November 28, 2014
 
 
RSSRSS feed

Foil Wireless Poachers and Have Fun Doing It (Part 2)

Killing and Slaying

  • January 31, 2007
  • By Carla Schroder

Last week we learned some fun ways to mess with the minds of wireless freeloaders, and introduced ourselves to some methods for finding out who is on our networks. Today we're going to learn some different ways to kick unwanted visitors off networks, and how to see exactly who is lurking on our airwaves.

Who says computer geeks are mild-mannered, non-violent wimps? Why, we have all manner of violent commands at our fingertips. Like whowatch, kill, tcpkill, and cutter. Ph34r us!

whowatch is for monitoring logins in realtime, and kicking users off specific hosts. Suppose you're logged into the fileserver in an SSH session, and you want to see who else is logged in. Just run the whowatch command as root. You'll see an ncurses display showing a list of users:

2 users: (1 local, 0 telnet, 0 ssh, 1 other)    load: 0.02, 0.12, 0.12

(init)         pinball   tty2      -bash
(kdm)          carla     :0      -

Oy, you exclaim! Pinball should not be logged into the fileserver! Pinball should not even have a login account on the fileserver! This is very bad! What shall I do?

First of all, stop panicking. Use the Up/Down arrow keys to navigate to Pinball, then hit Enter. You'll see this:

2 users: (1 local, 0 telnet, 0 ssh, 1 other)   load: 0.12, 0.36, 0.29
(init)         pinball   tty2
 6972   - /bin/login --
 6975    `- -bash

Select the line with the lowest process number by using the arrow keys, and hit Ctrl+K to kill Pinball. Then you'll see this:

2 users: (1 local, 0 telnet, 0 ssh, 1 other)   load: 0.29, 0.34, 0.28
(init)         pinball   tty2
User logged out

Ha. Take that, Pinball. The Enter key toggles between the selected user and the list of users. Press F9 to expose the top menus. Obviously you now need to figure out how an unauthorized user was able to log into your server, repair the breach, and look for rootkits or other nasties. You might even need to rebuild the whole system. But at least you found out there was an intruder, which is always a good thing to know.

Sitemap | Contact Us