dslreports logo
site
 
    All Forums Hot Topics Gallery
spc

spacer




how-to block ads


Search Topic:
uniqs
6815
share rss forum feed

dave
Premium,MVM
join:2000-05-04
not in ohio
kudos:8
reply to StuartMW

Re: tracing a mac address

Is it related to that 'password safe' product?

Keep-Ass.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 recommendation

reply to horacebork
said by horacebork:

also, my wifi is set to not broadcast. not sure how someone picked up the network name.

You might want to read this

Myth vs. reality: Wireless SSIDs

Using WPA2 with a longish password (mine is 63-chars of pseudo-random upper/lower case, digits and symbols) is your best protection. The other stuff doesn't really help, insofar as security, but can still be useful IMO.

BTW do you have WPS (Wi-Fi Protected Setup) enabled? That is breakable.

WiFi Protected Setup Flaw Can Lead to Compromise of Router PINs
--
Don't feed trolls--it only makes them grow!

SpHeRe31459
Premium
join:2002-10-09
Sacramento, CA
kudos:2
Looks like Apple has WPS, but doesn't use it by default and they removed it from their setup wizard in more recent versions.

quote:
It seems the picture is getting clearer with every post and I think we can say that using Apple's routers is safe with respect to the current WPS-threat as long as one does not choose to run the optional "Add Wireless Clients..." function (Menu "Base Station" in Airport Utility).
Sheesh, Apple makes technical details so hard to find... People weren't even sure if it did WPS initially since they of course used a different name instead of WPS, and then they've removed the feature from their setup tool, but you can still get to it from older version of the tool, etc. etc.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
said by SpHeRe31459:

Sheesh, Apple makes technical details so hard to find...

Well that is consistent with their whole philosophy of hiding technical details so the "average user" can use the product (whatever it is).
--
Don't feed trolls--it only makes them grow!


horacebork
Premium
join:2011-03-17
09001

3 edits
reply to StuartMW
re: depressing info about unbroadcast ssid - got it
re: 63 char wpa2 password - next on my list [edit] done.

--
".. the sofa has just vanished." ".. well, that's one mystery less."


horacebork
Premium
join:2011-03-17
09001
Reviews:
·Time Warner Cable
·voip.ms
reply to SpHeRe31459

So wait you statically assign IPs, yet you left DHCP on?

right. there are still a couple of devices that i cannot assign static ip on the device itself.
the apple tv is one of them. i could reserve a static ip for it's mac address, i suppose ..

is there a way by disabling dhcp that i can prevent an outside machine from gaining a compatible ip address on my lan?

--
".. the sofa has just vanished." ".. well, that's one mystery less."


EGeezer
zichrona livracha
Premium
join:2002-08-04
Midwest
kudos:8
Reviews:
·Callcentric
reply to horacebork
This topic, although old, is still relevant when securing a wireless router;

»Harden your router/AP in five steps
--
Buckle Up. It makes it harder for the aliens to suck you out of your car.

SpHeRe31459
Premium
join:2002-10-09
Sacramento, CA
kudos:2
reply to horacebork
said by horacebork:

So wait you statically assign IPs, yet you left DHCP on?

right. there are still a couple of devices that i cannot assign static ip on the device itself.
the apple tv is one of them. i could reserve a static ip for it's mac address, i suppose ..

is there a way by disabling dhcp that i can prevent an outside machine from gaining a compatible ip address on my lan?

Seems to me like you pretty much already hit on what you can do. Reserve the MAC address of those devices that can't be set statically (manually). Then set the DHCP pool to exactly the number of devices that must use DHCP.

I don't know of any TCP/IP enabled device that cannot be manually assigned. I'm pretty sure to be a TCP/IP enabled device the specifications mandate that it must expose a method for manual assignment.

For example: with a simple Google search of "apple tv static ip address" I immediately found instructions for setting a static IP address for Apple TV...

Menu >> Settings
General
Network
Configure TCP/IP
Choose Manually
Enter your desired IP


EGeezer
zichrona livracha
Premium
join:2002-08-04
Midwest
kudos:8
Reviews:
·Callcentric
said by SpHeRe31459:

Reserve the MAC address of those devices that can't be set statically (manually). Then set the DHCP pool to exactly the number of devices that must use DHCP.

That'll work nicely unless someone tries to spoof one of the MAC addresses. Then, as they say, results may be unpredictable.
--
Buckle Up. It makes it harder for the aliens to suck you out of your car.

SpHeRe31459
Premium
join:2002-10-09
Sacramento, CA
kudos:2
Right, it's sort of the best that can be done in that situation. I would think that it's pretty slim chances that someone is going to try that hard to mess with some random person's wireless network that was probably just seen while wardriving around or something.


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2

1 edit
reply to EGeezer
said by SpHeRe31459:

Reserve the MAC address of those devices that can't be set statically (manually). Then set the DHCP pool to exactly the number of devices that must use DHCP.

I've been doing exactly this for years. I also have some static IP's (set in the device) that are outside the pool. If someone manages to spoof any one of my IP's then I have more serious issues
--
Don't feed trolls--it only makes them grow!


horacebork
Premium
join:2011-03-17
09001
reply to horacebork
withdrawn - known mac address attached to network.


horacebork
Premium
join:2011-03-17
09001
Reviews:
·Time Warner Cable
·voip.ms

1 edit
reply to StuartMW

Using WPA2 with a longish password (mine is 63-chars of pseudo-random upper/lower case, digits and symbols) is your best protection. The other stuff doesn't really help, insofar as security, but can still be useful IMO.

could you put a little more meat on the bones here? i am wondering what happens if someone sees traffic with an 8 char key vs traffic with a 63 char key.

how does the snooper know the difference, and what do they see so they can decrypt the key and gain access to the router?

is there some way i can see the encrypted key on my router?
am i even asking the correct question?

[edit] does the ssid have anything to do with the wireless security?

--
".. the sofa has just vanished." ".. well, that's one mystery less."


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
said by horacebork:

how does the snooper know the difference, and what do they see so they can decrypt the key and gain access to the router?

They don't. Encrypted traffic is encrypted traffic.

The difference is that its much easier to brute-force or use a dictionary attack on an 8 characters pass-phrase (especially if it's a word) rather than a longer pseudo-randomly generated one.

is there some way i can see the encrypted key on my router?

If you mean the actual binary key (vs the "pass-phrase") used for encryption some devices allow you to see that (mine does but not in it's web page).

does the ssid have anything to do with the wireless security?

Not really. Hiding your SSID prevents less sophisticated people from trying to connect to your network but that's about it.

--
Don't feed trolls--it only makes them grow!

evoxllx

join:2007-06-07
Winter Park, FL
reply to horacebork
yes


horacebork
Premium
join:2011-03-17
09001
Reviews:
·Time Warner Cable
·voip.ms
reply to StuartMW
i used to have an 8 character password on my wpa2 wifi.
it was very randomized and no dictionary attack could crack it.
brute force, quite possibly, i suppose - just keep sending random sequences to the router until something works.
start the brute force with 8 char sequences and go from there.

re: ssid - here's a quote off a page »cybercoyote.org/classes/wifi/wpa2.shtml

Due to the naive design of WPA2, the name of your network is the starting point for hackers. It is broadcast in the clear, and it's easy to look up your encryption key on widely available rainbow tables if your SSID is simple. The more random your network name, the better. Treat your WiFi network name as you would a password. Make it complex and avoid using any whole words. Maximum length for an SSID is 32 characters.

not sure if it's just nonsense or what. my ssid is kinda short.
--
".. the sofa has just vanished." ".. well, that's one mystery less."


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
As I recall, and I'm not 100% sure, but I think the WPA2 binary encryption key is a one function with the SSID and the pass-phrase as inputs. If so that's why knowing the SSID helps somewhat. But as you now know the SSID, whatever it is, is easily learned as it is transmitted in the clear (broadcasting enabled or not).
--
Don't feed trolls--it only makes them grow!


horacebork
Premium
join:2011-03-17
09001
Reviews:
·Time Warner Cable
·voip.ms
then the ssid is somewhat useful, but even if it's long, it's still 'in the clear', so a long-ish one could help, but not much.
it would seem to me that the web link i referenced is somewhat misguided wrt long ssid names.
--
".. the sofa has just vanished." ".. well, that's one mystery less."


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1
reply to horacebork
said by horacebork:

is there a way by disabling dhcp that i can prevent an outside machine from gaining a compatible ip address on my lan?

that will not enhance your security. As long as the device is on an unused ip address on the subnet, it can communicate with other devices on the lan. DHCP makes it easier, but not impossible by a long shot.
--
* seek help if having trouble coping
--Standard disclaimers apply.--


AVD
Respice, Adspice, Prospice
Premium
join:2003-02-06
Onion, NJ
kudos:1
reply to horacebork
a lot of misinformation floating around. I learned a lot on the wireless security forums. »Wireless Security
--
* seek help if having trouble coping
--Standard disclaimers apply.--


StuartMW
Who Is John Galt?
Premium
join:2000-08-06
Galt's Gulch
kudos:2
reply to AVD
said by AVD:

that will not enhance your security.

Agreed. The best you can do (and what I have) is to use firewall rules, in your router, to try and restrict IP's (and log their activity) you know shouldn't be present. It's not foolproof however.
--
Don't feed trolls--it only makes them grow!