hacking SSID

Character 47 is nonprintable? Maybe? While more secure those are definitely harder to manually put into a TV or something without a keyboard or copy/paste. I have a bit of ASCII art as my SSID and found once it's rather annoying to enter manually.

@Aledio per https://www.tp-link.com/us/user-guides/tl-wa801n_v6/chapter-3-customize-your-network#ug-sub-title-5 that model has Wireless MAC Filtering so you can block the MAC address, or as noted if they start changing MACs you can allow just your devices' MACs.

@CiscoX said:

I think you are safe for some time

yes well now he's posted it for us. :)

JKnott · Apr 11, 2022, 8:15 PM

@bingo600 said in hacking SSID:

I didn't want Cisco to decide when my 2702i's should be obsoleted, so i am on Autonomous not Lite/CapWAP

It would be nice if more APs went with a central controller. With 802.11r you still have to disconnect and reconnect as you move between APs. With the Cisco central controller, you connect to it, instead of the APs, which become little more than bridges.

JKnott · Apr 11, 2022, 8:18 PM

@steveits said in hacking SSID:

While more secure those are definitely harder to manually put into a TV or something without a keyboard or copy/paste.

My Sharp/Roku TV won't accept 63 characters. It chokes somewhere after 40 or so. So, it's on my guest WiFi, which has a much shorter password than my main SSID.

JKnott · Apr 11, 2022, 8:19 PM

@steveits said in hacking SSID:

yes well now he's posted it for us. :)

I don't use that one. I just got it from www.grc.com.

JKnott · Apr 11, 2022, 8:21 PM

@ciscox

I guess it will keep someone busy for a while.

BTW, it should have had 63 characters, but I guess I missed one when copying it.

MoonKnight · Apr 11, 2022, 8:44 PM

@jknott
hehe, that would be one more century for your extra character

JKnott · Apr 12, 2022, 7:13 PM

@ciscox

Actually, a bit longer I think. Another character means 96 times what's listed. I'd better grab a beer first.

Apr 13, 2022, 5:23 AM

@aledio

try to set up wifi aps instead of repeaters.
use the maximum of 63 chars long password (not supported at all vendors)

small raspberry pi with linux and install

OpenLDAP for wired devices
FreeRadius for wireless devices.

put all wifi clients into vlans, e.g.
vlan10 for family = radius certificate - internet & LAN
vlan20 for guests = vouchers - internet only

Alternatively:
Install a small wifi card into your pfsense and turn on
hotspot with voucher system for guests, can also be a
solution

give all clients a static IP address in the entire network
and then narrow down the DHCP address space to them,
that means no other free dchp addresses will be able to given out.

Setting up snort and/or suricata on pfsense and OSSec
on any other devices, you may need another small server
but also another security line.

Turning on wireshark and sniff on your wifi for a while
perhaps on an rapi or notebook or your laptop at the weekend. Watch out any other IPs then your own ones.

try narrow down the entire signal strength of your wifi
so it is enough for you but only in the near area of you
house or apartment. Try to implement WPA3 where ever
you can do it.

Alternatively you may be also able to get hands on
UBNT wifi aps and then you may get also a small
edge router from them and install there the radius
server.

JonathanLee · Oct 31, 2023, 9:19 AM

If your wireless access point allows user control over transmit and receive power levels lower it so it only works in your home. I would also use snort on the LAN interface with AppID enabled with full manually created text rules and only approve what you normally use. It takes a while but if he is hacking your network and say normally uses ESPN and you don't it will block it until you approve it. Use AES it's harder to break into. He will eventually spoof a device in your homes mac address to get back on also some pen testing software allows you to spoof mac addresses. Another option is to get a cheap AP configure it to the same SSID you used before and leave it blocked for everything and change your SSIDs to something else that you use with lower transmit power. Or just hard wire some RJ45 cables up and disconnect all of the wifi he is using. Wifi is not really safe. Windows 10 for a long time didn't even care what bssid it was using as long as the SSID was the same it would connect. You can also vlan the wireless access point like @johnpoz does that way everything on the wireless lan is inspected at the firewall too.

Gertjan · Oct 31, 2023, 9:19 AM

You guys all scare the hell out of me.
I've loads of APs without any passwords at all.

And at home neither, as I haven't seen yet any rabbits with some BYOD ....