Jump to content

Wi-fi - Protection From Internal And External Attacks?


PSparky

Recommended Posts

Hey there,

Been following the Hak5 shows and forums for quite some time now. Registered today since I've got a question that I'd like to ask:

In febuary im moving to another appartment for my study/work. Unfortunately, the only way to connect to the internet there, is via a corporate Wi-Fi network. I don't have any details about the security of the network yet. I only know that it's using a WPA2 encryption. I know that would pretty much cancel out a lot of external attacks but what about internal ones? For example, can a user who's connected to the Wi-Fi network intercept my passwords with a password/network sniffer? I know that I could use a VPN to encrypt my web traffic. But how reliable are these services and will they slow down my connection?

Also, can a user of the Wi-Fi network scan my host to check for vulnerabilities? In other words, how do I make sure that other users in the Wi-Fi network won't be able to recognize my host?

I'll soon get some more information about the security of the Wi-Fi network since I'm going to speak to the owner. But any suggestions at this point would be very welcome.

Link to comment
Share on other sites

If they have WPA2 in use, they are at least doing something right, but should also go RADIUS, but that would require students to make changes to their machines and have certificates for authentication. If someone else is on the same lan segment as you, you can't really stop them from intercepting your traffic, including the school itself, who might have a policy of deep packet inspection. Personally, I would make sure you have your firewall on, even if all you use is the windows firewall. Just make sure you configure it to block all common windows ports(if using windows) 135-139,445, 3389(RDP), etc. Turn off non-essential services under services.msc(server, computer browser, remote registry, SSDP, UPNP, DNS, remote desktop configuration, remote desktop services and a few others I can't rememnber). If you don't use IPv6 for anything, disable it completely, both under services, NIC settings, and under device manager(show hiddne items, go to network adapters and under the hidden, non-plug and play devices there are a few for Ipv6). Manually edit all your saved wifi connections, including the one for the school, to not connect automatically. They could use that against you, with something like a pineapple attack and impersonate any access point your machine probes for and it would automatically connect without your knowledge unless otherwise disabled. For connecting OUT of the schools network to the internet, SSH tunnel off of one of your own sites outside the schools network, or VPN to a home machine if you can set up a box at your parents, or use a paid VPN service would be the best ways to secure your traffic from anyone at the school trying to mitm or sniff your data.

As for scans, you won't be able to prevent scanning from people on the same network, but with a proper firewall setup you should be able to block any responses or at least stealth your ports. Even if your machine returns rst packets and show up as filtered in nmap, that doesn't make them vulnerable to attack, just means they can see what OS is in use if it responds with known ports. If all they wanted to do was see if you are on the network, a ping(evne if blocking icmp packets) would show your mac address and IP under their arp table. (arp -a in windows)

Link to comment
Share on other sites

Hey thanks for your reply.

Sorry if I wasn't clear enough. It's not the Wi-Fi @ my school but in the one signalling around my apartment. And thank you for your suggestions, they really make sense. I'll update with more technical information about the security of the hotspot soon. Any futhur advice would be really appreciated.

Link to comment
Share on other sites

Its difficult to guarantee security on a wifi connection, especially a shared one. There are a lot of variables outside our control, even wired connection for that matter.

I think morfir's suggestion is a good one. I actually have a 3G usb modem that I plugged into my EEE and I setup ICS on it using the pineapple. Much cheaper to do than buying a 3g router and net result is the same. Plus with the things I learned building pineapples I can somewhat painlessly monitor traffic passing through. I live in a building that has a shared connection for all residents and I prefer not to use that connection.

Link to comment
Share on other sites

On a side note, and I am just kidding, you could continuously deauthenicate all of your neighbors whenever you wanted to use the Internet to keep them off the AP for the time being.

You better hope your neighbor is not using a complex pass-phrase or you will be out of luck.

Link to comment
Share on other sites

Thanks for your suggestions. I have an Android phone so I could set-up a 3G hotspot. However I have like a 1,5GB data limit.

I'm thinking of switching between the networks depending on the things im doing on the web. For example logins on websites - on the 3G hotspot and regular surfing -- on the shared network. Does that make any sense? :P

Link to comment
Share on other sites

Thanks for your suggestions. I have an Android phone so I could set-up a 3G hotspot. However I have like a 1,5GB data limit.

I'm thinking of switching between the networks depending on the things im doing on the web. For example logins on websites - on the 3G hotspot and regular surfing -- on the shared network. Does that make any sense? :P

With a 1.5 GB data cap, I wouldn't recommend watching youtube or websites that have video contents or else you will exceeding your data allowance very quickly.

For normal internet browsing, like checking emails, updating status on the Facebook or reading news should be fine.

You will also need to find out, from your service provide, if they charge extra fees for exceeding your data allowance.

Edited by Infiltrator
Link to comment
Share on other sites

I pay 2.50 for every 500MB of bandwidth consumed on a prepaid plan. Plus it's always good to have a backup source of internet in case the building's wifi fails. Just go buy a modem for like 80 or 85 dollars off the internet, unlock it, then buy a sim from a provider. It isn't that slow either, I can download at 256 kbps steady, which is plenty for streaming videos and everyday browsing (although not enough to dl a high def movie).

Link to comment
Share on other sites

I pay 2.50 for every 500MB of bandwidth consumed on a prepaid plan. Plus it's always good to have a backup source of internet in case the building's wifi fails. Just go buy a modem for like 80 or 85 dollars off the internet, unlock it, then buy a sim from a provider. It isn't that slow either, I can download at 256 kbps steady, which is plenty for streaming videos and everyday browsing (although not enough to dl a high def movie).

Well I live in the Netherlands and the data sim prepaid pricing is just ridiculous. It's 0,33 eurocent per MB. Or you could go for a monthly payment and get 350MB's of data and pay 20 euros each month. So I don't think that gonna be an option :(

Link to comment
Share on other sites

Like I said before, I'm just frightened that someone could retrieve logins or attack my laptop to retrieve valueble files. I guess the best way to be safe is to just use the Wi-Fi network for normal web browsing, my phone to check mail/facebook etc and pentest my own laptop before I set-up a connection with that Wi-Fi network. What do you think?

Link to comment
Share on other sites

4G has reportedly been hacked now so I guess were never safe, but I'm sure theres no none with enough skill to hack 4G living right next to you so you should be safe : )

here's an article on the attack from Defcon ttp://www.extremetech.com/computing/92370-4g-and-cdma-reportedly-hacked-at-def-con

Edited by n1tr0g3n
Link to comment
Share on other sites

That's one of the things about wireless, that I don't like they are expensive to run, as well as the speeds may not always be the best and coverage is also another factor to consider.

Link to comment
Share on other sites

Well I live in the Netherlands and the data sim prepaid pricing is just ridiculous. It's 0,33 eurocent per MB. Or you could go for a monthly payment and get 350MB's of data and pay 20 euros each month. So I don't think that gonna be an option :(

damm, thats insane...

in Denmark i can get a mobile phone subscription with 16GB data, 16 hours of calls, unlimited sms & mms, and free calls within the provider for about 40$ or 31 euro a month...

and if i use more than 16GB of data they dont charge more,

they just set the speed to 64 Kbit rest of that month instead of 4 Mbit.

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...