Old 06-17-2007, 07:34 AM
Jeff Liebermann
Default Re: First time home wireless - how to match PC to router - setup question

Roger Harrison <RogerJHarrison2@aol.com> hath wroth:

>On Sat, 16 Jun 2007 21:16:21 -0700, Jeff Liebermann wrote:
>> You left out far too many conditions and considerations:

>Thank you for asking. I will try to faithfully answer the questions.
>
>> 1. Is the link encrypted?

>I'm not sure what that means. I'm not using VPN if that's what you're
>asking, but I am using standard WPA2-PSK authentication & AES data
>encryption as set up on the router and windows xp machine.


Then the IP addresses are NOT visible and cannot be sniffed over the
air. Obscuring and limiting the IP addresses would be effective.
However, as I pointed out, a physical attack on any client will
extract a usable WPA key, which can then be used to decrypt a capture
file, and thus extract the necessary IP addresses. In short, unless
you have WPA2-RADIUS and very good physical control over the clients,
IP address limiting is not going to do much.

>> 2. What's the LAN netmask?

>On the router, it is 255.255.255.0 and the router IP address is set to
>192.168.100.100 and changed weekly.


So, you have 254 available IP addresses. Even if you limit the DHCP
address pool to a very small number of IP addresses, a working IP
address can be easily found and configured.

I presume that you also change the IP address of the default gateway
weekly. I suppose that this security by moving target will mostly
work because most evil hackers (like me) will not think that anyone
would go through so much effort. Again, as I pointed out in my
previous description, a physical attack on the client will extract the
WPA2 shared key, which can then be used to decrypt the capture file,
which will reveal the IP address selection of the week. I note that
you do not mention changing the WPA shared key every week, so once the
evil hacker has your WPA key, extracting the IP addresses is trivial
and routine.

You might want to look at the available tools to see what can be
(easily) accomplished.
<http://www.wirelessdefence.org/Contents/Aircrack-ng_WinMain.htm>
<http://www.aircrack-ng.org>

>> 3. Where's the DHCP address pool?

>I'm not sure what this means. On my Linksys router, there is a setting for
>"Maximum Number of DHCP Users" which I've set to "3". Is that the DHCP
>pool?


Yes. It also should have a starting DHCP address, which is usually
192.168.1.100. So, with those settings, your DHCP address pool is
.100 through .102. A client connecting with DHCP will get one of
these 3 IP addresses. However, because you don't have the netmask on
the LAN side set to something less than /24, an evil hacker (like me)
can easily set their client computah to use any of the *OTHER* 251 IP
addresses, which will work just fine.

>> 4. Is there a MAC address filter?

>Yes. I currently have DEADBEEFCAFE, 0BADFEEDBEEF, & 00BADCODEFAD as my
>three MAC addresses on my windows computers and the MAC address filter in
>the router is set to only accept those three MAC addresses and they are
>changed weekly.


Changed weekly? On both the client and on the router? Well, that's
fine but completely useless, even with encryption. By necessity, all
the MAC addresses are exposed in the 802.11 headers. They are not
encrypted. A few seconds sniffing will reveal the MAC addresses in
use. Ethereal, Wireshark, Kismet, and even Netstumbler will reveal
all the MAC addresses in use. All I have to do is wait until one
particular device is not being used, and I just borrow their MAC
address.

>> 5. Any 802.1x authentication? RADIUS authorization/authentication?

>I do not have the "Enable IEEE 802.1x authentication for this network" set
>in the Windows network application for the wireless network. Neither do I
>have Radius for my home network. I just use WPA2-PSK.


Then you have a problem. I rarely attack a system directly. In this
case, the weak link is the encrypted WPA key stored on the client
computer. See WZCook:
<http://www.wirelessdefence.org/Contents/Aircrack-ng_WinWzcook.htm>
for how it's done. I have a USB dongle setup to extract the necessary
keys. It's a bit slower than I prefer, but it will do the job in
about 10 seconds, most of which is plug-n-play taking forever to
recognize the USB dongle.

>> 6. Any secure tunnels (VPN)?

>No, I am not using VPN.


That's the way you get real security. I know of several corporate
LANs that do not use any encryption on the wireless end. You can
connect, but the gateway goes nowhere. If you want to enter the
corporate LAN, it's through a VPN tunnel.

>> In my never humble opinion, the only real security available is WPA or
>> WPA2 encryption. Even that has a problem in that shared keys can be
>> extracted from the client machines.

>I am using WPA2-PSK so shared keys can be extracted, I guess.


Correct. It's not a weakness if you have good physical control over
the client machines. However, a bit of social engineering or
subterfuge, and I've got the key. For the small number of machines
you operate, it's fairly easy to replace the WPA shared key. However,
for monster corporate WLAN systems, with a huge number of clients,
that's just not going to work. That's another reason why RADIUS
authorization (passwords) and authentication (802.1x and EAP) are so
nice. There's no shared key and the security is enhanced by it being
random, messy, and unique.

>Given this information, how can anyone connect to my network when the only
>three available DHCP addresses are in use by my three PCs?


Not anyone. Someone would need to know what you're doing for
security, how it works, what you're doing to maintain it, and roughly
what you have for hardware and firmware. For a casual hacker, just
the encryption key will stop them due to lack of time. However, once
they have the encryption key, the other security measures are little
better than putting a "do not enter" sign on the door. It wouldn't
stop even a beginner.

Let me offer some (free) advice.

1. Your WPA key is your primary security. Do everything you can to
protect it. All the other filters and obstacles are worthless and
only cause complications. For example, how much work is it to add an
additional user or laptop?

2. If you can't run your own RADIUS server, then subscribe to an
online RADIUS service. For example:
<http://radiuz.net>
There are others, but it's late and I'm too lazy to dig through my
mess of bookmarks.

3. You didn't mention anything about logging. Putting a lock on the
door doesn't buy you much if you don't check the lock regularly.
That's what logging does. When something unusual appears on your
network, you would want to know about it. For simple Linksys
wireless, see AirSnare:
<http://home.comcast.net/~jay.deboer/airsnare/>

4. If your wireless operation is only during business hours, set up a
timer to disable the wireless during off hours. The evil hackers
(like me) prefer operating under cover of darkness.

--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558

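As an added defender-side illustration, not part of the post above: the post's two points that a /24 LAN with a three-address DHCP pool still leaves 251 usable addresses for a statically configured client, and that a borrowed MAC address is only noticed if you actually log and check, can be turned into a small audit over router log entries. The LAN, the DHCP pool, the MAC allow-list and the log lines are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed values modelled on the post: a /24 LAN, a three-address DHCP
# pool and three allow-listed client MACs. None of these are real.
LAN = ipaddress.ip_network("192.168.100.0/24")
DHCP_POOL = {ipaddress.ip_address(f"192.168.100.{h}") for h in range(100, 103)}
ALLOWED_MACS = {"00:11:22:33:44:01", "00:11:22:33:44:02", "00:11:22:33:44:03"}

# Constructed sample of what a router's DHCP/ARP log might look like:
# (time, client MAC, client IP).
SAMPLE_LOG = [
    ("08:00", "00:11:22:33:44:01", "192.168.100.100"),
    ("08:01", "00:11:22:33:44:02", "192.168.100.101"),
    ("08:02", "AA:BB:CC:DD:EE:FF", "192.168.100.150"),  # MAC not on the list
    ("08:05", "00:11:22:33:44:03", "192.168.100.200"),  # listed MAC, static IP outside pool
    ("08:06", "00:11:22:33:44:01", "192.168.100.101"),  # listed MAC now on a second IP
]


def addresses_outside_pool(lan=LAN, pool=DHCP_POOL):
    """Usable host addresses a static client could pick that DHCP never hands out."""
    return lan.num_addresses - 2 - len(pool)  # minus network and broadcast


def audit(entries, allowed=ALLOWED_MACS, pool=DHCP_POOL):
    """Return (time, mac, reason) alerts. These are heuristics: a lease change
    or a re-imaged laptop will also trip them, so they prompt a look, not a block."""
    alerts = []
    ips_by_mac = defaultdict(set)
    macs_by_ip = defaultdict(set)
    for ts, mac, ip in entries:
        mac = mac.lower()
        addr = ipaddress.ip_address(ip)
        if mac not in allowed:
            alerts.append((ts, mac, "mac not in allow-list"))
        elif addr in LAN and addr not in pool:
            # MAC filter passed, but DHCP never gave out this address.
            alerts.append((ts, mac, "allowed mac using address outside dhcp pool"))
        ips_by_mac[mac].add(addr)
        macs_by_ip[addr].add(mac)
        if len(ips_by_mac[mac]) > 1:
            alerts.append((ts, mac, "same mac seen on more than one ip"))
        if len(macs_by_ip[addr]) > 1:
            alerts.append((ts, mac, "ip claimed by more than one mac"))
    return alerts


if __name__ == "__main__":
    print(addresses_outside_pool(), "addresses available to a static client")
    for alert in audit(SAMPLE_LOG):
        print(*alert)
```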