First time home wireless - how to match PC to router - setup question

[snip]

Unfortunately not. Anyone who would manage to break the other security features will surely know how to set an IP address manually.

To achieve what you want (no available addresses for an attacker), you'd have to think of subnetting. By narrowing your network address range with a smaller network mask, you could prevent more than 6 (sorry, 3 or 4 is not an option) stations from being on your network simultaneously.

By changing the mask from 255.255.255.0 to 255.255.255.248, and assuming a router address of 192.168.1.1, you would get the range 192.168.1.2 to 192.168.1.6, with 192.168.1.7 being your new broadcast address (which used to be 192.168.1.255).

Unless you already know subnetting (or find it easy), I'd rather recommend using an access-list to limit access. You mentioned Cisco earlier,

    ! extended numbered list (100-199): a standard list (1-99) takes a source address only
    access-list 100 permit ip host 192.168.1.1 any
    ! wildcard 0.0.0.1 on 192.168.1.2 matches 192.168.1.2 and 192.168.1.3
    access-list 100 permit ip 192.168.1.2 0.0.0.1 any
    ! broadcast address of the /29 as destination
    access-list 100 permit ip any host 192.168.1.7

will permit traffic from 192.168.1.1-192.168.1.3, and deny the rest. The last of the three lines allows broadcast traffic. Not sure if that's required.

- Eirik

Reply to
Eirik Seim
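The subnet arithmetic and the access list in Eirik's reply, worked through in Python as an added example (not code from the thread). It assumes nothing beyond the standard library ipaddress module; the function names subnet_summary, wildcard_matches and acl_permits are mine. wildcard_matches implements Cisco wildcard-mask semantics (a 0 bit must match, a 1 bit is "don't care"), which is why a permit entry for 192.168.1.2 0.0.0.1 covers .2 and .3, and the /29 summary reproduces the .1-.6 host range and .7 broadcast from his post.

```python
import ipaddress


def subnet_summary(router_ip: str, netmask: str) -> dict:
    """Network, usable host range, broadcast and host count for router_ip/netmask.

    Added example: uses only the standard library; nothing here is router code.
    """
    iface = ipaddress.ip_interface(f"{router_ip}/{netmask}")
    net = iface.network
    hosts = list(net.hosts())          # usable addresses, network/broadcast excluded
    return {
        "network": str(net.network_address),
        "prefix": net.prefixlen,
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "broadcast": str(net.broadcast_address),
        "usable_hosts": len(hosts),
        # one usable address is the router itself
        "clients_besides_router": len(hosts) - 1,
    }


def wildcard_matches(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: bits that are 0 in the wildcard must equal base."""
    a = int(ipaddress.ip_address(addr))
    b = int(ipaddress.ip_address(base))
    w = int(ipaddress.ip_address(wildcard))
    care = ~w & 0xFFFFFFFF             # bits the ACL entry actually compares
    return (a & care) == (b & care)


def acl_permits(addr: str, entries) -> bool:
    """Walk a list of (base, wildcard) permit entries; implicit deny at the end."""
    return any(wildcard_matches(addr, base, wc) for base, wc in entries)


if __name__ == "__main__":
    print(subnet_summary("192.168.1.1", "255.255.255.248"))
    # constructed ACL mirroring the permit lines above: host .1, then .2-.3
    acl = [("192.168.1.1", "0.0.0.0"), ("192.168.1.2", "0.0.0.1")]
    for a in ("192.168.1.1", "192.168.1.3", "192.168.1.4"):
        print(a, "permitted" if acl_permits(a, acl) else "denied")
```

Running it shows the /29 giving six usable addresses (.1 through .6, broadcast .7) against 254 for the default /24, and that a wildcard entry anchored at .0 rather than .2 would match .0 and .1 instead of the two client addresses.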

Julie Bove wrote in news:XV3bi.1310$ snipped-for-privacy@newssvr17.news.prodigy.net:

Not really, I hope. Where do you live? We could be driving by right now.(NOT)

Perhaps, but only if all three computers are left on all the time. Otherwise, if your other security settings don't stop unauthorized computers from connecting (and it should), that IP would be available for DHCP assignment.

Reply to
John Gray

How can someone set an IP address manually?

Reply to
Roger Harrison

On Sat, 16 Jun 2007 01:38:16 -0700, Roger Harrison wrote in :

Properties for the network connection.

Reply to
John Navas

Hmmm... I've never heard of "security" by limiting the available IP addresses ... so there MUST be a fatal flaw in my argument ... but here it is...

a. Assume the "bad guys" CAN change their IP address (a la John Navas' suggestion) ... but also assume the following conditions ...

b. The Wireless router is assigned to an "arbitrary" range, say the 3 IP addresses can be assigned to a limited contiguous range that the "bad guys" don't (yet) know (e.g., 192.168.145.128 to 192.168.145.130).

c. Assume that all three PCs are on the network so there are now zero available IP addresses.

My security question: How can the bad guy get in given those three assumptions above?

If we can't figure out how (and of course, if we can't do it ourselves), then we've just uncovered an heretofore unknown wireless security method that has never before been seen in print!

Reply to
Roger Harrison

Roger Harrison hath wroth:

They can. It's very easy to change the client's IP address manually. It's also very easy to change the client's MAC address. That makes it very easy to spoof any client that is only authenticated by its IP and MAC addresses.

IP addresses are NOT exposed in encrypted packets, so such security by obscurity will work if the link is encrypted. However, without encryption, the IP address range that's in use is easily extracted by sniffing.

You have two things going at the same time here. DHCP IP assignment and Netmask. One does not "assign" the router to an arbitrary range of IP's. It's done with Netmask using well known subnet masking rules. That limits the available IP's that can be used to connect to the router including blocking those that are manually assigned by the client.

The DHCP range must by necessity be within the available IP range of the Netmask. It can be smaller than the netmask range, but not larger. (It also shouldn't include the router LAN IP address and the broadcast address, as those can't be used by clients).

If you choose NOT to use Netmask, and leave it at the default /24, you'll have 254 available IP addresses to choose from. You can set the DHCP range for any smaller amount of IP's, and evil hackers like myself can easily select an IP address that is *OUTSIDE* of the DHCP range, and get a connection.

See above.

Do you really need instructions in how to determine the IP address in use and how to set up a static IP on the client? I'll make it easy. I walk up to a Windoze machine and run:

    Start -> Run -> cmd
    ipconfig
    ipconfig /all | find "Address"

I now have the IP addresses in use, the gateway IP, and the MAC address of the client. If I'm lazy, I just turn off the machine, and use the same MAC address and set up the same IP address on my machine. The DHCP server won't re-assign the IP to someone else because it will first ping the IP to see if it's in use.

You left out far too many conditions and considerations:

  1. Is the link encrypted?
  2. What's the LAN netmask?
  3. Where's the DHCP address pool?
  4. Is there a MAC address filter?
  5. Any 802.1x authentication? RADIUS authorization/authentication?
  6. Any secure tunnels (VPN)?

In my never humble opinion, the only real security available is WPA or WPA2 encryption. Even that has a problem in that shared keys can be extracted from the client machines. Therefore, WPA2-RADIUS, which does not use a shared key and delivers a unique key for the session, is best. All the tricks with MAC and IP filters are worthless as anyone with a clue can work around them. I'll pretend not to mention security by proprietary wireless protocols, which also has a fan club.

Reply to
Jeff Liebermann

Thank you for asking. I will try to faithfully answer the questions.

I'm not sure what that means. I'm not using VPN if that's what you're asking, but I am using standard WPA2-PSK authentication & AES data encryption as set up on the router and windows xp machine.

On the router, it is 255.255.255.0 and the router IP address is set to 192.168.100.100 and changed weekly.

I'm not sure what this means. On my Linksys router, there is a setting for "Maximum Number of DHCP Users" which I've set to "3". Is that the DHCP pool?

Yes. I currently have DEADBEEFCAFE, 0BADFEEDBEEF, & 00BADCODEFAD as my three MAC addresses on my windows computers and the MAC address filter in the router is set to only accept those three MAC addresses and they are changed weekly.

I do not have the "Enable IEEE 802.1x authentication for this network" set in the Windows network application for the wireless network. Neither do I have Radius for my home network. I just use WPA2-PSK.

No, I am not using VPN.

I am using WPA2-PSK so shared keys can be extracted, I guess.

Given this information, how can anyone connect to my network when the only three available DHCP addresses are in use by my three PCs?

Reply to
Roger Harrison

Roger Harrison hath wroth:

Then the IP addresses are NOT visible and cannot be sniffed over the air. Obscuring and limiting the IP addresses would be effective. However, as I pointed out, a physical attack on any client will extract a usable WPA key, which can then be used to decrypt a capture file, and thus extract the necessary IP addresses. In short, unless you have WPA2-RADIUS and very good physical control over the clients, IP address limiting is not going to do much.

So, you have 254 available IP addresses. Even if you limit the DHCP address pool to a very small number of IP addresses, a working IP address can be easily found and configured.

I presume that you also change the IP address of the default gateway weekly. I suppose that this security by moving target will mostly work because most evil hackers (like me) will not think that anyone would go through so much effort. Again, as I pointed out in my previous description, a physical attack on the client will extract the WPA2 shared key, which can then be used to decrypt the capture file, which will reveal the IP address selection of the week. I note that you do not mention changing the WPA shared key every week, so once the evil hacker has your WPA key, extracting the IP addresses is trivial and routine.

You might want to look at the available tools to see what can be (easily) accomplished.

Yes. It also should have a starting DHCP address, which is usually 192.168.1.100. So, with those settings, your DHCP address pool is .100 through .102. A client connecting with DHCP will get one of these 3 IP addresses. However, because you don't have the netmask on the LAN side set to something less than /24, an evil hacker (like me) can easily set their client computah to use any of the *OTHER* 251 IP addresses, which will work just fine.

Changed weekly? On both the client and on the router? Well, that's fine but completely useless, even with encryption. By necessity, all the MAC addresses are exposed in the 802.11 headers. They are not encrypted. A few seconds sniffing will reveal the MAC addresses in use. Ethereal, Wireshark, Kismet, and even Netstumbler will reveal all the MAC addresses in use. All I have to do is wait until one particular device is not being used, and I just borrow their MAC address.

Then you have a problem. I rarely attack a system directly. In this case, the weak link is the encrypted WPA key stored on the client computer. See WZCook:

for how it's done. I have a USB dongle setup to extract the necessary keys. It's a bit slower than I prefer, but it will do the job in about 10 seconds, most of which is plug-n-play taking forever to recognize the USB dongle.

That's the way you get real security. I know of several corporate LAN's that do not use any encryption on the wireless end. You can connect, but the gateway goes nowhere. If you want to enter the corporate LAN, it's through a VPN tunnel.

Correct. It's not a weakness if you have good physical control over the client machines. However, a bit of social engineering or subterfuge, and I've got the key. For the small number of machines you operate, it's fairly easy to replace the WPA shared key. However, for monster corporate WLAN systems, with huge number of clients, that's just not going to work. That's another reason why RADIUS authorization (passwords) and authentication (802.1x and EAP) are so nice. There's no shared key and the security is enhanced by it being random, messy, and unique.

Not anyone. Someone would need to know what you're doing for security, how it works, what you're doing to maintain it, and roughly what you have for hardware and firmware. For a casual hacker, just the encryption key will stop them due to lack of time. However, once they have the encryption key, the other security measures are little better than putting a "do not enter" sign on the door. It wouldn't stop even a beginner.

Let me offer some (free) advice.

  1. Your WPA key is your primary security. Do everything you can to protect it. All the other filters and obstacles are worthless and only cause complications. For example, how much work is it to add an additional user or laptop?
  2. If you can't run your own RADIUS server, then subscribe to an online RADIUS service. For example:

There are others, but it's late and I'm too lazy to dig through my mess of bookmarks.

  3. You didn't mention anything about logging. Putting a lock on the door doesn't buy you much if you don't check the lock regularly. That's what logging does. When something unusual appears on your network, you would want to know about it. For simple Linksys wireless, see AirSnare:
  4. If your wireless operations are only during business hours, set up a timer to disable the wireless during off hours. The evil hackers (like me) prefer operating under cover of darkness.

Reply to
Jeff Liebermann

By "physical", do you mean hands-on access to the router & the PC machine? If it matters, I also change my "pre-shared key" weekly (it's just a long string of gibberish which I ad hoc write down on paper and then set my machines to every Sunday).

Oh no! I did not realize that. I change both the router starting IP address and the router login address every Sunday. For example, I just changed to a starting IP address of 192.168.120.134 and I changed to a router login address of 192.168.200.134.

One question: Do I have to use 192.168.xxx.xxx? Can I use, for example, 123.123.123.123 as my router login address and, for example, 231.123.101.201 to 231.123.101.203 as my 3 available DHCP addresses?

Even so, what is the logic of the Linksys router question asking how many IP addresses I wish to limit it to while the netmask should have done that already? I'm confused because you say a netmask of 255.255.255.0 allows way more than 3 IP addresses.

Yes. And the MAC address & hostname of BOTH the router and the windows PCs because I read a good hacker can see both the router and the pc behind the router.

That's what started this whole thing actually. I learned I should change my pre-shared-key - and - while I was there, I figured I may as well change everything I could. I even changed all the beacon and interval numbers but then the router didn't work so I had to reset the router and go more slowly with the changes of everything I could.

I tried airsnare to see if I could find out who was connecting to me, which installed ethereal and winpcap, but I can't get it to capture anything yet, not even things on my own network. So I must be doing something wrong.

Oh. Should I use a different netmask to limit the "hidden" allowable IP addresses?

You know, since I am on winxp, I tried Network Stumbler (actually the hacked netcrumbler which allows connections at the same time) and all I see is the MAC address of my access point. I do NOT see the MAC address of any client machines. Does netstumbler really provide the MAC addresses of the client machines?

And, with Ethereal, when I say "Capture > Options > MyWirelessCard", and then "Capture > Start", all I get is a "Captured Packets" window that never captures anything.

I can't believe I'm (accidentally) so secure that Ethereal can't capture my packets nor Netstumbler will find my windows pc MAC address. So, I must be doing something wrong.

Oh no. I must research this radius thing. I am a home user. I thought Radius (whatever it is) was for office users. I must look this up. Thank you for the pointer.

I'm confused. I use VPN when connecting to my company but I thought VPN needed a client and a server. On a home network, if I used vpn, my PC would be the client but could the Linksys WRT54G router act as the server?

I'll keep this in mind and try to secure my pre-shared keys and change them more often and make them even longer now.

I'm still trying to get AirSnare to work. It gives an error which I'm trying to figure out.

Interesting. I never thought of that!

This is a WONDERFUL discussion! I very much appreciate your expert (super expert in fact) advice!

Reply to
Roger Harrison

Roger Harrison hath wroth:

Yes. If I can get my hands on the machine, I can extract enough information to enable me to connect to your network. Simple things like having the screen blanker demand a password will slow me down considerably. However, if I can boot the machine with my favorite cracker CDROM, I can bypass almost all the Windoze security features. There are plenty of Linux boot CDROM's (and floppies) that will mount an NTFS filesystem, and neatly extract the registry files. They can also edit the registry which includes changing the administrator password.

That's fine, but again, if I have physical access, I can extract the key from the registry.

There may be another problem here. If the WPA key is short enough that you can scribble it down, and pound it into several machines plus your router, it must be fairly short. Be advised that short pass phrases can be cracked by brute force. I believe that 20 characters minimum is considered best practices.

Also, be sure to hide or destroy the paper you scribbled down the pass phrase. My all time winning clueless customer would reassign passwords monthly, and then post the list on a bulletin board so that everyone was informed of the changes. It took a while to explain what was wrong with that procedure.

If you're going to do all that (not recommended) please read up on how netmask and IP subnets operate. There are numerous calculators online. You can't just pick an IP address at random. This looks acceptable:

The router IP address must be within the netmask IP address range or the client cannot connect. Most router firmware is smart enough to inform you that you might be unable to connect if you plant it outside the netmask range. However, some don't and you'll find yourself unable to access the router. Punching the reset button will recover, but you should save a settings backup file to make recovery easier.

The available RFC1918 IP addresses are:

    10.0.0.0 - 10.255.255.255 (10/8 prefix)
    172.16.0.0 - 172.31.255.255 (172.16/12 prefix)
    192.168.0.0 - 192.168.255.255 (192.168/16 prefix)

If you pick anything outside of these ranges, you run the risk of duplicating the address of some internet user or server. That's why these were reserved for your use. They don't route anywhere.

Some routers will demand that you use one of these, because they have preconfigured anti-spoofing filters with these addresses pre-configured. If someone tries to pretend that they're on your inside LAN, but is connected via the WAN (internet) port, these filters will stop them. If you pick something outside of the acceptable IP ranges, they won't.

No. Two problems. The first I explained in the previous paragraph on the use of RFC1918 non-routable IP addresses. The 2nd I explained a bit earlier in that the IP address of the router MUST be within the netmask range. If you use 123.123.123.123 as your router's IP address, then the DHCP range must be between 123.123.123.0 and 123.123.123.255 for the default netmask of 255.255.255.0.

254 usable IP addresses is a rather small sandbox to play inside if you have a large network. Running out of DHCP addresses to assign is a common problem. By limiting the number of assignable IP's in the pool, more devices can be accommodated. In other words, DHCP range limiting was never intended to be some kind of security feature.

Correct. It allows 253 IP addresses plus one for the IP address of the router plus another one is the broadcast address. All DHCP does is deliver a unique IP address, gateway, DNS servers, and a mess of other junk depending on system, to the client. If the client already has a static IP address, and knows the DNS servers and gateway IP, then they don't need anything from the DHCP server. Again, DHCP is NOT a security feature.

Sorta. By sniffing the internet traffic, I can watch the sequence numbers and deduce the number of clients hidden behind your NAT router. However, unless you've left open IP ports, or your router has a security problem, I cannot "see" anything behind your NAT router. Sniffing the WAN side traffic will NOT show any internal MAC or IP addresses as these appear as if everything were coming from the router's WAN IP and MAC address. Try it. Plant a hub (not a switch) between your router and your DSL or cable modem. Sniff with Wireshark or Ethereal. See any MAC's or IP's from the LAN side of the router? I hope not.

Chuckle. My domain is LearnByDestroying.com. Welcome to the club. I also like to change things to see what happens. Incidentally, when I worked in engineering many years ago, the drafting department gave me a "change everything" rubber stamp as a present.

As I said in my previous rant, your primary and probably sole real security feature is the WPA or WPA2 shared key. That should be the only thing of importance here. If that's compromised, I can work around all the other tricks you've mentioned.

If you did this on a Windoze machine, it won't work. The monitor or promiscuous modes are conspicuously absent in Windoze NDIS drivers. That's not a problem with Linux drivers, but you have to pick and choose your hardware carefully. There is a wireless Windoze workaround at:

However, if you used an ethernet port to do the sniffing, you should have been able to see packets from the entire network with Windoze.

Another common problem, especially with AirSnare is that users try to use an ethernet switch instead of a hub for sniffing. A switch will only show traffic coming or going to/from the port that the sniffer is plugged into. All other traffic never goes to this port. So, you see nothing. Either use a hub, which is really a repeater that repeats everything going into any port to all the other ports, or get a high end ethernet switch that has a configurable monitor port.

Yep. That's what I've been trying to explain for the last 3 messages. Using DHCP to limit available IP's with a /25 netmask doesn't work.

No. Netstumbler is NOT a passive sniffer. It's an active probe that sends probe request broadcasts to which only the access points respond. Netstumbler will not show clients. There are some kludges for Windoze that do this, but I prefer to use a Linux LiveCD. I suggest using:

Boot it and run kismet, which is a passive sniffer. That should show client MAC addresses (if you have a compatible wireless card).

I'm not going to try and troubleshoot Ethereal or Wireshark via newsgroup. See section 7 of the FAQ at:

I can't tell from here. I had plenty of trouble figuring out how to use Ethereal and then Wireshark. After you start capturing packets, your next headache will be filters or you'll be buried in too much data.

RADIUS usually is for office use. It has many advantages, but it's big and ugly. Too big for inclusion inside most cheapo routers. There are some that have built in RADIUS servers, but most do not. Most home users do not need the level of security you're attempting. Again, encryption is your primary security device. RADIUS offers a method of delivering unique encryption keys per session so you don't have to screw with fabricating a shared key, protecting it, and changing it erratically. In my opinion, you don't need it for home use. Just use the WPA key and keep it well protected.

I wasn't thinking of it like that. I actually do just that at one client's. The wireless network is unencrypted and looks wide open. However, to connect to the inside office network, you have to fire up an IPSec VPN client, which connects to a VPN gateway on the wireless LAN. It's quite secure.

You could do something like that if you really want. I do but for totally different reasons. I have a WRT54GS in both my palatial office and house. They run DD-WRT V23 SP2 and SP3 respectively. Try it:

Both have PPTP VPN clients and servers. I often have the two routers connect to each other, thus forming a VPN tunnel, which makes my office and home network look like one big LAN. Very handy for working at home. I also use the VPN PPTP termination for checking my email when I'm on a laptop at a public hotspot. All the traffic is encrypted by the tunnel, so hotspot sniffing is useless.

Incidentally, not all WRT54G routers can handle alternative Linux firmware. Look on the serial number tag and disclose the hardware revision number. See:

for details.

I'm not getting through to you. Leave the encryption key alone for a while. Change it every few months if you must. Forget about the other methods of security by obstacle course. They only get in the way. Use some form of monitoring to determine what your network is doing and who is on it.

You might want to read the FAQ for alt.internet.wireless.

FAQ for Wireless Internet:
FAQ for Wi-Fi:
Wi-Fi How To:
Fixes to Wi-Fi Problems:

Reply to
Jeff Liebermann
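The rules in this reply (router address inside the netmask range, DHCP pool inside that range and clear of the network, broadcast and router addresses, everything drawn from RFC 1918) as an added consistency check, not code from the thread or from any router's firmware. Its inputs are the Linksys-style "starting address" and "maximum number of DHCP users" mentioned earlier in the thread; the function names and the sample values are constructed. It also counts how many addresses a statically configured client could still pick, which is the point about the "other" addresses made above (the router's own address is excluded from that count).

```python
import ipaddress


def dhcp_pool(start_ip: str, max_users: int):
    """'Starting address' plus 'maximum DHCP users' -> (first, last) of the pool."""
    first = ipaddress.ip_address(start_ip)
    return first, first + (max_users - 1)


def check_lan_plan(router_ip: str, netmask: str, dhcp_start: str, max_users: int) -> list:
    """Problems a router would (or should) complain about; empty list means consistent.

    Added example; checks only what the thread states, using the stdlib ipaddress module.
    """
    problems = []
    router = ipaddress.ip_address(router_ip)
    net = ipaddress.ip_interface(f"{router_ip}/{netmask}").network
    reserved = (net.network_address, net.broadcast_address)

    # RFC 1918: 10/8, 172.16/12, 192.168/16 (ipaddress reports these as private)
    if not router.is_private:
        problems.append(f"router {router} is not an RFC 1918 address")
    if router in reserved:
        problems.append(f"router {router} is the network or broadcast address of {net}")

    first, last = dhcp_pool(dhcp_start, max_users)
    for label, addr in (("first", first), ("last", last)):
        if addr not in net:
            problems.append(f"DHCP pool {label} address {addr} is outside {net}")
        elif addr in reserved:
            problems.append(f"DHCP pool {label} address {addr} is the network or broadcast address")
        if not addr.is_private:
            problems.append(f"DHCP pool {label} address {addr} is not an RFC 1918 address")
    if first <= router <= last:
        problems.append(f"DHCP pool {first}-{last} hands out the router's own address {router}")
    return problems


def addresses_left_for_static_clients(router_ip: str, netmask: str, dhcp_start: str, max_users: int) -> int:
    """Usable addresses in the subnet that are neither the router nor inside the DHCP pool."""
    router = ipaddress.ip_address(router_ip)
    net = ipaddress.ip_interface(f"{router_ip}/{netmask}").network
    first, last = dhcp_pool(dhcp_start, max_users)
    return sum(1 for h in net.hosts() if h != router and not (first <= h <= last))


if __name__ == "__main__":
    # constructed plans: a sane /24, the 123/231 idea from the thread, and a /29 sized to the pool
    for plan in (("192.168.100.100", "255.255.255.0", "192.168.100.101", 3),
                 ("123.123.123.123", "255.255.255.0", "231.123.101.201", 3),
                 ("192.168.1.1", "255.255.255.248", "192.168.1.2", 5)):
        print(plan, check_lan_plan(*plan) or "OK",
              "left for static clients:", addresses_left_for_static_clients(*plan))
```

The /24 plan passes every check yet leaves 250 addresses for anyone who configures a static IP, which is the hole described above; the /29 sized so that the router plus the pool fill it leaves none, which is the subnetting approach from the start of the thread. Making the pool one address larger in the /29 puts its last address on the broadcast address and the check reports it.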

Thanks to you, I am now better informed. I would assume this WPA2-Pre-shared-key can also be extracted with a "virus" or a "trojan" ... Is that correct?

I just type away on the router to set the key and then write it down to bring to the PCs. These pre-shared keys are around 20 or 25 characters but I'll go longer from now on now that I know it's the holy grail.

Interesting. Very interesting. I think I'll rotate through these additional addresses in my Sunday changes. I'll read up on the netmask stuff as it seems to be the opposite of what I thought originally. Thanks.

I believe it!

I'll spend more time making the WPA2-PSK key longer and harder to guess. I've been using all the funky characters and I will try to use at least 30 characters each week.

I'll check this suggestion out as I am very interested in seeing my first packets ever!

All I have is a windows pc with a wireless router. I don't know about "hubs" or "switches". Presumably the router is both a hub and a switch.

As I said, and as you said, I need to bone up on the netmask!

I think I'll set up a separate spare PC for that as it sounds interesting. I also have Knoppix CDs so I might see if I can somehow use Knoppix with Kismet.

I saw "Suzy", "micron", and "BLITZEN". :)

Got it. I'm working on that as noted above.

Will do! Thanks!

I hope to learn more and more and more so I'll go quiet a while so I can learn without troubling others!

Reply to
Roger Harrison

Roger Harrison hath wroth:

Yes, I think they can. I don't know of any that do that, but it could be done. I don't think that's the danger. Walking up to the computah with a USB dongle and script, and extracting the registry keys, is all that's required. I think I saw it being done in a busy coffee shop, but I'm not sure. No keyboard entry required, just an autorun.inf file and a VBS script.

John Navas posts this regularly to alt.internet.wireless on selection of WPA keys.

Oops. I meant /24 network (256 IP's).

Backtrack is based on Knoppix. If Knoppix works, then Backtrack probably will also work. The difference is that the Backtrack CDROM has all the nifty hacker tools already installed, working, and tested.

Suzy is a neighbor's laptop. The one labelled * is another laptop at the same location, but that has no visible machine name. Micron is a kid's desktop at a different neighbor. Blitzen is a customer's laptop on my desk which is currently driving me insane. Note that the list only includes clients that are issued DHCP addresses. If the client uses a static IP address, it will NOT show up on the list.

Ooops. I forgot to disable listing of the full MAC address. (fixed).

Good luck.

Reply to
Jeff Liebermann
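Jeff's advice earlier about logging, and his note here that static-IP clients never appear in the router's DHCP client list, as an added monitoring example (not code from the thread): it cross-checks an ARP snapshot against an inventory of expected MACs and the DHCP lease list, flagging unknown MACs and known MACs answering at an address other than their lease, which is what a "borrowed" MAC looks like from the defender's side. The sample lease list, the ARP snapshot, the MAC values and the function names are all constructed; the MACs are modelled on the ones posted earlier in the thread but made valid hex.

```python
import re

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Constructed inventory: MAC -> (name, fixed address or None when it comes from DHCP).
INVENTORY = {
    "C0FFEE000001": ("router", "192.168.100.100"),
    "DEADBEEFCAFE": ("pc1", None),
    "0BADFEEDBEEF": ("pc2", None),
    "00BADC0DEFAD": ("pc3", None),
}

# Constructed DHCP lease list, one "<ip> <mac> <hostname>" entry per line.
DHCP_LEASES = """\
192.168.100.101 de:ad:be:ef:ca:fe pc1
192.168.100.102 0b:ad:fe:ed:be:ef pc2
192.168.100.103 00:ba:dc:0d:ef:ad pc3
"""

# Constructed ARP snapshot in 'arp -a' layout: pc2 is switched off, its MAC now
# answers at a static address outside the pool, and an unknown static host appeared.
ARP_SNAPSHOT = """\
Interface: 192.168.100.101 --- 0xb
  Internet Address      Physical Address      Type
  192.168.100.100       c0-ff-ee-00-00-01     dynamic
  192.168.100.101       de-ad-be-ef-ca-fe     dynamic
  192.168.100.103       00-ba-dc-0d-ef-ad     dynamic
  192.168.100.150       aa-bb-cc-dd-ee-ff     dynamic
  192.168.100.200       0b-ad-fe-ed-be-ef     dynamic
"""


def norm_mac(mac: str) -> str:
    """Canonical MAC: hex digits only, upper case, whatever separator the tool printed."""
    return re.sub(r"[^0-9A-Fa-f]", "", mac).upper()


def parse_ip_mac(text: str) -> dict:
    """Parse '<ip> <mac> ...' lines (lease list or 'arp -a' output) into {ip: MAC}; other lines are skipped."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and IP_RE.match(fields[0]):
            table[fields[0]] = norm_mac(fields[1])
    return table


def audit_clients(leases_text: str, arp_text: str, inventory: dict) -> list:
    """Compare who is answering on the LAN (ARP) with who should be (inventory + leases)."""
    leases = parse_ip_mac(leases_text)
    lease_ip_for_mac = {mac: ip for ip, mac in leases.items()}
    alerts = []
    for ip, mac in sorted(parse_ip_mac(arp_text).items()):
        if mac not in inventory:
            # a static client never appears in the DHCP list, so the inventory is the only reference
            alerts.append(f"unknown MAC {mac} at {ip}: not in inventory and not in the DHCP list")
            continue
        name, fixed_ip = inventory[mac]
        expected = fixed_ip or lease_ip_for_mac.get(mac)
        if expected != ip:
            alerts.append(f"inventory MAC {mac} ({name}) answering at {ip} but expected at {expected}: possible borrowed MAC")
    return alerts


if __name__ == "__main__":
    for alert in audit_clients(DHCP_LEASES, ARP_SNAPSHOT, INVENTORY):
        print("ALERT:", alert)
```

Run against the constructed snapshot it raises two alerts: the unknown MAC at .150 and pc2's MAC answering at .200 instead of its .102 lease. Feeding it a real lease list and a periodic arp -a capture is enough to get the "something unusual appeared" signal the advice above asks for, without relying on the DHCP pool as a security feature.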

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.