Wifi & security
Third parties have access to my wifi. I'm using a stock cheap dsl modem/router from the ISP.
My questions:
Can the wifi devices MitM the wired devices?
Is there a way to make it impossible for the mobile devices to be in the same subnet as the wired devices? What should I look for in the modem's web interface?
Can I sniff the wireless devices? (less important).
Comments
Most routers will show attached devices, wireless or wired.
Some routers will let you block access too.
Or you could not be stupid and apply a secure password or change your current one..
Most SpeedStream routers' default password has been cracked using a simple algorithm..
I know one MITM method for WiFi, which is done by taking down the AP using a deauth flood (or similar) until the router goes offline. And then creating a fake access point with the same name and broadcasting it, this AP won't have security and once you connect and open your browser to visit any site you will go to a fake security/login page asking for your WiFi password because of a recent upgrade/patch to your router, you have to be stupid to input your WiFi password but if you do, the attacker can see it and will then use it.
But that is not really an attack on the wired devices. More of an attack on the entire AP.
Internal subnet? Usually the numbering is done automatically and there is only one subnet (192.168.0.0/24 or 192.168.1.0/24 etc). If it's stock I'm pretty sure this is hardcoded but that depends on the make/model.
Yes, tools such as airodump-ng can sniff connected devices and their MAC addresses (also possible for attackers to spoof their MAC as a MAC connected to your router).
I would also check your router for a recent WPS flaw (if your router has WPS technology), whereby if the WPS PIN is guessed correctly (takes a few days depending on if your router does ratelimiting, etc) the WPA passphrase is given in plaintext to the attacker.
There is also a more recent attack called pixiedust which also exploits WPS but this is a much faster method if your router's network chipset is vulnerable (Ralink is the easiest and takes a few seconds, there is also Realtek and some Broadcoms).
Read more: http://www.wifislax.com/wps-pixie-dust-attack/
I gave the access, it's not a matter of hacked access. It's a matter of limited trust and knowing what the dangers are and how to protect.
Thank you for the detailed post! If I understand correctly, only MitM/sniffing to other wireless devices is possible and a wireless device can't MitM/sniff the wired traffic. I am fine with that (I don't log in to anything from the mobile devices anyway).
EDIT: Just realized I have utterly nothing useful to add to this post, don't mind me. Carry on
In that case, if you don't trust the person you're giving access to they shouldn't have access in the first place because anything they do online (bomb threats, pranks) will fall back on you.
There are levels of trust. I doubt an ISIS member is using my wifi
Yes, if they have the PSK of your (hopefully WPA2) encrypted wireless LAN. They can spoof ARP packets of your gateway and sniff the traffic.
Your device must support 2 SSIDs, one for you and one for your friends. Both need to configure a different network with no route between them (or blocked with iptables).
Yes, if you are "root" on your device, you can use tcpdump.
You can achieve this with OpenWRT. I use TP-Link TL-WR841N. It's really cheap.
If you don't trust your friends, you can force their traffic into a VPN tunnel or TOR.
For what it's worth, the AVM FRITZ!Box (did I do the capitalization right there?) lets you create two completely isolated access points, if I recall correctly - one for 'guests' and one for private users. I suspect there are more models from other vendors that can do this as well.
There are also many replacement firmwares for 20 dollar routers which can create separate APs with or without connection with the rest of the network, even VLANs.
I would, however, set up a separate AP to give access with carefully configured iptables on the main device to only allow access to the internet. Problem solved with 10 $ or even nothing at all, just look around for a discarded router.
Well, f*ck
Is there software I could have running 24/7 (e.g. on a wired Pi) to detect the ARP poisoning? If I detect it happening, I can kick everyone out without feeling bad about it.
Could use VPN.
Is this helpful/relevant (to separate subnets)?

Currently, I checked the wired and wireless and they are all on 192.168.1.x
You can use Snort or Suricata to detect and write you an email. You can also install a device with two network interfaces and bridge them together and filter evil ARP packets with ebtables.
But you want to buy a cheap TP-Link ;-) Don't trust provider's hardware...
I share my internet with my neighbors so I have 2 different subnets and firewall them off so neither can talk to each other and I run 2 different SSIDs (guest is limited to 20Mbps). One subnet is default via DHCP and the other is whitelist only. I prevent the use of static IPs with locking IPs to MAC addresses using ARP and any device not in the table gets no response from the router (DHCP server automatically adds the device to the table so no manual work needed).
Might be possible to separate your LAN and wifi but I think you want to access your own LAN devices from your wifi client.
Funny GUI that tells you have WLAN ports...
I don't
Tablet/mobile are for browsing the internet only, no local filesharing/remote desktops etc. What would my next step be?
You could use static ARP entry of your gateway on all your LAN devices. What OSes do you use?
@deadbeef I really recommend limiting the number of devices. For example, if you know you use 2 devices at the same time, you can limit your router to permit only 2 connections at the same time; in this case a third party cannot connect. Next, see what you have for security in the router menu.
Use coca cane to block/weaken wifi signal on certain direction.
That does not work as nobody can really predict reflections and what kind of antenna someone can use, besides, they have to get signal to connect to the internet.
Test until you get a position that works well
That's great, if it is possible to set this up, it solves my worries! My wired machines are Win 8.1, OSX and a Pi (Raspbian). I've been looking at the router's web ui, but I don't see anything that mentions arp
Status update:
I've set up "antidote" on the Pi to monitor for abnormal arp use and send the logs to papertrail.
Edit: Hits the CPU with 100%, stopped it.
Why? I don't want to be a dick and say "yes, here's the psk" and then slyly disable access while pretending I have no idea.
get yourself a Staminus DDoS protection because if they can't break in they will just flood your wifi and you will have a slow internet and your router will explode.
Please read the thread properly...
Update: After I realized "antidote" was turning the Pi to an egg boiler, I am using this Windows script: https://github.com/alan-reed/ARP-Defense/blob/master/defendAPR.bat to monitor the gateway arp entry.
I will try to port this on Linux and use it on the Pi. (A python script already exists, duhhhh)
Does monitoring the gateway cover me, or do I need to monitor each wired device as well?
One thing (among many) I don't understand, is why this script works. Doesn't the attacker have the ability to spoof his own mac address to be the same as the gateway's?
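The gateway-entry monitoring discussed in the last few posts, as an added example that is not part of the thread and is not the linked ARP-Defense script or "antidote": a low-CPU poller for a wired Linux host such as the Pi. It assumes the Linux `/proc/net/arp` table and a gateway MAC that was written down while the network was trusted; the function names, sample table and addresses are constructed for illustration.

```python
"""Poll the Linux ARP cache for signs of ARP poisoning (defensive monitor)."""
import sys
import time
from collections import defaultdict

ATF_COM = 0x02  # /proc/net/arp flag bit: entry is complete (MAC resolved)

# Constructed sample in /proc/net/arp format: 192.168.1.57 shows the same MAC
# as the gateway 192.168.1.1, which is what a poisoned cache looks like.
SAMPLE_POISONED = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         02:00:00:aa:bb:57     *        eth0
192.168.1.57     0x1         0x2         02:00:00:aa:bb:57     *        eth0
192.168.1.20     0x1         0x2         02:00:00:aa:bb:20     *        eth0
192.168.1.99     0x1         0x0         00:00:00:00:00:00     *        eth0
"""

def parse_arp_table(text):
    """Return {ip: mac} for complete entries, skipping the header row."""
    table = {}
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4 and int(fields[2], 16) & ATF_COM:
            table[fields[0]] = fields[3].lower()
    return table

def find_anomalies(table, gateway_ip, trusted_mac):
    """Check the cache against the gateway MAC recorded while it was trusted."""
    alerts = []
    seen = table.get(gateway_ip)
    if seen and seen != trusted_mac.lower():
        alerts.append(f"gateway {gateway_ip} is at {seen}, expected {trusted_mac.lower()}")
    by_mac = defaultdict(list)
    for ip, mac in table.items():
        by_mac[mac].append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:  # one MAC answering for several IPs
            alerts.append(f"{mac} claims several IPs: {', '.join(sorted(ips))}")
    return alerts

if __name__ == "__main__":  # usage: script.py <gateway_ip> <trusted_gateway_mac>
    gw_ip, gw_mac = sys.argv[1], sys.argv[2]
    while True:
        with open("/proc/net/arp") as fh:
            table = parse_arp_table(fh.read())
        for alert in find_anomalies(table, gw_ip, gw_mac):
            print(time.strftime("%Y-%m-%d %H:%M:%S"), "ARP ALERT:", alert, flush=True)
        time.sleep(5)  # sleep between polls keeps CPU use low on a Pi
```

The poller only sees the ARP cache of the machine it runs on, so each wired host that matters needs its own copy. A single MAC holding several IPs can also be a host that legitimately has more than one address, so treat that alert as a prompt to check rather than proof.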