How anyone can get your WiFi password

ruppmeister

I was just looking at the Ubi EdgeRouters and they are very impressive for very little money. Thanks for sharing. Might just have to pick me up one in the end for split network, VPN access, and QoS.
 

nayr

yes they are very impressive little devices, it has no problem routing 1Gbps traffic across subnets.. typically performance like that is only found in routers that use a few hundred watts of power and cost a small fortune.

it runs a version of Vyatta Linux, which is based upon Debian.. so you can apt-get install freeradius, move /etc/freeradius to /config/freeradius and symlink it back to /etc/freeradius, this way you can do a firmware upgrade and it won't wipe out your RADIUS configuration.

It's a little too much router for most people, a lot of stuff is not exposed to the webui and has to be configured from the command line.. and that can be beyond most people's abilities.
 

ahgray

Another option for a router would be any old PC as long as it has two network ports, or you can use USB to ethernet (like seriously even 10 year old) and pfSense. Easily one of the most powerful solutions there is and it's free. https://www.pfsense.org/
 

nayr

I replaced my pfSense router with the EdgeRouter some years back, in order to get Multi-Gigabit routing speeds required running on a P4 3.6GHz.. it does not support multi-core threading on network traffic so you need a single core with a very high clock speed.. and even then it was over 80% load transferring files from one network to another at wire speeds.

just the electricity I've saved in the last few years not running that power hungry pfSense router has likely paid for the EdgeRouter outright..

Most people's internet speeds are getting fast enough that an old 10 year old PC won't be able to route their internet traffic without being a bottleneck.. running pfSense on a low commodity PC often maxes out at ~50Mbps, my internet is twice that fast.. and go look at the hardware requirements for obtaining Gigabit speeds.. You have to provide a ton of horsepower to get Gigabit subnet routing and 100Mbit VPN..

If you're putting your WiFi on a different subnet, then all traffic to your LAN has to be processed by the router.. without a decent router you won't be able to reach full wireless speeds to your LAN.. My WiFi network is capable of transferring files @ 500Mbps anywhere on my property without a problem.

I care a lot about speed, I can regularly achieve 360MB/s (2880Mbps) transferring files to and from my NAS and that's over cat6, I've got a pair of fiber channel connections to the NAS from a pair of servers and they have 20Gbps throughput.
 

ruppmeister

That is one intense network you have there @nayr. And I agree with you about the power use alone being able to pay for device upgrades in this day and age. There is something to be said for the newest hardware and its ability to perform at breakneck speeds on very little electricity.

BTW - congratulations to @nayr for becoming a Legendary Member here on ipcamtalk.
 

pcmcg

Interesting thread. I'm trying to understand the security implications on this one. As far as I know this MITM attack does not impact SSL connections unless the CA cert is compromised. Most of my devices are hard wired except phones, tablet, and printers so the only traffic on my wifi would be minimal web browsing. Thoughts?
 

nayr

depends on what you have on your LAN.. if you have IP cameras, Home Automation & Security devices on the network they are no longer protected by any firewalls...

Most IP cameras don't use SSL by default, so I could grab your credentials.. presuming I can't use a widely known back door login.

the primary purpose I had when making this thread was to give the users here with WiFi Cameras a good dose of reality.. especially when used indoors with microphones.
 

JDWX

As common knowledge as this is said to be, I just took some Cisco route/switch/wireless classes and most people in them didn't have a clue of the dangers, lol... You'd be surprised at the amount of people who are oblivious to it all. I appreciate the post Nayr!
 

NVR

If I see two SSIDs with the same name that would alone raise a red flag for me. Your device by default will connect to the SSID with a stronger signal, so if you're creating a fake SSID, more than likely it will not connect to that, unless you are sitting in the victim's house.

Any SSL site, such as financial sites, eBay, PayPal, Chase, Discover, will refuse to open once it detects an MIM attack. The victim will get a page cannot be displayed.
 

nayr

> If I see two SSIDs with the same name that would alone raise a red flag for me. Your device by default will connect to the SSID with a stronger signal, so if you're creating a fake SSID, more than likely it will not connect to that, unless you are sitting in the victim's house.
>
> Any SSL site, such as financial sites, eBay, PayPal, Chase, Discover, will refuse to open once it detects an MIM attack. The victim will get a page cannot be displayed.

You won't see two SSIDs with the same name, they will show up as a single network unless you're running a wifi scanner.. case in point I have 4 access points with the same ID right now and no device has ever showed the wireless network listed more than once.

As I outlined in the first post I can keep sending deauthentication packets to your device, this is used by networks with multiple access points to force wireless devices to roam to the next closest access point.. If I send a spoofed deauth from your AP nearly all clients will try the next available access point.. and that will be the evil twin. Not to mention I have access points that are several times more powerful than almost all consumer access points, one of these with a directional antenna will easily be the stronger signal even from pretty great distances.

And yes your banking sites will be mostly safe even with a compromised network, but your cameras don't utilize SSL for authentication and those will be trivial.. There have been many SSL exploits in the past where a Man in the Middle can trick SSL handshakes into falling back to insecure ciphers that are easily broken and would throw no alerts.
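
Added example, not part of nayr's post or of the thread: a defender-side check for the two signals described above, a beacon advertising your SSID from a radio you do not own and a burst of deauthentication frames claiming to come from your own AP. The SSID, the BSSIDs, the thresholds and both record formats are constructed assumptions; real input would come from a Wi-Fi scanner and a monitor-mode capture.

```python
from collections import defaultdict

# Assumed inventory: the AP radios (BSSIDs) you actually own, per SSID.
KNOWN_APS = {"HomeNet": {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"}}
EXPECTED_SECURITY = {"HomeNet": "WPA2-CCMP"}

# Constructed scan results: (ssid, bssid, security, signal_dbm).
SCAN = [
    ("HomeNet", "aa:bb:cc:00:00:01", "WPA2-CCMP", -48),
    ("HomeNet", "aa:bb:cc:00:00:02", "WPA2-CCMP", -61),
    ("HomeNet", "de:ad:be:ef:00:99", "OPEN", -35),   # same name, unknown radio
    ("Neighbor", "11:22:33:44:55:66", "WPA2-CCMP", -70),
]
# Constructed deauth log: (seconds, claimed source BSSID, destination).
DEAUTHS = [(i * 0.5, "aa:bb:cc:00:00:01", "ff:ff:ff:ff:ff:ff") for i in range(8)]
DEAUTHS.append((100.0, "aa:bb:cc:00:00:02", "cc:cc:cc:00:00:10"))

def find_rogue_aps(scan):
    """Return {bssid: [reasons]} for beacons that use one of our SSIDs suspiciously."""
    findings = defaultdict(list)
    for ssid, bssid, security, _signal in scan:
        if ssid not in KNOWN_APS:
            continue                      # not our network name, ignore
        if bssid.lower() not in KNOWN_APS[ssid]:
            findings[bssid].append("unknown BSSID for " + ssid)
        if security != EXPECTED_SECURITY[ssid]:
            findings[bssid].append("security is " + security)
    return dict(findings)

def deauth_bursts(frames, window=10.0, threshold=5):
    """Return claimed source BSSIDs with >= threshold deauths inside any window.

    A spoofed deauth carries the legitimate AP's address, so a burst "from"
    your own AP is the thing to alert on.
    """
    by_src = defaultdict(list)
    for ts, src, _dst in frames:
        by_src[src].append(ts)
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(src)
                break
    return flagged

if __name__ == "__main__":
    print(find_rogue_aps(SCAN))
    print(deauth_bursts(DEAUTHS))
```

Either signal alone can be benign (a new AP you forgot to inventory, normal roaming); the two together in the same time window are what the scenario in the post would look like from the network owner's side.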
 

NVR

> You won't see two SSIDs with the same name, they will show up as a single network unless you're running a wifi scanner.. case in point I have 4 access points with the same ID right now and no device has ever showed the wireless network listed more than once.
>
> As I outlined in the first post I can keep sending deauthentication packets to your device, this is used by networks with multiple access points to force wireless devices to roam to the next closest access point.. If I send a spoofed deauth from your AP nearly all clients will try the next available access point.. and that will be the evil twin. Not to mention I have access points that are several times more powerful than almost all consumer access points, one of these with a directional antenna will easily be the stronger signal even from pretty great distances.
>
> And yes your banking sites will be mostly safe even with a compromised network, but your cameras don't utilize SSL for authentication and those will be trivial.. There have been many SSL exploits in the past where a Man in the Middle can trick SSL handshakes into falling back to insecure ciphers that are easily broken and would throw no alerts.

But they are going onto your spoofed network, you're not going onto theirs, and if they're on your network, they won't be able to even get a login page since the cameras are on their network, and if they think they are local, they will use a local IP not external IP, if they type that into your network they will get nothing. And if already logged into your spoofed AP, why would they retype their WPA security key for you to grab? They're already in. Every password and user sniffed has to be typed in, I can't see why they would type their WPA key again if they are already onto your spoofed network.
 

badmop

You will spoof a WPA key request, and whatever they type it will accept and let them proceed.. It's just a front to grab whatever they type in, hopefully they type their WPA key correctly the first time.

> But they are going onto your spoofed network, you're not going onto theirs, and if they're on your network, they won't be able to even get a login page since the cameras are on their network, and if they think they are local, they will use a local IP not external IP, if they type that into your network they will get nothing. And if already logged into your spoofed AP, why would they retype their WPA security key for you to grab? They're already in. Every password and user sniffed has to be typed in, I can't see why they would type their WPA key again if they are already onto your spoofed network.
 

MartyO

So I'm about to deploy wireless cameras at a new location.

1) They will run off their own router
2) This router can only be configured wired, wireless access to it not allowed
3) All cameras' login information and PWD, SSID choice and PW key (WPA2) are done prior to arriving at location.

Can this network be broken into or just jammed?
 

copex

There is only one way to get someone's WPA passcode and that is to phish it or crack it, it's not as easy as the OP makes out and normally requires some form of social engineering. Up-to-date antivirus / malware / firewall enabled & complex passcodes will make life difficult for the attacker, using a VPN on any network you don't own is highly recommended.

there is no magic "here's my wifi key", only the hash is passed and both devices need to know the key, you would probably have just as much success using a WPS attack.......
 

copex

> So I'm about to deploy wireless cameras at a new location.
>
> 1) They will run off their own router
> 2) This router can only be configured wired, wireless access to it not allowed
> 3) All cameras' login information and PWD, SSID choice and PW key (WPA2) are done prior to arriving at location.
>
> Can this network be broken into or just jammed?

yes but this will help....

Use a complex passcode, WPA2-AES, don't use TKIP, your wireless key should be as long as the routers / devices will allow and contain no dictionary words, disable WPS, change the default user names on the router / device if they allow this, set the firewall to only allow access to the ports required for both inbound and outbound traffic.

If all you have connected is say 4 IP cameras then all the hack can access is the cameras, the impact is privacy intrusion.

hope it helps
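
Added example, not part of copex's post or of the thread: the wireless items from the checklist above (WPA2 only, AES/CCMP rather than TKIP, WPS off, a long key with no dictionary words) turned into an automated audit, with a weak configuration beside a corrected one. It assumes the access point is configured with hostapd-style `key=value` settings, which the thread does not specify; the 20-character minimum, the word list and both sample configs are constructed for illustration.

```python
# Tiny constructed sample, standing in for a real dictionary check.
COMMON_WORDS = ("password", "camera", "admin", "welcome", "wifi")
MIN_PASSPHRASE_LEN = 20   # assumed policy; WPA2 passphrases may be 8 to 63 chars

WEAK = """ssid=CamNet
wpa=3
wpa_pairwise=TKIP CCMP
wps_state=2
wpa_passphrase=camera123
"""
HARDENED = """ssid=CamNet
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wps_state=0
wpa_passphrase=kT7#vQ2m!xR9zLp4^bN6wYe3
"""

def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf

def audit(text):
    """Return a list of findings; an empty list means the checklist passes."""
    c = parse_conf(text)
    issues = []
    if c.get("wpa") != "2":                      # 1 = WPA, 3 = WPA+WPA2 mixed
        issues.append("WPA1 allowed: set wpa=2")
    # hostapd falls back to wpa_pairwise when rsn_pairwise is not set.
    ciphers = (c.get("rsn_pairwise") or c.get("wpa_pairwise") or "").split()
    if ciphers != ["CCMP"]:
        issues.append("pairwise cipher is not CCMP-only: set rsn_pairwise=CCMP")
    if c.get("wps_state", "0") != "0":
        issues.append("WPS enabled: set wps_state=0")
    psk = c.get("wpa_passphrase", "")
    if len(psk) < MIN_PASSPHRASE_LEN:
        issues.append("passphrase shorter than %d characters" % MIN_PASSPHRASE_LEN)
    if any(word in psk.lower() for word in COMMON_WORDS):
        issues.append("passphrase contains a dictionary word")
    return issues

if __name__ == "__main__":
    print(audit(WEAK))
    print(audit(HARDENED))
```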
 

MartyO

> yes but this will help....
>
> Use a complex passcode, WPA2-AES, don't use TKIP, your wireless key should be as long as the routers / devices will allow and contain no dictionary words, disable WPS, change the default user names on the router / device if they allow this, set the firewall to only allow access to the ports required for both inbound and outbound traffic.
>
> If all you have connected is say 4 IP cameras then all the hack can access is the cameras, the impact is privacy intrusion.
>
> hope it helps

So the only way someone can get into the camera network is thru guessing (cracking) SSID password?
 

copex

> So the only way someone can get into the camera network is thru guessing (cracking) SSID password?

using WPA they would have to Butforce the password, if WPS is enabled on the router attacking the WPS could allow access, getting one of the cameras to connect to a rogue AP will allow access to the camera, depending on the camera it may be possible to hack out the wifi passcode.
 

MartyO

> using WPA they would have to Butforce the password, if WPS is enabled on the router attacking the WPS could allow access, getting one of the cameras to connect to a rogue AP will allow access to the camera, depending on the camera it may be possible to hack out the wifi passcode.

When you say Butforce, you mean crack it or is Butforce something else, thanks in advance.
 