What exactly does SSL protect in a web site forum/mail?

Nope. You're thinking of UPnP (Universal Plug and Pray) which does exactly that. That's a real security risk, but is oh so convenient that it's difficult to resist. It also is required for some devices that only autoconfigure with UPnP.

What I was talking about above is the inconvenient detail that ethernet switches and all wi-fi is bridging. This means that every packet has to have a source and a destination. If the destination is on the other side of the bridge, the packet goes through. None of the other ports on the ethernet switch or the other side of a wi-fi bridge will see those packets. This is why you can generate a huge volume of traffic between two ports, and the other ports are unaffected.

So, let's pretend you have some interesting traffic going between two ports. The ports can be two ports on an ethernet switch, or two ports on a wireless bridge. If you plug a laptop (favored tool of network hackers) into a 3rd port on the switch, or set up a 3rd connection to the Wi-Fi access point, it will only see traffic intended for this 3rd port. None of the traffic (except broadcasts) going between the first two ports will be seen by the 3rd port and the sniffing laptop.

Note: These are the basics. Life gets really complexicated if I introduce a BRouter (bridge-router), VLAN (virtual local area network), wireless switch (dumb wi-fi access point and managed ethernet switch), and VPN (virtual private network).

Reply to
Jeff Liebermann

Read this

Reply to
Jeff Liebermann

I'm talking about all-singing all-dancing home router/WiFi/print-server appliances. No, the cracker can't just sit there and passively monitor passing traffic as he would on a hub. He will, however, be on your LAN and able to probe for interesting things like printers (or routers) with "admin" for the password.

It isn't a serious risk, though. All the Windows pcs on the LAN are already in a botnet and the bot-herders will defend them.

Reply to
John Hasler

The subject of my comment was unauthorized wired connections.

Reply to
John Hasler

I'm checking my new SSID & passphrase against rainbow tables right now.

Wikipedia: Rainbow table

Rainbow Tables: Your Password's Worst Nightmare

List of Rainbow Tables

Tutorial: Rainbow Tables and RainbowCrack

Reply to
Alice J.

Well, it normally doesn't run that fast. :-)

That command, or rather using the more secure /dev/random, can take days to fill up a hard disk.

Reply to
Carlos E. R.

How's this look to you for generating an 8-character password?

$ dd if=/dev/urandom bs=6 count=1 2> /dev/null | base64

Reply to
Alice J.
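The two things Alice is doing, generating a passphrase from raw random bytes and worrying about rainbow tables, are tied together by how WPA2-Personal derives its key. The added example below is not code from the thread; it reproduces the dd/base64 idea with Python's CSPRNG and then derives the WPA2 PMK the way IEEE 802.11 specifies (PBKDF2-HMAC-SHA1, 4096 iterations, salted with the SSID). The SSID-as-salt detail is the reason a precomputed table only covers the SSIDs it was built for. The wordlist, SSIDs and the "attacker's table" are constructed for the example; "password"/"IEEE" is the published 802.11 test vector.

```python
"""Random passphrase generation and WPA2 PMK derivation (added example)."""
import base64
import hashlib
import math
import secrets


def random_passphrase(nbytes: int = 6) -> str:
    """Equivalent of `dd if=/dev/urandom bs=6 count=1 | base64`, using the
    OS CSPRNG via `secrets`. 6 random bytes print as exactly 8 base64 chars."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def base64_len(nbytes: int) -> int:
    """Printed length (including any '=' padding) of nbytes in base64."""
    return 4 * math.ceil(nbytes / 3)


def entropy_bits(nbytes: int) -> int:
    """Guessing work is set by the random bytes (8 bits each), not the printed length."""
    return 8 * nbytes


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal PMK per IEEE 802.11: PBKDF2-HMAC-SHA1, salt = SSID,
    4096 iterations, 256-bit output. Passphrase must be 8..63 ASCII characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def precompute_table(ssid: str, wordlist) -> dict:
    """What a WPA 'rainbow table' really is: PMKs precomputed for ONE SSID over a
    wordlist. Because the SSID is the salt, it says nothing about other SSIDs."""
    return {wpa2_pmk(word, ssid): word for word in wordlist}


def table_lookup(table: dict, pmk: bytes):
    """Return the passphrase if this PMK was precomputed, else None."""
    return table.get(pmk)


if __name__ == "__main__":
    pw = random_passphrase(6)
    print(f"passphrase {pw!r}: {len(pw)} chars, {entropy_bits(6)} bits of entropy")
    # Published 802.11 test vector: "password" on SSID "IEEE".
    print("PMK(password, IEEE) =", wpa2_pmk("password", "IEEE").hex())
    # Constructed attacker table for a common default SSID.
    table = precompute_table("linksys", ["password", "letmein1", "trustno1"])
    print("hit on 'linksys':", table_lookup(table, wpa2_pmk("password", "linksys")))
    print("hit on unique SSID:", table_lookup(table, wpa2_pmk("password", "MyUniqueSSID")))
```

The second lookup misses even though the passphrase is in the wordlist, because the SSID changed the salt; a unique SSID forces an attacker who captured your 4-way handshake to do the PBKDF2 work from scratch, while a weak passphrase still falls to a dictionary run against that one SSID.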

...

I'm not surprised at that :-)

I only did a quick read, but I think that the program was intended as part of a method to obtain free internet service by illegally connecting to the cable and posing as some other neighbour whose MAC is valid - not something I'd be inclined to try >;-)

Reply to
Carlos E. R.

Why not just use pwgen?

NAME pwgen - generate pronounceable passwords

SYNOPSIS pwgen [ OPTION ] [ pw_length ] [ num_pw ]

DESCRIPTION

The pwgen program generates passwords which are designed to be easily memorized by humans, while being as secure as possible. Human-memorable passwords are never going to be as secure as completely random passwords. In particular, passwords generated by pwgen without the -s option should not be used in places where the password could be attacked via an off-line brute-force attack. On the other hand, completely randomly generated passwords have a tendency to be written down, and are subject to being compromised in that fashion.

The pwgen program is designed to be used both interactively, and in shell scripts. Hence, its default behavior differs depending on whether the standard output is a tty device or a pipe to another program. Used interactively, pwgen will display a screenful of passwords, allowing the user to pick a single password, and then quickly erase the screen. This prevents someone from being able to "shoulder surf" the user's chosen password.

When standard output (stdout) is not a tty, pwgen will only generate one password, as this tends to be much more convenient for shell scripts, and in order to be compatible with previous versions of this program.

With the -s option it will produce completely random unpronounceable passwords. That's what I use and of course I write them down as Bruce Schneier suggests.

Reply to
John Hasler

Well, that's a very abnormal part of the world, IMHO.

Where I live, there is a pair of homeless beggars sitting on the corner, most mornings. If I called the police, they would just laugh at me or say that they have the same right as me to be there. Which is true. And some of my neighbours are quite rich (but not me) ...

Anyway, let's change my phrase to "would you leave your car unlocked on any city centre?" :-p

Reply to
Carlos E. R.

I'm going to try this!

Do I understand the basics?

WPA with RADIUS is the most secure way to tie down a wireless LAN

  1. The access point requests the client's certificate, & then,
  2. The access point passes the client's certificate to a RADIUS server, & then
  3. The radius server checks the certificate & client access

The author suggests a Raspberry Pi for the Linux radius server, but, can we just use our Linux laptop instead?

Reply to
Alice J.

That's your inside traffic.

Reply to
Carlos E. R.

Maybe your router has client isolation enabled.

Reply to
Carlos E. R.

I had a router that sent all traffic to all sockets, even to the WiFi, if I remember correctly; it was some years ago and I no longer possess that unit. I could sniff it all with wireshark.

Reply to
Carlos E. R.

Sure. But it has to run full time, 24*7. IMHO, it is not worth it unless you use it for other "server" tasks, too.

Reply to
Carlos E. R.

At one time, I had the bright idea of setting up a SBC (single board computah) with Linux and FreeRadius, that sits next to the router. However, instead of having it store individual logins and passwords, I was going to let it accept a generic login name (user or something equally disgusting) and no password. In theory, it should work well in a coffee shop environment to prevent sniffing without having the barista involved in coaching users. I won't go into detail, but I decided that it wouldn't make me any money, so I dropped the idea. If all you want is to secure your network from sniffing, it should do the job.

Sorry, but my crystal ball is at the local sorcerers repair shop and cannot be used to read your mind at this time.

That's the authentication ceremony. Add the authorization part (login/password) to complete the procedure. Otherwise, methinks you have the basic idea. More: Also, please use WPA2, not WPA.

Sure. Actually, the laptop is easier to deal with. However, you'll probably want to leave the RADIUS server in place full time. Using a laptop for that might be a bit awkward, so a SBC, such as a Raspberry Pi 2B, might be more convenient.

Reply to
Jeff Liebermann
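Alice's three steps and Jeff's "authentication ceremony plus login/password" both ride on the same RADIUS exchange between the access point (the NAS) and the RADIUS server. The added example below, which is not code from the thread or from FreeRADIUS, builds that exchange per RFC 2865: an Access-Request carrying User-Name and a hidden User-Password, and an Access-Accept or Access-Reject whose Response Authenticator can only be produced by someone holding the shared secret and the request's authenticator. In WPA2-Enterprise the certificate exchange is carried inside EAP-Message attributes of these same packets; PAP is used here because it is the shortest form that shows what the shared secret protects. The secret, user database and identifiers are constructed for the example.

```python
"""RADIUS Access-Request / Access-Accept framing per RFC 2865 (added example)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2          # attribute types (RFC 2865 section 5)


def _attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attrs(blob: bytes) -> dict:
    """Type / Length / Value list -> {type: value}; rejects truncated attributes."""
    attrs, i = {}, 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute")
        attrs[atype] = blob[i + 2:i + alen]
        i += alen
    return attrs


def hide_password(secret: bytes, req_auth: bytes, password: bytes) -> bytes:
    """RFC 2865 5.2: password XORed with an MD5 keystream chained from
    secret + Request Authenticator, 16 octets at a time."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    pad = (-len(password)) % 16 if password else 16
    padded = password + b"\x00" * pad
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += prev
    return out


def unhide_password(secret: bytes, req_auth: bytes, hidden: bytes) -> bytes:
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")   # NUL padding removed; NULs in a password are not supported


def build_access_request(secret: bytes, ident: int, username: bytes,
                         password: bytes, req_auth: bytes = None) -> bytes:
    """NAS side: the Request Authenticator must be unpredictable and fresh per request."""
    req_auth = req_auth or os.urandom(16)
    attrs = _attr(USER_NAME, username) + _attr(USER_PASSWORD, hide_password(secret, req_auth, password))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def build_response(secret: bytes, code: int, ident: int, req_auth: bytes, attrs: bytes = b"") -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + req_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def radius_server(secret: bytes, users: dict, packet: bytes) -> bytes:
    """Minimal server: recover the password, answer Accept or Reject."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth, attrs = packet[4:20], parse_attrs(packet[20:length])
    user = attrs.get(USER_NAME, b"")
    pw = unhide_password(secret, req_auth, attrs.get(USER_PASSWORD, b""))
    ok = user in users and hmac.compare_digest(users[user], pw)
    return build_response(secret, ACCESS_ACCEPT if ok else ACCESS_REJECT, ident, req_auth)


def check_response(secret: bytes, req_auth: bytes, packet: bytes):
    """NAS side: return the response code only if the Response Authenticator
    proves the sender knew the shared secret and this request's authenticator."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + req_auth + attrs + secret).digest()
    if not hmac.compare_digest(expected, resp_auth):
        return None
    return header[0]


if __name__ == "__main__":
    secret, users = b"constructed-shared-secret", {b"alice": b"s3cret-pw"}   # constructed
    req = radius_req = build_access_request(secret, 7, b"alice", b"s3cret-pw")
    reply = radius_server(secret, users, req)
    print("server said:", check_response(secret, req[4:20], reply))   # 2 = Access-Accept
    forged = build_response(b"wrong-secret", ACCESS_ACCEPT, 7, req[4:20])
    print("forged accept verifies as:", check_response(secret, req[4:20], forged))   # None
```

Two practical consequences follow from the code: the shared secret is all that hides the password and authenticates the server's answer, so it should be long and random, not "testing123"; and the NAS must bind each reply to the Request Authenticator it sent, otherwise a replayed Access-Accept from an earlier session would be accepted.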

I understood that to be the intent, but my goal would be simply to see what a neighbor can see.

I wonder also how the cable company would react to seeing TWO exact same modem MAC addresses at two different locations.

It doesn't seem like it would work. It's too easy for the cable company to notice.

Reply to
Alice J.

Nope. While I do leave my car unlocked in my driveway, with my bluetooth speakerphone on the visor and my ipod in the unlocked glovebox, I would definitely lock up the car on a typical city street.

I'm looking up how to set up a RADIUS server as per Jeff Liebermann, but it seems like I need a dedicated linux server to do that (which could be a raspberry pi but I don't have one).

Does setting up WPA2 Enterprise at home *require* a dedicated Linux machine?

Reply to
Alice J.

But everyone said the *inside* traffic (i.e., connected to the router) was where the danger was?

Reply to
Alice J.

I don't think so. With a managed switch, you can set up a monitor port, that will monitor all the traffic on the backplane, but only to that one port, not all the others. Cisco calls it port monitor or SPAN.

My guess(tm) is that what you were doing was monitoring traffic on the router WAN port. That will show all IP packets with a destination address somewhere on the internet, which means that they have to go out the WAN port to some kind of modem, CSU/DSU, wireless bridge, or whatever gets you to your ISP. Monitoring the WAN port will show most of the packets floating around the LAN, but not all of them. For example, if you were running a local backup between two ports on the router, all the backup traffic would have a source and destination MAC address of these two ports. Since it's all local, the router WAN port would never see any of this traffic.

Monitoring WAN traffic on a consumer grade wireless router isn't going to work because the modem to router WAN port connection is not accessible. However, if you use separate modem and router boxes, this can be done with an ethernet tap. I have several in my tool kit for sniffing networks using Wireshark or Microsoft Network Monitor 3.4.

Reply to
Jeff Liebermann
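Jeff's two explanations, the one near the top of the thread about switches and wi-fi being bridges (a third port sees only broadcasts), and the one just above about SPAN ports and WAN-port taps, describe the same forwarding rules. The added example below is a toy learning-switch model written for this page, not code from the thread; it replays a handful of constructed frames (made-up MAC and IP addresses) and reports what a sniffer on a third port, a SPAN port, and a WAN tap would each capture. It also shows one detail the posts leave out: a unicast frame to a destination the switch has not learned yet is flooded like a broadcast, so the sniffer sees the very first frame between two hosts.

```python
"""Learning-switch, SPAN-port and WAN-tap visibility model (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple
import ipaddress

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    note: str = ""


@dataclass
class Switch:
    """Learning switch: forwards a known unicast destination to one port,
    floods broadcasts and unknown destinations to every other port."""
    num_ports: int
    span_port: Optional[int] = None                 # mirror port (Cisco SPAN); None = unmanaged switch
    mac_table: dict = field(default_factory=dict)   # MAC address -> port, learned from source MACs

    def forward(self, ingress: int, frame: Frame) -> Set[int]:
        self.mac_table[frame.src_mac] = ingress
        if frame.dst_mac == BROADCAST or frame.dst_mac not in self.mac_table:
            out = {p for p in range(self.num_ports) if p != ingress}   # flood
        else:
            out = {self.mac_table[frame.dst_mac]}                       # one port only
        if self.span_port is not None and self.span_port != ingress:
            out.add(self.span_port)                                     # mirror gets a copy
        return out


def sniff(switch: Switch, sniffer_port: int, traffic: List[Tuple[int, Frame]]) -> List[str]:
    """Replay (ingress port, frame) pairs and return the notes of the frames
    a sniffer plugged into sniffer_port would capture."""
    return [frame.note for port, frame in traffic if sniffer_port in switch.forward(port, frame)]


def wan_sees(lan_cidr: str, frames: List[Frame]) -> List[str]:
    """A tap on the router's WAN port only carries packets whose destination IP is off the LAN."""
    lan = ipaddress.ip_network(lan_cidr)
    return [f.note for f in frames if ipaddress.ip_address(f.dst_ip) not in lan]


# Constructed sample traffic (all addresses made up): host A on port 0, host B
# on port 1, the sniffing laptop on port 2, the router on port 3.
A, B, R = "00:11:22:aa:aa:aa", "00:11:22:bb:bb:bb", "00:11:22:cc:cc:cc"
TRAFFIC = [
    (3, Frame(R, BROADCAST, "192.168.1.1", "192.168.1.255", "router: ARP who-has 192.168.1.10")),
    (0, Frame(A, B, "192.168.1.10", "192.168.1.20", "A->B backup chunk 1 (before B is learned)")),
    (1, Frame(B, A, "192.168.1.20", "192.168.1.10", "B->A backup ack")),
    (0, Frame(A, B, "192.168.1.10", "192.168.1.20", "A->B backup chunk 2")),
    (0, Frame(A, R, "192.168.1.10", "203.0.113.5", "A->internet HTTPS")),
]

if __name__ == "__main__":
    print("unmanaged switch, laptop on port 2:", sniff(Switch(4), 2, TRAFFIC))
    print("SPAN mirrored to port 2:           ", sniff(Switch(4, span_port=2), 2, TRAFFIC))
    print("tap on router WAN port:            ", wan_sees("192.168.1.0/24", [f for _, f in TRAFFIC]))
```

On the unmanaged switch the laptop sees only the broadcast and the single flooded frame sent before B's address was learned; the SPAN port sees everything; the WAN tap sees the internet-bound packet and none of the local backup. A fresh Switch is needed for each run because the MAC table persists between frames, which is exactly the state an attacker tries to poison with MAC flooding.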
