Michael Zaleski on 24 Jun 2015 23:29:06 -0700



Re: [PLUG] Home wifi access point & router recommendation


+1

As I understand, the key that gets generated is (generally) based on a few factors including the BSID and the password and those two are (generally) the only opportunities a user can add 'salt to the seed.' 

The popular, though not only, attack against wpa2 seems to be capturing the 4-way handshake between a device and AP (deauth if needed) then brute forcing the key via dictionary attack or rainbow tables.

Rainbow tables are pre-computed, often by farms to distribute the computations. The idea being that you don't need an exact password match, just one that will produce a matching hash.

For the dictionary you need an exact match and there's plenty of applications that will do the usual substitutions: numbers/symbols for letters, add exclamation points at the end.

The argument as I understand it is that instead of using something short, but with guess/predict-able substitutions, it's better to use more characters as it makes it less likely to show up in a dictionary. 

k1tten5 - is short, predictable and open to many iterations such as ki773ns, k1773N5 and k1tt3nz ...all of which are kinda easy to enumerate.

myki77ensarespecialbecuasetheybelong7ome is arguably more difficult to crack

As Keith said, "make it personal to you," to which I would add "and try not to make it obvious."

For wpa2 you get a max of 63 characters, how you use them is up to you.

Speaking of kittens, if you know anyone that's interested in adopting one, there's at least 3 that could use good homes. 

On Wed, Jun 24, 2015 at 10:42 PM, Keith C. Perry <kperry@daotechnologies.com> wrote:
Just a technical point about WPA2 (and yes you should force the use of WPA2 because that uses 256 bit AES.  WPA is NOT completely RSN rated even with TKIP- it was a stop gap measure until 802.11i was ratified and that protocol is CCMP which is part of AES).  Your passphrase is run through a key expansion algorithm called PBKDF2.  It's essentially a MAC (cryptographic hash) generator.  Regardless of what you enter, in the case of WPA2, the key generated is going to be 256 bits and then salted to further prevent attacks.

With that in mind you still need to be "smart" about passwords but the best thing to do is use a clever passphrase that means something to you and only you.  In that regard, I've heard minimums of 6 characters are good.  I would say 12 but really, anything reasonable you come up with is going to be longer- probably much longer.

BTW, LUKS encryption also uses that algorithm.



~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Keith C. Perry, MS E.E.


From: "Michael Zaleski" <michael.zaleski@gmail.com>
To: "Philadelphia Linux User's Group Discussion List" <plug@lists.phillylinux.org>
Sent: Wednesday, June 24, 2015 10:15:03 PM
Subject: Re: [PLUG] Home wifi access point & router recommendation

Some routers have enabled rate limiting, that just means an attacker has to send a trickle of traffic rather than a fire hose worth. I suppose slowing down an attack is better than nothing, but still, it doesn't mitigate the problem. Also be sure to use as long a password as possible for wpa2, longer is better than more complicated. And be sure to disable remote management too.

On Jun 24, 2015 9:09 PM, "brent saner" <brent.saner@gmail.com> wrote:

I really wish Google Inbox let you properly inline-reply.

http://www.howtogeek.com/176124/wi-fi-protected-setup-wps-is-insecure-heres-why-you-should-disable-it/ is a good introduction to the evils of WPS.

Pay close attention, though- some models give you an option to disable WPS, but *it does nothing*. Nada. Zilch. Exploits against the WPS spec still work fine.

And honestly, I wouldn't even trust the button method either- if someone (aherm.) happened to have a static station and a good card with an external antenna attached (say, an alfa awus036neh, and a directional 9 or 15dB antenna pointed at your AP....), they can push auth packets at your router till the cows come home. As soon as you press that little button, guess whose auth packets get there first? Hint: not who you want.

That's why I always, always flash with OpenWRT. And why I *always* pentest new wireless kit before putting it live on my network.

On that note, would anyone want a wifi pentesting preso or anything like that?


On Wed, Jun 24, 2015, 19:52 Rich Freeman <r-plug@thefreemanclan.net> wrote:
On Wed, Jun 24, 2015 at 5:31 PM, Michael Zaleski
<michael.zaleski@gmail.com> wrote:
> Yes, WPS is bad, even if the router does rate limiting,  UPnP is also not
> too safe.

Note that some routers let you turn off WPS, in which case having the
feature is harmless.  Also, if you can at least turn off the PIN side
of WPS then you're fine - the push-button part of WPS is secure, well,
aside from the window of opportunity it creates.  The problem is that
routers rarely let you have the one without the other, and if PIN mode
is enabled you are very unsafe.

Also, if your router isn't updated I'd be wary of heartbleed.  I
believe some routers use openssl for WPA2 key exchange, and this could
be vulnerable.  However, I've seen very little attention given to this
so I'm not certain about the risk here.

--
Rich
___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug
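
Added example, not part of the original thread: the WPA2-Personal key derivation discussed above, as IEEE 802.11i defines it (PBKDF2-HMAC-SHA1 over the passphrase, the network name (SSID) as salt, 4096 iterations, 256-bit output). The function names `wpa2_psk` and `psk_per_network` and the sample SSIDs are constructed for illustration.

```python
import hashlib
import string

# WPA2 passphrases are 8..63 printable ASCII characters (0x20..0x7e).
PRINTABLE_ASCII = {chr(c) for c in range(0x20, 0x7F)}


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Return the 256-bit pre-shared key for a passphrase on a given SSID."""
    # Edge case: exactly 64 hex digits is a raw PSK and skips PBKDF2 entirely.
    if len(passphrase) == 64 and all(c in string.hexdigits for c in passphrase):
        return bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if not set(passphrase) <= PRINTABLE_ASCII:
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    # The SSID is the only salt: 4096 rounds of HMAC-SHA1, 32 bytes out.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def psk_per_network(passphrase: str, ssids: list[str]) -> dict[str, str]:
    """Derive the key for one passphrase under several network names."""
    return {ssid: wpa2_psk(passphrase, ssid).hex() for ssid in ssids}


if __name__ == "__main__":
    # Constructed sample: one passphrase, a factory-default-style SSID
    # and a unique one. The keys share nothing, so a table precomputed
    # for one network name says nothing about the other.
    sample = "myki77ensarespecialbecuasetheybelong7ome"
    for name, key in psk_per_network(sample, ["linksys", "plug-example-net"]).items():
        print(f"{name:18} {key}")
```

Because the salt is only the network name, a unique SSID matters as much as passphrase length: precomputed tables are only worth building for common default names.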
