On our office network (Active Directory, DHCP, DNS etc.) we have three NETGEAR WN802T used as access points for laptops onto the network. These APs are secured using WPA-PSK with a long and complicated key, and they have had default SSIDs, passwords etc. changed. Looking through DHCP on the server I noticed two address leases from computers outside our domain.
Trying to narrow down the likely culprits, I wonder is it likely to be someone with access to the WPA key or is WPA still not secure enough to stop unauthorized access?
Question: Should WPA stop the DHCP server offering leases through the Access points?
On 13 Apr 2007 06:09:28 -0700, "Alister" wrote in :
WPA is still secure with a strong passphrase. Might they have been wired to your network?
Yes. Your passphrase might have been compromised, or those might be old leases. Suggest you clear the DHCP server, change your key (passphrase), and see what happens. And consider switching to RADIUS, thereby avoiding the problems of a shared key.
DHCP from the server acts quite differently than a DHCP in a wireless router. If the DHCP server were located in the wireless router, then a DHCP lease would NOT be issued to any random wireless client that has not successfully exchanged WPA encryption keys and survived authentication (802.1x). Therefore, you should not see any unusual or unauthorized wireless clients (if the DHCP server were on the wireless router).
However, your DHCP server is in the Windoze server (assumed 2003) and will issue DHCP leases to literally anything that plugs into the network. That can be laptops, PDAs, game machines, network printers, and just about anything that can play DHCP client. It also includes wireless clients, but only after they have exchanged WPA keys and authenticated.
Zero. It's something local on your network. Grab the MAC addresses from the log file and paste them into:
My guess(tm) is that you'll find that it's a printer manufacturer or something equally mundane.
Yes. WPA is your first, main, and best line of wireless security. If you're truly paranoid, and have a suitable Windoze Server 2003 or Linux server, then set up RADIUS authentication. That will give you a unique WPA key for each user and each session so that there's no chance that a shared WPA key leaks out to the world.
Incidentally, it's VERY easy for users to decrypt the WPA key on a client computer, making the security of such shared key systems rather lacking.
Short answer: yes. Better answer: DAGS on something like ["windows 2000 server" radius] and sort through 150K hits.
Lotsa good books on the subject. Mark Minasi's come to mind, for NT family server config. Mark even provided howto for setting up such a service before MS named it "RADIUS" for "Remote Authentication Dial-In User Service."
Except for quickie kludges, there's really no substitute for RTFM.
Easy. WPA encryption cannot easily be decrypted (key recovery) by sniffing traffic over the air. None of the techniques that work so well with WEP encryption will work with WPA. However, that doesn't secure the key from physical attack.
There are two basic types of WPA encryption. WPA-PSK and WPA-RADIUS. Over the air, they look identical. What's different is that WPA-PSK (pre-shared key) has a common static key for all users on the system. The key is inscribed into the access point or wireless router on initial installation and usually left in place forever. The key is also inscribed into all the client computers and saved in an encrypted form so that it allegedly cannot be recovered. Well, that is the basic idea, but as usual, the evil bad guys are very close behind the security curve. The WPA key is saved in the Windoze registry and can be recovered with WZCook and others:
If I can get my hands on just one of the wireless clients long enough to either extract the registry entries or run one of several WPA recovery programs, I will have the WPA key. Once I have the WPA key, it's quite easy to decrypt all the past captured traffic and perhaps browse the network looking for machines to compromise.
The key security problem is solved by using WPA-RADIUS. There is no common shared key with WPA-RADIUS. The WPA key is generated during the initial connection and the individual authorization and authentication ceremony. The key is unique for both the session and the user. It is also a maximum strength key (dependent on the random rubbish key generator in the RADIUS server). If one key is somehow leaked, it is useful only for decrypting the session in which it was used. It cannot be used to decrypt other users' traffic or re-used for a later session. In other words, WPA-RADIUS doesn't have the common key security problems of WPA-PSK.
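
The MAC address check suggested earlier in the thread, as an added example that is not part of any post: it pulls lease events for hosts outside the domain from a DHCP server log and prepares each MAC for a vendor (OUI) lookup. The column layout (ID,Date,Time,Description,IP Address,Host Name,MAC Address), the domain `corp.example` and every log line are assumptions constructed for illustration.

```python
import csv
import io
import string

# Constructed sample; assumed columns:
# ID,Date,Time,Description,IP Address,Host Name,MAC Address
SAMPLE_LOG = """\
10,04/12/07,09:14:02,Assign,192.168.1.50,laptop07.corp.example,001122AABBCC
11,04/12/07,10:30:41,Renew,192.168.1.50,laptop07.corp.example,001122AABBCC
10,04/12/07,21:47:19,Assign,192.168.1.77,UNKNOWN-PC,0A1B2C3D4E5F
10,04/13/07,02:05:33,Assign,192.168.1.78,,00DEADBEEF01
"""

LEASE_EVENTS = {"10", "11"}  # assumed IDs: 10 = new lease, 11 = renewal


def foreign_leases(log_text, domain):
    """Return one record per MAC whose lease hostname is outside `domain`."""
    suffix = "." + domain.lower()
    found = {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 7 or row[0].strip() not in LEASE_EVENTS:
            continue  # banner text, column header, or other event types
        host = row[5].strip().lower()
        mac = row[6].strip().upper().replace("-", "").replace(":", "")
        if host.endswith(suffix):
            continue  # machine reports a name inside the domain
        if len(mac) != 12 or any(c not in string.hexdigits for c in mac):
            continue  # not an Ethernet-style hardware address
        found[mac] = {  # later lines overwrite earlier ones: keeps last seen
            "mac": mac,
            "ip": row[4].strip(),
            "host": host or "(none)",
            "last_seen": row[1].strip() + " " + row[2].strip(),
            # The first three octets are the manufacturer prefix (OUI).
            "oui": "-".join((mac[0:2], mac[2:4], mac[4:6])),
            # Bit 0x02 of the first octet marks a locally administered
            # address: no vendor assigned it, so an OUI lookup says nothing.
            "locally_administered": bool(int(mac[:2], 16) & 0x02),
        }
    return list(found.values())


if __name__ == "__main__":
    for rec in foreign_leases(SAMPLE_LOG, "corp.example"):
        print(rec)
```

A record with `locally_administered` set to true points to a manually set or software-generated MAC rather than a printer or other appliance with a factory address.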