Advice needed about Wifi Security

and yes, I'm aware this is as useful as the proverbial mammaries on a male bovine, before someone leaps in with the obvious. But it is still an issue.

As I mentioned above, MAC filtering provides negligible security, as while it will work for obfuscation from the run of the mill neighbor, it's easy enough to determine what MACs are transmitting and receiving in any given area.

  • Once garnished, it's a matter of narrowing down which MACs are communicating with what APs, at which point those MACs can be cloned.

  • This shouldn't deter anyone from utilizing MAC filtering, but users should also be aware it is easy to bypass... this is why the recommendations in Wireless Overview -> Wireless Security should be followed.
  • make sure that you force CCMP (AES) and use a strong password
  • use at least 17.01.4 to ensure that you are protected against Krack and Spectre
  • Enable the Krack and Spectre countermeasures

What doesn't work well:

  • MAC restrictions
  • Hiding SSID

Good link!

I agree with you, but in my case I use MAC filtering in the same way I use DHCP with static leases for MAC: it's not for security. For security I use WPA2 + CCMP; I use MAC filtering + DHCP with static leases to "tidy up" my home network, not as a security system.

I would check for ports open to the Internet...

GRC ShieldsUP!

https://grc.com/x/ne.dll?bh0bkyd2

SpeedGuide Security Scan

https://www.speedguide.net/scan.php

@Klingon, I opened FS#1468 regarding this.

Edit: Under no circumstances should you read any of the above to understand the gist of what has happened/changed. If the author of that change is happy with the new spam that is occurring...

Edit2: Do you actually expect me to regurgitate that which has been written above. Everything you have asked is in the posts above.

Holdup....what????

You opened a bug report?

  • OP made a MAC filter
  • Others are connecting not on that MAC filter
  • The log tells you...

How is this a bug???

Albeit it's not good, it is a security option...it is one. I doubt it will be taken as a bug.

Can't you lower the logging level?

How can I do it?

https://wiki.openwrt.org/doc/devel/debugging

See section on

Logging hostapd behaviour


Finally I decided to disable MAC filtering, and now the log has come back to "normality".

Maybe technically it is not a bug, I can't discuss that, but in my opinion it is not correct behavior in hostapd logging.

Not true at all. It makes it more difficult and time consuming, and will protect you from people trying to guess the password that connect to your router manually brute forcing....

But it's easy to capture the EAPOL packets using tools such as aircrack-ng suite. At that point you just run aircrack-ng against that capture file with a wordlist. You don't even have to be near the router once the handshake is captured while it is cracking as it's all done at this point without having to attempt to authenticate with the router.

It's time consuming, and resource consuming, but is not out of the realm of possibility. If your password is n characters long, and the person has a wordlist of all combinations of characters up to your password length or greater, it can be cracked. It may take months or years, depending on the machine(s) used to crack it, but it still is possible. If you have access to a botnet and can distribute the work it makes it faster, as well as using GPUs.

So in conjunction with a complex WiFi password, changing it regularly also improves security. Changing your passwords regularly is just security basics 101.


A password in line with the recommendations in the Wireless Overview wiki, would be impossible to crack in a human lifetime:

  • Since I'm not sure of the exact number of symbols that can be utilized, let's use 18. With case-sensitive alphanumerics, this would equate to 80 possible characters that can be utilized.

    • (17*10^-6 * 80^16) / 2 / 60 / 60 / 24 / 365 = x

      • 17*10^-6 = 0.0017ms
        • Approximately how long it takes an 8C 2.8GHz CPU to process SHA512 hashes
          • I don't believe wifi passwords use SHA512 for hashing, but I do believe they use SHA256

      • 80^16 = 2.81474976710656e+30
        • 80: amount of alphanumeric characters
          • 26 lowercase
          • 26 uppercase
          • 10 numbers
          • 18 symbols
        • 16: Amount of characters in the password

    • (17*10^-6 * 80^16) / 2 / 60 / 60 / 24 / 365 = 758,668,601,611,040,100 yrs per PC

      • Let's say a botnet has 100,000 devices:
        • (17*10^-6 * 80^16) / 2 / 60 / 60 / 24 / 365 / 10^4 = 7,586,686,016,110.401 yrs

        • Botnet completely comprised of GPUs for calculations (+100>)
          • (17*10^-6 * 80^16) / 2 / 60 / 60 / 24 / 365 / 10^6 = 75,866,860,161.10402 yrs

        • Largest botnet ever was 12M devices, and we'll give each a GPU for calculations (+1,200,000,000>)
          • (17*10^-6 * 80^16) / 2 / 60 / 60 / 24 / 365 / (12 * 10^8) = 632,223,834.6758667 yrs

      • 12M device botnet completely comprised of supercomputers using GPUs for calculations (+180,000,000,000,000>) [150,000 * 12,000,000 * 100]
        • (17*10^-6 * 80^16) / 2 / 60 / 60 / 24 / 365 / (18 * 10^13) = 4,214.82556450578 yrs

  • This assumes password will be cracked when half of the possible passwords are checked, hence division of two

    • Even with SHA256 hashing, it would still be fundamentally, literally, impossible to brute force a password in line with the recommendations, hence why I added the recommendations.

Can it still be cracked? Yes. Therefore your absolute that it can not is inaccurate.

It would take a botnet comprised of 12M supercomputers utilizing GPUs for calculation 4,214 YEARS to crack SHA512.

I don't have the time at the moment to calculate SHA256 hashing times, but we'll provide an improbable speed up of 75%, of which it would still take 1,053 YEARS

  • I'm not sure what reality you live in...

Is it still crackable? Regardless of time?

NO!

  • To quote Bill Murray:
    • "It's hard to win an argument with an intelligent person, but it's damn near impossible to win an argument with an ignorant person"

This is what it means to use a complex password. A complex password looks like YugE6!00&d

And so no it's not possible to just run aircrack-ng against that sort of thing

Ok buddy...

In cryptography it's always accepted that brute force is an option theoretically, therefore Literally ALL of security is built on making brute force take impossibly long; that's the modern definition of security. So if the largest conceivable botnet would take 1000 years to crack a device with a 10 year lifetime, it's by the modern definition secure.

Just for fun: https://securityonline.info/naive-hashcat-crack-password-hashes/
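The keyspace arithmetic in the 80^16 post above, and the "1000 years versus a 10 year lifetime" argument in the later reply, both reduce to one estimate: candidates = alphabet^length, expected guesses = half of that, time = guesses × seconds per guess ÷ devices. The following Python is an added worked example, not code from any poster in this thread or from OpenWrt. It generalizes the thread's single case to any alphabet, length and device count, and it carries the thread's own assumptions: 18 usable symbols (so an 80-character alphabet), 17 µs per guess, perfect parallelism across devices (an upper bound on attacker speed), and the password being found after half the keyspace. The lifetime safety factor (`margin`) and the `effective_alphabet` class detection are my own constructed additions, useful for checking a password policy from the defender's side.

```python
import math

# Seconds in one year, as used in the thread's own formula (60 * 60 * 24 * 365).
SECONDS_PER_YEAR = 60 * 60 * 24 * 365

# Character classes and sizes assumed in the thread; 18 symbols is the poster's guess,
# not a standard figure.
CHARACTER_CLASSES = {
    "lower": (26, lambda c: c.islower()),
    "upper": (26, lambda c: c.isupper()),
    "digit": (10, lambda c: c.isdigit()),
    "symbol": (18, lambda c: not c.isalnum()),
}


def effective_alphabet(password: str) -> int:
    """Size of the alphabet an exhaustive search must cover, based on which
    character classes the password actually uses (assumed class sizes above)."""
    return sum(size for size, present in CHARACTER_CLASSES.values()
               if any(present(c) for c in password))


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Search space expressed in bits: log2(alphabet^length)."""
    return length * math.log2(alphabet_size)


def years_to_crack(alphabet_size: int, length: int, seconds_per_guess: float,
                   devices: int = 1, expected_fraction: float = 0.5) -> float:
    """Expected wall-clock years for an exhaustive search.

    expected_fraction=0.5 encodes the thread's assumption that the password is
    found after half the keyspace has been tried; `devices` divides the work
    across a botnet or GPU farm and assumes perfect parallelism, which makes
    the result an upper bound on attacker speed (a conservative defender's view).
    """
    guesses = keyspace(alphabet_size, length) * expected_fraction
    return guesses * seconds_per_guess / devices / SECONDS_PER_YEAR


def survives_lifetime(crack_years: float, device_lifetime_years: float,
                      margin: float = 100.0) -> bool:
    """The 'modern definition' from the thread: a setting is secure if the
    cheapest exhaustive search takes far longer than the device is in service.
    `margin` is a hypothetical safety factor, not a figure from the thread."""
    return crack_years >= device_lifetime_years * margin


if __name__ == "__main__":
    # The thread's worked case: 80-character alphabet, 16 characters, 17 µs per guess.
    print(f"{years_to_crack(80, 16, 17e-6):.4e} years on one PC")
    print(f"{years_to_crack(80, 16, 17e-6, devices=18 * 10**13):.1f} years "
          "on the 12M-device supercomputer botnet")
    # The 10-character sample password quoted later in the thread (constructed input).
    sample = "YugE6!00&d"
    a = effective_alphabet(sample)
    print(f"{sample}: alphabet {a}, {entropy_bits(a, len(sample)):.1f} bits, "
          f"{years_to_crack(a, len(sample), 17e-6):.3e} years on one PC")
    print("survives 10-year lifetime at 100x margin:",
          survives_lifetime(years_to_crack(a, len(sample), 17e-6), 10))
```

Running it reproduces the post's single-PC figure of roughly 7.59e17 years and the 4,214-year figure for the 18 × 10^13 device case, and shows that a 10-character mixed-class password under the same assumptions sits at about 63 bits, still millions of years per PC at 17 µs a guess. The point for a defender is that the estimate is only as good as the seconds-per-guess and device-count inputs; lengthening the passphrase grows the keyspace exponentially, which is why the wiki's length recommendation matters more than any single hardware assumption.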