Hello, I have an intriguing problem, partially qubes-related. I have a
"intruder" in my wifi network. I have no idea how to physically localise
that offensive antenna, but that is not a qubes subject (if you have any
ideas, they are welcome!). Of course I can just change the SSID and pwd,
but this is not the whole point:
When I portscan the offensive object using nmap (all ports are
filtered.) it counter-fires and kills off my mirage-firewall! That is
fancy. The network structure is
and nmap runs in dispVM. I am quite surprised and willing to "play" a
bit with this enemy, but I would need some help. In particular: How can
I log packets while scanning? Is there a way to find out how/why the
mirage firewall (0.7) dies? That suggests a weakness which is relevant
to many of us! Cheers, Bernhard
Your firewalls might interfere with the nmap replies and thus everything
is shown as filtered.
I did it in sys-net but they remain "filtered". That is not a
firewall-artefact.
Maybe nmap causes the mirage death. That wouldn't be a good job by
mirage though and should be reported as bug to the dev.
I thought that, too. How would I verify it is really nmap? As a test, I
scanned two phones in my wifi (in the same dispVM), without any trouble,
using the same command. I re-scanned the offensive object, 181 seconds
later mirage is dead again. Fascinating.
P.S: I will see if I can use my phone as AP honeypot using the same SSID
& pwd to find that antenna using signal strength (the idea is that I can
move it), but usually that is very hard, due to natural "shadows" and
reflections.
If mirage died due to incoming packets, you should see the offensive payload with e.g. wireshark.
The attack couldn't be on a lower layer as that is handled by your wifi driver in sys-net only.
In companies triangulation tends to be used to find wifi attackers IIRC. So you're likely on the right path.