This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Strange “Hacker-like” Websites in First Sniff?


Running WS for the first time on my own WLAN. After enabling WinPcap via Run WS As Admin, I noticed many "Hacker-like" websites using DNS protocol. Sites include: anonscm.Debian.org, home.regit.org, lunuxgurus.com, think-future.De, Linuxwireless.org, aircrack-ng.org, hpl.HP.com, osxdaily.com, 802.11ninja.net, Virtualit.cc, fuellogix.com, both micro-logics and micro-logix.com, gravatar.com, Javascriptkit.com and others. My question is: Did I expose my system when Running WS As Admin, or do sites like this just "roam" the internet looking for vulnerabilities? Or has my system been compromised in the past and I'm just seeing the traffic with WS?

Thanks for your advice,

asked 02 Jun '14, 22:54


SeaDude

Not all of the sites you list are "hacker-like" in the "people who break into networks" sense of "hacker", although some could be considered "hacker-like" in the "programmers writing cool software" sense of "hacker":

  • hpl.hp.com is the domain name for HP Labs, and they're not "hacker-like" in the first sense, unless, for example, optimizing optical waveguides involves breaking into networks. :-)
  • linuxwireless.org is the web site for the people working on the 802.11 stack for Linux; I suppose Linux OS developers are "hackers" in the latter sense, but not necessarily in the former sense.
(04 Jun '14, 02:21) Guy Harris ♦♦

I apologize for the characterization of the sites I found while sniffing my home network. I visited most of the sites and was impressed by what I found. I just want to know why and how these "savvy programmers'" websites are somehow involved with my WLAN.

(04 Jun '14, 07:56) SeaDude

2 Answers:


Sounds like your wlan is open to everybody.

Some questions:

  • is your wlan encrypted? If so, how: WEP, WPA, WPA2?
  • Do you have to enter a passphrase to connect to the wlan? If so: Is it a strong passphrase (i.e. test, 12345, john, dude, etc. are not strong passphrases)
  • Do you regularly surf to websites that have a lot of ads in them?

Regards
Kurt


answered 03 Jun '14, 14:33


Kurt Knochner ♦

edited 03 Jun '14, 14:43

Kurt,

  • Yes WLAN is encrypted with WPA2
  • Yes have to enter a PSK (pre-shared key) to access. The password could be a bit stronger.
  • I'd consider myself a pro-surfer (don't click anything; only download what i'm looking for; no porn, etc)

I live in a single family residential area (no apts, condos, etc.). I can't imagine there is a large enough population to have multiple people accessing my WLAN. I will start WS and change the password on the WLAN to see if the DNS messages cease. Any further thoughts?

(03 Jun '14, 15:14) SeaDude

Changed my WLAN PW to something ridiculously hard. Took a capture of before/during/after. Didn't see any more "suspicious" (to the untrained eye) activity.

Any further thoughts on this? I'm a bit stunned that my network was cracked/hacked/etc.

(03 Jun '14, 19:09) SeaDude

Did you see those requests from your own IP address or from another IP address? Can you post the capture file at Google drive, dropbox or cloudshark.org?

(03 Jun '14, 22:45) Kurt Knochner ♦

Kurt, here (https://www.dropbox.com/s/4czrum0bj7p5cjc/FirstSniff) is the WLAN grab. It was my first, pardon the format. If you search the text for "DNS" and FindNext, you will see the sites I mentioned. I have the grab that I captured before/during/after router password reset. I didn't see any suspicious activity during that time.

(04 Jun '14, 15:08) SeaDude


There are only DNS requests for "Hacker" sites from the following IP address: 192.168.2.12

  25029 1745.774340000 192.168.2.12          192.168.2.1           DNS      80     Standard query 0xd2d7  A blog.aircrack-ng.org
  25030 1745.774562000 192.168.2.12          192.168.2.1           DNS      84     Standard query 0x8bb8  A download.aircrack-ng.org
  25031 1745.774945000 192.168.2.12          192.168.2.1           DNS      80     Standard query 0x0502  AAAA blog.aircrack-ng.org
  25032 1745.774992000 192.168.2.12          192.168.2.1           DNS      81     Standard query 0xc4ea  A forum.aircrack-ng.org
  25033 1745.775039000 192.168.2.12          192.168.2.1           DNS      84     Standard query 0x6f4c  AAAA download.aircrack-ng.org
  25034 1745.775323000 192.168.2.12          192.168.2.1           DNS      81     Standard query 0x3437  AAAA forum.aircrack-ng.org
  23832 1680.741756000 192.168.2.12          192.168.2.1           DNS      74     Standard query 0xada8  A www.mocavo.com
  23833 1680.742217000 192.168.2.12          192.168.2.1           DNS      74     Standard query 0x3418  AAAA www.mocavo.com

Is 192.168.2.12 the IP address of your PC? Please check the MAC address and compare it to the value in the capture output.

ipconfig /all (find 192.168.2.12) and the MAC address of that interface
compare it to 9c:d2:1e:61:c0:f3

If the MAC address is yours, you must have been surfing to those sites. If that IP address is not yours, you should check who else on your network could have accessed the internet (wife, spouse, kids, granny, pets, etc.).

BTW: There are only 3 IP addresses in the capture output

192.168.2.12: requested all those "Hacker" sites (maybe your own PC)
192.168.2.11: did almost nothing. The system announced itself as Victoria-PC
192.168.2.1: your Belkin router

There have been ARP requests to two other IP addresses, but they did not reply (maybe smartphones, once connected to the network).

192.168.2.5
192.168.2.8

So, to me it looks like you were surfing to those web sites yourself, maybe without knowing it. If you go to one of those sites that are heavily loaded with ads, you would see that access pattern, because every embedded ad will trigger a DNS request and the download of some content (images, html, css, etc.).

I don't think your WLAN has been hacked. Why the whole thing stopped after you reset the wlan password, remains unclear.

Regards
Kurt

answered 05 Jun '14, 13:19


Kurt Knochner ♦
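The analysis in the answer above can be scripted. The following is an added example, not code from the thread: it parses the packet-list text export in the form shown above, groups the "Standard query" rows by source IP, flags the millisecond-spaced bursts of distinct names that a single page load with many embedded resources produces, and compares the MAC reported by "ipconfig /all" for a given IP with the MAC seen in the capture. The eight DNS rows are copied from the answer; the two rows for 192.168.2.11, the ipconfig text and the adapter names are constructed for illustration.

```python
"""Summarize DNS queries from a Wireshark packet-list text export by source
host, flag millisecond-spaced query bursts, and check a host's MAC against
'ipconfig /all' output.

Added example for this answer, not code from the thread. The eight DNS rows
below are copied from the answer; the 192.168.2.11 rows, the ipconfig text
and the adapter names are constructed for illustration.
"""
import re
from collections import defaultdict

SAMPLE_PACKETS = """\
25029 1745.774340000 192.168.2.12          192.168.2.1           DNS      80     Standard query 0xd2d7  A blog.aircrack-ng.org
25030 1745.774562000 192.168.2.12          192.168.2.1           DNS      84     Standard query 0x8bb8  A download.aircrack-ng.org
25031 1745.774945000 192.168.2.12          192.168.2.1           DNS      80     Standard query 0x0502  AAAA blog.aircrack-ng.org
25032 1745.774992000 192.168.2.12          192.168.2.1           DNS      81     Standard query 0xc4ea  A forum.aircrack-ng.org
25033 1745.775039000 192.168.2.12          192.168.2.1           DNS      84     Standard query 0x6f4c  AAAA download.aircrack-ng.org
25034 1745.775323000 192.168.2.12          192.168.2.1           DNS      81     Standard query 0x3437  AAAA forum.aircrack-ng.org
23832 1680.741756000 192.168.2.12          192.168.2.1           DNS      74     Standard query 0xada8  A www.mocavo.com
23833 1680.742217000 192.168.2.12          192.168.2.1           DNS      74     Standard query 0x3418  AAAA www.mocavo.com
24100 1700.102000000 192.168.2.11          192.168.2.1           DNS      73     Standard query 0x1a2b  A www.example.com
24101 1700.902000000 192.168.2.11          192.168.2.1           DNS      73     Standard query 0x1a2c  A www.example.org
"""

# Constructed 'ipconfig /all' excerpt; the wireless MAC is the one quoted above.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Physical Address. . . . . . . . . : 00-11-22-33-44-55
   Media State . . . . . . . . . . . : Media disconnected

Wireless LAN adapter Wireless Network Connection:

   Physical Address. . . . . . . . . : 9C-D2-1E-61-C0-F3
   IPv4 Address. . . . . . . . . . . : 192.168.2.12(Preferred)
   Default Gateway . . . . . . . . . : 192.168.2.1
"""

# One packet-list row for a DNS request; responses ("Standard query response")
# do not match because a transaction id must follow "Standard query".
PACKET_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+DNS\s+"
    r"(?P<length>\d+)\s+Standard query\s+(?P<txid>0x[0-9a-fA-F]+)\s+"
    r"(?P<qtype>[A-Z0-9]+)\s+(?P<qname>\S+)"
)


def parse_packet_list(text):
    """Return the DNS request rows as dicts, ordered by capture time."""
    records = []
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            d = m.groupdict()
            d["no"], d["time"], d["length"] = int(d["no"]), float(d["time"]), int(d["length"])
            records.append(d)
    return sorted(records, key=lambda r: r["time"])


def queries_by_source(records):
    """Map each source IP to the sorted distinct names it asked for."""
    by_src = defaultdict(set)
    for r in records:
        by_src[r["src"]].add(r["qname"])
    return {src: sorted(names) for src, names in by_src.items()}


def find_bursts(records, window=0.010, min_names=3):
    """Group each host's queries that arrive within `window` seconds of the
    previous one; keep bursts naming at least `min_names` distinct hosts.
    Several distinct names inside a few milliseconds is the pattern a page
    full of embedded ads/CDN resources produces, not a human typing URLs."""
    bursts, open_burst = [], {}
    for r in records:
        b = open_burst.get(r["src"])
        if b is not None and r["time"] - b["end"] <= window:
            b["end"] = r["time"]
            b["names"].add(r["qname"])
        else:
            b = {"src": r["src"], "start": r["time"], "end": r["time"], "names": {r["qname"]}}
            open_burst[r["src"]] = b
            bursts.append(b)
    return [b for b in bursts if len(b["names"]) >= min_names]


def normalize_mac(mac):
    """Windows prints 9C-D2-1E-..., Wireshark prints 9c:d2:1e:...; unify them."""
    return mac.lower().replace("-", ":")


def mac_for_ip(ipconfig_text, ip):
    """MAC of the adapter holding `ip` in 'ipconfig /all' output, or None.
    In ipconfig output the Physical Address line precedes the IPv4 line."""
    mac = None
    for line in ipconfig_text.splitlines():
        m = re.search(r"Physical Address[ .]*: ([0-9A-Fa-f-]{17})", line)
        if m:
            mac = m.group(1)
        if re.search(r"IPv4 Address[ .]*: " + re.escape(ip) + r"\b", line):
            return normalize_mac(mac) if mac else None
    return None


def same_host(ipconfig_text, ip, capture_mac):
    """True when the local adapter with `ip` has the MAC seen in the capture."""
    local = mac_for_ip(ipconfig_text, ip)
    return local is not None and local == normalize_mac(capture_mac)


if __name__ == "__main__":
    recs = parse_packet_list(SAMPLE_PACKETS)
    for src, names in queries_by_source(recs).items():
        print(src, "asked for", len(names), "names:", ", ".join(names))
    for b in find_bursts(recs):
        print("burst from", b["src"], "%.3f-%.3f" % (b["start"], b["end"]), sorted(b["names"]))
    print("192.168.2.12 is this PC:", same_host(SAMPLE_IPCONFIG, "192.168.2.12", "9c:d2:1e:61:c0:f3"))
```

To apply this to a real capture, export the packet list with File > Export Packet Dissections > As Plain Text after applying a display filter such as `dns.flags.response == 0`, paste the "ipconfig /all" output of the PC in question, and feed both to the functions above. A capture whose requests all come from one host, in sub-10 ms bursts, points to that host loading web pages rather than to another station on the WLAN.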

Kurt,

Thanks for spending the time to look through that text file and find this information.

Yes, the MAC address and IP address are of my computer. I have never visited those sites nor was I surfing them while capturing the packets with WS. I installed WireShark, turned on CPF (in the vulnerable "Run As Administrator" style), saw these sites being accessed, and visited ask.wireshark.com to create this thread.

  1. Has my system been compromised?
  2. How can my computer surf sites without me (ha, wow that sounds funny).
(05 Jun '14, 15:48) SeaDude

turned on CPF

what is CPF?

Has my system been compromised?

I don't know. Maybe you should run some malware scanner on that system.

How can my computer surf sites without me (ha, wow that sounds funny).

maybe it was bored and needed some distraction ;-))

(05 Jun '14, 16:33) Kurt Knochner ♦

I meant NPF driver. I started it by running WS as administrator which is supposedly risky.

I'll run a malware scanner.

This machine is NOT bored! HA!

Well, this has been a very strange event indeed. To see such activity on my WLAN without an explanation is unnerving. I'd hate to go through an entire refresh of my laptop. Boo.

(06 Jun '14, 20:07) SeaDude