First time home wireless - how to match PC to router - setup question
on 09.06.2007 22:00:44 by Julie Bove
How would you match up the seemingly different NAMES for security protocols
between my PC and my wireless router?
I am hooking up my first wireless PC at home and I am confused about which
matching settings to use on the wireless router and the wireless PC.
HERE ARE THE AVAILABLE WIRELESS ROUTER OPTIONS:
a. Security Mode = Disabled, WPA Personal, WPA Enterprise, WPA2 Personal,
WPA2 Enterprise, Radius, or WEP
b. WPA Algorithms = AES, TKIP, or TKIP+AES
HERE ARE THE AVAILABLE WINDOWS WIRELESS PC OPTIONS:
a. Network Authentication = Open, Shared, WPA, or WPA-PSK
b. Data Encryption = AES, or TKIP
Given those choices, which would YOU choose for the router and for the PC?
I tried these settings but it didn't work:
ROUTER = WPA2 Personal, TKIP
PC = WPA-PSK, TKIP
And I tried these settings but it didn't work either:
ROUTER = WPA Personal, AES
PC = WPA-PSK, AES
Given what choices I have, what's the most secure WORKING combination I
should use?
Re: First time home wireless - how to match PC to router - setup question
on 10.06.2007 00:54:56 by Julie Bove
On Sat, 09 Jun 2007 20:00:44 GMT, Julie Bove wrote:
> I am hooking up my first wireless PC at home and I am confused about which
> matching settings to use on the wireless router and the wireless PC.
>
> HERE ARE THE AVAILABLE WIRELESS ROUTER OPTIONS:
> a. Security Mode = Disabled, WPA Personal, WPA Enterprise, WPA2 Personal,
> WPA2 Enterprise, Radius, or WEP
> b. WPA Algorithms = AES, TKIP, or TKIP+AES
>
> HERE ARE THE AVAILABLE WINDOWS WIRELESS PC OPTIONS:
> a. Network Authentication = Open, Shared, WPA, or WPA-PSK
> b. Data Encryption = AES, or TKIP
I finally got it to work using AES and WPA.
The only problem is I found articles saying to use TKIP and not AES.
http://www.microsoft.com/windowsxp/using/networking/expert/bowman_03july28.mspx
Do you know if TKIP or AES is more secure?
Re: First time home wireless - how to match PC to router - setup question
on 10.06.2007 01:27:29 by Jeff Liebermann
Julie Bove hath wroth:
>On Sat, 09 Jun 2007 20:00:44 GMT, Julie Bove wrote:
>> I am hooking up my first wireless PC at home and I am confused about which
>> matching settings to use on the wireless router and the wireless PC.
>>
>> HERE ARE THE AVAILABLE WIRELESS ROUTER OPTIONS:
>> a. Security Mode = Disabled, WPA Personal, WPA Enterprise, WPA2 Personal,
>> WPA2 Enterprise, Radius, or WEP
>> b. WPA Algorithms = AES, TKIP, or TKIP+AES
>>
>> HERE ARE THE AVAILABLE WINDOWS WIRELESS PC OPTIONS:
>> a. Network Authentication = Open, Shared, WPA, or WPA-PSK
>> b. Data Encryption = AES, or TKIP
>I finally got it to work using AES and WPA.
>
>The only problem is I found articles saying to use TKIP and not AES.
>http://www.microsoft.com/windowsxp/using/networking/expert/bowman_03july28.mspx
That article is old and from 2003. MS has since then added WPA2
support to XP. See:
However, I prefer TKIP because I've had some odd problems with AES.
Most AES implementations are in hardware. I keep blundering into a
few odd "drivers" that have implemented AES encryption in software
which slows things down considerably. At this time, a long (>20 char)
pass phrase, with no dictionary words included, is quite safe with
TKIP. However, if you have reasonably modern hardware, I wouldn't
worry about it and stay with AES.
>Do you know if TKIP or AES is more secure?
WPA2 with AES encryption is more secure from decryption than TKIP.
For the best currently available, you'll need a RADIUS server, which
delivers user and session unique random WPA encryption keys. This
eliminates the potential for leaking a shared key. Note that it's
quite easy for an evil hacker (like me) to extract a shared key
directly from your PC.
--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
Re: First time home wireless - how to match PC to router - setup question
on 10.06.2007 02:12:34 by Julie Bove
On Sat, 09 Jun 2007 16:27:29 -0700, Jeff Liebermann wrote:
> That article is old and from 2003. MS has since then added WPA2
> support to XP. See:
>
I'm confused. I have my Windows XP set to update everything so I SHOULD
have that WPA2 update from Microsoft at
http://support.microsoft.com/kb/893357 but I DO NOT SEE WPA2 as an option
in my "wireless zero" interface.
All I see are options for "Open", "Shared", "WPA", & "WPA-PSK".
Do you know if WPA-PSK is the same as WPA2 or are they different?
Re: First time home wireless - how to match PC to router - setup question
on 10.06.2007 02:20:49 by Julie Bove
On Sat, 09 Jun 2007 16:27:29 -0700, Jeff Liebermann wrote:
> For the best currently available, you'll need a RADIUS server, it's
> quite easy for an evil hacker (like me) to extract a shared key
> directly from your PC.
>
Oh my! And I live just north of Santa Cruz besides! I noticed that my
router, a linksys wrt54g, has the capability of that thing which you call
"radius".
How do I know if my Windows XP SP2 can support the radius method?
Re: First time home wireless - how to match PC to router - setup question
on 10.06.2007 03:47:18 by Jbob
"Julie Bove" wrote in message
news:SlHai.26555$JZ3.12141@newssvr13.news.prodigy.net...
> On Sat, 09 Jun 2007 16:27:29 -0700, Jeff Liebermann wrote:
>
>> That article is old and from 2003. MS has since then added WPA2
>> support to XP. See:
>>
>
> I'm confused. I have my Windows XP set to update everything so I SHOULD
> have that WPA2 update from Microsoft at
> http://support.microsoft.com/kb/893357 but I DO NOT SEE WPA2 as an option
> in my "wireless zero" interface.
>
> All I see are options for "Open", "Shared", "WPA", & "WPA-PSK".
>
> Do you know if WPA-PSK is the same as WPA2 or are they different?
You have to match the router settings with your own computer network
hardware settings. Does your wireless NIC support WPA2? You can only use
the higher of the settings that both pieces of hardware (router and NIC)
support. In other words even though the router might support WPA2 + AES the
wireless network card in your computer might only support WPA-PSK, etc. If
your network card is much older it might only support WEP.
Re: First time home wireless - how to match PC to router - setup question
on 10.06.2007 03:54:25 by Jeff Liebermann
Julie Bove hath wroth:
>On Sat, 09 Jun 2007 16:27:29 -0700, Jeff Liebermann wrote:
>
>> That article is old and from 2003. MS has since then added WPA2
>> support to XP. See:
>>
>
>I'm confused. I have my Windows XP set to update everything so I SHOULD
>have that WPA2 update from Microsoft at
>http://support.microsoft.com/kb/893357 but I DO NOT SEE WPA2 as an option
>in my "wireless zero" interface.
You probably already have this update. Download and install Belarc
Advisor:
It will supply a list of updates, supplements, bug fixes, debris,
junk, and other stuff that Microsoft installs. It's quite a list. It
also marks what's missing and what failed to install. Also, a list of
every piece of hardware, and every software package and version. Very
handy.
>All I see are options for "Open", "Shared", "WPA", & "WPA-PSK".
Well, maybe you don't have the supplement installed. See:
>Do you know if WPA-PSK is the same as WPA2 or are they different?
Very different. You're also mixing a few things.
WPA is a temporary kludge thrown together by the Wi-Fi Alliance in an
attempt to do damage control after the WEP fiasco. The encryption is
TKIP/MIC/PPK/IV. The IEEE then adopted the standard as IEEE-802.11i
also known as WPA2. They then threw in a mess of authentication
protocols. AES/CCMP encryption was adopted for WPA2.
This might help fill in some of the details:
The bottom line is that they're similar in function, but quite
different in implementation.
Ignoring authentication, the relevant combinations available in your
Linksys WRT54G are:
WPA-PSK or WPA-Personal
WPA-RADIUS or WPA-Enterprise
WPA2-PSK
WPA2-RADIUS
You probably won't be using the RADIUS server versions unless you have
an external RADIUS server to handle logins, passwords, and encryption
keys. So, that leaves WPA-PSK (pre-shared key) and WPA2-PSK. Your
choice.
Just to confuse things, the many router firmware implementations have
an automatic setting for WPA, where it will automagically select
either TKIP or AES encryption, depending on the capabilities of the
client. It's usually called "WPA2-PSK Mixed" or "WPA-RADIUS Mixed".
This way, you don't have to select one or the other. The router will
work with any of the WPA or WPA2 mutations. You didn't specify your
WRT54G hardware version or firmware version, so I can't check if yours
offers this selection.
A RADIUS server would be nice, but overkill for the typical home user
as it involves either a replacement router, or another box that's on
24 hours per day.
As for authentication protocols, that's usually handled by the client
computah. See:
for a large shopping list.
--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
Re: First time home wireless - how to match PC to router - setup question
on 10.06.2007 10:04:41 by Julie Bove
On Sat, 09 Jun 2007 18:54:25 -0700, Jeff Liebermann wrote:
> So, that leaves WPA-PSK (pre-shared key) and WPA2-PSK.
> Your choice.
Oh my. I THOUGHT I had all the latest windows xp patches but I didn't have
the Microsoft KB 893357 WPA2/WPA2-PSK additive patch you had suggested.
http://support.microsoft.com/kb/893357
This Microsoft KB893357 patch added TWO new options to my wireless zero
control panel (WPA2, & WPA2-PSK) so now my options are more even.
HERE ARE THE AVAILABLE WIRELESS ROUTER OPTIONS:
a. Security Mode = Disabled, WPA Personal, WPA Enterprise, WPA2 Personal,
WPA2 Enterprise, Radius, or WEP
b. WPA Algorithms = AES, TKIP, or TKIP+AES
HERE ARE THE NEWLY AVAILABLE WINDOWS WIRELESS PC OPTIONS:
a. Network Authentication = Open, Shared, WPA, WPA-PSK, WPA2, or WPA2-PSK
b. Data Encryption = AES, or TKIP
So I think I'll go with:
ROUTER: WPA2 Personal
WINDOWS: WPA2-PSK
The only problem left is that I'm assuming "WPA2 Personal" is the same as
"WPA2-PSK". Is it?
Re: First time home wireless - how to match PC to router - setup question
on 10.06.2007 10:07:53 by Julie Bove
On Sat, 9 Jun 2007 20:47:18 -0500, Jbob wrote:
> You have to match the router settings with your own computer network
> hardware settings. Does your wireless NIC support WPA2?
After installing the Microsoft patch http://support.microsoft.com/kb/893357
the WINDOWS wireless NIC now supports WPA2 & WPA2-PSK.
The ROUTER supported WPA2-Personal & WPA2-Enterprise.
Can I now match the WINDOWS "WPA2-PSK" with the ROUTER "WPA2-Enterprise"?
I am thoroughly confused.
Julie
Re: First time home wireless - how to match PC to router - setup question
on 10.06.2007 10:09:48 by Robert Lambe
Jeff Liebermann wrote:
> That article is old and from 2003. MS has since then added WPA2
> support to XP. See:
>
>
kb893357 has been replaced by kb917021 if you have XP SP2
http://support.microsoft.com/?kbid=917021
This is also linked to in this page:-
http://www.microsoft.com/technet/network/wifi/wrlsxp.mspx
"Wireless Client Update for Windows XP with Service Pack 2"
Re: First time home wireless - how to match PC to router - setup question
on 10.06.2007 12:11:37 by Julie Bove
On Sun, 10 Jun 2007 09:09:48 +0100, kev wrote:
> Jeff Liebermann wrote:
>
>> That article is old and from 2003. MS has since then added WPA2
>> support to XP. See:
>>
>>
> kb893357 has been replaced by kb917021 if you have XP SP2
> http://support.microsoft.com/?kbid=917021
>
> This is also linked to in this page:-
> http://www.microsoft.com/technet/network/wifi/wrlsxp.mspx
>
> "Wireless Client Update for Windows XP with Service Pack 2"
Oh my! The reference article helps greatly!
http://www.microsoft.com/technet/network/wifi/wrlsxp.mspx
In that article, it basically says "WPA2-Personal" uses "PSK" so now I
*finally* have a correlation on the router side with the PC side!
ROUTER = WPA2-Personal, TKIP + AES (which the article says also uses PSK)
WINDOWS = WPA2-PSK, TKIP (with the patch listed in KB893357 & KB917021)
Finally, if you see this message, then I have a match between the 802.11g
abbreviations used on the router side and the newly patched 802.11i
abbreviations used on the Windows XP SP2 PC side!
May I ask why they all don't just use the same abbreviations?
Julie
Re: First time home wireless - how to match PC to router - setup question
on 10.06.2007 15:50:15 by Jeff Liebermann
Julie Bove hath wroth:
>The only problem left is that I'm assuming "WPA2 Personal" is the same as
>"WPA2-PSK". Is it?
Correct. The names have been changed to confuse the innocent.
WPA2-PSK and WPA2-Personal are the same thing.
WPA2-RADIUS and WPA2-Enterprise are the same thing.
--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
Re: First time home wireless - how to match PC to router - setup question
on 10.06.2007 16:29:57 by Eirik
On Sun, 10 Jun 2007 03:11:37 -0700, Julie Bove wrote:
[snip]
> Oh my! The reference article helps greatly!
> http://www.microsoft.com/technet/network/wifi/wrlsxp.mspx
>
> In that article, it basically says "WPA2-Personal" uses "PSK" so now I
> *finally* have a correlation on the router side with the PC side!
>
> ROUTER = WPA2-Personal, TKIP + AES (which the article says also uses PSK)
> WINDOWS = WPA2-PSK, TKIP (with the patch listed in KB893357 & KB917021)
>
> Finally, if you see this message, then I have a match between the 802.11g
> abbreviations used on the router side and the newly patched 802.11i
> abbreviations used on the Windows XP SP2 PC side!
>
> May I ask why they all don't just use the same abbreviations?
The abbreviations are mostly the same, the main difference is
that some vendors think "Personal" is a better word than PSK,
or 'pre-shared key'.
As far as I know, there is no other official name for PSK than
PSK. I've done some unsuccessful attempts to locate the origin of
this "personal" terminology. Would appreciate it if anyone could
provide some insight on this... I'd like to know who to blame :)
- Eirik
Re: First time home wireless - how to match PC to router - setup question
on 10.06.2007 17:52:48 by Jeff Liebermann
eirik@mi.uib.no (Eirik Seim) hath wroth:
>The abbreviations are mostly the same, the main difference is
>that some vendors think "Personal" is a better word than PSK,
>or 'pre-shared key'.
>
>As far as I know, there is no other official name for PSK than
>PSK. I've done some unsuccessful attempts to locate the origin of
>this "personal" terminology. Would appreciate it if anyone could
>provide some insight on this... I'd like to know who to blame :)
>- Eirik
Can I guess?
Personal and Enterprise are all over the Wi-Fi.org web site. For
example, see:
Searching the web pile, PSK appears in one press release (probably an
accident) and in the glossary, which points to WPA-Personal. I
suspect (not sure) that they will not issue certification unless the
product uses their terminology.
PSK and RADIUS are all over IEEE-802.11i-2004 which is the controlling
document for WPA2.
My guess(tm) is that the Wi-Fi alliance is more consumer oriented than
the acronym infested IEEE. I'm guilty of using them interchangeably,
depending on whom I'm addressing.
--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
Re: First time home wireless - how to match PC to router - setup question
on 10.06.2007 19:05:23 by Julie Bove
On 10 Jun 2007 14:29:57 GMT, Eirik Seim wrote:
> The abbreviations are mostly the same, the main difference is
> that some vendors think "Personal" is a better word than PSK,
> or 'pre-shared key'.
Wow! Why didn't the world provide me this secret decoder ring *before* I
confusified myself and everyone else! LOL!
Seriously, before you, I hadn't known that "Security Mode = WPA2 Personal"
on my Cisco router is actually the same thing as "Network Authentication =
WPA2-PSK" in my patched Windows XP PC. Am I the only one to not get with
the program?
While this hidden 1:1 translation knowledge simplifies things greatly, I
wonder aloud whether the same kind of inverted translational logic applies
to the encryption algorithm too???
For example, I've set my corresponding router & windows settings to:
a. ROUTER: WPA Algorithms = TKIP+AES
b. WINXP: Data Encryption = TKIP
The convoluted reason I did this was that I was told TKIP is better but
having TKIP plus AES "seemed" more secure to me. Am I ditzing out again?
Or should I have just chosen a router "wpa algorithm" of TKIP and a Windows
XP "data encryption" of TKIP?
Does setting the router to "TKIP+AES" buy me anything over setting the
router to just "TKIP"?
Julie
Re: First time home wireless - how to match PC to router - setup question
on 10.06.2007 19:32:23 by Julie Bove
On Sun, 10 Jun 2007 08:52:48 -0700, Jeff Liebermann wrote:
> My guess(tm) is that the Wi-Fi alliance is more consumer oriented than
> the acronym infested IEEE. I'm guilty of using them interchangeably,
> depending on whom I'm addressing.
Oh yeah! I researched (as in searched again) the google 'pile' using the
fact that I now knew the answer (that "PSK" is the same as "Personal") and
now, indeed, I can see that the dummy and wikipedia guides (my first stop
shopping) do say that "personal" is the *same* as "psk" (even though the p
stands for something else entirely).
http://www.dummies.com/WileyCDA/DummiesArticle/id-4766.html
"WPA Personal is equivalent to WPA-PSK, which is used by many
wireless access points. WPA Enterprise requires that a RADIUS
server be running on your network, something your home network
is not likely to have."
http://en.wikipedia.org/wiki/WPA2
"Pre-shared key mode (PSK, also known as personal mode) is
designed for home and small office networks"
If I would *hazard* a guess, I might infer that the friendlier-sounding
"Personal" description arose for the Macintosh community while the
acronym-laced "PSK" was relegated to the Windows clientele based on some
search results such as that at
http://security.itbusinessnet.com/articles/viewarticle.jsp?id=89612
"WPA-PSK (Windows) and WPA-Personal (Mac) Encryption ... In this
first section we look at WPA-PSK (Windows) Encryption ...
Next Page: WPA-Personal (Mac) Encryption ..."
Does my guess pan out that "Personal" was originally styled for Macintosh
computers while the more gruff acronym "PSK" was for Windows PCs?
Julie
Re: First time home wireless - how to match PC to router - setup question
on 10.06.2007 20:06:02 by Julie Bove
On Sat, 09 Jun 2007 18:54:25 -0700, Jeff Liebermann wrote:
> Just to confuse things, the many router firmware implementations have
> an automatic setting for WPA, where it will automagically select
> either TKIP or AES encryption, depending on the capabilities of the
> client. It's usually called "WPA2-PSK Mixed" or "WPA-RADIUS Mixed".
I'm going to guess that's why my router has a setting for "TKIP+AES" in
addition to "AES" and "TKIP" separately???
Julie
Re: First time home wireless - how to match PC to router - setup question
on 10.06.2007 21:14:49 by Jeff Liebermann
Julie Bove hath wroth:
>Does my guess pan out that "Personal" was originally styled for Macintosh
>computers while the more gruff acronym "PSK" was for Windows PCs?
>Julie
Nope. Wi-Fi is platform agnostic. If anything, Unix and Linux would
be the most favored operating system of the standards producers. I'm
going to preserve my sanity and NOT look up when the first mention of
either term appeared. My foggy memory seems to recall that WPA-PSK
was first used, which later mutated into WPA-Personal, as apparently
required for router certification.
--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
Re: First time home wireless - how to match PC to router - setup question
on 10.06.2007 21:43:36 by Eirik
On Sun, 10 Jun 2007 17:05:23 GMT, Julie Bove wrote:
> On 10 Jun 2007 14:29:57 GMT, Eirik Seim wrote:
>
> > The abbreviations are mostly the same, the main difference is
> > that some vendors think "Personal" is a better word than PSK,
> > or 'pre-shared key'.
>
> Wow! Why didn't the world provide me this secret decoder ring *before* I
> confusified myself and everyone else! LOL!
>
> Seriously, before you, I hadn't known that "Security Mode = WPA2 Personal"
> on my Cisco router is actually the same thing as "Network Authentication =
> WPA2-PSK" in my patched Windows XP PC. Am I the only one to not get with
> the program?
I first ran into the "personal" and "enterprise" terms while
configuring my girlfriend's new iBook a year ago. I had no idea
what they really meant, and I had worked professionally with
wireless networks for a few years... so no, you're not the only
one.
> While this hidden 1:1 translation knowledge simplifies things greatly, I
> wonder aloud whether the same kind of inverted translational logic applies
> to the encryption algorithm too???
>
> For example, I've set my corresponding router & windows settings to:
> a. ROUTER: WPA Algorithms = TKIP+AES
> b. WINXP: Data Encryption = TKIP
>
> The convoluted reason I did this was that I was told TKIP is better but
> having TKIP plus AES "seemed" more secure to me. Am I ditzing out again?
>
> Or should I have just chosen a router "wpa algorithm" of TKIP and a Windows
> XP "data encryption" of TKIP?
>
> Does setting the router to "TKIP+AES" buy me anything over setting the
> router to just "TKIP"?
I think a quick and dirty history lesson is in order... :)
First came 64 bits WEP, then 128 bits WEP, both of which were
more than reasonably flawed. The chosen way of implementing
WEP allowed an attacker to deduce the key after a certain
amount of sniffed traffic.
To fix this, WPA emerged as an interim solution until the
industry could agree on something better. That version was
more or less WEP with dynamic keys and integrity checking.
The protocol WPA uses for managing the dynamic keys is called
TKIP.
Then came WPA2, or 802.11i, where the older RC4 encryption
algorithm was replaced by AES. AES is widely regarded as
stronger than RC4. WPA2 was designed to use 802.1x authentication
(what is commonly called "Enterprise"; requires quite a bit
more administration and an authentication server), and also
the less secure PSK mode ("Personal", pre-shared key). TKIP
is still supported, but AES does the same job better.
So in the end, if you are running a business and/or have
a server that could be used for issuing 802.1x certificates
and as a suitable authentication server (RADIUS, et al), I
would recommend WPA2 with 802.1x (sometimes referred to as EAP).
And if you're in a regular home with no dedicated or suitable
servers, go for the WPA2 with AES and PSK. No TKIP. Choose a
long and complex (@¤!#", etc) key, put it on a memory stick
and use copy and paste to configure every client computer.
- Eirik
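The label translation and the recommendation worked out in this thread, as an added example (not code from any poster): it maps the router's and Windows XP's option names to a common form, lists the pairs that should associate, and ranks them strongest first. The matching rules are a simplified model assumed for illustration, and `have_radius` is a hypothetical parameter.

```python
"""Added illustration: match router and Windows XP wireless security labels."""
from itertools import product

# Router "Security Mode" label -> (generation, authentication type).
# Disabled, WEP and Radius are deliberately absent: they are not WPA modes.
ROUTER_MODES = {
    "WPA Personal": ("WPA", "PSK"),
    "WPA Enterprise": ("WPA", "802.1X"),
    "WPA2 Personal": ("WPA2", "PSK"),
    "WPA2 Enterprise": ("WPA2", "802.1X"),
}
# Windows XP "Network Authentication" label -> the same tuple.
# In XP's dialog plain "WPA"/"WPA2" mean the 802.1X (RADIUS) variants.
WINDOWS_AUTH = {
    "WPA": ("WPA", "802.1X"),
    "WPA-PSK": ("WPA", "PSK"),
    "WPA2": ("WPA2", "802.1X"),
    "WPA2-PSK": ("WPA2", "PSK"),
}
# Router "WPA Algorithms" label -> ciphers the router will accept.
ROUTER_CIPHERS = {"AES": {"AES"}, "TKIP": {"TKIP"}, "TKIP+AES": {"TKIP", "AES"}}

# Ordering taken from the thread: WPA2 over WPA, RADIUS over PSK, AES over TKIP.
GENERATION_RANK = {"WPA": 0, "WPA2": 1}
AUTH_RANK = {"PSK": 0, "802.1X": 1}
CIPHER_RANK = {"TKIP": 0, "AES": 1}

# Option lists exactly as posted in the thread.
ROUTER_MODE_OPTIONS = ["Disabled", "WPA Personal", "WPA Enterprise",
                       "WPA2 Personal", "WPA2 Enterprise", "Radius", "WEP"]
ROUTER_ALGO_OPTIONS = ["AES", "TKIP", "TKIP+AES"]
PC_AUTH_UNPATCHED = ["Open", "Shared", "WPA", "WPA-PSK"]
PC_AUTH_PATCHED = PC_AUTH_UNPATCHED + ["WPA2", "WPA2-PSK"]
PC_CIPHER_OPTIONS = ["AES", "TKIP"]


def is_match(router_mode, router_algo, pc_auth, pc_cipher, have_radius=False):
    """True if this router/PC pair should associate under the assumed model."""
    if router_mode not in ROUTER_MODES or pc_auth not in WINDOWS_AUTH:
        return False  # Disabled, WEP, Radius, Open, Shared: outside WPA
    generation, auth = ROUTER_MODES[router_mode]
    if (generation, auth) != WINDOWS_AUTH[pc_auth]:
        return False  # e.g. WPA2 Personal on the router vs WPA-PSK on the PC
    if auth == "802.1X" and not have_radius:
        return False  # Enterprise modes need an authentication server
    return pc_cipher in ROUTER_CIPHERS.get(router_algo, set())


def strength(combo):
    """Sort key: generation, auth type, negotiated cipher, weakest cipher allowed."""
    router_mode, router_algo, _pc_auth, pc_cipher = combo
    generation, auth = ROUTER_MODES[router_mode]
    weakest_accepted = min(CIPHER_RANK[c] for c in ROUTER_CIPHERS[router_algo])
    return (GENERATION_RANK[generation], AUTH_RANK[auth],
            CIPHER_RANK[pc_cipher], weakest_accepted)


def working_combinations(router_modes, router_algos, pc_auths, pc_ciphers,
                         have_radius=False):
    """All matching (router mode, router algo, PC auth, PC cipher), best first."""
    combos = [c for c in product(router_modes, router_algos, pc_auths, pc_ciphers)
              if is_match(*c, have_radius=have_radius)]
    return sorted(combos, key=strength, reverse=True)


if __name__ == "__main__":
    for label, auths in (("unpatched XP", PC_AUTH_UNPATCHED),
                         ("patched XP", PC_AUTH_PATCHED)):
        best = working_combinations(ROUTER_MODE_OPTIONS, ROUTER_ALGO_OPTIONS,
                                    auths, PC_CIPHER_OPTIONS)[0]
        print(f"{label}: ROUTER = {best[0]}, {best[1]}  PC = {best[2]}, {best[3]}")
```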
Re: First time home wireless - how to match PC to router - setup question
on 11.06.2007 06:07:43 by Julie Bove
On 10 Jun 2007 19:43:36 GMT, Eirik Seim wrote:
> And if you're in a regular home with no dedicated or suitable
> servers, go for the WPA2 with AES and PSK. No TKIP. Choose a
> long and complex (@¤!#", etc) key...
Thanks to all of you, here is what I ended up with, after taking in all of
the (sometimes conflicting) advice.
1. Wireless ROUTER is set to WPA2 Personal "Security Mode"
2. Wireless ROUTER is set to AES "WPA Algorithm"
3. WinXP PC is patched to Microsoft KB917021 level
4. Newly patched WinXP PC is set to WPA2-PSK "Network Authentication"
5. Newly patched WinXP PC is set to AES "Data Encryption"
6. Preselected key is set as "Four score & seven years ago"
7. ROUTER SSID is set to not broadcast (adds very minimal protection)
8. MAC Address Filtering is turned on (adds very minimal protection)
9. DHCP is set to allow only the number of available computers (useful?)
Does setting the number of allowed DHCP clients equal to the number of
available computers afford me any protection from intrusion?
That is, if I have three computers and I set the DHCP range from
192.168.1.1 to 192.168.1.3 - doesn't that protect me from intrusion by a
fourth computer?
Re: First time home wireless - how to match PC to router - setup question
on 11.06.2007 10:28:20 by Eirik
On Sun, 10 Jun 2007 21:07:43 -0700, Julie Bove wrote:
[snip]
> Does setting the number of allowed DHCP clients equal to the number of
> available computers afford me any protection from intrusion?
>
> That is, if I have three computers and I set the DHCP range from
> 192.168.1.1 to 192.168.1.3 - doesn't that protect me from intrusion by a
> fourth computer?
Unfortunately not. Anyone who would manage to break the other
security features will surely know how to set an IP address
manually.
To achieve what you want (no available addresses for an attacker),
you'd have to think of subnetting. By narrowing your network
address range with a smaller network mask, you could prevent
more than 6 (sorry, 3 or 4 is not an option) stations from being
on your network simultaneously.
By changing the mask from 255.255.255.0 to 255.255.255.248, and
assuming a router address of 192.168.1.1, you would get the range
192.168.1.2 to 192.168.1.6, with 192.168.1.7 being your new
broadcast address (which used to be 192.168.1.255).
Unless you already know subnetting (or find it easy), I'd rather
recommend using an access-list to limit access. You mentioned
Cisco earlier,
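! extended ACL (100-199): the "ip" keyword and a destination need one
access-list 101 permit ip host 192.168.1.1 any
! 192.168.1.2 with wildcard 0.0.0.1 matches .2 and .3
access-list 101 permit ip 192.168.1.2 0.0.0.1 any
access-list 101 permit ip any host 192.168.1.7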
, will permit traffic from 192.168.1.1-192.168.1.3, and deny
the rest. The last of the three lines allow broadcast traffic.
Not sure if that's required.
- Eirik
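The difference between the DHCP pool and the netmask described above, as an added example (not code from the thread): it classifies addresses on the LAN so you can audit how many remain usable by a manually configured host once the pool is full. The router address 192.168.1.1 follows the post; the three-address pool 192.168.1.2 to 192.168.1.4 is an assumed sample.

```python
"""Added illustration: a small DHCP pool does not shrink the usable LAN."""
import ipaddress


def lan_network(router_ip, netmask):
    """Network the router's LAN interface sits on, e.g. 192.168.1.0/29."""
    return ipaddress.ip_interface(f"{router_ip}/{netmask}").network


def client_addresses(router_ip, netmask):
    """Host addresses on the LAN other than the router itself."""
    router = ipaddress.ip_address(router_ip)
    return [h for h in lan_network(router_ip, netmask).hosts() if h != router]


def classify(candidate, router_ip, netmask, pool_start, pool_end):
    """Return 'off-link', 'reserved', 'dhcp-pool' or 'static-only'."""
    net = lan_network(router_ip, netmask)
    addr = ipaddress.ip_address(candidate)
    if addr not in net:
        return "off-link"      # outside the netmask: the router will not talk to it
    if addr in (net.network_address, net.broadcast_address,
                ipaddress.ip_address(router_ip)):
        return "reserved"      # network, broadcast or the router's own address
    if ipaddress.ip_address(pool_start) <= addr <= ipaddress.ip_address(pool_end):
        return "dhcp-pool"     # handed out automatically
    return "static-only"       # never offered by DHCP, but valid if typed in by hand


def addresses_outside_pool(router_ip, netmask, pool_start, pool_end):
    """Addresses a manually configured host could still use."""
    return [a for a in client_addresses(router_ip, netmask)
            if classify(str(a), router_ip, netmask, pool_start, pool_end)
            == "static-only"]


if __name__ == "__main__":
    router, pool = "192.168.1.1", ("192.168.1.2", "192.168.1.4")  # assumed sample pool
    for mask in ("255.255.255.0", "255.255.255.248"):
        net = lan_network(router, mask)
        free = addresses_outside_pool(router, mask, *pool)
        print(f"{mask}: network {net}, broadcast {net.broadcast_address}, "
              f"{len(free)} addresses usable outside the DHCP pool")
```

With the default mask the three-address pool leaves 250 addresses open to static configuration; with 255.255.255.248 only two remain, which is the narrowing the post describes.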
Re: First time home wireless - how to match PC to router - setup question
on 11.06.2007 16:13:26 by unknown
Post removed (X-No-Archive: yes)
Re: First time home wireless - how to match PC to router - setup question
on 16.06.2007 10:38:16 by Roger Harrison
On 11 Jun 2007 14:13:26 GMT, John Gray wrote:
> > Does setting the number of allowed DHCP clients equal to the number of
> > available computers afford me any protection from intrusion?
> Not really, I hope. Where do you live? We could be driving by right
> now.(NOT)
>> That is, if I have three computers and I set the DHCP range from
>> 192.168.1.1 to 192.168.1.3 - doesn't that protect me from intrusion by
>> a fourth computer?
>>
>
> Perhaps, but only if all three computers are left on all the time.
> Otherwise, if your other security settings don't stop unauthorized
> computers from connecting (and it should), that IP would be available for
> DHCP assignment.
How can someone set an IP address manually?
Re: First time home wireless - how to match PC to router - setup question
on 16.06.2007 17:29:20 by John Navas
On Sat, 16 Jun 2007 01:38:16 -0700, Roger Harrison wrote:
>On 11 Jun 2007 14:13:26 GMT, John Gray wrote:
>> > Does setting the number of allowed DHCP clients equal to the number of
>> > available computers afford me any protection from intrusion?
>
>> Not really, I hope. Where do you live? We could be driving by right
>> now.(NOT)
>
>>> That is, if I have three computers and I set the DHCP range from
>>> 192.168.1.1 to 192.168.1.3 - doesn't that protect me from intrusion by
>>> a fourth computer?
>>
>> Perhaps, but only if all three computers are left on all the time.
>> Otherwise, if your other security settings don't stop unauthorized
>> computers from connecting (and it should), that IP would be available for
>> DHCP assignment.
>
>How can someone set an IP address manually?
Properties for the network connection.
--
Best regards, FAQ for Wireless Internet:
John Navas FAQ for Wi-Fi:
Wi-Fi How To:
Fixes to Wi-Fi Problems:
Re: First time home wireless - how to match PC to router - setup question
on 17.06.2007 04:31:59 by Roger Harrison
On Sat, 16 Jun 2007 15:29:20 GMT, John Navas wrote:
>>>> That is, if I have three computers and I set the DHCP range from
>>>> 192.168.1.1 to 192.168.1.3 - doesn't that protect me from intrusion by
>>>> a fourth computer?
>>How can someone set an IP address manually?
> Properties for the network connection.
Hmmm... I've never heard of "security" by limiting the available IP
addresses ... so there MUST be a fatal flaw in my argument ... but here it
is...
a. Assume the "bad guys" CAN change their IP address (a la John Navas'
suggestion) ... but also assume the following conditions ...
b. The Wireless router is assigned to an "arbitrary" range, say the 3 IP
addresses can be assigned to a limited contiguous range that the "bad
guys" don't (yet) know (e.g., 192.168.145.128 to 192.168.145.120).
c. Assume that all three PCs are on the network so there are now zero
available IP addresses.
My security question:
How can the bad guy get in given those three assumptions above?
If we can't figure out how (and of course, if we can't do it ourselves),
then we've just uncovered an heretofore unknown wireless security method
that has never before been seen in print!
Re: First time home wireless - how to match PC to router - setup question
on 17.06.2007 04:34:26 by Roger Harrison
On Sat, 16 Jun 2007 15:29:20 GMT, John Navas wrote:
>>>> That is, if I have three computers and I set the DHCP range from
>>>> 192.168.1.1 to 192.168.1.3 - doesn't that protect me from intrusion by
>>>> a fourth computer?
>>How can someone set an IP address manually?
> Properties for the network connection.
Hmmm... I've never heard of "security" by limiting the available IP
addresses ... so there MUST be a fatal flaw in my argument ... but here it
is...
a. Assume the "bad guys" CAN change their IP address (a la John Navas'
suggestion) ... but also assume the following conditions ...
b. The Wireless router is assigned to an "arbitrary" range, say the 3 IP
addresses can be assigned to a limited contiguous range that the "bad
guys" don't (yet) know (e.g., 192.168.145.128 to 192.168.145.130).
c. Assume that all three PCs are on the network so there are now zero
available IP addresses.
My security question:
How can the bad guy get in given those three assumptions above?
If we can't figure out how (and of course, if we can't do it ourselves),
then we've just uncovered an heretofore unknown wireless security method
that has never before been seen in print!
Re: First time home wireless - how to match PC to router - setup question
on 17.06.2007 06:16:21 by Jeff Liebermann
Roger Harrison hath wroth:
>On Sat, 16 Jun 2007 15:29:20 GMT, John Navas wrote:
>>>>> That is, if I have three computers and I set the DHCP range from
>>>>> 192.168.1.1 to 192.168.1.3 - doesn't that protect me from intrusion by
>>>>> a fourth computer?
>>>How can someone set an IP address manually?
>> Properties for the network connection.
>
>Hmmm... I've never heard of "security" by limiting the available IP
>addresses ... so there MUST be a fatal flaw in my argument ... but here it
>is...
>
>a. Assume the "bad guys" CAN change their IP address (a la John Navas'
>suggestion) ... but also assume the following conditions ...
They can. It's very easy to change the client's IP address manually.
It's also very easy to change the client's MAC address. That makes it
very easy to spoof any client that is only authenticated by its IP and
MAC addresses.
>b. The Wireless router is assigned to an "arbitrary" range, say the 3 IP
>addresses can be assigned to a limited contiguous range that the "bad
>guys" don't (yet) know (e.g., 192.168.145.128 to 192.168.145.120).
IP addresses are NOT exposed in encrypted packets, so such security by
obscurity will work if the link is encrypted. However, without
encryption, the IP address range that's in use is easily extracted by
sniffing.
>c. Assume that all three PCs are on the network so there are now zero
>available IP addresses.
You have two things going at the same time here. DHCP IP assignment
and Netmask. One does not "assign" the router to an arbitrary range
of IP's. It's done with Netmask using well known subnet masking
rules. That limits the available IP's that can be used to connect to
the router including blocking those that are manually assigned by the
client.
The DHCP range must by necessity be within the available IP range of
the Netmask. It can be smaller than the netmask range, but not
larger. (It also shouldn't include the router LAN IP address and the
broadcast address, as those can't be used by clients).
If you choose NOT to use Netmask, and leave it at the default /24,
you'll have 254 available IP addresses to choose from. You can set the
DHCP range for any smaller amount of IP's, and evil hackers like
myself can easily select an IP address that is *OUTSIDE* of the DHCP
range, and get a connection.
>My security question:
> How can the bad guy get in given those three assumptions above?
See above.
>If we can't figure out how (and of course, if we can't do it ourselves),
>then we've just uncovered an heretofore unknown wireless security method
>that has never before been seen in print!
Do you really need instructions in how to determine the IP address in
use and how to set up a static IP on the client? I'll make it easy. I
walk up to a Windoze machine and run:
Start -> run -> cmd
ipconfig
ipconfig /all | find "Address"
I now have the IP addresses in use, the gateway IP, and the MAC
address of the client. If I'm lazy, I just turn off the machine, and
use the same MAC address and setup the same IP address on my machine.
The DHCP server won't re-assign the IP to someone else because it will
first ping the IP to see if it's in use.
You left out far too many conditions and considerations:
1. Is the link encrypted?
2. What's the LAN netmask?
3. Where's the DHCP address pool?
4. Is there a MAC address filter?
5. Any 802.1x authentication? RADIUS authorization/authentication?
6. Any secure tunnels (VPN)?
In my never humble opinion, the only real security available is WPA or
WPA2 encryption. Even that has a problem in that shared keys can be
extracted from the client machines. Therefore, WPA2-RADIUS, which
does not use a shared key and delivers a unique key for the session,
is best. All the tricks with MAC and IP filters, and are worthless as
anyone with a clue can work around them. I'll pretend not to mention
security by proprietary wireless protocols, which also has a fan club.
--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
Re: First time home wireless - how to match PC to router - setup question
on 17.06.2007 08:29:40 by Roger Harrison
On Sat, 16 Jun 2007 21:16:21 -0700, Jeff Liebermann wrote:
> You left out far too many conditions and considerations:
Thank you for asking. I will try to faithfully answer the questions.
> 1. Is the link encrypted?
I'm not sure what that means. I'm not using VPN if that's what you're
asking, but I am using standard WPA2-PSK authentication & AES data
encryption as set up on the router and windows xp machine.
> 2. What's the LAN netmask?
On the router, it is 255.255.255.0 and the router IP address is set to
192.168.100.100 and changed weekly.
> 3. Where's the DHCP address pool?
I'm not sure what this means. On my Linksys router, there is a setting for
"Maximum Number of DHCP Users" which I've set to "3". Is that the DHCP
pool?
> 4. Is there a MAC address filter?
Yes. I currently have DEADBEEFCAFE, 0BADFEEDBEEF, & 00BADCODEFAD as my
three MAC addresses on my windows computers and the MAC address filter in
the router is set to only accept those three MAC addresses and they are
changed weekly.
> 5. Any 802.1x authentication? RADIUS authorization/authentication?
I do not have the "Enable IEEE 801.1x authentication for this network" set
in the Windows network application for the wireless network. Neither do I
have Radius for my home network. I just use WPA2-PSK.
> 6. Any secure tunnels (VPN)?
No, I am not using VPN.
> In my never humble opinion, the only real security available is WPA or
> WPA2 encryption. Even that has a problem in that shared keys can be
> extracted from the client machines.
I am using WPA2-PSK so shared keys can be extracted, I guess.
Given this information, how can anyone connect to my network when the only
three available DHCP addresses are in use by my three PCs?
Re: First time home wireless - how to match PC to router - setup question
on 17.06.2007 09:34:07 by Jeff Liebermann
Roger Harrison hath wroth:
>On Sat, 16 Jun 2007 21:16:21 -0700, Jeff Liebermann wrote:
>> You left out far too many conditions and considerations:
>Thank you for asking. I will try to faithfully answer the questions.
>
>> 1. Is the link encrypted?
>I'm not sure what that means. I'm not using VPN if that's what you're
>asking, but I am using standard WPA2-PSK authentication & AES data
>encryption as set up on the router and windows xp machine.
Then the IP addresses are NOT visible and cannot be sniffed over the
air. Obscuring and limiting the IP addresses would be effective.
However, as I pointed out, a physical attack on any client will
extract a usable WPA key, which can then be used to decrypt a capture
file, and thus extract the necessary IP addresses. In short, unless
you have WPA2-RADIUS and very good physical control over the clients,
IP address limiting is not going to do much.
>> 2. What's the LAN netmask?
>On the router, it is 255.255.255.0 and the router IP address is set to
>192.168.100.100 and changed weekly.
So, you have 254 available IP addresses. Even if you limit the DHCP
address pool to a very small number of IP addresses, a working IP
address can be easily found and configured.
I presume that you also change the IP address of the default gateway
weekly. I suppose that this security by moving target will mostly
work because most evil hackers (like me) will not think that anyone
would go through so much effort. Again, as I pointed out in my
previous description, a physical attack on the client will extract the
WPA2 shared key, which can then be used to decrypt the capture file,
which will reveal the IP address selection of the week. I note that
you do not mention changing the WPA shared key every week, so once the
evil hacker has your WPA key, extracting the IP addresses is trivial
and routine.
You might want to look at the available tools to see what can be
(easily) accomplished.
>> 3. Where's the DHCP address pool?
>I'm not sure what this means. On my Linksys router, there is a setting for
>"Maximum Number of DHCP Users" which I've set to "3". Is that the DHCP
>pool?
Yes. It also should have a starting DHCP address, which is usually
192.168.1.100. So, with those settings, your DHCP address pool is
.100 through .102. A client connecting with DHCP will get one of
these 3 IP addresses. However, because you don't have the netmask on
the LAN side set to something less than /24, an evil hacker (like me)
can easily set their client computah to use any of the *OTHER* 251 IP
addresses, which will work just fine.
>> 4. Is there a MAC address filter?
>Yes. I currently have DEADBEEFCAFE, 0BADFEEDBEEF, & 00BADCODEFAD as my
>three MAC addresses on my windows computers and the MAC address filter in
>the router is set to only accept those three MAC addresses and they are
>changed weekly.
Changed weekly? On both the client and on the router? Well, that's
fine but completely useless, even with encryption. By necessity, all
the MAC addresses are exposed in the 802.11 headers. They are not
encrypted. A few seconds sniffing will reveal the MAC addresses in
use. Ethereal, Wireshark, Kismet, and even Netstumbler will reveal
all the MAC addresses in use. All I have to do is wait until one
particular device is not being used, and I just borrow their MAC
address.
>> 5. Any 802.1x authentication? RADIUS authorization/authentication?
>I do not have the "Enable IEEE 801.1x authentication for this network" set
>in the Windows network application for the wireless network. Neither do I
>have Radius for my home network. I just use WPA2-PSK.
Then you have a problem. I rarely attack a system directly. In this
case, the weak link is the encrypted WPA key stored on the client
computer. See WZCook:
for how it's done. I have a USB dongle setup to extract the necessary
keys. It's a bit slower than I prefer, but it will do the job in
about 10 seconds, most of which is plug-n-play taking forever to
recognize the USB dongle.
>> 6. Any secure tunnels (VPN)?
>No, I am not using VPN.
That's the way you get real security. I know of several corporate
LAN's that do not use any encryption on the wireless end. You can
connect, but the gateway goes nowhere. If you want to enter the
corporate LAN, it's through a VPN tunnel.
>> In my never humble opinion, the only real security available is WPA or
>> WPA2 encryption. Even that has a problem in that shared keys can be
>> extracted from the client machines.
>I am using WPA2-PSK so shared keys can be extracted, I guess.
Correct. It's not a weakness if you have good physical control over
the client machines. However, a bit of social engineering or
subterfuge, and I've got the key. For the small number of machines
you operate, it's fairly easy to replace the WPA shared key. However,
for monster corporate WLAN systems, with a huge number of clients,
that's just not going to work. That's another reason why RADIUS
authorization (passwords) and authentication (802.1x and EAP) are so
nice. There's no shared key and the security is enhanced by it being
random, messy, and unique.
>Given this information, how can anyone connect to my network when the only
>three available DHCP addresses are in use by my three PCs?
Not anyone. Someone would need to know what you're doing for
security, how it works, what you're doing to maintain it, and roughly
what you have for hardware and firmware. For a casual hacker, just
the encryption key will stop them due to lack of time. However, once
they have the encryption key, the other security measures are little
better than putting a "do not enter" sign on the door. It wouldn't
stop even a beginner.
Let me offer some (free) advice.
1. Your WPA key is your primary security. Do everything you can to
protect it. All the other filters and obstacles are worthless and
only cause complications. For example, how much work is it to add an
additional user or laptop?
2. If you can't run your own RADIUS server, then subscribe to an
online RADIUS service. For example:
There are others, but it's late and I'm too lazy to dig through my
mess of bookmarks.
3. You didn't mention anything about logging. Putting a lock on the
door doesn't buy you much if you don't check the lock regularly.
That's what logging does. When something unusual appears on your
network, you would want to know about it. For simple Linksys
wireless, see AirSnare:
4. If your wireless operation is only during business hours, set up a
timer to disable the wireless during off hours. The evil hackers
(like me) prefer operating under cover of darkness.
--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
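The logging advice in the post above, as an added example that is not part of the original thread: a small monitor that reads snapshots of the router's client table and flags the situations the post describes (an unknown MAC address, a client using a static IP outside the DHCP pool, one MAC address on two IPs at once). The snapshot format, the MAC addresses and the 192.168.1.0/24 LAN with a .100-.102 pool are assumptions constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Assumed LAN: a /24 with a three-address DHCP pool, .100 through .102.
LAN = ipaddress.ip_network("192.168.1.0/24")
POOL = {ipaddress.ip_address("192.168.1.100") + i for i in range(3)}

# Constructed allow-list standing in for the three household machines.
KNOWN_MACS = {"02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"}

# Constructed snapshots of the router's client table: "time ip mac".
SNAPSHOTS = """\
2007-06-17T21:00 192.168.1.100 02:00:00:00:00:01
2007-06-17T21:00 192.168.1.101 02:00:00:00:00:02
2007-06-17T21:00 192.168.1.102 02:00:00:00:00:03
2007-06-18T02:10 192.168.1.100 02:00:00:00:00:01
2007-06-18T02:10 192.168.1.150 02:00:00:00:00:99
2007-06-18T02:40 192.168.1.101 02:00:00:00:00:02
2007-06-18T02:40 192.168.1.177 02:00:00:00:00:02
"""


def parse(text):
    """Yield (timestamp, ip, mac) for every non-empty snapshot line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, mac = line.split()
        yield ts, ipaddress.ip_address(ip), mac.lower()


def detect(text):
    """Return a list of (timestamp, kind, mac, ip) alerts."""
    by_ts = defaultdict(list)
    for ts, ip, mac in parse(text):
        by_ts[ts].append((ip, mac))

    alerts = []
    for ts in sorted(by_ts):
        first_ip = {}  # first IP seen for each MAC within this snapshot
        for ip, mac in by_ts[ts]:
            if mac not in KNOWN_MACS:
                alerts.append((ts, "unknown-mac", mac, str(ip)))
            # A LAN address the DHCP server never hands out means the
            # client configured it statically.
            if ip in LAN and ip not in POOL:
                alerts.append((ts, "static-ip-outside-pool", mac, str(ip)))
            # The same MAC on two addresses at once suggests a clone.
            if first_ip.setdefault(mac, ip) != ip:
                alerts.append((ts, "mac-on-two-ips", mac, str(ip)))
    return alerts


if __name__ == "__main__":
    for alert in detect(SNAPSHOTS):
        print(*alert)
```

A cloned MAC address that takes a pool address while its owner is switched off produces no alert here, which is the post's reason for treating the WPA key, not the filters, as the primary control.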
Re: First time home wireless - how to match PC to router - setup question
on 18.06.2007 03:19:35 by Roger Harrison
On Sun, 17 Jun 2007 00:34:07 -0700, Jeff Liebermann wrote:
> Then the IP addresses are NOT visible and cannot be sniffed over the
> air. Obscuring and limiting the IP addresses would be effective.
> However, as I pointed out, a physical attack on any client will
> extract a usable WPA key, which can then be used to decrypt a capture
> file, and thus extract the necessary IP addresses.
By "physical", do you mean hands-on access to the router & the PC machine?
If it matters, I also change my "pre-shared key" weekly (it's just a long
string of gibberish which I ad hoc write down on paper and then set my
machines to every Sunday).
>>> 2. What's the LAN netmask?
>>On the router, it is 255.255.255.0
> So, you have 254 available IP addresses.
Oh no! I did not realize that. I change both the router starting IP address
and the router login address every Sunday. For example, I just changed to a
starting IP address of 192.168.120.134 and I changed to a router login
address of 192.168.200.134.
One question: Do I have to use 192.168.xxx.xxx? Can I use, for example,
123.123.123.123 as my router login address and, for example,
231.123.101.201 to 231.123.101.203 as my 3 available DHCP addresses?
Even so, what is the logic of the Linksys router question asking how many
IP addresses I wish to limit it to while the netmask should have done that
already? I'm confused because you say a netmask of 255.255.255.0 allows way
more than 3 IP addresses.
> I presume that you also change the IP address of the default gateway
> weekly.
Yes. And the MAC address & hostname of BOTH the router and the windows PC's
because I read a good hacker can see both the router and the pc behind the
router.
> I note that you do not mention changing the WPA shared key every week
That's what started this whole thing actually. I learned I should change my
pre-shared-key - and - while I was there, I figured I may as well change
everything I could. I even changed all the beacon and interval numbers but
then the router didn't work so I had to reset the router and go more slowly
with the changes of everything I could.
> You might want to look at the available tools to see what can be
> (easily) accomplished.
I tried airsnare to see if I could find out who was connecting to me, which
installed ethereal and winpcap, but I can't get it to capture anything yet,
not even things on my own network. So I must be doing something wrong.
>>> 3. Where's the DHCP address pool?
> So, with those settings, your DHCP address pool is
> .100 through .102. However, because you don't have the netmask on
> the LAN side set to something less than /24, an evil hacker (like me)
> can easily set their client computah to use any of the *OTHER* 251 IP
> addresses, which will work just fine.
Oh. Should I use a different netmask to limit the "hidden" allowable IP
addresses?
>>> 4. Is there a MAC address filter?
>>Yes.
> A few seconds sniffing will reveal the MAC addresses in use.
> Ethereal, Wireshark, Kismet, and even Netstumbler will reveal
> all the MAC addresses in use.
You know, since I am on winxp, I tried Network Stumbler (actually the
hacked netcrumbler which allows connections at the same time) and all I see
is the MAC address of my access point. I do NOT see the MAC address of any
client machines. Does netstumbler really provide the MAC addresses of the
client machines?
And, with Ethereal, when I say "Capture > Options > MyWirelessCard", and
then "Capture > Start", all I get is a "Captured Packets" window that never
captures anything.
I can't believe I'm (accidentally) so secure that Ethereal can't capture my
packets nor Netstumbler will find my windows pc MAC address. So, I must be
doing something wrong.
>>> 5. Any 802.1x authentication? RADIUS authorization/authentication?
>>I just use WPA2-PSK.
>
> Then you have a problem.
> the weak link is the encrypted WPA key stored on the client
Oh no. I must research this radius thing. I am a home user. I thought
Radius (whatever it is) was for office users. I must look this up. Thank
you for the pointer.
>>> 6. Any secure tunnels (VPN)?
>>No, I am not using VPN.
> That's the way you get real security.
I'm confused. I use VPN when connecting to my company but I thought VPN
needed a client and a server. On a home network, if I used vpn, my PC would
be the client but could the Linksys WRT54G router act as the server?
> once they have the encryption key, the other security measures are little
> better than putting a "do not enter" sign on the door. It wouldn't
> stop even a beginner.
I'll keep this in mind and try to secure my pre-shared keys and change them
more often and make them even longer now.
> You didn't mention anything about logging. Putting a lock on the
> door doesn't buy you much if you don't check the lock regularly.
> That's what logging does. When something unusual appears on your
> network, you would want to know about it. For simple Linksys
> wireless, see AirSnare:
>
I'm still trying to get AirSnare to work. It gives an error which I'm
trying to figure out.
> 4. If your wireless operation is only during business hours, set up a
> timer to disable the wireless during off hours. The evil hackers
> (like me) prefer operating under cover of darkness.
Interesting. I never thought of that!
This is a WONDERFUL discussion! I very much appreciate your expert (super
expert in fact) advice!
Re: First time home wireless - how to match PC to router - setup question
on 18.06.2007 04:47:58 by Jeff Liebermann
Roger Harrison hath wroth:
>On Sun, 17 Jun 2007 00:34:07 -0700, Jeff Liebermann wrote:
>> Then the IP addresses are NOT visible and cannot be sniffed over the
>> air. Obscuring and limiting the IP addresses would be effective.
>> However, as I pointed out, a physical attack on any client will
>> extract a usable WPA key, which can then be used to decrypt a capture
>> file, and thus extract the necessary IP addresses.
>
>By "physical", do you mean hands-on access to the router & the PC machine?
Yes. If I can get my hands on the machine, I can extract enough
information to enable me to connect to your network. Simple things
like having the screen blanker demand a password will slow me down
considerably. However, if I can boot the machine with my favorite
cracker CDROM, I can bypass almost all the Windoze security features.
There are plenty of Linux boot CDROM's (and floppies) that will mount
an NTFS filesystem, and neatly extract the registry files. They can
also edit the registry which includes changing the administrator
password.
>If it matters, I also change my "pre-shared key" weekly (it's just a long
>string of gibberish which I ad hoc write down on paper and then set my
>machines to every Sunday).
That's fine, but again, if I have physical access, I can extract the
key from the registry.
There may be another problem here. If the WPA key is short enough
that you can scribble it down, and pound it into several machines plus
your router, it must be fairly short. Be advised that short pass
phrases can be cracked by brute force. I believe that 20 characters
minimum is considered best practices.
Also, be sure to hide or destroy the paper you scribbled down the pass
phrase. My all time winning clueless customer would reassign
passwords monthly, and then post the list on a bulletin board so that
everyone was informed of the changes. It took a while to explain what
was wrong with that procedure.
>>>> 2. What's the LAN netmask?
>>>On the router, it is 255.255.255.0
>> So, you have 254 available IP addresses.
>
>Oh no! I did not realize that. I change both the router starting IP address
>and the router login address every Sunday. For example, I just changed to a
>starting IP address of 192.168.120.134 and I changed to a router login
>address of 192.168.200.134.
If you're going to do all that (not recommended) please read up on how
netmask and IP subnets operate. There are numerous calculators
online. You can't just pick an IP address at random. This looks
acceptable:
The router IP address must be within the netmask IP address range or
the client cannot connect. Most router firmware is smart enough to
inform you that you might be unable to connect if you plant it outside
the netmask range. However, some don't and you'll find yourself
unable to access the router. Punching the reset button will recover,
but you should save a settings backup file to make recovery easier.
>One question: Do I have to use 192.168.xxx.xxx?
The available RFC1918 IP addresses are:
10.0.0.0 - 10.255.255.255 (10/8 prefix)
172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
If you pick anything outside of these ranges, you run the risk of
duplicating the address of some internet user or server. That's why
these were reserved for your use. They don't route anywhere.
Some routers will demand that you use one of these, because they have
preconfigured anti-spoofing filters with these addresses
pre-configured. If someone tries to pretend that they're on your
inside LAN, but is connected via the WAN (internet) port, these
filters will stop them. If you pick something outside of the
acceptable IP ranges, they won't.
>Can I use, for example,
>123.123.123.123 as my router login address and, for example,
>231.123.101.201 to 231.123.101.203 as my 3 available DHCP addresses?
No. Two problems. The first I explained in the previous paragraph on
the use of RFC1918 non-routeable IP addresses. The 2nd I explained a
bit earlier in that the IP address of the router MUST be within the
netmask range. If you use 123.123.123.123 as your router's IP
address, then the DHCP range must be between 123.123.123.0 and
123.123.123.255 for the default netmask of 255.255.255.0.
>Even so, what is the logic of the Linksys router question asking how many
>IP addresses I wish to limit it to while the netmask should have done that
>already?
254 usable IP addresses is a rather small sandbox to play inside if
you have a large network. Running out of DHCP addresses to assign is a
common problem. By limiting the number of assignable IP's in the
pool, more devices can be accommodated. In other words, DHCP range
limiting was never intended to be some kind of security feature.
>I'm confused because you say a netmask of 255.255.255.0 allows way
>more than 3 IP addresses.
Correct. It allows 253 IP addresses plus one for the IP address of
the router plus another one is the broadcast address. All DHCP does is
deliver a unique IP address, gateway, DNS servers, and a mess of other
junk depending on system, to the client. If the client already has a
static IP address, and knows the DNS servers and gateway IP, then they
don't need anything from the DHCP server. Again, DHCP is NOT a
security feature.
>> I presume that you also change the IP address of the default gateway
>> weekly.
>Yes. And the MAC address & hostname of BOTH the router and the windows PC's
>because I read a good hacker can see both the router and the pc behind the
>router.
Sorta. By sniffing the internet traffic, I can watch the sequence
numbers and deduce the number of clients hidden behind your NAT
router. However, unless you've left open IP ports, or your router has
a security problem, I cannot "see" anything behind your NAT router.
Sniffing the WAN side traffic will NOT show any internal MAC or IP
addresses as these appear as if everything were coming from the
router's WAN IP and MAC address. Try it. Plant a hub (not a switch)
between your router and your DSL or cable modem. Sniff with Wireshark
or Ethereal. See any MAC's or IP's from the LAN side of the router? I
hope not.
>> I note that you do not mention changing the WPA shared key every week
>That's what started this whole thing actually. I learned I should change my
>pre-shared-key - and - while I was there, I figured I may as well change
>everything I could. I even changed all the beacon and interval numbers but
>then the router didn't work so I had to reset the router and go more slowly
>with the changes of everything I could.
Chuckle. My domain is LearnByDestroying.com. Welcome to the club. I
also like to change things to see what happens. Incidentally, when I
worked in engineering many years ago, the drafting department gave me
a "change everything" rubber stamp as a present.
As I said in my previous rant, your primary and probably sole real
security feature is the WPA or WPA2 shared key. That should be the
only thing of importance here. If that's compromised, I can work
around all the other tricks you've mentioned.
>> You might want to look at the available tools to see what can be
>> (easily) accomplished.
>I tried airsnare to see if I could find out who was connecting to me, which
>installed ethereal and winpcap, but I can't get it to capture anything yet,
>not even things on my own network. So I must be doing something wrong.
If you did this on a Windoze machine, it won't work. The monitor or
promiscuous modes are conspicuously absent in Windoze NDIS drivers.
That's not a problem with Linux drivers, but you have to pick and
choose your hardware carefully. There is a wireless Windoze
workaround at:
However, if you used an ethernet port to do the sniffing, you should
have been able to see packets from the entire network with Windoze.
Another common problem, especially with AirSnare is that users try to
use an ethernet switch instead of a hub for sniffing. A switch will
only show traffic coming or going to/from the port that the sniffer is
plugged into. All other traffic never goes to this port. So, you see
nothing. Either use a hub, which is really a repeater that repeats
everything going into any port to all the other ports, or get a high
end ethernet switch that has a configurable monitor port.
>>>> 3. Where's the DHCP address pool?
>> So, with those settings, your DHCP address pool is
>> .100 through .102. However, because you don't have the netmask on
>> the LAN side set to something less than /24, an evil hacker (like me)
>> can easily set their client computah to use any of the *OTHER* 251 IP
>> addresses, which will work just fine.
>Oh. Should I use a different netmask to limit the "hidden" allowable IP
>addresses?
Yep. That's what I've been trying to explain for the last 3 messages.
Using DHCP to limit available IP's with a /25 netmask doesn't work.
>>>> 4. Is there a MAC address filter?
>>>Yes.
>> A few seconds sniffing will reveal the MAC addresses in use.
>> Ethereal, Wireshark, Kismet, and even Netstumbler will reveal
>> all the MAC addresses in use.
>
>You know, since I am on winxp, I tried Network Stumbler (actually the
>hacked netcrumbler which allows connections at the same time) and all I see
>is the MAC address of my access point. I do NOT see the MAC address of any
>client machines. Does netstumbler really provide the MAC addresses of the
>client machines?
No. Netstumbler is NOT a passive sniffer. It's an active probe that
sends probe request broadcasts to which only the access points respond.
Netstumbler will not show clients. There are some kludges for Windoze
that do this, but I prefer to use a Linux LiveCD. I suggest using:
Boot it and run kismet, which is a passive sniffer. That should show
client MAC addresses (if you have a compatible wireless card).
>And, with Ethereal, when I say "Capture > Options > MyWirelessCard", and
>then "Capture > Start", all I get is a "Captured Packets" window that never
>captures anything.
I'm not going to try and troubleshoot Ethereal or Wireshark via
newsgroup. See section 7 of the FAQ at:
>I can't believe I'm (accidentally) so secure that Ethereal can't capture my
>packets nor Netstumbler will find my windows pc MAC address. So, I must be
>doing something wrong.
I can't tell from here. I had plenty of trouble figuring out how to
use Ethereal and then Wireshark. After you start capturing packets,
your next headache will be filters or you'll be buried in too much
data.
>>>> 5. Any 802.1x authentication? RADIUS authorization/authentication?
>>>I just use WPA2-PSK.
>>
>> Then you have a problem.
>> the weak link is the encrypted WPA key stored on the client
>
>Oh no. I must research this radius thing. I am a home user. I thought
>Radius (whatever it is) was for office users. I must look this up. Thank
>you for the pointer.
RADIUS usually is for office use. It has many advantages, but it's
big and ugly. Too big for inclusion inside most cheapo routers. There
are some that have built in RADIUS servers, but most do not. Most home
users do not need the level of security you're attempting. Again,
encryption is your primary security device. RADIUS offers a method of
delivering unique encryption keys per session so you don't have to
screw with fabricating a shared key, protecting it, and changing it
erratically. In my opinion, you don't need it for home use. Just use
the WPA key and keep it well protected.
>>>> 6. Any secure tunnels (VPN)?
>>>No, I am not using VPN.
>> That's the way you get real security.
>
>I'm confused. I use VPN when connecting to my company but I thought VPN
>needed a client and a server. On a home network, if I used vpn, my PC would
>be the client but could the Linksys WRT54G router act as the server?
I wasn't thinking of it like that. I actually do just that at one
client's. The wireless network is unencrypted and looks wide open.
However, to connect to the inside office network, you have to fire up an
IPSec VPN client, which connects to a VPN gateway on the wireless LAN.
It's quite secure.
You could do something like that if you really want. I do but for
totally different reasons. I have a WRT54GS in both my palatial
office and house. They run DD-WRT V23 SP2 and SP3 respectively. Try
it:
Both have PPTP VPN clients and servers. I often have the two routers
connect to each other, thus forming a VPN tunnel, which makes my
office and home network look like one big LAN. Very handy for working
at home. I also use the VPN PPTP termination for checking my email
when I'm on a laptop at a public hotspot. All the traffic is
encrypted by the tunnel, so hotspot sniffing is useless.
Incidentally, not all WRT54G routers can handle alternative Linux
firmware. Look on the serial number tag and disclose the hardware
revision number. See:
for details.
>> once they have the encryption key, the other security measures are little
>> better than putting a "do not enter" sign on the door. It wouldn't
>> stop even a beginner.
>I'll keep this in mind and try to secure my pre-shared keys and change them
>more often and make them even longer now.
I'm not getting through to you. Leave the encryption key alone for a
while. Change it every few months if you must. Forget about the
other methods of security by obstacle course. They only get in the
way. Use some form of monitoring to determine what your network is
doing and who is on it.
>> You didn't mention anything about logging. Putting a lock on the
>> door doesn't buy you much if you don't check the lock regularly.
>> That's what logging does. When something unusual appears on your
>> network, you would want to know about it. For simple Linksys
>> wireless, see AirSnare:
>>
>I'm still trying to get AirSnare to work. It gives an error which I'm
>trying to figure out.
>
>> 4. If your wireless operation is only during business hours, set up a
>> timer to disable the wireless during off hours. The evil hackers
>> (like me) prefer operating under cover of darkness.
>Interesting. I never thought of that!
>
>This is a WONDERFUL discussion! I very much appreciate your expert (super
>expert in fact) advice!
You might want to read the FAQ for alt.internet.wireless.
FAQ for Wireless Internet:
FAQ for Wi-Fi:
Wi-Fi How To:
Fixes to Wi-Fi Problems:
--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
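The netmask, DHCP pool and RFC 1918 points from the post above, as an added example that is not part of the original thread: an audit of a router's LAN settings that reports how many host addresses the netmask leaves open outside the DHCP pool and the smallest subnet that would still hold the router and the pool. The function names and the pool start address 192.168.100.101 are assumptions; the second configuration is the 123.123.123.123 / 231.123.101.201 proposal asked about in the thread.

```python
import ipaddress

# RFC 1918 private ranges, as listed in the post.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_host(addr, net):
    """True if addr is an assignable host address inside net."""
    return (addr in net and addr != net.network_address
            and addr != net.broadcast_address)


def tightest_prefix(router, pool, lan):
    """Longest prefix (smallest subnet) that still holds router and pool."""
    for prefix in range(30, lan.prefixlen - 1, -1):
        net = ipaddress.ip_network(f"{router}/{prefix}", strict=False)
        if all(is_host(a, net) for a in [router, *pool]):
            return prefix
    return None


def audit_lan(router_ip, netmask, pool_start, pool_size):
    """Return (findings, facts) for one LAN configuration (prefix <= /30)."""
    router = ipaddress.ip_address(router_ip)
    lan = ipaddress.ip_network(f"{router_ip}/{netmask}", strict=False)
    first = ipaddress.ip_address(pool_start)
    pool = [first + i for i in range(pool_size)]

    findings = []
    if not any(router in net for net in RFC1918):
        findings.append("router address is outside RFC 1918 private space")
    if any(a.is_multicast for a in pool):
        findings.append("DHCP pool uses multicast addresses")
    if any(a not in lan for a in pool):
        findings.append("DHCP pool is outside the router's subnet")
    if router in pool or any(a in lan and not is_host(a, lan) for a in pool):
        findings.append("DHCP pool overlaps router, network or broadcast address")

    usable = lan.num_addresses - 2          # minus network and broadcast
    pooled = sum(1 for a in pool if is_host(a, lan))
    facts = {
        "subnet": str(lan),
        "usable_hosts": usable,
        # Host addresses DHCP never hands out; a statically configured
        # client can use them. The router's own address is among them.
        "outside_pool": usable - pooled,
        "tightest_prefix": tightest_prefix(router, pool, lan),
    }
    return findings, facts


if __name__ == "__main__":
    configs = [
        ("192.168.100.100", "255.255.255.0", "192.168.100.101", 3),
        ("123.123.123.123", "255.255.255.0", "231.123.101.201", 3),
    ]
    for cfg in configs:
        findings, facts = audit_lan(*cfg)
        print(cfg, facts, findings or "no findings")
```

Even the tightest mask for the first configuration is a /28 with 14 host addresses, so a few unassigned addresses always remain.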
Re: First time home wireless - how to match PC to router - setup question
on 18.06.2007 06:55:56 by Roger Harrison
On Sun, 17 Jun 2007 19:47:58 -0700, Jeff Liebermann wrote:
> if I have physical access, I can extract the key from the registry.
Thanks to you, I am now better informed. I would assume this
WPA2-Pre-shared-key can also be extracted with a "virus" or a "trojan" ...
Is that correct?
> I believe that 20 characters minimum is considered best practices.
I just type away on the router to set the key and then write it down to
bring to the PCs. These pre-shared keys are around 20 or 25 characters but
I'll go longer from now on now that I know it's the holy grail.
>>One question: Do I have to use 192.168.xxx.xxx?
> 10.0.0.0 - 10.255.255.255 (10/8 prefix)
> 172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
> 192.168.0.0 - 192.168.255.255 (192.168/16 prefix)
> They don't route anywhere.
Interesting. Very interesting. I think I'll rotate through these additional
addresses in my Sunday changes. I'll read up on the netmask stuff as it
seems to be the opposite of what I thought originally. Thanks.
> DHCP range limiting was never intended to be [a] security feature.
Bummer. Got it.
> when I worked in engineering many years ago, the drafting department
> gave me a "change everything" rubber stamp as a present.
I believe it!
> As I said in my previous rant, your primary and probably sole real
> security feature is the WPA or WPA2 shared key.
I'll spend more time making the WPA2-PSK key longer and harder to guess.
I've been using all the funky characters and I will try to use at least 30
characters each week.
>There is a wireless Windoze workaround at:
>
I'll check this suggestion out as I am very interested in seeing my first
packets ever!
> Either use a hub, which is really a repeater that repeats
> everything going into any port to all the other ports, or get a high
> end ethernet switch that has a configurable monitor port.]
All I have is a windows pc with a wireless router. I don't know about
"hubs" or "switches". Presumably the router is both a hub and a switch.
> Yep. That's what I've been trying to explain for the last 3 messages.
> Using DHCP to limit available IP's with a /25 netmask doesn't work.
As I said, and as you said, I need to bone up on the netmask!
>> Does netstumbler really provide the MAC addresses of the
>> client machines?
> No. Netstumbler is NOT a passive sniffer.
> I suggest using backtrack & kismet.
> That should show client MAC addresses
I think I'll set up a separate spare PC for that as it sounds interesting.
I also have Knoppix CDs so I might see if I can somehow use Knoppix with
Kismet.
> I often have the two routers
> connect to each other, thus forming a VPN tunnel,
> which makes my office and home network look like one big LAN.
> All the traffic is encrypted by the tunnel, so hotspot sniffing
> is useless.
> They run DD-WRT V23 SP2 and SP3 respectively. Try it:
>
I saw "Suzy", "micron", and "BLITZEN". :)
> Use some form of monitoring to determine what your network is
> doing and who is on it.
Got it. I'm working on that as noted above.
> You might want to read the FAQ for alt.internet.wireless.
> FAQ for Wireless Internet:
> FAQ for Wi-Fi:
> Wi-Fi How To:
> Fixes to Wi-Fi Problems:
Will do! Thanks!
I hope to learn more and more and more so I'll go quiet a while so I can
learn without troubling others!
Re: First time home wireless - how to match PC to router - setup question
on 18.06.2007 08:03:31 by Jeff Liebermann
Roger Harrison hath wroth:
>On Sun, 17 Jun 2007 19:47:58 -0700, Jeff Liebermann wrote:
>> if I have physical access, I can extract the key from the registry.
>Thanks to you, I am now better informed. I would assume this
>WPA2-Pre-shared-key can also be extracted with a "virus" or a "trojan" ...
>Is that correct?
Yes, I think they can. I don't know of any that do that, but it could
be done. I don't think that's the danger. Walking up to the computah
with a USB dongle and script, and extracting the registry keys, is all
that's required. I think I saw it being done in a busy coffee shop,
but I'm not sure. No keyboard entry required, just an autorun.inf
file and a VBS script.
>I'll spend more time making the WPA2-PSK key longer and harder to guess.
>I've been using all the funky characters and I will try to use at least 30
>characters each week.
John Navas posts this regularly to alt.internet.wireless on selection
of WPA keys.
>> Yep. That's what I've been trying to explain for the last 3 messages.
>> Using DHCP to limit available IP's with a /25 netmask doesn't work.
>As I said, and as you said, I need to bone up on the netmask!
Oops. I meant /24 network (256 IP's).
>> No. Netstumbler is NOT a passive sniffer.
>> I suggest using backtrack & kismet.
>> That should show client MAC addresses
>I think I'll set up a separate spare PC for that as it sounds interesting.
>I also have Knoppix CDs so I might see if I can somehow use Knoppix with
>Kismet.
Backtrack is based on Knoppix. If Knoppix works, then Backtrack
probably will also work. The difference is that the Backtrack CDROM
has all the nifty hacker tools already installed, working, and tested.
>> They run DD-WRT V23 SP2 and SP3 respectively. Try it:
>>
>I saw "Suzy", "micron", and "BLITZEN". :)
Suzy is a neighbor's laptop. The one labelled * is another laptop at
the same location, but that has no visible machine name. Micron is a
kid's desktop at a different neighbor. Blitzen is a customer's laptop
on my desk which is currently driving me insane. Note that the list
only includes clients that are issued DHCP addresses. If the client
uses a static IP address, it will NOT show up on the list.
Ooops. I forgot to disable listing of the full MAC address. (fixed).
>I hope to learn more and more and more so I'll go quiet a while so I can
>learn without troubling others!
Good luck.
--
Jeff Liebermann jeffl@cruzio.com
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
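
[Added example, not part of the thread and not any poster's code.] The post above notes that a router's DHCP client list omits hosts using a static IP address, and earlier that limiting the DHCP range is not a security feature. This sketch cross-checks the hosts actually seen on the LAN against the lease list and a list of known devices; the subnet, pool, MAC addresses, hostnames and table formats are all constructed assumptions.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")          # assumed home subnet
POOL = (ipaddress.ip_address("192.168.1.100"),        # assumed DHCP pool
        ipaddress.ip_address("192.168.1.110"))
KNOWN_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}  # constructed allowlist

# Constructed sample data: "MAC IP hostname" per lease, "IP MAC" per ARP entry.
DHCP_LEASES = """\
00:11:22:33:44:55 192.168.1.100 laptop-a
00:11:22:33:44:77 192.168.1.102 visitor
"""
ARP_TABLE = """\
192.168.1.100 00:11:22:33:44:55
192.168.1.102 00:11:22:33:44:77
192.168.1.23 00:11:22:33:44:66
192.168.1.200 00:AA:BB:CC:DD:EE
"""

def parse_leases(text):
    """Return {mac: (ip, hostname)} from the lease listing."""
    leases = {}
    for line in text.splitlines():
        if line.strip():
            mac, ip, name = line.split()
            leases[mac.lower()] = (ipaddress.ip_address(ip), name)
    return leases

def parse_arp(text):
    """Return [(ip, mac)] for every host actually seen on the wire."""
    return [(ipaddress.ip_address(ip), mac.lower())
            for ip, mac in (l.split() for l in text.splitlines() if l.strip())]

def audit(arp, leases, known=KNOWN_MACS, lan=LAN, pool=POOL):
    """Flag hosts the DHCP client list would miss or that are not on the allowlist."""
    findings = []
    for ip, mac in arp:
        if ip not in lan:
            continue  # not on this subnet, out of scope for the check
        reasons = []
        if mac not in leases:
            # A static address works anywhere in the /24, pool limits or not.
            where = "inside" if pool[0] <= ip <= pool[1] else "outside"
            reasons.append(f"static address {where} DHCP pool")
        if mac not in known:
            reasons.append("unknown MAC")
        if reasons:
            findings.append((str(ip), mac, reasons))
    return findings

if __name__ == "__main__":
    for ip, mac, reasons in audit(parse_arp(ARP_TABLE), parse_leases(DHCP_LEASES)):
        print(ip, mac, "; ".join(reasons))
```

The host at 192.168.1.200 is the case the lease list alone would never show: it holds no lease, sits outside the pool, and is still a working member of the /24.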