# Wifi security



## tOsYZYny (Mar 27, 2022)

I recently noticed some suspicious activity in my DHCP server logs, and that prompted me to change my SSID and passphrase.  The suspicious activity was a client I don't have any record of requesting a DHCP lease over the course of a few days, first at a brute-force rate, then at a more calculated rate.  So, it would appear that someone at the other end wised up.  I checked all of my known hardware and didn't find anything.

My network is set up with static DHCP, and each client belongs to a particular group or zone that dictates what traffic it can send / receive both internally (to the router / gateway) and externally.

While I do have an older wifi router, I am running WPA2, and my passphrase (at the time) was 16 characters of pseudo-random bits.  Even if they captured the 4-way handshake, I would think 16 characters of pseudo-random bits would take quite a bit of time to crack.  Now it is much longer; I'd prefer not to say ...

Would WIFI EAP (with a client / server certificate) be significantly more secure than a single passphrase?

What do you do for network security?  How much would a more modern router help?  While it'd be cool to have an IDS / IPS, I also don't want to go too far down the rabbit hole of setting up antennas around my perimeter capturing network traffic with a rolling window and saving a snapshot if/when something suspicious is detected ...


----------



## Phishfry (Mar 27, 2022)

I decrease the rekey rate (in seconds) from the default of 3600. You would need a very stout computer to crack that fast.
/etc/hostapd/hostapd.conf

```
wpa_ptk_rekey=600
```

It does make the logs rather messy.


----------



## tOsYZYny (Mar 27, 2022)

Basic Wireless Settings - DD-WRT Wiki (wiki.dd-wrt.com)

I need to do more reading, but my understanding was that the 4-way handshake is what is needed to determine the WPA passphrase, right?  What I mean is that I thought tools such as aircrack-ng / kismet would deauth a client in order to capture the 4-way handshake.  That could easily be done in under 10 minutes (provided the attacker was well within range).

Then, with the 4-way handshake, you would effectively compare hashes of possible passwords with what was captured, hoping for a match.  If someone wants to get in, they'd have to pay a price; cracking a 16-character password on a single machine would be time-expensive.  I would be led to believe that they'd have to use a cluster (online service).

Now, I think the key renewal is this: once a client is authenticated, that session uses a key which is part of that 4-way handshake.  Yes, I would think that is much more difficult to crack than if you deauth the client, because you're completely reliant on network traffic rather than forcing the client to do what you want at the expense of potentially being caught.  I doubt most people would catch this; even I don't have any way to monitor this.  Do you turn off your wireless devices at night?

I am not logging at that level presently to see if clients were deauthed, but that would go hand-in-hand with setting up antennas capturing traffic ...


----------



## Phishfry (Mar 27, 2022)

tOsYZYny said:


> While I do have an older wifi router, I am running WPA2 and my passphrase


I really don't care for store-bought wireless access points. I use FreeBSD, which is very flexible.
I used to run my cards in debug mode for max wattage, and then I thought about it.
Do you really want to blast the neighborhood at max power for anybody to intercept?
So output power should be taken into account for your desired coverage.


----------



## Phishfry (Mar 27, 2022)

tOsYZYny said:


> do you turn off your wireless devices at night?


No. I do use NanoBSD for my APU2 WAP, so it should be even more difficult, being a read-only SD and memdisk for /var.


----------



## Phishfry (Mar 27, 2022)

tOsYZYny said:


> Would WIFI EAP (with a client / server certificate) be significantly more secure than a single passphrase?


Absolutely.  It takes some additional work, as a RADIUS server is needed.
Maybe one day I will find the time to set it up.


----------



## tOsYZYny (Mar 27, 2022)

What wireless card do you use in AP-mode?  I recently used an Asus PCEAC88, but had to use Alpine Linux to use it effectively.



Phishfry said:


> No. I do use NanoBSD for my APU2 WAP, so it should be even more difficult, being a read-only SD and memdisk for /var.


That is physical access ...

If devices are connected at night then the cracker could deauth the clients they want at night without anyone noticing.



Phishfry said:


> So output power should be taken into account for your desired coverage.


True, we have to balance having an accessible and convenient network with one that is secure.  There is some expectation that a wifi network should be accessible throughout the home (and a little bit outdoors), but not all the way down the street.


----------



## Phishfry (Mar 27, 2022)

Mikrotik MiniPCIe module, 5 GHz

```
ath0@pci0:4:0:0:    class=0x028000 card=0xd01419b6 chip=0x0033168c rev=0x01 hdr=0x00
    vendor     = 'Qualcomm Atheros'
    device     = 'AR958x 802.11abgn Wireless Network Adapter'
    class      = network
```


----------



## tOsYZYny (Dec 31, 2022)

I now also run a nightly job that checks my logs for unauthorized DHCP activity.  I am in the process of setting up ELK, and once that is done, I will set up an alert in Kibana, which should happen in near real-time.  I would also like to have an additional check in which an nmap scan is performed, ARP records are checked for any changes, and so on.
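An added example of the kind of nightly check described above (this is not the poster's own script). It assumes ISC dhcpd-style syslog lines and uses a constructed allowlist standing in for the static DHCP table; every MAC not in the table is reported with its request count, first/last sighting and whether its requests arrived in a burst, which is the pattern the thread opened with.

```python
import re
from collections import defaultdict
from datetime import datetime

# Allowlist standing in for the static DHCP table (constructed, not the poster's data).
KNOWN_MACS = {"3c:22:fb:01:02:03", "b8:27:eb:aa:bb:cc"}
FMT = "%b %d %H:%M:%S"

# ISC dhcpd-style syslog lines (constructed sample input). The unknown MAC hammers
# the server once a second, then comes back later at a slower pace.
SAMPLE_LOG = """\
Mar 25 02:14:07 gw dhcpd[911]: DHCPDISCOVER from 3c:22:fb:01:02:03 via igb1
Mar 25 02:14:08 gw dhcpd[911]: DHCPREQUEST for 192.168.10.20 from 3c:22:fb:01:02:03 via igb1
Mar 25 02:31:40 gw dhcpd[911]: DHCPDISCOVER from 0e:91:5a:7c:de:01 via igb1: network 192.168.10.0/24: no free leases
Mar 25 02:31:41 gw dhcpd[911]: DHCPDISCOVER from 0e:91:5a:7c:de:01 via igb1: network 192.168.10.0/24: no free leases
Mar 25 02:31:42 gw dhcpd[911]: DHCPDISCOVER from 0e:91:5a:7c:de:01 via igb1: network 192.168.10.0/24: no free leases
Mar 25 02:31:43 gw dhcpd[911]: DHCPDISCOVER from 0e:91:5a:7c:de:01 via igb1: network 192.168.10.0/24: no free leases
Mar 25 03:10:05 gw dhcpd[911]: DHCPDISCOVER from 0e:91:5a:7c:de:01 via igb1: network 192.168.10.0/24: no free leases
"""

# Timestamp, message type and client MAC of DISCOVER/REQUEST lines only.
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ dhcpd\[\d+\]: "
    r"(DHCPDISCOVER|DHCPREQUEST)\b.*?\bfrom ([0-9a-fA-F:]{17})"
)


def audit_dhcp(log_text, known_macs, window=60, burst_threshold=3):
    """Summarise DHCP requests from every MAC that is not in the static table."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            # syslog carries no year, so timestamps are only comparable within one file
            seen[m.group(3).lower()].append(datetime.strptime(m.group(1), FMT))
    findings = {}
    for mac, times in seen.items():
        if mac in known_macs:
            continue
        times.sort()
        peak, start = 1, 0  # most requests seen inside any `window`-second span
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window:
                start += 1
            peak = max(peak, end - start + 1)
        findings[mac] = {"requests": len(times), "peak_per_window": peak,
                         "burst": peak >= burst_threshold,
                         "first": times[0].strftime(FMT), "last": times[-1].strftime(FMT)}
    return findings
```

Feeding it the real lease log (or the same parser wired into an ELK pipeline) turns the manual log reading into a report of unknown clients and their request rate.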


----------



## Argentum (Jan 2, 2023)

tOsYZYny said:


> Would WIFI EAP (with a client / server certificate) be significantly more secure than a single passphrase?


Isn't that amazing? I tried your question on *OpenAI*, and here is what I got (_NB! computer-generated content!_):


```
In general, a WiFi network that uses EAP (Extensible Authentication Protocol) with client and server certificates is likely to be more secure than one that relies on a single passphrase. This is because EAP with client and server certificates provides a number of additional security measures beyond those offered by a simple passphrase.

Some of the security benefits of EAP with client and server certificates include:

Stronger authentication: With EAP, the client and server authenticate each other using digital certificates, which provide a stronger form of authentication than a simple passphrase. This helps to prevent unauthorized access to the network.

Encryption: EAP with client and server certificates can provide encryption of data transmitted over the WiFi network, which helps to protect the confidentiality of the data.

Improved security against attacks: EAP with client and server certificates can provide additional security against attacks such as man-in-the-middle attacks and other types of spoofing.

Improved scalability: EAP with client and server certificates can be more scalable than a simple passphrase, as it allows for the use of multiple client certificates on a single network.
```

https://chat.openai.com/


----------

