Roger Harrison <RogerJHarrison2@aol.com> hath wroth:
>On Sun, 17 Jun 2007 00:34:07 -0700, Jeff Liebermann wrote:
>> Then the IP addresses are NOT visible and cannot be sniffed over the
>> air. Obscuring and limiting the IP addresses would be effective.
>> However, as I pointed out, a physical attack on any client will
>> extract a usable WPA key, which can then be used to decrypt a capture
>> file, and thus extract the necessary IP addresses.
>By "physical", do you mean hands-on access to the router & the PC machine?
Yes. If I can get my hands on the machine, I can extract enough
information to enable me to connect to your network. Simple things
like having the screen blanker demand a password will slow me down
considerably. However, if I can boot the machine with my favorite
cracker CDROM, I can bypass almost all the Windoze security features.
There are plenty of Linux boot CDROMs (and floppies) that will mount
an NTFS filesystem, and neatly extract the registry files. They can
also edit the registry which includes changing the administrator
>If it matters, I also change my "pre-shared key" weekly (it's just a long
>string of gibberish which I ad hoc write down on paper and then set my
>machines to every Sunday).
That's fine, but again, if I have physical access, I can extract the
key from the registry.
There may be another problem here. If the WPA key is short enough
that you can scribble it down, and pound it into several machines plus
your router, it must be fairly short. Be advised that short pass
phrases can be cracked by brute force. I believe that 20 characters
minimum is considered best practices.
Also, be sure to hide or destroy the paper you scribbled down the pass
phrase. My all time winning clueless customer would reassign
passwords monthly, and then post the list on a bulletin board so that
everyone was informed of the changes. It took a while to explain what
was wrong with that procedure.
>>>> 2. What's the LAN netmask?
>>>On the router, it is 255.255.255.0
>> So, you have 254 available IP addresses.
>Oh no! I did not realize that. I change both the router starting IP address
>and the router login address every Sunday. For example, I just changed to a
>starting IP address of 192.168.120.134 and I changed to a router login
>address of 192.168.200.134.
If you're going to do all that (not recommended) please read up on how
netmask and IP subnets operate. There are numerous calculators
online. You can't just pick an IP address at random. This looks
The router IP address must be within the netmask IP address range or
the client cannot connect. Most router firmware is smart enough to
inform you that you might be unable to connect if you plant it outside
the netmask range. However, some don't and you'll find yourself
unable to access the router. Punching the reset button will recover,
but you should save a settings backup file to make recovery easier.
>One question: Do I have to use 192.168.xxx.xxx?
The available RFC1918 IP addresses are:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
If you pick anything outside of these ranges, you run the risk of
duplicating the address of some internet user or server. That's why
these were reserved for your use. They don't route anywhere.
Some routers will demand that you use one of these, because they have
preconfigured anti-spoofing filters with these addresses
pre-configured. If someone tries to pretend that they're on your
inside LAN, but is connected via the WAN (internet) port, these
filters will stop them. If you pick something outside of the
acceptable IP ranges, they won't.
>Can I use, for example,
>22.214.171.124 as my router login address and, for example,
>126.96.36.199 to 188.8.131.52 as my 3 available DHCP addresses?
No. Two problems. The first I explained in the previous paragraph on
the use of RFC1918 non-routeable IP addresses. The 2nd I explained a
bit earlier in that the IP address of the router MUST be within the
netmask range. If you use 184.108.40.206 as your router's IP
address, then the DHCP range must be between 220.127.116.11 and
18.104.22.168 for the default netmask of 255.255.255.0.
>Even so, what is the logic of the Linksys router question asking how many
>IP addresses I wish to limit it to while the netmask should have done that
254 usable IP addresses is a rather small sandbox to play inside if
you have a large network. Running out of DHCP addresses to assign is a
common problem. By limiting the number of assignable IPs in the
pool, more devices can be accommodated. In other words, DHCP range
limiting was never intended to be some kind of security feature.
>I'm confused because you say a netmask of 255.255.255.0 allows way
>more than 3 IP addresses.
Correct. It allows 253 IP addresses plus one for the IP address of
the router plus another one for the broadcast address. All DHCP does is
deliver a unique IP address, gateway, DNS servers, and a mess of other
junk depending on system, to the client. If the client already has a
static IP address, and knows the DNS servers and gateway IP, then they
don't need anything from the DHCP server. Again, DHCP is NOT a
>> I presume that you also change the IP address of the default gateway
>Yes. And the MAC address & hostname of BOTH the router and the windows PCs
>because I read a good hacker can see both the router and the pc behind the
Sorta. By sniffing the internet traffic, I can watch the sequence
numbers and deduce the number of clients hidden behind your NAT
router. However, unless you've left open IP ports, or your router has
a security problem, I cannot "see" anything behind your NAT router.
Sniffing the WAN side traffic will NOT show any internal MAC or IP
addresses as these appear as if everything were coming from the
router's WAN IP and MAC address. Try it. Plant a hub (not a switch)
between your router and your DSL or cable modem. Sniff with Wireshark
or Ethereal. See any MACs or IPs from the LAN side of the router? I
>> I note that you do not mention changing the WPA shared key every week
>That's what started this whole thing actually. I learned I should change my
>pre-shared-key - and - while I was there, I figured I may as well change
>everything I could. I even changed all the beacon and interval numbers but
>then the router didn't work so I had to reset the router and go more slowly
>with the changes of everything I could.
Chuckle. My domain is LearnByDestroying.com. Welcome to the club. I
also like to change things to see what happens. Incidentally, when I
worked in engineering many years ago, the drafting department gave me
a "change everything" rubber stamp as a present.
As I said in my previous rant, your primary and probably sole real
security feature is the WPA or WPA2 shared key. That should be the
only thing of importance here. If that's compromised, I can work
around all the other tricks you've mentioned.
>> You might want to look at the available tools to see what can be
>> (easily) accomplished.
>I tried airsnare to see if I could find out who was connecting to me, which
>installed ethereal and winpcap, but I can't get it to capture anything yet,
>not even things on my own network. So I must be doing something wrong.
If you did this on a Windoze machine, it won't work. The monitor or
promiscuous modes are conspicuously absent in Windoze NDIS drivers.
That's not a problem with Linux drivers, but you have to pick and
choose your hardware carefully. There is a wireless Windoze
However, if you used an ethernet port to do the sniffing, you should
have been able to see packets from the entire network with Windoze.
Another common problem, especially with AirSnare is that users try to
use an ethernet switch instead of a hub for sniffing. A switch will
only show traffic coming or going to/from the port that the sniffer is
plugged into. All other traffic never goes to this port. So, you see
nothing. Either use a hub, which is really a repeater that repeats
everything going into any port to all the other ports, or get a high
end ethernet switch that has a configurable monitor port.
>>>> 3. Where's the DHCP address pool?
>> So, with those settings, your DHCP address pool is
>> .100 through .102. However, because you don't have the netmask on
>> the LAN side set to something less than /24, an evil hacker (like me)
>> can easily set their client computah to use any of the *OTHER* 251 IP
>> addresses, which will work just fine.
>Oh. Should I use a different netmask to limit the "hidden" allowable IP
Yep. That's what I've been trying to explain for the last 3 messages.
Using DHCP to limit available IPs with a /25 netmask doesn't work.
>>>> 4. Is there a MAC address filter?
>> A few seconds sniffing will reveal the MAC addresses in use.
>> Ethereal, Wireshark, Kismet, and even Netstumbler will reveal
>> all the MAC addresses in use.
>You know, since I am on winxp, I tried Network Stumbler (actually the
>hacked netcrumbler which allows connections at the same time) and all I see
>is the MAC address of my access point. I do NOT see the MAC address of any
>client machines. Does netstumbler really provide the MAC addresses of the
No. Netstumbler is NOT a passive sniffer. It's an active probe that
sends probe request broadcasts to which only the access points respond.
Netstumbler will not show clients. There are some kludges for Windoze
that do this, but I prefer to use a Linux LiveCD. I suggest using:
Boot it and run kismet, which is a passive sniffer. That should show
client MAC addresses (if you have a compatible wireless card).
>And, with Ethereal, when I say "Capture > Options > MyWirelessCard", and
>then "Capture > Start", all I get is a "Captured Packets" window that never
I'm not going to try and troubleshoot Ethereal or Wireshark via
newsgroup. See section 7 of the FAQ at:
>I can't believe I'm (accidentally) so secure that Ethereal can't capture my
>packets nor Netstumbler will find my windows pc MAC address. So, I must be
>doing something wrong.
I can't tell from here. I had plenty of trouble figuring out how to
use Ethereal and then Wireshark. After you start capturing packets,
your next headache will be filters or you'll be buried in too much
>>>> 5. Any 802.1x authentication? RADIUS authorization/authentication?
>>>I just use WPA2-PSK.
>> Then you have a problem.
>> the weak link is the encrypted WPA key stored on the client
>Oh no. I must research this radius thing. I am a home user. I thought
>Radius (whatever it is) was for office users. I must look this up. Thank
>you for the pointer.
RADIUS usually is for office use. It has many advantages, but it's
big and ugly. Too big for inclusion inside most cheapo routers. There
are some that have built in RADIUS servers, but most do not. Most home
users do not need the level of security you're attempting. Again,
encryption is your primary security device. RADIUS offers a method of
delivering unique encryption keys per session so you don't have to
screw with fabricating a shared key, protecting it, and changing it
erratically. In my opinion, you don't need it for home use. Just use
the WPA key and keep it well protected.
>>>> 6. Any secure tunnels (VPN)?
>>>No, I am not using VPN.
>> That's the way you get real security.
>I'm confused. I use VPN when connecting to my company but I thought VPN
>needed a client and a server. On a home network, if I used vpn, my PC would
>be the client but could the Linksys WRT54G router act as the server?
I wasn't thinking of it like that. I actually do just that at one
client's. The wireless network is unencrypted and looks wide open.
However, to connect to the inside office network, you have to fire up an
IPSec VPN client, which connects to a VPN gateway on the wireless LAN.
It's quite secure.
You could do something like that if you really want. I do but for
totally different reasons. I have a WRT54GS in both my palatial
office and house. They run DD-WRT V23 SP2 and SP3 respectively. Try
Both have PPTP VPN clients and servers. I often have the two routers
connect to each other, thus forming a VPN tunnel, which makes my
office and home network look like one big LAN. Very handy for working
at home. I also use the VPN PPTP termination for checking my email
when I'm on a laptop at a public hotspot. All the traffic is
encrypted by the tunnel, so hotspot sniffing is useless.
Incidentally, not all WRT54G routers can handle alternative Linux
firmware. Look on the serial number tag and disclose the hardware
revision number. See:
>> once they have the encryption key, the other security measures are little
>> better than putting a "do not enter" sign on the door. It wouldn't
>> stop even a beginner.
>I'll keep this in mind and try to secure my pre-shared keys and change them
>more often and make them even longer now.
I'm not getting through to you. Leave the encryption key alone for a
while. Change it every few months if you must. Forget about the
other methods of security by obstacle course. They only get in the
way. Use some form of monitoring to determine what your network is
doing and who is on it.
>> You didn't mention anything about logging. Putting a lock on the
>> door doesn't buy you much if you don't check the lock regularly.
>> That's what logging does. When something unusual appears on your
>> network, you would want to know about it. For simple Linksys
>> wireless, see AirSnare:
>I'm still trying to get AirSnare to work. It gives an error which I'm
>trying to figure out.
>> 4. If your wireless operation is only during business hours, set up a
>> timer to disable the wireless during off hours. The evil hackers
>> (like me) prefer operating under cover of darkness.
>Interesting. I never thought of that!
>This is a WONDERFUL discussion! I very much appreciate your expert (super
>expert in fact) advice!
You might want to read the FAQ for alt.internet.wireless.
FAQ for Wireless Internet: <http://Wireless.wikia.com>
FAQ for Wi-Fi: <http://wireless.wikia.com/wiki/Wi-Fi>
Wi-Fi How To: <http://wireless.wikia.com/wiki/Wi-Fi_HowTo>
Fixes to Wi-Fi Problems: <http://wireless.wikia.com/wiki/Wi-Fi_Fixes>
Jeff Liebermann email@example.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
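The netmask, RFC1918 and DHCP-pool points made in the thread above (router IP must sit inside the LAN subnet, the DHCP pool must sit inside that same subnet, addresses should come from RFC1918 space, and a /24 still exposes every non-pool address to a statically configured client) can be checked mechanically. The following is an added example, not code from the thread or from any router firmware; it uses only Python's standard `ipaddress` module. The addresses in the usage section are the ones quoted in the thread, except that the end of the three-address DHCP pools is constructed here for illustration.

```python
"""
Sanity-check a home router LAN configuration against the rules discussed
in the thread: subnet membership of router and DHCP pool, RFC1918 private
space, and how many addresses the netmask really leaves open.
"""
import ipaddress

# RFC1918 private ranges, exactly as listed in the thread.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(addr):
    """True if addr falls inside one of the three RFC1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def lan_network(router_ip, netmask):
    """The subnet implied by a router address and dotted netmask."""
    return ipaddress.ip_network(f"{router_ip}/{netmask}", strict=False)


def usable_hosts(router_ip, netmask):
    """Host addresses in the subnet, minus network and broadcast."""
    return max(0, lan_network(router_ip, netmask).num_addresses - 2)


def addresses_outside_pool(router_ip, netmask, dhcp_start, dhcp_end):
    """How many usable addresses a static client could still pick, i.e.
    the number the thread calls the *OTHER* addresses (251 for a /24
    with a three-address pool)."""
    pool = int(ipaddress.ip_address(dhcp_end)) - int(ipaddress.ip_address(dhcp_start)) + 1
    return usable_hosts(router_ip, netmask) - pool


def check_lan(router_ip, netmask, dhcp_start, dhcp_end):
    """Return a list of configuration problems; an empty list means OK."""
    problems = []
    router = ipaddress.ip_address(router_ip)
    net = lan_network(router_ip, netmask)
    start = ipaddress.ip_address(dhcp_start)
    end = ipaddress.ip_address(dhcp_end)

    if not is_rfc1918(router_ip):
        problems.append(f"router {router} is not in RFC1918 private space")
    if router in (net.network_address, net.broadcast_address):
        problems.append(f"router {router} is the network or broadcast address of {net}")
    for label, addr in (("DHCP start", start), ("DHCP end", end)):
        if addr not in net:
            problems.append(f"{label} {addr} is outside subnet {net}")
    if start > end:
        problems.append("DHCP range start is after its end")
    elif start <= router <= end:
        problems.append(f"router {router} sits inside the DHCP pool")
    return problems


if __name__ == "__main__":
    # Default Linksys-style LAN: 192.168.1.1/24, pool .100-.102 (pool end constructed).
    print(check_lan("192.168.1.1", "255.255.255.0", "192.168.1.100", "192.168.1.102"))
    print(addresses_outside_pool("192.168.1.1", "255.255.255.0",
                                 "192.168.1.100", "192.168.1.102"))
    # Router login at 192.168.200.134 with a DHCP pool starting at 192.168.120.134,
    # as described in the thread: the pool is outside the router's /24.
    print(check_lan("192.168.200.134", "255.255.255.0",
                    "192.168.120.134", "192.168.120.136"))
    # Public addresses chosen at random, as asked about in the thread.
    print(check_lan("22.214.171.124", "255.255.255.0",
                    "126.96.36.199", "188.8.131.52"))
    # A /25 netmask halves the sandbox to 126 usable addresses.
    print(usable_hosts("192.168.1.1", "255.255.255.128"))
```

Running the script prints an empty problem list for the default layout, 251 for the addresses left open beside a three-address pool, two "outside subnet" problems for the mismatched 192.168.200.x / 192.168.120.x configuration, and an RFC1918 complaint plus subnet complaints for the public-address configuration. Passing the check does not make a LAN secure; as the thread says, the shared key does that, and this only catches the "can't reach the router after changing it" class of mistake.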