Tell me about wireless security please? [Archive] - Glock Talk

hapuna
06-04-2004, 12:51
OK I have not been able to actually see the programs on TV but I have seen a lot of the teasers for the shows discussing the risk of working in a wireless environment. One of the teasers had someone sitting in an internet cafe saying that they could see everything that was being done on another person's computer.
What should I be doing to sensibly secure my stuff??? I also have a wireless router at home. Is there something I should be doing here also to make sure that the casual hacker can't get in?
All ideas greatly appreciated.:)

whizz
06-04-2004, 15:11
wireless security
Oxymoron?

physicsdevil
06-04-2004, 15:25
Here are the basics:

- Change your default WAP login/password and make your password sufficiently complex.
- Change your SSID periodically.
- Disable SSID broadcast.
- Use some semblance of encryption (WEP/EAP).
- Limit the number of DHCP addresses that your WAP assigns, or better yet, disable DHCP entirely.
- Limit the size of your internal network to just what you need.
- Limit connectivity by MAC address.

Obviously, I can't give you specifics without knowing what kind of WAP you have.

Hope this helps...

David_G17
06-04-2004, 19:25
google "airsnort"

;)

HerrGlock
06-04-2004, 19:55
What physicsdevil said plus change your WEP key about every month or every other month. It takes about a month to get enough packets to break the encryption from a normal household.

Look for the highest WEP possible, 128-bit or more. There will be another encryption technique but it'll be a while before it's as well used as WEP.

DanH

gudel
06-05-2004, 09:49
Some wireless clients would not connect if the access point's SSID is turned off. There's no point turning DHCP off since I can just connect to your router anyway if I stick in a static IP.

In addition to what physicsdevil already said, if you do turn off DHCP and your router has client filtering, block TCP/UDP ports 1 to 65535 for the IP range that you don't use.

Even if the guy can associate with your wireless router, he wouldn't be able to do much. If he does use an IP that's already in use, that'll pretty much give you a warning on screen :)

I have four APs, great signal throughout the house :) I see this all the time in my router log: people try to log on to my router, and people try to join. They all got denied.

But if I see some guy hanging out across the street looking suspicious, especially with a laptop or some antenna on it, they just might meet Mr. 12GA ;f

You can also use a 255.255.255.248 subnet; that should give only 6 usable IP addresses.

BikerGoddess
06-05-2004, 10:03
Hmm, but what if you're at one of those hotspot thingies?

Laura

hapuna
06-05-2004, 12:23
Yes it looks like a lot of good advice for my home wireless network which is great(and none of which I am using). I will get on that.
But back to Laura's question re the hotspot type scenario?
Thanks for all the advice so far.

gudel
06-05-2004, 13:58
Originally posted by BikerGoddess
Hmm, but what if you're at one of those hotspot thingies?

Laura

What about it?

HerrGlock
06-05-2004, 14:08
Originally posted by BikerGoddess
Hmm, but what if you're at one of those hotspot thingies?

Laura

If you're talking about Starbucks or some other place with wireless as a feature, don't do anything personal, don't type in your password to anything, don't put any financial information at ALL.

Treat it as if you are in the middle of Grand Central Station writing on a large chalkboard. What would you write up there? Not much.

DanH

gudel
06-06-2004, 10:29
anyone here use RADIUS?

HerrGlock
06-06-2004, 17:25
Originally posted by gudel
anyone here use RADIUS?

Yes. But not with wireless.

DanH

grantglock
06-07-2004, 10:04
I intentionally leave my access point wide open to anyone who wants to use it. That said I do know how to encrypt my important things if i need to.

HerrGlock
06-07-2004, 10:24
Originally posted by grantglock
I intentionally leave my access point wide open to anyone who wants to use it. That said I do know how to encrypt my important things if i need to.

and I intentionally leave an access point wide open for anyone who wants to use it...

Of course, it doesn't go anywhere but an enclosed network and a packet sniffer...

;j

DanH

physicsdevil
06-07-2004, 11:52
Originally posted by gudel
some wireless clients would not connect if the access point's ssid is turned off.


I'd say that's the point if you're trying to protect your internal network. :) Actually, even though the SSID can still be seen if you're sniffing, this is a commonly accepted method to eliminate low-hanging-fruit by making it more difficult to connect to your network for those who are unfamiliar with it.


there's no point turning dhcp off since i can just connect to your router anyway if i stick in static ip.


Except for the fact that a potential attacker wouldn't likely know your internal network range. This is especially true if you limit the size of your network (unfortunately most WAPs default to a /24). Besides, I don't want anyone within range of my WAP to be able to pull an IP address. At the very least, they can take up IPs that would otherwise go to legitimate clients. It's also a lot easier to limit the activity of legitimate clients if they're assigned static IPs.


in addition to what physicsdevil already said, if you do turn off dhcp and your router has client filtering, block tcp/udp port from 1 to 65535 of the ip range that you don't use.


This is a possibility, but it's easier to resize your network and enable MAC filtering.


you can also use 255.255.255.248 subnet, that should make only 6 usable IP addresses.


Assuming that he only *needs* 6 IP addresses. :)

BikerGoddess
06-07-2004, 14:32
Originally posted by gudel
what about it?
I've not used one, but I'm assuming that they don't let you set up the AP for them... ;Q Any security tips for those situations?

Laura

HerrGlock
06-07-2004, 14:49
Originally posted by BikerGoddess
I've not used one, but I'm assuming that they don't let you set up the AP for them... ;Q Any security tips for those situations?


Yeah. Only go to https websites and/or set yourself up a proxy at home that uses https and use it exclusively.

DanH

gudel
06-08-2004, 09:19
Originally posted by physicsdevil
I'd say that's the point if you're trying to protect your internal network. :) Actually, even though the SSID can still be seen if you're sniffing, this is a commonly accepted method to eliminate low-hanging-fruit by making it more difficult to connect to your network for those who are unfamiliar with it.


Except for the fact that a potential attacker wouldn't likely know your internal network range. This is especially true if you limit the size of your network (unfortunately most WAPs default to a /24). Besides, I don't want anyone within range or my WAP to be able to pull an IP address. At the very least, they can take up IPs that would otherwise go to legitimate clients. It's also a lot easier to limit the activity of legitimate clients if they're assigned static IPs.


This is a possibility, but it's easier to resize your network and enable MAC filtering.


Assuming that he only *needs* 6 IP addresses. :)

You seem to argue everything I say.
Try this: if you're actually setting up other people's computers, and their WLAN can't connect because you turned off the SSID, you can't say, "oh, my wifi card's kung fu is better than yours, which is why you can't connect; therefore I want you to buy the $80 card". It just doesn't work like that.
I invite you to come on down to my house and try to break into the WLAN.

gudel
06-08-2004, 09:25
Originally posted by grantglock
I intentionally leave my access point wide open to anyone who wants to use it. That said I do know how to encrypt my important things if i need to.

I have a commie worker from Poland; he believes internet access should be free and everything should be shared and free (just as about anything else: free books, free software) but he hates guns (just like the lefty/commie he is! ;f). He set up a rogue AP at work, which I quickly took down.

physicsdevil
06-08-2004, 10:20
Originally posted by gudel
You seem to argue everything I say.
Try this: if you're actually setting up other people's computers, and their WLAN can't connect because you turned off the SSID, you can't say, "oh, my wifi card's kung fu is better than yours, which is why you can't connect; therefore I want you to buy the $80 card". It just doesn't work like that.
I invite you to come on down to my house and try to break into the WLAN.

Please don't take my replies as being adversarial. I'm simply trying to offer up help based on my knowledge and experiences.

As a matter of fact, in my experience, I have *never* had trouble connecting to a WAP with SSID broadcast disabled. I don't broadcast on my home AP, and none of my laptops have any problem connecting via Windows (perhaps due to WinXP's excellent wireless management) or Linux. I'm just using a plain ol' Linksys 802.11b WAP/router and generic Orinoco Gold WiFi cards. At work, we're using an even more generic WAP that one of the other security guys brought from home...everyone there seems to be able to connect with no problem.

It seems that our experiences are just different, as you appear to work more on the PC side of things, and I work more on the server/network side.

lomfs24
06-10-2004, 19:18
Originally posted by HerrGlock
and I intentionally leave an access point wide open for anyone who wants to use it...

Of course, it doesn't go anywhere but an enclosed network and a packet sniffer...

;j

DanH

Come on Dan, you can do better than an enclosed network with a packet sniffer. How about a closed network, packet sniffer and a web server, and you control where the clients get directed. Let your imagination run on that one for a while. I have a pretty good plan that I just have to build now.

lomfs24
06-10-2004, 19:27
Originally posted by physicsdevil
I'd say that's the point if you're trying to protect your internal network. :) Actually, even though the SSID can still be seen if you're sniffing, this is a commonly accepted method to eliminate low-hanging-fruit by making it more difficult to connect to your network for those who are unfamiliar with it.


Except for the fact that a potential attacker wouldn't likely know your internal network range. This is especially true if you limit the size of your network (unfortunately most WAPs default to a /24). Besides, I don't want anyone within range or my WAP to be able to pull an IP address. At the very least, they can take up IPs that would otherwise go to legitimate clients. It's also a lot easier to limit the activity of legitimate clients if they're assigned static IPs.


This is a possibility, but it's easier to resize your network and enable MAC filtering.


Assuming that he only *needs* 6 IP addresses. :)

Several problems. You say that a stealthed network name can be found by sniffing. This is true. But you say that someone wouldn't be able to tell the range of your network. This is not true. If you are sniffing you can find network names, IP addresses, ranges, MAC addresses, number of clients, their MACs, their IPs, router maker, client hardware makers and a whole host of other "useful" info.

If I can find MAC addresses, that kind of shoots MAC filtering out of the water too. I just have to spoof my MAC address and "voila", I am on.

Simple truth: if there is a wireless network, there is a way to break it. WEP probably takes the longest to break, but even that is not foolproof.

HerrGlock
06-11-2004, 03:23
Originally posted by lomfs24
Come on Dan, you can do better than an enclosed network with a packet sniffer. How about a closed network, packet sniffer and a webserver and you control where that clients get directed. Let you imagination run on that one for a while. I have a pretty good plan that I just have to build now.

Oh I've got all kinds of goodies in there. Remember, if someone gets into a network, they will expect a mail server, a couple of desktops, some file servers, and a handful of other servers. If they aren't there, it's not worth trying to crack ;j

DanH

Nigel_C
06-14-2004, 07:14
I worked with Cisco when the Aironet product was first released.
The chipset is made by Radiata (now Cisco).

When the first big furor came out about wireless security, the white paper that came from Cisco, distributed to SEs, basically said that in order to crack WEP you needed at least 15 minutes of data.

Simple fix: set your WEP key to renew every 5 minutes, or every minute if you like.

Manage your address space. I think the Cisco stuff will work with a RADIUS or TACACS box now but I'm not sure.

I hate Wireless...
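HerrGlock's advice earlier in the thread (rotate the WEP key every month or two) and Nigel_C's above (renew it every few minutes) rest on the same fact: a WEP key leaks more the longer it carries traffic. What follows is an added example, not code from the thread, from Cisco or from any vendor, that shows the simplest form of that leak. WEP prepends a 24-bit per-frame IV to the shared key and runs RC4 over the result, so two frames sent under the same IV share a keystream; their ciphertexts XOR to the XOR of their plaintexts, and knowing one plaintext exposes the other. The RC4 routine is a direct transcription of the published algorithm; the key, IVs and payloads are constructed for the demonstration, and the CRC-32 ICV that real WEP appends is left out. This is the keystream-reuse weakness, not the AirSnort-style key recovery mentioned later in the thread, which needs millions of frames rather than two.

```python
# Added example (not from the thread): WEP keystream reuse under a repeated IV.
import math

IV_BYTES = 3          # WEP sends a 24-bit IV in the clear in front of each frame body


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                        # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: IV in the clear, then RC4(IV || key) XOR plaintext.
    Real WEP also appends a CRC-32 ICV before encrypting; omitted here."""
    if len(iv) != IV_BYTES:
        raise ValueError("WEP IV must be 24 bits")
    keystream = rc4_keystream(iv + wep_key, len(plaintext))
    return iv + xor_bytes(plaintext, keystream)


def leaked_xor(frame_a: bytes, frame_b: bytes):
    """If two frames reuse an IV, their ciphertexts XOR to the XOR of the plaintexts.
    Returns None when the IVs differ (no keystream reuse to exploit)."""
    if frame_a[:IV_BYTES] != frame_b[:IV_BYTES]:
        return None
    return xor_bytes(frame_a[IV_BYTES:], frame_b[IV_BYTES:])


def recover_other_plaintext(frame_a: bytes, frame_b: bytes, known_plaintext_a: bytes):
    """Knowing one frame's plaintext under a reused IV yields the other frame's plaintext."""
    diff = leaked_xor(frame_a, frame_b)
    return None if diff is None else xor_bytes(diff, known_plaintext_a)


def frames_until_iv_repeat(probability: float, iv_bits: int = 8 * IV_BYTES) -> float:
    """Birthday bound: frames with random IVs sent before some IV repeats with the given probability."""
    space = 2 ** iv_bits
    return math.sqrt(2 * space * math.log(1.0 / (1.0 - probability)))


if __name__ == "__main__":
    key = bytes.fromhex("0123456789")              # constructed 40-bit WEP key
    iv = bytes.fromhex("000001")                    # constructed IV, reused on purpose
    pa = b"GET / HTTP/1.0"                          # constructed frame payloads
    pb = b"pin=4321 ok!!!"
    ca, cb = wep_encrypt(key, iv, pa), wep_encrypt(key, iv, pb)
    print("plaintext XOR leaks:", leaked_xor(ca, cb) == xor_bytes(pa, pb))
    print("recovered:", recover_other_plaintext(ca, cb, pa))
    print("frames for 50%% chance of an IV repeat: %.0f" % frames_until_iv_repeat(0.5))
```

With random IVs the birthday bound puts a repeat at roughly 4,800 frames for even odds, and many early cards reset the IV to zero at power-up and counted upward, so repeats across reboots were certain. Rekeying on a timer shortens the window but does not change the arithmetic, which is one reason WPA replaced WEP.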

physicsdevil
07-17-2004, 09:26
Originally posted by lomfs24
Several problems. You say that a stealthed network name can be found by sniffing. This is true. But you say that someone wouldn't be able to tell the range of your network. This is not true. If you are sniffing you can find network names, IP addresses, ranges, MAC addresses, number of clients, their MACs, their IPs, router maker, client hardware makers and a whole host of other "useful" info.

If I can find MAC addresses, that kind of shoots MAC filtering out of the water too. I just have to spoof my MAC address and "voila", I am on.

Simple truth: if there is a wireless network, there is a way to break it. WEP probably takes the longest to break, but even that is not foolproof.

Sniffing the bulk of the information you've suggested requires that you've already penetrated the network in some manner. I was proceeding under the assumption that the aforementioned basic security measures were already taken (i.e. WEP/WPA).

Sniffing some of that information also assumes a certain network config. Network addressing for example (used for determining an IP range) is an *optional* field in an IP packet header. Also, you can't accurately determine the number of clients on a network by passive sniffing. That's like saying you can determine the number of cars in your town by counting them as they pass by on main street. It doesn't account for systems wired to the network, passive (IDS?) systems connected via a span port, or a number of other scenarios.

"spoofing" a mac address doesn't get you on to a network. *changing* your mac address to match a valid one does...but it's not that easy if you want to be able to access network resources. You also have to be able to remove the system with the "real" mac address from the network, and keep it off (possibly via DoS or some similar attack). Of course, this is all easily detected by an IDS via sequence number analysis.

ronin_asano
07-17-2004, 10:03
Originally posted by physicsdevil
Sniffing the bulk of the information you've suggested requires that you've already penetrated the network in some manner. I was proceeding under the assumption that the aforementioned basic security measures were already taken (i.e. WEP/WPA).

Sniffing some of that information also assumes a certain network config. Network addressing for example (used for determining an IP range) is an *optional* field in an IP packet header. Also, you can't accurately determine the number of clients on a network by passive sniffing. That's like saying you can determine the number of cars in your town by counting them as they pass by on main street. It doesn't account for systems wired to the network, passive (IDS?) systems connected via a span port, or a number of other scenarios.

"spoofing" a mac address doesn't get you on to a network. *changing* your mac address to match a valid one does...but it's not that easy if you want to be able to access network resources. You also have to be able to remove the system with the "real" mac address from the network, and keep it off (possibly via DoS or some similar attack). Of course, this is all easily detected by an IDS via sequence number analysis.

I'm not that familiar with WPA yet, but WEP will do nothing to keep a passive scanner from getting the IP addresses and MAC addresses of the clients currently on the network, and it will also not protect the SSID.

All of that is sent in clear text. No network penetration of any kind is required; you just need to be in range of the targeted network.

Spoofing a MAC address *can* and does get you on to the network, when Windows machines are involved.

Check out the following excerpt (http://www.oreillynet.com/lpt/a/4081) from the O'Reilly book Wireless Hacks. It provides an overview of how simple it is to crack a WEP network and begin using it.

Of course, the section of the book is more detailed, but I think you get the idea from that link.

As far as intrusion detection goes, most home users have no clue what that is. They aren't even running any type of encryption, nor have they taken even the simplest of security measures. They are not likely to detect a hacker.

That said, a hacker is not likely to go after such 'easy pickings' either.

physicsdevil
07-17-2004, 11:03
Originally posted by ronin_asano
I'm not that familiar with WPA yet, but WEP will do nothing to keep a passive scanner from getting the IP addresses and MAC addresses of the clients currently on the network, and it will also not protect the SSID.

All of that is sent in clear text. No network penetration of any kind is required; you just need to be in range of the targeted network.

Right. When I was talking about network range, I meant that there's no easy way to determine the size of the network without the optional IP headers set. Relevant quotes from the article: "Kismet could not reveal the IP range, because it didn't have the WEP key." and "AirSnort was successful in finding the WEP key (t8$Gc) after only 3.4 million packets." and "I think this was a particularly lucky run, as many people have reported having to log a couple of gigabytes of data before AirSnort could guess the key." He was also purposefully generating traffic within his wireless network for this test.


spoofing a mac address *can* and does get you on to the network, when windows machines are involved.

check out the following excerpt (http://www.oreillynet.com/lpt/a/4081) from the O'reilly book Wireless Hacks. it provides an overview of how simple it is to crack a wep network and begin using it.

This is just a terminology issue. Spoofing your MAC address is not the same as changing your MAC address. They're two different things used to perpetrate two different types of attacks. Notice that the word "spoof" wasn't mentioned in the article? That's because he "changed" his MAC address: "ifconfig eth1 hw ether 00:30:65:1E:81:9B" MAC address spoofing is usually used in MitM style attacks.

As far as duplicate MAC addresses, that was my bad. My WAP/router will detect dupe MAC addresses and shut them down for a pre-determined period of time. I had assumed that most WAPs had the same functionality.



As far as intrusion detection goes, most home users have no clue what that is. They aren't even running any type of encryption, nor have they taken even the simplest of security measures. They are not likely to detect a hacker.

That said, a hacker is not likely to go after such 'easy pickings' either.

Just because somebody proclaims themselves a "hacker", doesn't mean (s)he is smarter than a "user". There are educated and un-educated users. Just like there are hackers and h@x0rs. Here's an IDS that's pretty much ready-to-go. It's a single exe installer for Windows: http://www.engagesecurity.com/products/eaglex/
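lomfs24 and physicsdevil argue above over what MAC filtering and a small address plan buy you, and physicsdevil names sequence-number analysis as the way an IDS catches a station using someone else's MAC. What follows is an added example, not code from the thread or from any access point or IDS vendor, that puts the three controls side by side as an AP would apply them: gudel's /29 plan (6 usable addresses), a MAC allowlist, and a check over 802.11 sequence numbers. Every 802.11 transmitter keeps a 12-bit sequence counter that advances by one per frame (a retry repeats the number), so when a second radio borrows an allowed MAC the AP sees two interleaved counters and large jumps for that one address. The network, MAC addresses, frame records and the gap tolerance are all constructed assumptions for the demonstration.

```python
# Added example (not from the thread): AP-side admission checks plus cloned-MAC detection.
import ipaddress

# Constructed configuration for the demonstration.
LAN = ipaddress.ip_network("192.168.1.0/29")        # 255.255.255.248: 6 usable hosts
ALLOWED_MACS = {"00:30:65:1e:81:9b", "00:02:2d:4a:11:7c"}
SEQ_MODULUS = 4096                                  # 12-bit 802.11 sequence number
MAX_GAP = 64                                        # assumed tolerance for lost frames


def usable_hosts(network: ipaddress.IPv4Network) -> list:
    """Addresses a static-IP client may legitimately use (network and broadcast excluded)."""
    return [str(h) for h in network.hosts()]


def admit(mac: str, ip: str) -> tuple:
    """Admission decision for a station: MAC allowlist first, then the address plan.
    Returns (admitted, reason)."""
    mac = mac.lower()
    if mac not in ALLOWED_MACS:
        return False, "mac-not-allowed"
    if ip not in usable_hosts(LAN):
        return False, "ip-outside-plan"
    return True, "ok"


def detect_cloned_macs(frames) -> list:
    """Flag frames whose 802.11 sequence number jumps too far from the last one seen
    for the same source MAC. `frames` is an iterable of (src_mac, seq_number).
    A legitimate station advances in small positive steps (wrapping at 4096) and a
    retry repeats the number (gap 0), so only gaps above MAX_GAP are reported.
    Two radios sharing one MAC produce interleaved counters and repeated alerts."""
    last_seq = {}
    alerts = []
    for index, (mac, seq) in enumerate(frames):
        mac = mac.lower()
        if mac in last_seq:
            gap = (seq - last_seq[mac]) % SEQ_MODULUS
            if gap > MAX_GAP:
                alerts.append((index, mac, last_seq[mac], seq))
        last_seq[mac] = seq
    return alerts


# Constructed capture: station ...9b counts 100, 101, ...; a second radio using the
# same MAC appears at frame 4 with its own counter near 2200.
FRAMES = [
    ("00:30:65:1e:81:9b", 100),
    ("00:30:65:1e:81:9b", 101),
    ("00:02:2d:4a:11:7c", 4095),
    ("00:30:65:1e:81:9b", 102),
    ("00:30:65:1e:81:9b", 2200),
    ("00:30:65:1e:81:9b", 103),
    ("00:30:65:1e:81:9b", 2201),
    ("00:02:2d:4a:11:7c", 0),      # legitimate wrap 4095 -> 0 is a gap of 1, not flagged
]


if __name__ == "__main__":
    print("usable addresses:", usable_hosts(LAN))
    print(admit("00:30:65:1E:81:9B", "192.168.1.3"))
    print(admit("00:30:65:1E:81:9B", "192.168.1.9"))
    print(admit("00:de:ad:be:ef:00", "192.168.1.3"))
    for index, mac, prev, seq in detect_cloned_macs(FRAMES):
        print("frame %d: %s jumped %d -> %d" % (index, mac, prev, seq))
```

The allowlist and the address plan stop the casual joiner; the sequence check is what catches the case lomfs24 describes, where the MAC was copied from a sniffed frame. The tolerance is a tuning knob: too small and a noisy link alerts on ordinary frame loss, too large and a clone that talks rarely slips through.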

ronin_asano
07-17-2004, 12:03
Originally posted by physicsdevil
Right. When I was talking about network range, I meant that there's no easy way to determine the size of the network without the optional IP headers set. Relevant quotes from the article: "Kismet could not reveal the IP range, because it didn't have the WEP key." and "AirSnort was successful in finding the WEP key (t8$Gc) after only 3.4 million packets." and "I think this was a particularly lucky run, as many people have reported having to log a couple of gigabytes of data before AirSnort could guess the key." He was also purposefully generating traffic within his wireless network for this test.


You have to have packets to capture to get anything.



This is just a terminology issue. Spoofing your MAC address is not the same as changing your MAC address. They're two different things used to perpetrate two different types of attacks. Notice that the word "spoof" wasn't mentioned in the article? That's because he "changed" his MAC address: "ifconfig eth1 hw ether 00:30:65:1E:81:9B" MAC address spoofing is usually used in MitM style attacks.


Spoofing is not mentioned in the link I posted, but it is covered in the section of the book that text is taken from.



As far as duplicate MAC addresses, that was my bad. My WAP/router will detect dupe MAC addresses and shut them down for a pre-determined period of time.


Right. Windows is too 'stupid' to realize it's a problem. I would think any 'professional' network would have that protection, and home products should have it, and it should be on by default. I'm not sure if my Netgear router does it, but I don't recall it being mentioned anywhere, so I don't think it does.




Just because somebody proclaims themselves a "hacker", doesn't mean (s)he is smarter than a "user". There are educated and un-educated users. Just like there are hackers and h@x0rs. Here's an IDS that's pretty much ready-to-go. It's a single exe installer for Windows: http://www.engagesecurity.com/products/eaglex/

Agreed. However, I think you will concede that most Windows users are clueless about this kind of stuff or they know just enough to be dangerous, i.e., they set up the wireless LAN in their home with all of the out-of-the-box defaults in place for whatever product they are using. That's easy pickings.

physicsdevil
07-17-2004, 12:05
Originally posted by ronin_asano
Agreed. However, I think you will concede that most Windows users are clueless about this kind of stuff or they know just enough to be dangerous, i.e., they set up the wireless LAN in their home with all of the out-of-the-box defaults in place for whatever product they are using. That's easy pickings.

Hey! I use Windows too! :)

HerrGlock
07-17-2004, 12:16
Originally posted by physicsdevil
Hey! I use Windows too! :)

There's a 12 step program available whenever you care to go ;f

DanH