Securing Wi-Fi Networks

Published: 23 January 2021    Last Updated: 05 July 2023

We recently discussed how to break WPA2 keys very quickly using cloud computing. We've also looked at how to use a Rogue AP to capture user credentials from a network using PEAP (MSCHAP).

In this article we'll look at hardening Enterprise wireless networks from these attacks.

The most secure option is mutual authentication (the server and the client each authenticate to the other) using certificate-based authentication, as offered by EAP-TLS. However, issuing and managing client certificates adds administrative overhead, so PEAP may offer a balance between security and overhead.

To be clear, we recommend the use of EAP-TLS wherever possible - but if you must use PEAP, we offer the following hardening steps:


Wireless Security: WEP

Published: 19 October 2020    Last Updated: 03 July 2023

It’s well known that the WiFi security protocol WEP is broken. It’s been broken for years. However, if we’re writing a series on wireless security we should start at the beginning. Whilst it stands for Wired Equivalent Privacy, it hardly lives up to its name. WiFi comes under the IEEE 802.11 family. WEP was part of the original standard and was quickly superseded by WPA – WiFi Protected Access.

WEP can be broken using the aircrack-ng suite, but you will need a compatible wireless card with features such as packet injection support; the aircrack-ng documentation lists supported cards. In this article we'll be using a USB Alfa AWUS036ACH, which is built around a Realtek RTL8812au chipset. Injection support requires patched drivers, which are again available from aircrack-ng:


Wireless Security: WPA

Published: 19 October 2020    Last Updated: 03 July 2023

We previously spoke about WiFi security and how utterly broken WEP is. Now it's time to look at brute-forcing WPA and WPA2 keys. Weak keys aren't the only weakness of these protocols, but they are common. The first thing to note is that a WPA/WPA2 passphrase is between 8 and 63 printable ASCII characters long; this matters when building brute-force word lists, because any entry outside that range can never be the key and can be discarded before cracking starts.

Setting up the tools for these attacks is very similar to our previous post. We're going to be using aircrack-ng, and you're going to need a compatible wireless card. We'll be using an AWUS036ACH, with a Realtek RTL8812au. Drivers to support injection can be installed on Kali Linux.
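The point about passphrase length, and why brute-forcing WPA2 is slow enough to warrant cloud compute, can be shown in a few lines. The following is an added example and not code from the article: it filters a word list down to entries that can actually be a WPA/WPA2 passphrase, then derives the Pairwise Master Key the way IEEE 802.11i specifies (PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations) and compares it against a target. The word list, SSID and target PMK are constructed for the example; a real cracker such as aircrack-ng does not have the PMK and instead derives the PTK from the captured 4-way handshake and checks the EAPOL MIC, but that check is cheap and the PBKDF2 step shown here is what dominates the cost.

```python
"""WPA/WPA2-Personal: passphrase filtering and PMK derivation.

Added example (not code from the original article). Standard library only.
WPA2-Personal derives the Pairwise Master Key as IEEE 802.11i specifies:
    PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, iterations=4096, dkLen=32)
so every word-list candidate costs 4096 HMAC-SHA1 rounds per SSID.
"""
import hashlib
from typing import Iterable, List, Optional

MIN_PASSPHRASE = 8    # 802.11i: printable ASCII, 8 to 63 characters
MAX_PASSPHRASE = 63
PBKDF2_ROUNDS = 4096
PMK_LEN = 32


def is_valid_passphrase(candidate: str) -> bool:
    """True only if the candidate could be a WPA/WPA2 passphrase at all."""
    if not MIN_PASSPHRASE <= len(candidate) <= MAX_PASSPHRASE:
        return False
    return all(0x20 <= ord(ch) <= 0x7E for ch in candidate)


def filter_wordlist(words: Iterable[str]) -> List[str]:
    """Drop impossible passphrases and duplicates before spending PBKDF2 time on them."""
    seen = set()
    kept: List[str] = []
    for word in words:
        word = word.rstrip("\r\n")
        if is_valid_passphrase(word) and word not in seen:
            seen.add(word)
            kept.append(word)
    return kept


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """IEEE 802.11i passphrase-to-PMK mapping: the expensive step in WPA cracking."""
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), PBKDF2_ROUNDS, dklen=PMK_LEN
    )


def crack_pmk(target_pmk: bytes, ssid: str, candidates: Iterable[str]) -> Optional[str]:
    """Linear search: return the candidate whose PMK equals target_pmk, or None.

    A real cracker derives the PTK from the captured 4-way handshake nonces and
    compares the EAPOL MIC instead; that step is cheap, so the per-candidate
    PBKDF2 cost modelled here is the same.
    """
    for candidate in candidates:
        if derive_pmk(candidate, ssid) == target_pmk:
            return candidate
    return None


# Constructed sample word list (not from the article): mixes impossible and valid entries.
SAMPLE_WORDLIST = [
    "admin",          # too short
    "password",       # exactly 8 characters: valid
    "summer2020",
    "Summer2020!",
    "x" * 64,         # too long
    "caf\u00e91234",  # non-ASCII: invalid
    "letmein123",
    "summer2020",     # duplicate
]

if __name__ == "__main__":
    ssid = "CorpWifi"                         # constructed SSID
    target = derive_pmk("summer2020", ssid)   # stands in for the PMK behind a captured handshake
    candidates = filter_wordlist(SAMPLE_WORDLIST)
    print(f"{len(SAMPLE_WORDLIST)} words -> {len(candidates)} usable candidates")
    print("recovered passphrase:", crack_pmk(target, ssid, candidates))
```

Because the SSID is the salt, a precomputed PMK table only helps against networks with the same SSID; the 4096 PBKDF2 rounds are the reason a serious run moves to GPUs or rented cloud instances rather than a laptop.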


Breaking Enterprise Wireless

Published: 19 October 2020    Last Updated: 05 July 2023

In our previous posts we discussed how WEP is completely broken, known weaknesses with WPA, and bruteforcing WPA using AWS. This time around it’s time to look at “Enterprise” Wireless security. These are networks protected with EAP – Extensible Authentication Protocol.

However, EAP is not a single protocol but a framework carrying many authentication methods. We won't be breaking down every method here; we'll simply be highlighting that using Enterprise security for a wireless network doesn't immediately remove all risk, and can in fact introduce more.

Both PEAP (with an inner EAP-MSCHAPv2 exchange) and EAP-TTLS are typically deployed with password-based inner authentication, for example against Active Directory, using either a machine account or a user account. This addresses one of the issues with WPA-Personal: because every device shares a single Pre-Shared Key (PSK), revoking one user's access means changing the key on every device.
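The extra risk comes from how the client decides which server it is handing its password-based credentials to: if the supplicant does not validate the RADIUS server's certificate and name, a Rogue AP presenting any certificate can complete the tunnel and collect the MSCHAPv2 challenge/response for offline cracking, which is the attack mentioned at the top of this page. The following is an added example, not code from the articles: a small auditor for a wpa_supplicant network block that reports a PEAP or EAP-TTLS profile with no CA pinning, no server name check, or no anonymous outer identity. The option names are the real wpa_supplicant ones; the two profiles, the CA path and the hostname in them are constructed.

```python
"""Audit a wpa_supplicant network block for PEAP/EAP-TTLS server validation.

Added example, not code from the original articles. The option names are the
real wpa_supplicant ones (key_mgmt, eap, phase2, ca_cert, domain_match,
domain_suffix_match, subject_match, altsubject_match, anonymous_identity);
the two network blocks below are constructed samples and the CA path and
hostname in them are made up.
"""
import re
from typing import Dict, List

TUNNELLED_METHODS = {"PEAP", "TTLS"}
SERVER_NAME_OPTIONS = ("domain_match", "domain_suffix_match", "subject_match", "altsubject_match")

# Constructed sample: PEAP/MSCHAPv2 with no server certificate validation.
# Any AP presenting any certificate can complete the TLS tunnel and collect
# the MSCHAPv2 challenge/response, which can then be cracked offline.
WEAK_PEAP = """
network={
    ssid="CorpWifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="Summer2020!"
    phase2="auth=MSCHAPV2"
}
"""

# Constructed sample: the same profile pinned to the organisation's CA and
# RADIUS server name, with an anonymous outer identity.
HARDENED_PEAP = """
network={
    ssid="CorpWifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@corp.example"
    identity="jdoe"
    password="Summer2020!"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_match="radius.corp.example"
    phase2="auth=MSCHAPV2"
}
"""


def parse_network_block(text: str) -> Dict[str, str]:
    """Return the key=value options of the first network={...} block, quotes stripped."""
    match = re.search(r"network=\{(.*?)\}", text, re.S)
    if not match:
        raise ValueError("no network={...} block found")
    options: Dict[str, str] = {}
    for raw in match.group(1).splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        options[key.strip()] = value
    return options


def audit_eap_profile(text: str) -> List[str]:
    """Return human-readable findings; an empty list means the profile passed."""
    opts = parse_network_block(text)
    findings: List[str] = []
    if "WPA-EAP" not in opts.get("key_mgmt", "").split():
        return ["not an 802.1X/EAP profile (key_mgmt=%s)" % opts.get("key_mgmt", "")]
    method = (opts.get("eap", "").split() or [""])[0].upper()
    if method not in TUNNELLED_METHODS:
        return findings  # EAP-TLS and other non-tunnelled methods are out of scope here
    if "ca_cert" not in opts:
        findings.append("%s: no ca_cert, so any server certificate is accepted" % method)
    if not any(opt in opts for opt in SERVER_NAME_OPTIONS):
        findings.append("%s: no server name check (domain_match etc.), so any certificate "
                        "issued by a trusted CA is accepted" % method)
    if "anonymous_identity" not in opts:
        findings.append("%s: no anonymous_identity, so the real username is sent as the "
                        "unencrypted outer identity" % method)
    return findings


if __name__ == "__main__":
    for name, profile in (("weak", WEAK_PEAP), ("hardened", HARDENED_PEAP)):
        print(name, audit_eap_profile(profile) or ["ok"])
```

Both ca_cert and a name match are needed: pinning the CA alone still accepts any certificate that CA has issued, and a name match alone is meaningless if the signing CA is not checked.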
