PSparky Posted January 16, 2012 Share Posted January 16, 2012 Hey there, Been following the Hak5 shows and forums for quite some time now. Registered today since I've got a question that I'd like to ask: In febuary im moving to another appartment for my study/work. Unfortunately, the only way to connect to the internet there, is via a corporate Wi-Fi network. I don't have any details about the security of the network yet. I only know that it's using a WPA2 encryption. I know that would pretty much cancel out a lot of external attacks but what about internal ones? For example, can a user who's connected to the Wi-Fi network intercept my passwords with a password/network sniffer? I know that I could use a VPN to encrypt my web traffic. But how reliable are these services and will they slow down my connection? Also, can a user of the Wi-Fi network scan my host to check for vulnerabilities? In other words, how do I make sure that other users in the Wi-Fi network won't be able to recognize my host? I'll soon get some more information about the security of the Wi-Fi network since I'm going to speak to the owner. But any suggestions at this point would be very welcome. Quote Link to comment Share on other sites More sharing options...
digip Posted January 16, 2012 Share Posted January 16, 2012 If they have WPA2 in use, they are at least doing something right, but should also go RADIUS, but that would require students to make changes to their machines and have certificates for authentication. If someone else is on the same lan segment as you, you can't really stop them from intercepting your traffic, including the school itself, who might have a policy of deep packet inspection. Personally, I would make sure you have your firewall on, even if all you use is the windows firewall. Just make sure you configure it to block all common windows ports(if using windows) 135-139,445, 3389(RDP), etc. Turn off non-essential services under services.msc(server, computer browser, remote registry, SSDP, UPNP, DNS, remote desktop configuration, remote desktop services and a few others I can't rememnber). If you don't use IPv6 for anything, disable it completely, both under services, NIC settings, and under device manager(show hiddne items, go to network adapters and under the hidden, non-plug and play devices there are a few for Ipv6). Manually edit all your saved wifi connections, including the one for the school, to not connect automatically. They could use that against you, with something like a pineapple attack and impersonate any access point your machine probes for and it would automatically connect without your knowledge unless otherwise disabled. For connecting OUT of the schools network to the internet, SSH tunnel off of one of your own sites outside the schools network, or VPN to a home machine if you can set up a box at your parents, or use a paid VPN service would be the best ways to secure your traffic from anyone at the school trying to mitm or sniff your data. As for scans, you won't be able to prevent scanning from people on the same network, but with a proper firewall setup you should be able to block any responses or at least stealth your ports. Even if your machine returns rst packets and show up as filtered in nmap, that doesn't make them vulnerable to attack, just means they can see what OS is in use if it responds with known ports. If all they wanted to do was see if you are on the network, a ping(evne if blocking icmp packets) would show your mac address and IP under their arp table. (arp -a in windows) Quote Link to comment Share on other sites More sharing options...
PSparky Posted January 16, 2012 Author Share Posted January 16, 2012 Hey thanks for your reply. Sorry if I wasn't clear enough. It's not the Wi-Fi @ my school but in the one signalling around my apartment. And thank you for your suggestions, they really make sense. I'll update with more technical information about the security of the hotspot soon. Any futhur advice would be really appreciated. Quote Link to comment Share on other sites More sharing options...
bobbyb1980 Posted January 16, 2012 Share Posted January 16, 2012 Its difficult to guarantee security on a wifi connection, especially a shared one. There are a lot of variables outside our control, even wired connection for that matter. I think morfir's suggestion is a good one. I actually have a 3G usb modem that I plugged into my EEE and I setup ICS on it using the pineapple. Much cheaper to do than buying a 3g router and net result is the same. Plus with the things I learned building pineapples I can somewhat painlessly monitor traffic passing through. I live in a building that has a shared connection for all residents and I prefer not to use that connection. Quote Link to comment Share on other sites More sharing options...
Infiltrator Posted January 16, 2012 Share Posted January 16, 2012 On a side note, and I am just kidding, you could continuously deauthenicate all of your neighbors whenever you wanted to use the Internet to keep them off the AP for the time being. You better hope your neighbor is not using a complex pass-phrase or you will be out of luck. Quote Link to comment Share on other sites More sharing options...
PSparky Posted January 17, 2012 Author Share Posted January 17, 2012 Thanks for your suggestions. I have an Android phone so I could set-up a 3G hotspot. However I have like a 1,5GB data limit. I'm thinking of switching between the networks depending on the things im doing on the web. For example logins on websites - on the 3G hotspot and regular surfing -- on the shared network. Does that make any sense? :P Quote Link to comment Share on other sites More sharing options...
Infiltrator Posted January 17, 2012 Share Posted January 17, 2012 (edited) Thanks for your suggestions. I have an Android phone so I could set-up a 3G hotspot. However I have like a 1,5GB data limit. I'm thinking of switching between the networks depending on the things im doing on the web. For example logins on websites - on the 3G hotspot and regular surfing -- on the shared network. Does that make any sense? :P With a 1.5 GB data cap, I wouldn't recommend watching youtube or websites that have video contents or else you will exceeding your data allowance very quickly. For normal internet browsing, like checking emails, updating status on the Facebook or reading news should be fine. You will also need to find out, from your service provide, if they charge extra fees for exceeding your data allowance. Edited January 17, 2012 by Infiltrator Quote Link to comment Share on other sites More sharing options...
bobbyb1980 Posted January 17, 2012 Share Posted January 17, 2012 I pay 2.50 for every 500MB of bandwidth consumed on a prepaid plan. Plus it's always good to have a backup source of internet in case the building's wifi fails. Just go buy a modem for like 80 or 85 dollars off the internet, unlock it, then buy a sim from a provider. It isn't that slow either, I can download at 256 kbps steady, which is plenty for streaming videos and everyday browsing (although not enough to dl a high def movie). Quote Link to comment Share on other sites More sharing options...
PSparky Posted January 18, 2012 Author Share Posted January 18, 2012 I pay 2.50 for every 500MB of bandwidth consumed on a prepaid plan. Plus it's always good to have a backup source of internet in case the building's wifi fails. Just go buy a modem for like 80 or 85 dollars off the internet, unlock it, then buy a sim from a provider. It isn't that slow either, I can download at 256 kbps steady, which is plenty for streaming videos and everyday browsing (although not enough to dl a high def movie). Well I live in the Netherlands and the data sim prepaid pricing is just ridiculous. It's 0,33 eurocent per MB. Or you could go for a monthly payment and get 350MB's of data and pay 20 euros each month. So I don't think that gonna be an option :( Quote Link to comment Share on other sites More sharing options...
PSparky Posted January 18, 2012 Author Share Posted January 18, 2012 Like I said before, I'm just frightened that someone could retrieve logins or attack my laptop to retrieve valueble files. I guess the best way to be safe is to just use the Wi-Fi network for normal web browsing, my phone to check mail/facebook etc and pentest my own laptop before I set-up a connection with that Wi-Fi network. What do you think? Quote Link to comment Share on other sites More sharing options...
n1tr0g3n Posted January 18, 2012 Share Posted January 18, 2012 (edited) 4G has reportedly been hacked now so I guess were never safe, but I'm sure theres no none with enough skill to hack 4G living right next to you so you should be safe : ) here's an article on the attack from Defcon ttp://www.extremetech.com/computing/92370-4g-and-cdma-reportedly-hacked-at-def-con Edited January 18, 2012 by n1tr0g3n Quote Link to comment Share on other sites More sharing options...
Infiltrator Posted January 22, 2012 Share Posted January 22, 2012 That's one of the things about wireless, that I don't like they are expensive to run, as well as the speeds may not always be the best and coverage is also another factor to consider. Quote Link to comment Share on other sites More sharing options...
httpCRASH Posted January 23, 2012 Share Posted January 23, 2012 Well I live in the Netherlands and the data sim prepaid pricing is just ridiculous. It's 0,33 eurocent per MB. Or you could go for a monthly payment and get 350MB's of data and pay 20 euros each month. So I don't think that gonna be an option :( damm, thats insane... in Denmark i can get a mobile phone subscription with 16GB data, 16 hours of calls, unlimited sms & mms, and free calls within the provider for about 40$ or 31 euro a month... and if i use more than 16GB of data they dont charge more, they just set the speed to 64 Kbit rest of that month instead of 4 Mbit. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.