People breaking into my wireless network.....

To get the accepted MAC addresses, you simply have to monitor the network passively until an accepted device associates with it.

 

MAC filtering is useless, as if someone has the capability to break WPA2 with AES encryption, then they are well beyond MAC filtering.

 

Keep in mind that the FBI spent a year trying to break AES encryption on a potential criminal's hard drive, and failed.

 

There is currently no known weakness in the encryption that allows an attacker to avoid brute forcing it. If you want to get someone's WPA2 key (assuming they didn't use something that a dictionary attack would work on), you would have to do something more elaborate, e.g., a rogue AP to get them to connect to the attacker's network, then find a way to infect their system (e.g., a malicious DNS server to direct users to a malicious site); then, after compromising their system, you copy the actual WPA2 key saved on their PC.

 

There are many roundabout ways of getting a WPA2 key, but the encryption itself has not been broken.

1 hour ago, Arokhantos said:

You can take it even a whole step further, but it's very annoying to set up.

Disable DHCP so IP addresses aren't given out automatically.

Change the default 192.168.1.1 IP range to something like 158.159.160.x, for example, and fill in IPs per device manually; this way, if they get in, they still have to guess the IP address too.

You can change the WiFi security to something else, but this also affects WiFi speed, not to mention some devices don't support every WiFi security because they are old.

 

Good point on the security. I discovered that with my PS3. I haven't used it in a year, and it would not connect because I generally use AES encryption. So I had to switch to both. Changing the router's IP address is a good idea; most people don't think of that. Some routers also have the ability to set broadcast strength. For example, my router uses a low, medium and high approach. If you get really good WiFi signal where you need it, you could try that. Make it where your WiFi is out of range.

I just want to sit back and watch the world burn. 

24 minutes ago, Ryan_Vickers said:

But I thought breaking the encryption would supposedly take hundreds of years?  Thus, you'd be left with the option of connecting normally, and this would not be possible without the right MAC address.  Or am I missing something...?

What do you mean by connecting normally?

Just now, .spider. said:

What do you mean by connecting normally?

type in the password (no hacking, just a normal, proper connection)

Solve your own audio issues  |  First Steps with RPi 3  |  Humidity & Condensation  |  Sleep & Hibernation  |  Overclocking RAM  |  Making Backups  |  Displays  |  4K / 8K / 16K / etc.  |  Do I need 80+ Platinum?

If you can read this you're using the wrong theme.  You can change it at the bottom.

1 minute ago, Ryan_Vickers said:

type in the password (no hacking, just a normal, proper connection)

Why care about MAC filtering then? The password is a way better protection than the MAC filter.

4 minutes ago, Donut417 said:

 

Good point on the security. 

Yes, if your attackers are bad script kiddies  

Transmit power and changing IPs don't really help if the attacker is able to connect to the network. Passive monitoring, or ARP spoofing, is enough to figure out the IP range being used.

 

If your neighbor got through your WPA2 and you used a strong random password, then you are looking at someone with more capabilities than even the NSA. I'm guessing they could have mined out the center of the planet and used the core to run a geothermal in order to power a planet sized super computer just to crack your WiFi password.

25 minutes ago, Ryan_Vickers said:

But I thought breaking the encryption would supposedly take hundreds of years?  Thus, you'd be left with the option of connecting normally, and this would not be possible without the right MAC address.  Or am I missing something...?

AES takes 100s of years to crack. TKIP, on the other hand, is not as secure. However, as stated above, older devices might not support AES. So most routers have a setting where you can use both AES and TKIP. All the encryption does is make it so traffic to/from the router and to/from the device can not be read. The password authorizes the device. MAC address filtering is where you can set up a page of trusted or not trusted MAC addresses, allowing or stopping access to the network. MAC addresses can be spoofed so other devices can act like an authorized device, which is why it's not used.

3 minutes ago, .spider. said:

Why care about MAC filtering then? The password is a way better protection than the MAC filter.

I know it is :D  But the OP's router keeps getting accessed despite his repeated password changes, so we're trying to think up additional ways to keep people out.  Would MAC filtering + the password be better (significantly better, not "just a tiny bit in theory") than just a password?

1 minute ago, Razor512 said:

Transmit power and changing IPs don't really help if the attacker is able to connect to the network. Passive monitoring, or ARP spoofing, is enough to figure out the IP range being used.

 

If your neighbor got through your WPA2 and you used a strong random password, then you are looking at someone with more capabilities than even the NSA. I'm guessing they could have mined out the center of the planet and used the core to run a geothermal in order to power a planet sized super computer just to crack your WiFi password.

That's the point of transmit power. If they can connect, the hope is that cutting the transmit power means they can't connect. Plus, if this guy is good enough to crack AES, then you might want to call the NSA, FBI or another set of three letters and report them (this is a joke for those without a sense of humor). I know here in Michigan it is a felony if you use someone's WiFi without permission. If you somehow figure out who's connecting, you might be able to press charges.

4 minutes ago, Donut417 said:

All the encryption does is make it so traffic to/from the router and to/from the device can not be read. The password authorizes the device. MAC address filtering is where you can set up a page of trusted or not trusted MAC addresses, allowing or stopping access to the network. MAC addresses can be spoofed so other devices can act like an authorized device, which is why it's not used.

Yes I knew all that.  What we were wondering is if, with MAC filtering enabled and the password/encryption enabled, if someone had the password but did not know any of the authorized MAC addresses, could they connect?  Wouldn't you have to spoof a valid MAC, which you would not know?

With a lower transmit power, you can simply use a better antenna, and a better LNA.

 

E.g., using a yagi antenna is a great way to get free WiFi from a distant AP.

 

When you transmit, you cannot control the range of that signal. With sensitive enough equipment.

4 minutes ago, Donut417 said:

AES takes 100s of years to crack. TKIP, on the other hand, is not as secure. However, as stated above, older devices might not support AES. So most routers have a setting where you can use both AES and TKIP. All the encryption does is make it so traffic to/from the router and to/from the device can not be read. The password authorizes the device. MAC address filtering is where you can set up a page of trusted or not trusted MAC addresses, allowing or stopping access to the network. MAC addresses can be spoofed so other devices can act like an authorized device, which is why it's not used.

What is your source for 100's of years? This paper shows AES-192bit in about 146 hours. With a decent GPU and the right software, it isn't impossible anymore, just improbable for the common black hat. No respectable cracker is going to waste a week just to get free wifi. 

13 minutes ago, Ryan_Vickers said:

I know it is :D  But the OPs router keeps getting accessed despite his repeated password changes, so we're trying to think up additional ways to keep people out.  Would MAC filtering + the password be better (significantly better, not "just a tiny bit in theory") than just a password?

No, and I don't think someone is accessing his network via WiFi.

To me it is more likely that someone accessed the router via WAN and abused it as a VPN exit or something similar.

Thus I said he should change the router's password.

It is also possible to run a port scan on your own router to check if it replies, but doing so could be illegal depending on local law.

2 minutes ago, .spider. said:

No, and I don't think someone is accessing his network via WiFi.

To me it is more likely that someone accessed the router via WAN and abused it as a VPN exit or something similar.

He said he found phones he didn't recognize listed in the windows network devices window.  I think it is wifi :)

2 minutes ago, .spider. said:

Thus I said he should change the router's password.

He's apparently done that repeatedly to no avail.  Next step?

3 minutes ago, .spider. said:

It is also possible to run a port scan on your own router to check if it replies, but doing so could be illegal depending on local law.

Illegal to scan your own device with itself?  That country's due for a revolution... :P

10 minutes ago, Ryan_Vickers said:

He said he found phones he didn't recognize listed in the windows network devices window.  I think it is wifi :)

He's apparently done that repeatedly to no avail.  Next step?

Illegal to scan your own device with itself?  That country's due for a revolution... :P

And it isn't possible that there are phones in the other network which is connected via VPN?

 

Didn't he always say WiFi password instead of router password?

It is legal to scan and compromise your own devices if you want.

 

If an attacker is repeatedly getting into the network, assuming you are using a properly strong password, then there is likely another security hole.

 

 

Example of a weak password: Thisisaweakpassword

2: evilsquirrelstakingoverthemoon

 

Strong password: 7pVVp8$du:Uz>FKIp9(76,MZv;qktX#zt2Kld{vq!6n<J,w/-7[DIyAX)0C{^s;

 

2: BmvC7qNVZtfF6WmkeehAVgLHjIWGIqoqNdy28ahkfByZvAl9MZ4t9W6ScJ5btdc

 

The key is to push an attacker into having to do a brute force, and not any kind of dictionary attack (which includes word combinations, character-symbol replacements, and numbers at the beginning and end). Those can be done at a massively high rate.

 

For my WiFi, I combine portions of randomly generated passwords that are not designed to be remembered.

 

For devices where it is a pain to use long and complex passwords, then make sure they connect to a guest network, that uses at least a strong alphanumeric random password 16 characters or longer.

 

 

Edit: if the VPN server in a router is compromised then keep it disabled if it doesn't allow you to generate a new certificate.

 

PPTP VPNs are not very secure, but as for OpenVPN, it has not been cracked yet, and thus is still safe, assuming no one ever gets a hold of the certificate that you distribute to the client devices.

 

If you must use VPN, I recommend using ones where each client gets a unique certificate, e.g., with Untangle. That way, if a client is ever compromised, you can revoke the old certificate and issue a new one.
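As an added example (not from any poster in this thread), a small Python check that scores a WPA2 passphrase the way the post above frames it: a passphrase that segments into dictionary words falls into word-combination attack territory, while anything else forces a brute force over the full character set; it also checks the 802.11 passphrase rule (8 to 63 printable ASCII characters) and generates the 16-character alphanumeric guest-network passphrase suggested above. The wordlist is a tiny constructed one for illustration; a real check would load a large list.

```python
import math
import secrets
import string

# Constructed mini-wordlist for illustration only; a real check loads a large list.
WORDLIST = {"this", "is", "a", "weak", "password", "evil", "squirrel",
            "squirrels", "taking", "over", "the", "moon"}

# 802.11 WPA/WPA2 passphrases are 8..63 printable ASCII characters.
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")


def segment_words(pw, wordlist=WORDLIST):
    """Fewest dictionary words covering all of pw, or None if no full
    segmentation exists (so a word-combination attack would not find it)."""
    s = pw.lower()
    best = [None] * (len(s) + 1)
    best[0] = []
    for end in range(1, len(s) + 1):
        for start in range(end):
            if best[start] is not None and s[start:end] in wordlist:
                cand = best[start] + [s[start:end]]
                if best[end] is None or len(cand) < len(best[end]):
                    best[end] = cand
    return best[len(s)]


def charset_size(pw):
    """Size of the smallest standard character set that covers pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 symbols
    return size


def effective_entropy_bits(pw, wordlist=WORDLIST):
    """(bits, attack class): word-combination passwords are scored as words
    drawn from the list; everything else as a brute force over its charset."""
    words = segment_words(pw, wordlist)
    if words is not None:
        return len(words) * math.log2(len(wordlist)), "dictionary words"
    return len(pw) * math.log2(charset_size(pw)), "brute force"


def wpa2_passphrase_ok(pw):
    """Length and character-set rules for a WPA2-PSK passphrase."""
    return 8 <= len(pw) <= 63 and all(c in PRINTABLE for c in pw)


def generate_passphrase(length=63, alphanumeric=False):
    """Random passphrase from the OS CSPRNG; alphanumeric=True suits devices
    that choke on symbols (the guest-network case above)."""
    alphabet = string.ascii_letters + string.digits
    if not alphanumeric:
        alphabet += string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

Both 63-character passwords from the post above pass wpa2_passphrase_ok and cannot be segmented, while the two weak ones segment completely with the mini-wordlist.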

2 minutes ago, .spider. said:

And it isn't possible that there are phones in the other network which is connected via VPN?

I'm not sure, we'd need input from OP I guess.

3 minutes ago, .spider. said:

Didn't he always say WiFi password instead of router password?

To my knowledge, there are two passwords - the "wifi" password, used to connect, and the "settings" password, which lets you change settings on the router (once connected).  I assume this whole time we've all only been talking about the wifi password since that should be the first line of defence.  yes?

misread... nothing to see here :ph34r:

Edited by Ryan_Vickers

3 minutes ago, Razor512 said:

It is legal to scan and compromise your own devices if you want.

 

Not everywhere

8 minutes ago, Ryan_Vickers said:

That's the stupidest thing I've ever heard.  What place has that law?  More importantly, who knows, cares, or has had it enforced on them ever?

It is commonly done in the US, UK, AU, RU, and almost every other major country (not sure about North Korea though). You are allowed to audit your own security. You are just not allowed to audit the security of anyone else without their permission.

 

In fact, some YouTubers make a living from showing users how to do basic audits of their own networks.

 

 

https://www.youtube.com/playlist?list=PLW5y1tjAOzI1benBAgqAbMExp5dWkQLgO

 

 

https://www.youtube.com/playlist?list=PLW5y1tjAOzI3n4KRN_ic8N8Qv_ss_dh_F

 

When you compromise your own stuff, it is considered a form of auditing, and pretty much every corporation will do it to ensure their security is working properly.

 

I have not seen a single country that made it illegal to do so. The only one that I am not sure of is North Korea, because they are not big on communicating with the rest of the world.

1 minute ago, Razor512 said:

You are allowed to audit your own security. You are just not allowed to audit the security of anyone else without their permission.

 

Well that makes perfect sense, but then how would testing one's own router fall under the latter?

12 minutes ago, Ryan_Vickers said:

Well that makes perfect sense, but then how would testing one's own router fall under the latter?

Same as with any business: after configuring their network, they will test it to ensure that the security measures are functioning properly. You will not find a single company on the planet that would skip this step.

It is how most vulnerabilities are discovered; no one likes to wait until a criminal breaches their network and causes millions of dollars in damages in order to determine if a firewall is configured properly.

 

In the past, older DSL gateways (e.g., the Actiontec GT701WG and GT704WG, as well as a number of Westell gateways issued by Comcast and Qwest) had a telnet interface accessible on the WAN side, and it accepted the factory default password.

 

After many complaints, Verizon decided to come up with a new firmware, which used a randomly generated password for the remote access interface on port 4567.

 

For users to confirm that their router was at risk, they had to try telnetting into their own DSL gateway from the WAN side and issue a root-level command to determine the extent of the vulnerability.

 

If they had waited until malicious use of it was widespread, there would have been a massive amount of harm done, as it allowed the DNS servers to be changed remotely, or additional software to be installed; no one was arrested for reporting it.

 

When you buy security equipment, there is an expectation that you will audit it.

2 minutes ago, Razor512 said:

*snip*

I just realized I misread your comment... it got shuffled in with the original comment about it not being legal to test your own stuff.  I thought you said " It is illegal to scan and compromise your own devices if you want. " never mind! :) 
