How to make your network almost unhackable!!



L-dog23
2014-12-31, 21:46
By: Lithium Delta

As an auditor of wireless network security you begin to see weaknesses and strengths of networks. This knowledge can be used to improve your home network. Although often forgotten, your home network is vital for one reason: it's connected to your computer, which contains many passwords, personal details, bank details and photographs.

Many people leave this resource freely available for anyone. Anyone could access your network and take that information with basic software. Most passwords are 10 characters and mostly a combination of capital letters, WPA. WPA2 is more advanced and often includes numbers. At the start there was WEP which was only numbers and easy to crack.

To make your password secure and safe there are a few basic steps you can take:

1. Increase the length of the password.

Routers can support passwords up to 62 characters, it would be hard to type it out every time someone new wants to use the network. 99% of hackers will try and crack your password up to 10 characters long and cracking a password that long would only take a few days, anything past that would take weeks to crack.

2. Restrict the amount of time you use it to 3 hour intervals.

The more data you use the heavier the traffic, that means there is a high chance of the hacker capturing the data needed to guess your password.

3. Do not use wireless.

It's easier these days to roam your house while browsing but if you use wired connections it is often faster and a hacker will struggle intercepting wireless data.



I hope this has helped those who are concerned about their home or business network.

pwnémon
2015-01-02, 18:23
There is a lot of stuff you can do so I just made an account to add some stuff.
Not everything is possible on all devices and there's probably still a lot missing since I'm still learning but maybe some people can get useful info from it and add stuff to it.

Always make sure WPS is disabled.
Change signal strength according to requirements, it's not smart to send your packets 2 streets further if you want indoors use only...
Use MAC whitelisting if possible or static IPs and no DHCP server (doesn't make it much more secure but can be trouble for a scriptkiddy.)
Keep firmware updated and make sure you don't use default (admin) passwords on your router config.
Don't forget to add a couple of numbers and symbols for max effect, I think "horsebatterysta-1-" is better than "horsebatterystaple" and change them once in a while.
(imagine some GPUs being toasted to get a password which already changed ;))
Use LAN management only (use VPN if WAN management is needed) and if possible a dedicated NIC for management.
Disable UPnP and use port forwarding.
Try to hack your own network to find any weaknesses that you missed.
If it's in a place where it gets used at certain times, make a schedule to disable WLAN when it's not used.
Maybe spend some time with Snort & add other firewall/iptable rules or disable unused network services if necessary?
Triple-check your settings and make regular backups.

Kalinoob
2015-01-04, 19:24
I think WPA 3 or 4 needs to come out...I have written on this in different areas and attempted to contact the Wifi Alliance (Austin Texas) with no luck because I can't afford a $15,000 membership... Also linked a stack exchange post I made talking about the SIMPLE change/additions and the post was deleted....SO here it goes

Current PSK formula is

DK = PBKDF2(HMAC−SHA1, passphrase, ssid, 4096, 256)

What this means is it uses HMAC-SHA1 with your passphrase/ssid, 4096 iterations, and produces a 256 bit key
So for the past 10+ years people have been able to create databases/rainbow tables, etc.

First thing that needs to change is the number of iterations, 10+ years ago hardware could only bruteforce 100-300 passwords a second. The number of iterations needs to be increased in order to bring that change back in effect.

The next thing would be to change the salt to include the mac of the router so that each router brute forced would require starting from scratch

DK = PBKDF2(HMAC−SHA1, passphrase, ssid + Router mac, 4096000, 256)

Next we need to take the HUMAN element out of the Equation.

1) a password of 12 or more needs to be implemented
2) if not already present in the password entered, the router would then GIVE the user a couple of permutations that include at least TWO upper/TWO lower/TWO special characters/TWO numbers and make them choose one. In other words the router would not allow anything less than a more "sophisticated" password.

Another option would be that after the first formula is used and the client connects successfully the FIRST TIME.... the router then "remembers" that mac address and now the formula changes to

DK = PBKDF2(HMAC−SHA1, passphrase, ssid + Router Mac, RND, 256)

Where RND is a random number generated by the router 6-8 digits long for the iterations. Unless a "Hacker" just happened to catch the first handshake and then ran through the set standard 500,000 iteration formula and happened to find the password (being able to decrypt the aes256 exchange of RND), from that point on the formula would be different. This could be the same for the router, or even more secure, for each client connected. So the router would keep a table of Client macs and RND so when the client says "HELLO I want to connect" it would be done using the RND value. If someone was to find how the RND value was saved on the client (physical access to the client) then it would be different for each client. After X many days/X many hours this could be re-set/established again using the first formula and AES256 as an option.

So these are just some ideas, with today's technology/hardware it shouldn't be that hard to do. WPA2 is old and getting easier to crack. Many wordlists have been created that easily go up to 10 if not more... "hackers" have been generating wordlists for YEARS. Making the first formula iterations high enough to slow down the brute force attack, and then making the hacker start from scratch with the combination of SSID + Router Mac, PLUS add the fact that after the client is first set up/connected to that router making the number of iterations RND (6-8+ digits)........this just makes it VERY VERY VERY difficult for a wardriver to accomplish finding the password.

Hopefully I don't get trashed on this post, all criticisms/ideas/opinions are open.
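The PSK formula quoted in the post above, and the effect of the salt and iteration changes it proposes, as an added example that is not part of the original post. The raw 6-byte MAC appended to the SSID, the function names, and the sample MAC addresses are assumptions made for illustration; the post does not specify an encoding.

```python
import hashlib
import time


def wpa2_pmk(passphrase, ssid, iterations=4096):
    """Formula quoted in the post: PBKDF2(HMAC-SHA1, passphrase, ssid, 4096, 256)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(),
                               iterations, 32)


def proposed_pmk(passphrase, ssid, router_mac, iterations):
    """The post's proposal: salt = ssid + router MAC (encoding assumed here)."""
    mac = bytes.fromhex(router_mac.replace(":", ""))
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(),
                               ssid.encode() + mac, iterations, 32)


def distinct_keys(passphrase, ssid, router_macs):
    """Count distinct keys across routers that share one SSID and passphrase.

    Returns (current_scheme, proposed_scheme). A count of 1 means a table
    computed once for that SSID applies to every one of the routers.
    """
    current = {wpa2_pmk(passphrase, ssid) for _ in router_macs}
    proposed = {proposed_pmk(passphrase, ssid, m, 4096) for m in router_macs}
    return len(current), len(proposed)


def guess_cost_seconds(iterations, sample=20000):
    """Estimate the time for one guess by timing a sample and scaling linearly."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha1", b"x" * 12, b"salt", sample, 32)
    return (time.perf_counter() - start) * iterations / sample


if __name__ == "__main__":
    # Constructed sample data: two routers left on the same default SSID.
    macs = ["02:00:00:00:00:01", "02:00:00:00:00:02"]
    print("distinct keys (current, proposed):",
          distinct_keys("horsebatterystaple", "linksys", macs))
    for n in (4096, 4096000):
        print(f"{n} iterations: ~{guess_cost_seconds(n):.4f} s per guess here")
```
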

L-dog23
2015-01-04, 21:35
Hi, thank you for your reply.


Yes I missed a couple things lol, I try and make the hints and tips for people that don't know much about wireless security. Those three tips are good and easy for beginners and easy to implement on a stock router.

A CPU will burn out with a 62 character password haha (plus it could take up to a year to crack). Scriptkiddies will find it hard.