- wireless router password security
- Posted by RS on May 7th, 2008
Hi all,
I don't know much about wireless security. I have a friend who uses a
Linksys WRT54G router connected to his cable modem so that an OS X
machine in a different room connects to the web using AirPort.
My understanding is that WRT54G is a very common router, so I am hoping
that someone here can help me with this. I have noticed that the airport
in OS X can see several connections (presumably from neighbors),
including the Linksys one. But while all other connections are password
protected, the connection to the Linksys is not, and this troubles me.
On the computer that is physically connected to the router, I have httpd
to 192.168.0.1 and I've noticed that there is a place to set the
password, however changing the password would not deny connections to
the OS X machine. The machine sees the Linksys router and doesn't even
ask for a password. It gets connected right away. So I am guessing that
the password is an administrative password, and not for connections.
Does the WRT54G model have a capability to be password protected? The
firmware has never been updated, how essential is that for password
capability or for security in general (How does one update the firmware
anyway?) Since this is a relatively old router, should a more up-to-date
one be purchased? If not, what is the best way to secure a connection
with this router?
Thanks very much,
RS
- Posted by Kyle T. Jones on May 7th, 2008
RS wrote:
Sure it does. Go back in the way you had (192.168.0.1), enter username
and password to access admin controls.
Then simply follow these directions:
http://www.howtodothings.com/compute...ng-wap-and-wep
Cheers.
- Posted by Sebastian G. on May 7th, 2008
Kyle T. Jones wrote:
But please omit the step about disabling SSID broadcast. It doesn't change
anything about the security, doesn't make your network invisible at all, but
surely creates a lot of trouble with your client accidentally trying to
connect to someone else's network.
- Posted by Kyle T. Jones on May 8th, 2008
Sebastian G. wrote:
Good point.
- Posted by bz on May 9th, 2008
"Kyle T. Jones" <Email@reallyrealdomain.net> wrote in
news:fvvj3k$a5m$1@aioe.org:
I don't follow the logic. Disabling SSID makes it more difficult for
someone to connect to my wireless router (WEP turned on also).
They will have to wait until I have a connection in progress and sniff that
to find the router's SSID. During the times when there is nothing
connected, the SSID is not broadcast, so they can't WAR DRIVE by my house
when I am not there and try to bust in.
Also, my laptop doesn't try to 'accidentally' connect to other networks.
It needs to know the SSID for my wireless router in order to establish
connection.
I don't tell my laptop wireless card to connect to any available access
point, so it isn't going to connect to anything unless I tell it to do so.
Clearly, there are things about wireless that I don't yet understand.
Perhaps someone can explain more clearly.
--
bz
please pardon my infinite ignorance, the set-of-things-I-do-not-know is an
infinite set.
bz+csm@ch100-5.chem.lsu.edu remove ch100-5 to avoid spam trap
- Posted by Sebastian G. on May 9th, 2008
bz wrote:
Actually it makes it easier for them to accidentally connect to your network
instead of another SSID-disabled network.
This would require cracking the encryption.
Bullshit. They can simply send packet to the router, which then replies with
packets. So they can create their own traffic required for the encryption
cracking attempt.
Argh, it seems like you really don't have a clue how things work. Hint:
Your laptop tries to connect to the other router on the MAC layer, tries to
establish an association, with the SSID, and fails. Now it connects to a
third router, tries the same, fails. Now it connects to the second router...
long story short, it can very easily happen that you'll never connect to the
right router at all, since you're intentionally suppressing the required
information for locating the right one.
OK, you can connect to (NAMELESS NETWORK), (NAMELESS NETWORK) or (NAMELESS
NETWORK). Now which one is it?
- Posted by bz on May 9th, 2008
"Sebastian G." <seppi@seppig.de> wrote in
news:68jrooF2t4jo8U1@mid.dfncis.de:
HOW? They need to know my router's SSID. It has an SSID, it just doesn't
broadcast it.
It DOES respond when my WiFi card says 'hey, (MyRouterSSID), I want to
connect to you', doesn't it?
If I understand stuff correctly, this stuff is loosely based on packet radio
technology.
In packet radio, I would send a transmission something like
Node#1 this is Node#2 k
then Node#1 would answer Node#2 this is Node#1 k
Node#2 would then go ahead and establish a link or send a command to node#1.
If Node#1 isn't busy but is available, it would periodically say something
like
CQ de Node#1 K
If Node#1 isn't broadcasting anything, I need to know its name to contact it,
(and the channel/frequency it listens on).
Agreed.
Please keep the language clean.
HOW do they send a packet to the router? They don't even know it is there.
It isn't broadcasting. It is sitting there listening for broadcasts addressed
to it. It does NOT respond to a transmission unless it is addressed to it.
I don't think there is a 'all routers please broadcast' command for IEEE
802.11, but I could be wrong. I know that such a command exists on wired
ethernet but would not expect it on wireless.
How? I thought their best bet was to monitor for a day or so and then crack
the WEP key from accumulated traffic.
That is why I asked. Because what you said does not match what I thought I
knew, I want to find out where my misunderstandings are.
I asked. Do you have a problem with helping people that ask you questions?
My laptop knows the SSID because I configured it to talk to (MyRouterSSID),
doesn't it?
Why would it try to connect to (YourRouterSSID)? It keeps sending
(MyRouterSSID) this is MyLaptopSSID please answer!
Doesn't it????
I am sorry to be so dense but it still doesn't make sense to me.
The router can run its beacon, saying 'This is MyRouterSSID' every 100 ms(or
other time interval, as configured) or it can sit there and just listen for
calls such as
(MyRouterSSID) this is (MyLaptopSSID), do you copy?
and respond to the calls.
One way [in my opinion] makes it easier for someone unauthorized to connect
to MyRouterSSID. But, I could be wrong [and you clearly think it makes it
HARDER for me to keep my computer from connecting to the wrong router, but I
don't understand why.]
I don't try to connect to (nameless network), I try to connect to
(MYROUTERSSID) and if I can't find (MYROUTERSSID) then I don't get a
connection unless there is a network with an SSID that I have previously
configured for connection.
I just tried an experiment. I turned off the SSID broadcast on my wireless
router (It was on).
I turned off my network card.
I started netstumbler and turned on my card. I could not see my wireless
router. (net stumbler prevents connection).
There were no broadcasts from the Wireless MAC address.
I shut down stumbler and cycled my WiFi card off and back on.
It established contact with my wireless router. It DID see a neighbor's OPEN
router that broadcasts its SSID the first time I powered it on and would have
connected, if I allowed it to do so, however I doubt it would connect to
anything that does NOT broadcast an SSID.
Unfortunately, I am not seeing any other wireless routers that are not
broadcasting SSID at this time so I can't be sure who is right.
My Dell network card manager sees only one (nonbroadcasting) in its
monitoring window.
When I run NetCrumbler (a patched version of Stumbler that does NOT interfere
with connections) I see my router just fine, along with 5 other named
routers.
But I don't see anyone else running with broadcast off (and am unlikely to do
so with these tools).
So, what is it that I am failing to understand about how these things work?
Are you assuming OPEN routers running with default SSIDs but with broadcast
turned off? I guess that if my router was named Linksys but had broadcast
turned off and there was another router named Linksys that also had broadcast
turned off, it would be easy to connect to the wrong one but operating with a
default router SSID or ANY as an SSID _would_ be kind of clueless.
Surely that is NOT what you are talking about, is it?
Thank you for your patience and for NOT using bad language.
--
bz
please pardon my infinite ignorance, the set-of-things-I-do-not-know is an
infinite set.
bz+nanae@ch100-5.chem.lsu.edu
- Posted by Sebastian G. on May 10th, 2008
bz wrote:
We're talking about MAC layer connections. First you connect on the MAC
layer, eventually guided by a known SSID, and then the connection partners
negotiate about the actual connection parameters.
It also responds to "hey, nameless router, let's setup an encrypted session.
If you can decrypt what I sent, and it shows your SSID, then we're partners.
If not, then let's try it again."
And the Node number is the MAC address combined with the channel number.
Hey, nameless routers on channel 7. Give me some random identifiers. Hey,
router SOME_RANDOM_IDENTIFIER on channel 7, let's try setting up a session.
And as such the SSID is obviously a public parameter. If you broadcast the
SSID, they would still have to crack the encryption to get access. If you
don't broadcast the SSID, well, then they have to break the encryption or
the currently nameless network, and if they were successful, they would also
immediately find the SSID. That is, the SSID would always end up with them
if they break it, and would be useless anyway if they don't break it.
And breaking it doesn't require the SSID.
They can clearly see how it sends beacon requests on a fixed channel with a
pseudo-unique identifier, and also with its MAC addressing.
It is. It just doesn't broadcast INVITE requests.
And you can address it either by its channel, its channel and a pseudo-unique
identifier delivered upon request, or by its MAC address.
There is.
Why not? After all it's an ISO/OSI stack protocol. Heck, it even has an
Ethernet emulation layer.
This is for association setup that only happens after you have negotiated on
the MAC layer. After all, how should this work? You can't identify which
router is yours (since it doesn't broadcast the SSID), and you're supposed
to choose to which one you want to talk to.
Well, then it would be broadcasting the SSID...
nameless router, I'm nameless laptop. Let's talk encrypted. encrypted("is
this your SSID?"). No, damn. OK, everyone, who is here? Ah you! Hello
nameless router... (and you wouldn't even notice that you're always talking
to the same).
And how would you find this one if you have disabled SSID broadcasting?
Right. But you may also not get a connection even if your router is among
these, since you're only trying to talk to the other ones. A wonderful way
to shoot yourself in the foot.
But you could see a SSID-less network, couldn't you?
Like your very own router? Hm?
Which might be yours, or someone else's.
Maybe you're living far away from civilization? Heck, just on my weekly
2-hour train+bus tour I can catch hundreds of networks.
I suggest adjusting the SSID to clarify the purpose of your network,
thereby exactly fulfilling its functionality, e.g. PRIVATE. And to make sure
to not duplicate any existing name of a nearby network. That is, your
network is clearly visible to both you and outsiders, but they should
understand that it's your private network, so you could hold them legally
responsible if they try to interfere with it. And you can clearly identify
it as yours.
- Posted by bz on May 11th, 2008
"Sebastian G." <seppi@seppig.de> wrote in
news:68kcijF2sbr7oU1@mid.dfncis.de:
Hmmm. From what I can gather from reading the IEEE 802.11 working doc
80.11 2007.pdf from the IEEE web site, neither one of us has been using
the right terminology. It looks like both my router and my laptop network
devices are STAs, one (the laptop) is an STA client, the other is an
AP (access point) STA. They can be 'associated' or 'disassociated'.
"Before a STA is allowed to send a data message via an AP, it shall first
become associated with the AP."
And they talk to each other over PHY (the physical layer).
"STAs may be hidden from each other".
"IEEE 802.11 is required to look like a wired network to higher layers."
It appears that the SSID is used as part of the associate request at the
MAC level.
It is going to take me a while to read through the 1232 pages of the
document.
Perhaps you can save me some trouble and tell me how my router STA is
supposed to respond to active probing (is that legal in this
jurisdiction?) when bulletin broadcasting is turned off and how the
wardriver even knows my STA is here. Assuming, of course, that the
wardriver passes when I am not using my network but my router is turned
on.
What is this called?
Hey, computer owner, I see the following access points. Which one do you
want me to establish an association with? [I do NOT see any of the SSIDs
that you have previously told me to talk to.]
And cracking the encryption takes either
1) collecting lots of encrypted transmissions [about a day's worth]
or
2) a very lucky guess. [would 'normally' take weeks of guesses to hit.]
Where do I find this in the specs?
Where do I find this in the specs?
If it isn't broadcasting, I would need to send a probe request on each
channel asking 'who hears me'? If it is broadcasting, all I need to do is
listen for a while [on all channels].
What is it called?
Yes but that should be at a higher layer, shouldn't it?
It should EMULATE not duplicate.
But I must admit that the specs are a bit confusing.
I would think that it knows its own ID and listens for calls addressed to
that ID, properly encrypted, on the proper channel. I would expect it to
ignore improper calls, those not addressed to it and those not properly
encrypted.
Yep. But broadcast can be turned off, and I have done so now.
Why not encrypted(MyRouterSSID) this is encrypted(MyLaptopSSID). Do you
copy??? Over (repeat until answer received or timeout period has expired,
then report: No (MyRouterSSID) heard. Here is a list of APs heard. Do you
want to talk to one of them?
.....
It is ALWAYS listening for proper calls. It just doesn't say
HEY any STA, this is (MyRouterSSID) listening for properly encrypted calls
on this channel. Go ahead.
I have not seen any such problem yet.
Now at my office, we have two wireless networks and IF I allow my laptop
to connect to ANY network AND if the secure net is down, my laptop will
talk to the insecure routers. But it is pretty easy to remove the
configuration for the insecure net from the list of permitted networks.
Then, if the secure net is down, I don't get any connection.
I could see MINE, after I established connection to it.
I did NOT see it by just listening.
I would need to fire up a computer that had not previously connected to my
router and see what it reports.
I just tried my SMC usb wireless adapter on my laptop but I seem to have
problems finding drivers.
So to test the idea I really need two AP STAs (non broadcasting) plus at
least one STA client.
I will check with our campus wireless experts and see what they say about
your idea.
It was mine.
They are broadcasting their SSID.
How would you know anything about those that don't?
I think that deliberately using someones wireless without their express
permission could be expensive. That is regardless of whether they have
taken any steps to secure their router.
As for getting caught... it happens. It may not be likely but it does
happen.
--
bz
please pardon my infinite ignorance, the set-of-things-I-do-not-know is an
infinite set.
bz+csm@ch100-5.chem.lsu.edu remove ch100-5 to avoid spam trap
- Posted by Sebastian G. on May 12th, 2008
bz wrote:
Even when it doesn't broadcast INVITE requests with the SSID, it still
broadcasts Beacon requests to notify its presence on the physical layer. It
also responds to Beacon notify requests.
Maybe you should simply try it. Turn off SSID broadcasting, change the
default channel to a very specific one, disconnect from the router, fire up
NetStumbler and you'll see a No-SSID network on exactly this channel.
Indeed. Since you have no way to tell the routers apart, you might always
connect to the wrong one. The same happens if you set it up to always try
them all. Same happens on every little interruption.
Dunno what you're talking about, but I only know WEP and WPA/WPAv2/IEEE
802.11i as the two major techniques. WEP can be broken within some minutes
of traffics, or bypassed (by creating a valid (IV, cipher stream) pair to
send, but not receive arbitrary packets) within few seconds. The traffic can
always be generated by sending out Beacon notification requests.
And IEEE 802.11i or its subsets known as WPA can at most be attacked via a
MITM attack on the association setup, which gives you about 30 minutes of
pure bruteforcing until the session key is forcefully renewed, and your
attempt would have to start over completely. Also, how exactly would you
bruteforce a random 256 bit key?
Dunno, the analysis documentation of AirCrack is much clearer to read.
Right.
To emulate Ethernet functionally you have to implement a functionally
identical MAC layer, which gives you the required demand for broadcasts.
Indeed, this is how one might have implemented it if the spec wouldn't
require Ethernet MAC layer compatibility.
So are the other APs. But you only know that you got the wrong one after
trying to decipher his reply. That's why you may permanently hit the wrong one.
Well, you cannot always be as lucky as I was. I bought a random No-Name
PCMCIA wlan card, which then turned out to be an AMD PCnet Wireless 800
model based upon the well-known Atheros chipset. You know, the one which was
used for the very first WEP hack.
No, about half of them don't.
See above. Beacon request.
Nonsense. In civil law, this is called reasonable expectation of use. If you
built a well near a street and some people would start drinking water from
it, you couldn't sue them (or at least not successfully). You'd be required
to install a sign "No drinking from well without permission", then you could
defend.
If my machine is asking your router to establish a connection and it
actually does, I can reasonably expect that this was the full intention of
its owner. Heck, if it even delivers matching IP addresses via DHCP, this
surely must be intentional. After all, if the owner didn't want this access
to be public, he would have configured it differently.
Now if somehow it would be likely that I'd notice his internet access has a
transfer limit, and intentionally utilize it much beyond this limit, I might
get into a little trouble. Unlikely, but possible.
If I were to crack a WEP "encryption", which definitely is a sign of
intended privacy, I would become responsible. Though at least in case of
WEP, I could successfully argue that the owner has been sloppy to allow such
a well-known broken protocol instead of resorting to secure variants (like
WPA) and therefore has to pay a certain share of his damage costs out of his
own pocket.
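The point argued across the May 10 and May 12 posts, that an access point with SSID broadcast disabled still emits beacon frames revealing its BSSID, channel and beacon interval, can be checked directly against the frame format. The parser below is an added example, not code from anyone in the thread. It constructs three minimal beacon frames (made-up BSSIDs, channel 7, with the fixed-parameter and information-element layout from IEEE 802.11) and parses them the way a passive scanner such as the ones bz mentions would, flagging both conventions for a "hidden" SSID: a zero-length SSID element and a null-filled one.

```python
"""Parse constructed IEEE 802.11 beacon frames and show what a passive
listener learns from an AP whose SSID broadcast is disabled.

Added example, not code from the thread. The frames are constructed for
illustration; BSSIDs and channels are made up.
"""
import struct

# Standard information element IDs from IEEE 802.11.
IE_SSID = 0
IE_DS_PARAMS = 3  # DS Parameter Set: carries the current channel


def build_beacon(bssid: bytes, ssid: bytes, channel: int, interval_tu: int = 100) -> bytes:
    """Construct a minimal beacon management frame (FCS omitted).

    Frame control 0x0080 (little-endian) = type management, subtype 8 (beacon).
    A "hidden" SSID is sent as a zero-length or null-filled SSID element.
    """
    frame_control = struct.pack("<H", 0x0080)
    duration = struct.pack("<H", 0)
    da = b"\xff" * 6                      # beacons go to the broadcast address
    header = frame_control + duration + da + bssid + bssid + struct.pack("<H", 0)
    # Fixed parameters: 8-byte timestamp, beacon interval (TU), capability info.
    fixed = struct.pack("<QHH", 0, interval_tu, 0x0411)
    ies = bytes([IE_SSID, len(ssid)]) + ssid
    ies += bytes([IE_DS_PARAMS, 1, channel])
    return header + fixed + ies


def parse_beacon(frame: bytes) -> dict:
    """Return the fields a passive sniffer reads from a single beacon."""
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype = (fc >> 2) & 0x3
    subtype = (fc >> 4) & 0xF
    if ftype != 0 or subtype != 8:
        raise ValueError("not a beacon frame")
    bssid = frame[16:22]                  # address 3 of the 24-byte MAC header
    _timestamp, interval, _caps = struct.unpack_from("<QHH", frame, 24)
    # Walk the tagged parameters: (element ID, length, body) triples.
    ies = {}
    offset = 36
    while offset + 2 <= len(frame):
        eid, elen = frame[offset], frame[offset + 1]
        body = frame[offset + 2: offset + 2 + elen]
        if len(body) != elen:
            raise ValueError("truncated information element")
        ies[eid] = body
        offset += 2 + elen
    ssid = ies.get(IE_SSID, b"")
    channel = ies[IE_DS_PARAMS][0] if IE_DS_PARAMS in ies else None
    return {
        "bssid": ":".join(f"{b:02x}" for b in bssid),
        "channel": channel,
        "beacon_interval_tu": interval,
        "ssid": ssid.decode("utf-8", "replace"),
        # Both hidden-SSID conventions: empty element or all-null bytes.
        "ssid_hidden": len(ssid) == 0 or all(b == 0 for b in ssid),
    }


def survey(frames) -> dict:
    """Group parsed beacons by BSSID, like a passive scanner's AP list."""
    result = {}
    for frame in frames:
        info = parse_beacon(frame)
        result[info["bssid"]] = info
    return result


# Constructed sample capture: one AP advertising "PRIVATE", two with SSID
# broadcast disabled (empty and null-filled variants), all on channel 7.
SAMPLE_FRAMES = [
    build_beacon(bytes.fromhex("001122334455"), b"PRIVATE", 7),
    build_beacon(bytes.fromhex("66778899aabb"), b"", 7),
    build_beacon(bytes.fromhex("ccddeeff0011"), b"\x00" * 7, 7),
]

if __name__ == "__main__":
    for bssid, info in survey(SAMPLE_FRAMES).items():
        label = "<hidden>" if info["ssid_hidden"] else info["ssid"]
        print(f"{bssid}  ch {info['channel']}  every {info['beacon_interval_tu']} TU  ssid={label}")
```

Running it lists all three access points with their BSSID and channel; only the name is missing for the two hidden ones, which is exactly the "No-SSID network on exactly this channel" that NetStumbler shows. Hiding the SSID therefore changes what a scanner displays, not whether the network is discoverable, and WPA2 with a strong passphrase is what actually keeps outsiders off the network.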