out like a bat out of hell.

Does this guy/girl just not have a fucking life or something?

[admin login] from source 192.168.0.100, Tuesday, March 28,2017 14:32:51
[admin login] from source 192.168.0.100, Tuesday, March 28,2017 14:24:26
[admin login failure] from source 192.168.0.194, Tuesday, March 28,2017 14:00:14
[admin login failure] from source 192.168.0.194, Tuesday, March 28,2017 14:00:04
[admin login failure] from source 192.168.0.194, Tuesday, March 28,2017 13:59:54
[admin login failure] from source 192.168.0.194, Tuesday, March 28,2017 13:59:28
[admin login] from source 192.168.0.100, Tuesday, March 28,2017 13:48:34
[admin login] from source 192.168.0.100, Tuesday, March 28,2017 13:25:46
[admin login failure] from source 192.168.0.194, Tuesday, March 28,2017 13:00:10
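The isolation advice earlier in the thread (find which MAC/device owns 192.168.0.194) and the log excerpt above both come down to the same two checks: count admin-login failures per source address and flag a source that is not in your own device inventory. The following is an added example, not code from the original posts; it parses Netgear-style log lines in the format shown above (a constructed copy of the posted entries is embedded as sample input), reports failure bursts per source, and cross-references the sources against a hand-written table of known devices with hypothetical MAC addresses. Replace `KNOWN_DEVICES` with your own `arp -a` / `ip neigh` results to run it against a real log.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: log lines in the same format as the ones posted in
# the thread (two source addresses, Netgear admin-login event style).
SAMPLE_LOG = """\
[admin login] from source 192.168.0.100, Tuesday, March 28,2017 14:32:51
[admin login] from source 192.168.0.100, Tuesday, March 28,2017 14:24:26
[admin login failure] from source 192.168.0.194, Tuesday, March 28,2017 14:00:14
[admin login failure] from source 192.168.0.194, Tuesday, March 28,2017 14:00:04
[admin login failure] from source 192.168.0.194, Tuesday, March 28,2017 13:59:54
[admin login failure] from source 192.168.0.194, Tuesday, March 28,2017 13:59:28
[admin login] from source 192.168.0.100, Tuesday, March 28,2017 13:48:34
[admin login] from source 192.168.0.100, Tuesday, March 28,2017 13:25:46
[admin login failure] from source 192.168.0.194, Tuesday, March 28,2017 13:00:10
"""

# Constructed inventory of devices you know about (hypothetical MACs).
# In practice fill this from `arp -a` or `ip neigh` on a wired machine.
KNOWN_DEVICES = {
    "192.168.0.100": "aa:bb:cc:00:00:01",  # admin PC
    "192.168.0.101": "aa:bb:cc:00:00:02",  # phone
}

# One log line: "[event] from source IP, Weekday, Month D,YYYY HH:MM:SS"
LINE_RE = re.compile(
    r"^\[(?P<event>[^\]]+)\] from source (?P<ip>\d+\.\d+\.\d+\.\d+), "
    r"(?P<weekday>\w+), (?P<date>\w+ \d+,\d{4}) (?P<time>\d\d:\d\d:\d\d)$"
)


def parse_log(text):
    """Parse log text into events sorted by timestamp (oldest first)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in an unexpected format
        ts = datetime.strptime(m["date"] + " " + m["time"], "%B %d,%Y %H:%M:%S")
        events.append({"event": m["event"], "ip": m["ip"], "ts": ts})
    return sorted(events, key=lambda e: e["ts"])


def failures_by_source(events):
    """Total admin-login failures per source IP."""
    counts = defaultdict(int)
    for e in events:
        if e["event"] == "admin login failure":
            counts[e["ip"]] += 1
    return dict(counts)


def bursts(events, window_seconds=60, threshold=3):
    """Sources with at least `threshold` failures inside any sliding window.

    Returns {ip: max failures seen in one window}; a scripted brute force
    shows up as a tight burst, a fat-fingered password does not.
    """
    per_ip = defaultdict(list)
    for e in events:
        if e["event"] == "admin login failure":
            per_ip[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        lo, best = 0, 0
        for hi in range(len(stamps)):
            while (stamps[hi] - stamps[lo]).total_seconds() > window_seconds:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


def unknown_sources(events, known):
    """Source IPs in the log that are not in your device inventory."""
    return sorted({e["ip"] for e in events if e["ip"] not in known})


def report(text, known):
    """Human-readable summary combining the three checks above."""
    events = parse_log(text)
    lines = []
    for ip, n in sorted(failures_by_source(events).items()):
        lines.append(f"{ip}: {n} admin login failures")
    for ip, n in sorted(bursts(events).items()):
        lines.append(f"{ip}: burst of {n} failures within 60s (scripted?)")
    for ip in unknown_sources(events, known):
        lines.append(f"{ip}: not in device inventory, find its MAC via arp")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LOG, KNOWN_DEVICES))
```

On the posted excerpt this flags 192.168.0.194 for five failures in total, a burst of four inside one minute, and absence from the inventory; the ARP lookup for that address on a wired host is what ties it to a physical MAC and, from there, to a device to unplug.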

You disabled the SSID Broadcast right?
You also changed the current WPA Key too right?

Yep, every time I make a change, I've been changing the password.

SSID broadcast was already off?

@Yockanookany Yes, I've turned the WiFi down as far as I can go and still get signal in the two rooms that are the most important: the bedroom and the living room.

Man, this persistence has got me wondering if @NetBandit hit the nail on the head.

Edit: did you try to set up FreeRADIUS?

What is that?