My neighbors is doing som serious wifi hacking
Seems like they are using wifi handshake methods - and I will very much like to have a tunnel from my OSX client to my WRT router were all handshake information is inside.
I would like to use a VPN like Wireguard to do this BUT as far as I can see you need the wifi to connect to the router before you can use the VPN client buildt into OSX.
BUT this is a problem because I need the handshake to be inside the VPN tunnel - how do I do that
@Elmo - You have started several threads with this common theme.
I would suggest that you start with a new SSID and then set a very very strong passphrase. Similarly, secure your router with a different very strong password. You can take other precautions such as MAC address allow-listing all of your devices, and blocking all else (some will argue this can be circumvented, but it would serve as another barrier, part of a multi-pronged security approach).
You can create DHCP static leases of all of your devices so that they have known IP addresses on your network, and then you can monitor for any rogue devices that join your network.
Done properly, your network will be secure and you won't need to try to use unusual methods such as establishing a VPN between your client devices and the router itself (which, BTW, would not help anything, anyway).
If you're looking for even more robust security, use WPA2 Enterprise (coupled with a RADIUS server) to authenticate devices on your network.
Than you very much. I will look into the RADIUS solution.
And one more thing - I have no experience with WPA Enterprise - do you have any reference to info - again thank you very much
Just searching the web... I don't have any experience with this, personally. I cannot vouch for the medium article below, just linking it as an example.
Nice - I will try it out - thanks
If you actually know about it then it sounds more like he/she tries to use your wifi by simply trying random passwords and hope for the best.
SSID whatever name or hidden/non hidden doesn’t mean anything for security, at best it is a marker for the attacker. Unless you give the hacker a message in the actual SSID name😂
Radius, yea but it is like hitting a mosquito with a bomb and will give you more problems than its worth if you have IoT devices.
Just use at least WPA2 or WPA3 and at least a 32sign random by password generator and use all letters, number and special characters password. Since I doubt your neighbors have spectacular big computer power that password will keep them occupied for some 10000years.
You could also try reducing tx power so pretty much only your home is covered by the signal.
When I was in college (engineering school), I was also part of our theater group.... we had a saying: "if it is worth doing, it's worth overdoing!"
+1. Usage of RADIUS should be very, very last weapon, because it needs a very steep learning curve for a beginner, taking lot of time to manage.
I have had issues with some random IoT devices, that would constantly try to connect to any SSID within reach; just by blocking the MAC address of the offending device, the issue was fixed.
Although that was more about log sanitation (hiding the failing connection attempts) than actual security, as those IoT devices don't know the correct PSK anyways.
Even if they had a supercomputer, it wouldn't help them even a tiny bit: WiFi doesn't have unlimited bandwidth and the router is very likely to be the bottleneck when it comes to attempts at bruteforcing passwords. You can't magically cram 20 billion attempts in a second when the other end ain't fast enough to handle that.
It doesn’t work that way to hack WPA2/3. But to run the short history.
You secretly collect the data over the air from the clients that have the right password.
Then you pretty much run a qualified guesswork, dictionary attack, brute force attack on the data offline until you find the right password.
Then when you offline have successfully hacked the handshake data then you go online and connect to the real wifi.
That is why I said in the beginning that if he knows about it then it isn’t an attack to begin with. It is either a neighbor playing around or as earlier mentioned some IoT thing trying its best.
With WEP and WPA1 it was a lot easier to hack but the only meaningful way there is to really hack access in to a WPA2 network is by getting the actual password.
So it is pretty much up to the owner how fast the hacking is done based on the security level of the actual password.
Love this topic when an user think their neighbors are hackers that hack their wifi when probably the user just use a simple password or the neighbors just have other way to join the wifi.... (physical access to the device for example...)
@flygarn12 thing is that that method would take days/month anyway... it's impossible they are using that method with the user changing the wifi password everyday... But could also be that the user is using insecure router with known vulnerabilities... but again user fault...
The really funny thing is that it is the user that has the know how to know that OpenWrt exist and actually installing it on something that is the neighborhood hacker as seen from the neighbors point of view😂
Well, yes, but that's obviously not the case here, which is why I misinterpreted your comment as you meaning attempting to just bruteforcing the authentication over WiFi.
Have you seen the password lists that are online?
I bet 80% of all wifi routers are hacked within minutes with dictionary attack.
Half of my neighbors has the manufacturers original SSID name for their device, so if they didn’t even change the SSID…
Anyway if they are hackers an allow list won't work since it's too easy to bypass that... if the user wants to really secure his wifi in no practical way to hack it (again IMHO it's stupid since probably the problem is somewhere else...)
radius server and login with certificate... have fun hacking that... but it's a PITA also for the user.
sure and at the same time the router probably crash if it's vulnerable to that kind of attack... nowdays wifi password are generated from random stuff anyway... the thing of using ssid to generate the password is long gone.