We’ve all been there. Your roommate is finally out of the house and you have some time alone. Wait a minute… your roommate never said when they would be back. It would be nice to be warned ahead of time. What should you do? [Mattia] racked his brain for a solution to this problem when he realized it was so simple. His roommates have been warning him all along. He just wasn’t listening.
Most Hackaday readers probably have a WiFi network in their homes. Most people nowadays have mobile phones that are configured to automatically connect to these networks when they are in range. This is usually smart because it can save you money by not using your expensive 4G data plan. [Mattia] realized that he can just watch the wireless network to see when his roommates’ phones suddenly appear. If their devices appear on the network, it’s likely that they have just arrived and are on their way to the front door.
Enter wifinder. Wifinder is a simple Python script that Mattia wrote to constantly scan the network and alert him to new devices. Once his roommates are gone, Mattia can start the script. It will then run NMap to get a list of all devices on the network. It periodically runs NMap after this, comparing the new host list to the old one. If any new devices show up, it alerts with an audible beep and a rather hilarious output string. This type of scanning is nothing new to those in the network security field, but the use case is rather novel.
With all the noise about Conficker turning your computer into liquid hot magma on April 1st, there’s actually some positive news. Researchers from the HoneyNet Project have been following the worm since infections started in late 2008. They recently discovered an easy way to identify infected systems remotely. Conficker attempts to patch the MS08-067 vulnerability during infection. A flaw in the patch causes the machine to respond differently than both an unpatched system and an officially patched system. Using this knowledge, the team developed a proof of concept network scanner in python to find infected machines. You can find it in [Rich Mogull]’s initial post. [Dan Kaminisky] has packaged it as an EXE and has instructions for how to build the SVN version of Nmap, which includes the new signature. Other network scanner vendors are adding the code as well.
In conjunction with this detection code, the team has also released the whitepaper Know Your Enemy: Containing Conficker. It discusses ways to detect, contain, and remove Conficker. They’ve combined this with a tool release that covers Conficker’s dynamic domain generation among other things.
Midnight Research Labs has just published a new tool. Depant will scan your network and check to see if services are using default passwords. It starts by performing an Nmap scan to discover available services on the network. It organizes these services by speed of response. Using Hydra it does brute force password checking of these services with a default password list. The user can supply an alternate list for the first phase or an additional list to be used in a followup check. Depant has many different options for configuring your scan and will certainly help you find that rogue piece of hardware on your network that someone failed to set up securely.
[Irongeek] has been working on changing the OS fingerprint of his Windows box. Common network tools like Nmap, P0f, Ettercap, and NetworkMiner can determine what operating system is being run by the behavior of the TCP/IP stack. By changing this behavior, you can make your system appear to be another OS. [Irongeek] started writing his own tool by checking the source of Security Cloak to find out what registry keys needed to be changed. His OSfuscate tool lets you define your own .os fingerprint file. You can pretend to be any number of different systems from IRIX to Dreamcast. Unfortunately this only works for TCP/IP. Other methods, like Satori‘s DHCP based fingerprinting, still work and need to be bypassed by other means. Yes, this is just “security through obscurity”, but it is something fun to play with.