"Sebastian G." <seppi@seppig.de> wrote in
news:68kcijF2sbr7oU1@mid.dfncis.de:
> bz wrote:
>
>> "Sebastian G." <seppi@seppig.de> wrote in
>> news:68jrooF2t4jo8U1@mid.dfncis.de:
>>
>>> bz wrote:
>>>
>>>> "Kyle T. Jones" <Email@reallyrealdomain.net> wrote in
>>>> news:fvvj3k$a5m$1@aioe.org:
>>>>
>>>>> Sebastian G. wrote:
>>>>>> Kyle T. Jones wrote:
>>>>>>
>>>>>>
>>>>>>> http://www.howtodothings.com/compute...o-protect-a-linksys-wrt54g-router-using-wap-and-wep
>>>>>>>
>>>>>> But please omit the step of disabling SSID broadcast. It doesn't
>>>>>> change anything about the security and doesn't make your network
>>>>>> invisible at all, but it surely creates a lot of trouble with your
>>>>>> client accidentally trying to connect to someone else's network.
>>>>> Good point.
>>>> I don't follow the logic. Disabling SSID makes it more difficult for
>>>> someone to connect to my wireless router (WEP turned on also).
>>>
>>> Actually it makes it easier for them to accidentally connect to your
>>> network instead of another SSID-disabled network.
>>
>> HOW? They need to know my router's SSID. It has an SSID, it just
>> doesn't broadcast it.
>
>
> We're talking about MAC layer connections. First you connect on the MAC
> layer, eventually guided by a known SSID, and then the connection
> partners negotiate about the actual connection parameters.
Hmmm. From what I can gather from reading the IEEE 802.11 working doc
802.11-2007.pdf from the IEEE web site, neither one of us has been using
the right terminology. It looks like both my router and my laptop network
devices are STAs; one (the laptop) is an STA client, the other is an
AP (access point) STA. They can be 'associated' or 'disassociated'.
"Before a STA is allowed to send a data message via an AP, it shall first
become associated with the AP."
And they talk to each other over PHY (the physical layer).
"STAs may be hidden from each other".
"IEEE 802.11 is required to look like a wired network to higher layers."
It appears that the SSID is used as part of the associate request at the
MAC level.
It is going to take me a while to read through the 1232 pages of the
document.
Perhaps you can save me some trouble and tell me how my router STA is
supposed to respond to active probing (is that legal in this
jurisdiction?) when bulletin broadcasting is turned off and how the
wardriver even knows my STA is here. Assuming, of course, that the
wardriver passes when I am not using my network but my router is turned
on.
>> It DOES respond when my WiFi card says 'hey, (MyRouterSSID), I want to
>> connect to you, doesn't it?
>
>
> It also responds to "hey, nameless router, let's setup an encrypted
> session. If you can decrypt what I sent, and it shows your SSID, then
> we're partners. If not, then let's try it again."
>
>
> And the Node number is the MAC address combined with the channel number.
What is this called?
>
>> If Node#1 isn't broadcasting anything, I need to know its name to
>> contact it, (and the channel/frequency it listens on).
>
>
> Hey, nameless routers on channel 7. Give me some random identifiers.
> Hey, router SOME_RANDOM_IDENTIFIER on channel 7, let's try setting up a
> session.
Hey, computer owner, I see the following access points. Which one do you
want me to establish an association with? [I do NOT see any of the SSIDs
that you have previously told me to talk to.]
>>>> They will have to wait until I have a connection in progress and
>>>> sniff that to find the router's SSID.
>>>
>>> This would require cracking the encryption.
>>
>> Agreed.
>
>
> And as such the SSID is obviously a public parameter. If you broadcast
> the SSID, they would still have to crack the encryption to get access.
And cracking the encryption takes either
1) collecting lots of encrypted transmissions [about a day's worth]
or
2) a very lucky guess. [would 'normally' take weeks of guesses to hit.]
> If you don't broadcast the SSID, well, then they have to break the
> encryption of the currently nameless network, and if they were
> successful, they would also immediately find the SSID. That is, the SSID
> would always end up with them if they break it, and would be useless
> anyway if they don't break it.
>
> And breaking it doesn't require the SSID.
>
>>> They can simply send packet to the router
>>
>> HOW do they send a packet to the router? They don't even know it is
>> there.
>
>
> They can clearly see how it sends beacon requests on a fixed channel
> with a pseudo-unique identifier, and also with its MAC addressing
Where do I find this in the specs?
>
>> It isn't broadcasting.
>
>
> It is. It just doesn't broadcast INVITE requests.
Where do I find this in the specs?
>
>> It does NOT respond to a transmission unless it is addressed to it.
>
>
> And you can address it either by its channel, by its channel and a
> pseudo-unique identifier delivered upon request, or by its MAC address.
If it isn't broadcasting, I would need to send a probe request on each
channel asking 'who hears me'? If it is broadcasting, all I need to do is
listen for a while [on all channels].
>> I don't think there is a 'all routers please broadcast' command for
>> IEEE 802.11, but I could be wrong.
>
>
> There is.
What is it called?
>
>> I know that such a command exists on wired
>> ethernet but would not expect it on wireless.
>
>
> Why not? After all it's an ISO/OSI stack protocol. Heck, it even has an
> Ethernet emulation layer.
Yes but that should be at a higher layer, shouldn't it?
It should EMULATE not duplicate.
But I must admit that the specs are a bit confusing.
>>> Your laptop tries to connect to the other router on the MAC layer,
>>> tries to establish an association, with the SSID, and fails.
>>
>> My laptop knows the SSID because I configured it to talk to
>> (MyRouterSSID), doesn't it?
>
>
> This is for association setup that only happens after you have
> negotiated on the MAC layer. After all, how should this work? You can't
> identify which router is yours (since it doesn't broadcast the SSID),
> and you're supposed to choose to which one you want to talk to.
I would think that it knows its own ID and listens for calls addressed to
that ID, properly encrypted, on the proper channel. I would expect it to
ignore improper calls, those not addressed to it and those not properly
encrypted.
>> The router can run its beacon, saying 'This is MyRouterSSID' every 100
>> ms (or other time interval, as configured)
>
>
> Well, then it would be broadcasting the SSID...
Yep. But broadcast can be turned off, and I have done so now.
>
>> or it can sit there and just listen for calls such as
>
>
> nameless router, I'm nameless laptop. Let's talk encrypted.
> encrypted("is this your SSID?"). No, damn. OK, everyone, who is here? Ah
> you! Hello nameless router... (and you wouldn't even notice that you're
> always talking to the same).
Why not encrypted(MyRouterSSID) this is encrypted(MyLaptopSSID). Do you
copy??? Over (repeat until answer received or timeout period has expired,
then report: No (MyRouterSSID) heard. Here is a list of APs heard. Do you
want to talk to one of them?
.....
>
>>> OK, you can connect to (NAMELESS NETWORK), (NAMELESS NETWORK) or
>>> (NAMELESS NETWORK). Now which one is it?
>>
>> I don't try to connect to (nameless network), I try to connect to
>> (MYROUTERSSID)
>
>
> And how would you find this one if you have disabled SSID broadcasting?
It is ALWAYS listening for proper calls. It just doesn't say
HEY any STA, this is (MyRouterSSID) listening for properly encrypted calls
on this channel. Go ahead.
>
>> and if I can't find (MYROUTERSSID) then I don't get a
>> connection unless there is a network with an SSID that I have
>> previously configured for connection.
>
>
> Right. But you may also not get a connection even if your router is
> among these, since you're only trying to talk to the other ones. A
> wonderful way to shoot yourself in the foot.
I have not seen any such problem yet.
Now at my office, we have two wireless networks and IF I allow my laptop
to connect to ANY network AND if the secure net is down, my laptop will
talk to the insecure routers. But it is pretty easy to remove the
configuration for the insecure net from the list of permitted networks.
Then, if the secure net is down, I don't get any connection.
>
>> I just tried an experiment. I turned off the SSID broadcast on my
>> wireless router (It was on).
>> I turned off my network card.
>> I started NetStumbler and turned on my card. I could not see my
>> wireless router. (NetStumbler prevents connection).
>> There were no broadcasts from the Wireless MAC address.
>
>
> But you could see a SSID-less network, couldn't you?
I could see MINE, after I established connection to it.
I did NOT see it by just listening.
I would need to fire up a computer that had not previously connected to my
router and see what it reports.
I just tried my SMC usb wireless adapter on my laptop but I seem to have
problems finding drivers.
>> I shut down stumbler and cycled my WiFi card off and back on.
>> It established contact with my wireless router. It DID see a neighbors
>> OPEN router that broadcasts its SSID the first time I powered it on and
>> would have connected, if I allowed it to do so, however I doubt it
>> would connect to anything that does NOT broadcast an SSID.
>
>
> Like your very own router? Hm?
So to test the idea I really need two AP STAs (non broadcasting) plus at
least one STA client.
I will check with our campus wireless experts and see what they say about
your idea.
>> My Dell network card manager sees only one (nonbroadcasting) in its
>> monitoring window.
>
>
> Which might be yours, or someone else's.
It was mine.
>> But I don't see anyone else running with broadcast off (and am unlikely
>> to do so with these tools).
>
>
> Maybe you're living far away from civilization? Heck, just on my weekly
> 2-hour train+bus tour I can catch hundreds of networks.
They are broadcasting their SSID.
How would you know anything about those that don't?
>
>> Are you assuming OPEN routers running with default SSIDs but with
>> broadcast turned off?
>
>
> I suggest adjusting the SSID to clarify the purpose of your network,
> thereby exactly fulfilling its functionality, e.g. PRIVATE. And make
> sure not to duplicate any existing name of a nearby network. That is,
> your network is clearly visible to both you and outsiders, but they
> should understand that it's your private network, so you could hold them
> legally responsible if they try to interfere with it. And you can
> clearly identify it as yours.
I think that deliberately using someone's wireless without their express
permission could be expensive. That is regardless of whether they have
taken any steps to secure their router.
As for getting caught... it happens. It may not be likely but it does
happen.
--
bz
please pardon my infinite ignorance, the set-of-things-I-do-not-know is an
infinite set.
bz+csm@ch100-5.chem.lsu.edu remove ch100-5 to avoid spam trap
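[Editor's note, not part of the thread above.] The posters argue about what a "non-broadcasting" AP actually puts on the air and what the "all routers please broadcast" command is called. In 802.11 terms: an AP with SSID broadcast disabled still transmits Beacon frames on its channel from its BSSID MAC address; it only replaces the SSID element with a zero-length one. The "who is here" command is a Probe Request carrying the wildcard (empty) SSID element; a hidden AP ignores those but answers a Probe Request that names its SSID, and the client has to send that name in cleartext, so a passive sniffer on the channel learns it the moment a legitimate client probes or associates. The following added example (not code from any of the posters) builds and parses the three management frames in memory to show exactly what leaks. The BSSID and client MAC addresses are constructed; the SSID MyRouterSSID and channel 7 are taken from the thread. No radio is involved.

```python
"""Toy 802.11 management-frame builder/parser: what a 'hidden' SSID hides.
Constructed example; frames are built and parsed in memory, no radio."""
import struct

# Frame Control: version 0, type 0 (management); subtype lives in bits 4-7.
SUBTYPE_PROBE_REQ, SUBTYPE_PROBE_RESP, SUBTYPE_BEACON = 4, 5, 8
IE_SSID, IE_DS_PARAMS = 0, 3          # element IDs: SSID, DS Parameter Set (channel)
BROADCAST = b"\xff" * 6


def ie(tag, value):
    """One information element: ID byte, length byte, value (<= 255 bytes)."""
    return bytes([tag, len(value)]) + value


def parse_ies(body):
    """Walk a tagged-parameter list into {id: value}; stops cleanly if truncated."""
    out, i = {}, 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        out[tag] = body[i + 2:i + 2 + length]
        i += 2 + length
    return out


def mgmt_header(subtype, dst, src, bssid):
    """24-byte management MAC header: FC, duration, addr1..3, sequence control."""
    return (struct.pack("<HH", subtype << 4, 0) + dst + src + bssid
            + struct.pack("<H", 0))


def beacon_like(subtype, dst, bssid, ssid, channel):
    """Beacon and Probe Response share a body: timestamp, interval, capability, IEs."""
    fixed = struct.pack("<QHH", 0, 100, 0x0011)   # 100 TU interval; ESS + Privacy bits
    return (mgmt_header(subtype, dst, bssid, bssid) + fixed
            + ie(IE_SSID, ssid) + ie(IE_DS_PARAMS, bytes([channel])))


def build_beacon(bssid, ssid, channel, hidden):
    # A 'hidden' AP still beacons from its BSSID; it just sends an empty SSID element.
    return beacon_like(SUBTYPE_BEACON, BROADCAST, bssid, b"" if hidden else ssid, channel)


def build_probe_request(src, ssid=None):
    # ssid=None is the wildcard probe ('all APs, identify yourselves');
    # a directed probe carries the target SSID in cleartext.
    return mgmt_header(SUBTYPE_PROBE_REQ, BROADCAST, src, BROADCAST) + ie(IE_SSID, ssid or b"")


def parse_frame(frame):
    """Pull subtype, addresses, SSID and channel out of a management frame."""
    fc, = struct.unpack_from("<H", frame, 0)
    subtype = (fc >> 4) & 0xF
    src, bssid, body = frame[10:16], frame[16:22], frame[24:]
    if subtype in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
        body = body[12:]                 # skip timestamp + interval + capability
    ies = parse_ies(body)
    chan = ies.get(IE_DS_PARAMS)
    return {"subtype": subtype, "src": src, "bssid": bssid,
            "ssid": ies.get(IE_SSID, b"").decode(errors="replace"),
            "channel": chan[0] if chan else None}


def ap_handle_probe(ap, frame):
    """AP-side rule: answer wildcard probes only when broadcasting the SSID;
    always answer a directed probe that names this network."""
    req = parse_frame(frame)
    if req["subtype"] != SUBTYPE_PROBE_REQ:
        return None
    if req["ssid"] == "" and ap["hidden"]:
        return None                      # hidden AP stays quiet on 'who is here?'
    if req["ssid"] not in ("", ap["ssid"].decode()):
        return None                      # somebody else's network
    return beacon_like(SUBTYPE_PROBE_RESP, req["src"], ap["bssid"], ap["ssid"], ap["channel"])


def what_a_sniffer_learns(frames):
    """Passive observer on the channel: BSSIDs/channels from beacons and responses,
    plus any SSID that appears in cleartext in probes or probe responses."""
    learned = {"bssids": {}, "ssids": set()}
    for f in frames:
        p = parse_frame(f)
        if p["subtype"] in (SUBTYPE_BEACON, SUBTYPE_PROBE_RESP):
            learned["bssids"][p["bssid"].hex(":")] = p["channel"]
        if p["ssid"]:
            learned["ssids"].add(p["ssid"])
    return learned


def demo():
    """Hidden AP, one wildcard probe (ignored), one directed probe (answered)."""
    ap = {"bssid": bytes.fromhex("001122334455"),      # constructed BSSID
          "ssid": b"MyRouterSSID", "channel": 7, "hidden": True}
    client = bytes.fromhex("66778899aabb")             # constructed client MAC
    air = [build_beacon(ap["bssid"], ap["ssid"], ap["channel"], ap["hidden"])]
    for probe in (build_probe_request(client), build_probe_request(client, ap["ssid"])):
        air.append(probe)
        resp = ap_handle_probe(ap, probe)
        if resp:
            air.append(resp)
    return what_a_sniffer_learns(air)


if __name__ == "__main__":
    print(demo())
```

Reading the result: the beacon alone already gives the sniffer the AP's MAC address and channel (it is not silent, it is merely nameless), the wildcard probe goes unanswered, and the first directed probe from the owner's own laptop hands over MyRouterSSID in the clear, followed by a Probe Response that repeats it. Real APs vary in how they hide the name (some send a zero-length element, others an element of the real length filled with nulls), and the Association Request the client sends next also carries the SSID unencrypted, so the conclusion in the thread that the SSID is a public parameter holds either way.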