Wireless (In)Security

  • http://insights.dice.com/2014/03/20/wpa2-security-cracked-without-brute-force/

    I was researching the strength of wireless security WPA2 and it looks like 5 years ago it took 3-5 hours to crack a moderate passphrase. I would have to think it has only gotten faster in the meanwhile.

    I have a pfSense security question: I would prefer not to allow wireless users to run a dictionary attack against my pfSense Access Point for hours at a time. Is there any way to block via MAC or similar if repeated bad passphrases are used by the same user? Like 100 guesses and your MAC is blacklisted? Would this be futile?

    Let's assume they breach my wifi and make it in to my host system. Does the pfSense UI allow blocking of guessed password attempts after 100 guesses and blacklisting of the offending MAC?

    I hope I would hear the console beep every time a user tries to login.

  • I see that the pfSense webGUI is covered by sshlockout. Allows 15 tries.

  • Banned

    So what do you want to block? The WebGUI/SSH access? Or wifi access? For the former, you'd normally disallow the access altogether by blocking access to "This Firewall" management ports from the WLAN… regardless of how many hours/days it takes to crack WPA2.

  • I was just thinking it seems stupid to allow someone to throw millions of tries at a wireless passphrase for WPA2. I see a lot of braggarts saying they cracked their neighbors' wifi in 10 minutes. I am saying why give them the chance. 15 tries at the passphrase and lockout for 3600 minutes if unsuccessful.
    That would be righteous by me.

  • I would think if someone was pounding your access point with a dictionary attack it would affect the performance of your wireless network as well, if not severely degrade it. If you only had 15 passphrase tries then at least it adds a layer of complication for the attacker.
    Just like any lock, with enough effort anything is possible.

  • LAYER 8 Netgate

    Ruckus controllers block MAC addresses for a short period after several consecutive join failures.  These are solved problems.  Just not using FreeBSD as your access point.

  • Looking at either a used Ruckus 7362 for $75 or 7982 for $250.
    Are features relatively the same? I would like 3X3 but I don't really need it. What are the implications of the EOL status of 7362? Obviously no updates…
    Are the internal antennas similar? Beamforming on both?

    Sorry to stray off topic but I need to have something to compare pfSense wireless to anyway. I really prefer the web interface versus Mikrotik's solution.

    Any Linux solutions to handling the issue of WPA2 brute forcing? They use wpa2 supplicant as well as hostap so I doub

  • LAYER 8 Netgate

    I have no idea if you get the sort of blocking I mentioned without a controller. Nor do I have any idea what the capabilities are of the old units. Ruckus datasheets are probably where you want to be spending your time.

    7982s are beasts.

  • What about FreeRADIUS? I see it is used in captive portal by some. Would it provide me with the ability to foil passphrase guessing? Is this level of security really as good as it looks?

    4-10 hours to hack it down really does concern me.

  • LAYER 8 Netgate
    (Captive portal authentication has nothing to do with Wi-Fi/WPA password cracking)

    Using FreeRADIUS on your Wi-Fi means you're using WPA2 Enterprise.  That completely changes the equation because you're no longer trying to crack a PSK.

    But to use WPA2 Enterprise properly you need to deploy certificates to all your client devices, maintain usernames and passwords for everyone, etc.

  • I am going to try that route. I already learned cert stuff with VPN setup. I know that WPA2 Personal encryption causes a wireless speed hit; will WPA2-Enterprise make it worse? How about things like my Visio TV or other embedded wireless devices? How do I get certs there? I am guessing it pretty much only works with supported devices? I like the sound of EAP+TLS. I think I could rest well with that level of protection.

  • LAYER 8 Netgate

    No idea.  Doesn't much matter because it is what it is.  You either enable the crypto or you don't.  It either slows it down or it doesn't.  Probably different on all combinations of gear, distance, physical topology/construction, etc.

    Survey your site and put in what you need to get close to expected performance and understand that wi-fi is not ever guaranteed.  Too many variables: shared medium, limited available channels, interference, etc.

  • Attacks on WPA/WPA2 are performed offline.
    You will need to wait until a client authenticates (or send out a fake deauthentication request to force the client to reauthenticate) and then capture the four-way handshake.
    This four-way handshake is brute-forced offline.
    So look out for deauthentication requests, but even better just choose a 25 random character passphrase.

    Also see:

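Added example in Python, not taken from this thread or from pfSense: it performs the WPA2-Personal key derivation that offline cracking repeats per guess, and compares the expected search time for an offline attacker against the 15-tries-per-hour online lockout proposed above. The 1e6 guesses/second offline rate is an assumed, hardware-dependent figure; the passphrase/SSID pair in the demo is the IEEE 802.11i test vector.

```python
import hashlib
import math

# WPA2-Personal derives the 256-bit Pairwise Master Key (PMK) from the passphrase
# with PBKDF2-HMAC-SHA1, salted with the SSID, 4096 iterations (IEEE 802.11i).
# Anyone holding a captured four-way handshake can repeat this derivation per
# guess on their own hardware, so the access point never sees the attempts and
# cannot rate-limit them. That is why an online lockout does not help here.
PBKDF2_ITERATIONS = 4096


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PMK (the value hostapd's wpa_passphrase prints as psk=)."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode(), ssid.encode(), PBKDF2_ITERATIONS, dklen=32
    )


def passphrase_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random passphrase drawn from the given alphabet."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Average time to hit the right passphrase: half the keyspace at the given rate."""
    return 2.0 ** entropy_bits / 2.0 / guesses_per_second


def compare_policies(offline_rate: float, online_tries_per_hour: float) -> dict:
    """Expected crack time in years for a weak and a strong passphrase, against
    (a) offline PMK computation and (b) a hypothetical online limit that would
    only matter if every guess had to go through the access point."""
    year = 365 * 24 * 3600
    result = {}
    for label, length, alphabet in (("8 lowercase", 8, 26), ("25 random alnum", 25, 62)):
        bits = passphrase_entropy_bits(length, alphabet)
        result[label] = {
            "offline_years": expected_crack_seconds(bits, offline_rate) / year,
            "online_years": expected_crack_seconds(bits, online_tries_per_hour / 3600) / year,
        }
    return result


if __name__ == "__main__":
    print(wpa2_pmk("password", "IEEE").hex())  # IEEE 802.11i test vector
    # Assumed 1e6 PMK/s offline (constructed figure) vs. 15 online tries per hour.
    for label, t in compare_policies(1e6, 15).items():
        print(f"{label:16s} offline {t['offline_years']:.3g} y  online {t['online_years']:.3g} y")
```

The output makes the last post's point concrete: an 8-character lowercase passphrase falls in hours offline even though a 15-per-hour online limit would hold it for ages, while 25 random characters are out of reach either way.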