Wifi Monitoring?

[mcshooter]

i have a question that is hard to find on google so i asked it here.

This is strictly for wireless security purposes.

I have a wifi router and allot of people connect to it. i Know someone can connect to it and do a man in the middle attack.

but

what if they know the password or its unsecured and someone monitors and captures packets with lets say wireshark,can they get passwords and info? and how?

If so can other programs like ssl strip, ettercap etc... be used for this.

[digip]

If they have access to the router, and the router password, then they can do pretty much whatever they want, from stealing passwords, to ssl strip, etc. if stuff is passed in plain text(ftp, smtp/pop3, etc) then they can see that directly in wireshark.

Change your router to encryption such as WPA2. DO NOT USE WEP! If your router cant do WPA2, but can do WPA, at least use that with AES encryption and a strong password. You will need to set a password for both the router itself, and for WPA access. DO NOT MAKE THEM THE SAME THING. If they got the wpa password through attacks and it was the same as the default router admin password, they can change your DNS settings and phish all your stuff from cloned sites. Although, if they did manage to get on via WPA password, they could still probably attack your system. See if you router has AP Isolation so it separates the wireless from wired clients, making it so they can't see other computers on the router.

Also, if you don't share with friends and neighbors, then lock it down and use static IP addresses and turn off DHCP in the router and use either DHCP reservations, or mac address reservations. Not full proof, but an extra layer of defense if the attacker can't get on the network via DHCP, he would have to guess your IP subnet range to add himself. Use a subnet mask that limits the number of devices as well. For example, on my home network, I only allow 5 devices to connect and only have that many connected with no open slots for another user to get on.

[MethPervert]

If you have an 'out of the box' infrastructure setup then anyone authenticated with your access point can sniff your traffic; sslstrip is one way to sniff encrypted https passwords. there are three ways to protect yourself, kick all the clients, use a vpn, or if you have a supported router (WRT, Linksys) you can flash it with DD-WRT and setup multiple VLANs; i prefer the latter. you can set up public and private WLAN interfaces. Your router might already support VLANs, so check out the documentation. if not, here is a list of supported hardware for VLANs by DD-WRT: http://www.dd-wrt.com/wiki/index.php/VLAN_Support

Some more info: http://www.dd-wrt.com/wiki/index.php/Separate_WLANs

Edited May 6, 2011 by MethPervert

[Infiltrator]

I would definitely upgrade the encryption on your router to WAP or WAP2. Use very long and complex pass-phrase for your wireless encryption, as Digip suggested turn DHCP off or limit the pool of IP addresses from say 254, to the number of devices you have on your network.

AP isolation would be a good form for stopping wireless users from accessing your wired devices. If your wireless router does not support AP Isolation, you could look into upgrading the routers firmware to DD-WRT or Tomato or upgrade to a router that supports it.

Or if you have a switch capable of creating Vlans than use that, to segment and secure your network. Another way to maximize your wireless security, would be using WAP2 Enterprise and setting it up with Radius authentication server, where once uses have been authenticated and associated to the access point, they will be prompted for a username and password.

That will give the attacker a hard time and resulting his attacks less effective, as he will need to crack the two layers of security, the WAP2 and the Radius Authentication.

As long as you have WAP2 Personal enabled with a strong pass-phrase you should be secured.

[MethPervert]

Well i possibly misunderstood your initial problem. if you have a problem with unauthorised access then just upgrade to WPA-AES, both WPA and WPA2 support this. use at least a 15 character random password with upper, lower case, numbers and special characters. a trick i use is mnemonics.

example, think of a song:

Semolina pilchard, climbing up the Eiffel Tower.

Elementary penguin singing Hari Krishna.

Man, you should have seen them kicking Edgar Allan Poe.

sp,cutEt.EpshKmUsh$tkeap_W4lrus

easy to remember and not likely to be cracked unless you actually are the walrus.

any security measures over that is probably overkill, unless you are running a public service or you're opening up your network to other clients

[mcshooter]

Thanks forf the replys but my question was more along the lines of, can they capture crutial info without being connected to the network? If its unsecure or they have a password

Thanks all

[Infiltrator]

Thanks forf the replys but my question was more along the lines of, can they capture crutial info without being connected to the network? If its unsecure or they have a password

Thanks all

Since WEP is flawed, the attacker can capture crucial information, whether he has knowledge of the key or not.

With WAP its a little bit different, but can still be done.

[Jason Cooper]

Thanks forf the replys but my question was more along the lines of, can they capture crutial info without being connected to the network? If its unsecure or they have a password

Thanks all

If they are just listening in, which they can do with an unsecure network or one they have a pre-shared key (password) for, rather than actively intercepting with a man in the middle attack then there are 3 different types of data they will be able to capture.

Packet headers : They will get to see the source and destination information for each packet, as well as other bits of information stored in the packet headers, (Ethernet frame headers, IP Headers, TCP/UDP/ICMP/etc headers)

Clear text : Any protocols that don't use encryption will be passing their data in an unencrypted form (standard HTTP, SMTP, IMAP, POP3, FTP, etc). This could easily contain passwords, usernames and other important/confidential information.

Cipher text : Any protocols that use encryption properly will be passing their data in an encrypted form (HTTPS, IMAPS, SSH, SFTP, etc). To do anything with this information the attacker would have to be able to break the encryption in some way, which puts it out of the reach of most attackers.

It is important to note that even when using protocols that use encryption the packet headers will be available, they can't be encrypted or routers wouldn't be able to route the packets. This lets an attacker perform traffic analysis on any sniffed data, so they can see that you SSH into a box and how long you are on there, even if they can't see what you are doing while you are on there.

Traffic analysis can be very powerful, especially when combined with information gathered from protocols that don't use encryption. E.G. that box you SSH into may well be broken into as you use the same username and password on your router which you login to over HTTP.

[mcshooter]

Thanks allot all of yall answered my question perfectly!