
do i need encryption turned on


9 replies to this topic

#1 nyphonejacks

nyphonejacks

    Dangerous free thinker

  • Members
  • 793 posts
  • Gender:Male
  • Location:718

Posted 08 May 2011 - 01:23 AM

I am curious to know if i even need to bother having the encryption turned on for my router that has DHCP turned off...

i have a wifi router connected to the cable modem @ 192.168.1.1 that provides DHCP to my network
I have another wifi router - that i use as a switch (DHCP turned off) @ 192.168.1.254

i do not use the wifi on the router that has the DHCP turned off - not sure if i could, the one time that i tried to connect to it - it seemed like it was taking forever to get an address, so i just connected to the main router... would the .1.1 router give out DHCP to something connected wireless to the .1.254 router?

reason why i would want to turn encryption off on the .1.254 router would be just to troll people trying to connect, and never being able to obtain an IP address..

#2 serrath

serrath

    SUP3R 31337

  • Members
  • 181 posts
  • Country:
  • Gender:Male

Posted 11 May 2011 - 03:08 AM

That might protect you from the average user with no know-how, but a clever user might decide to statically assign himself an IP address. Also, bear in mind that without encryption your traffic is unencrypted (duh) so anyone's welcome to listen in. While this is perfectly fine if you're not in a high-risk environment (e.g. a college dorm (any kind of school really) or city), it's bad practice. (In case you ever statically assign an IP and connect to the router.)

Silly things you probably thought of:

1) Your router, with DHCP turned off, won't pass traffic through the WAN port at all.

2) Your router, with DHCP turned off, connected to the modem on a LAN port may have DHCP relay enabled; this means it will forward DHCP requests and users will be assigned IP addresses when they connect to the 192.168.1.254 router (which for all intents and purposes has become a WAP).

If you want to troll people, disconnect the router from the modem, change the admin password, and leave it unencrypted.

#3 nyphonejacks

Posted 11 May 2011 - 05:53 PM


i was thinking of updating the firmware with one of those public wifi firmwares, but the router does not have much memory in it... something else that might be fun to do would be to enable DHCP, but alter the DNS, or some type of redirect, so that i would basically send them to different sites other than the ones that they want to go to...

oh well - for now i guess i will just continue to troll by leaving the SSID as something offensive

EDIT- i know that they could create a static IP to get around DHCP, but they would need to know the router address wouldn't they? if i changed it from 192.168.1.1 to something obscure, they would have to basically scan ip addresses until they gained access, since i do not think that they would be able to ping addresses without obtaining an IP themselves. i think that this would be a time consuming task, and they would probably give up

perhaps i could turn on DHCP and enable MAC filtering, and filter out all MAC addresses...

Edited by nyphonejacks, 11 May 2011 - 05:58 PM.


#4 wwwd40

wwwd40

    DDP Fan club member

  • Members
  • 53 posts
  • Gender:Male

Posted 12 May 2011 - 07:38 AM

With a completely filtered MAC table for the wireless clients, the DHCP question is a moot point as no one is going to get that far.

You could fully separate the wireless router from your home network and set it up with no filtering or encryption (i.e. open), or very basic encryption and filtering, and issue DHCP with the DG, DNS etc to a server on your "guest" network. Then any DNS request can be referred to that server and you can post a message, browser exploit etc or whatever you want. You could dual link that server into your actual network and filter any traffic trying to leak from your guest network. A few VMs could give the impression the network is bigger than it is and allow you to observe and mess with anyone on there who is trying to do more naughty things.

It all depends who you expect to be connecting e.g. average user looking for some free bandwidth to browse the web or an attacker..

Edited by wwwd40, 12 May 2011 - 07:56 AM.


#5 nyphonejacks

Posted 12 May 2011 - 09:59 PM

doubt that there would be an attacker within range of my wifi... most of the people within range are older, it would just be people trying to leech the wifi signal...

thing is that i am currently using the wired ports of the router.. so i could not physically separate it from my network.. i would not want to do anything like a MITM attack.. i just want to annoy people..

#6 serrath

Posted 14 May 2011 - 11:18 PM

You might want to choke the bandwidth to 128k, stick it on a separate VLAN from the rest of your network, and do a little upside-down-ternet for all those leeches.

#7 nyphonejacks

Posted 15 May 2011 - 12:47 PM

and do a little upside-down-ternet

what do you mean by this?

#8 wwwd40

Posted 16 May 2011 - 04:21 AM

http://www.ex-parrot...own-ternet.html

#9 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,085 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 16 May 2011 - 11:54 AM

I did something similar, and set it up like this:

MyMain Router/WiFi Network -----NAT Translation----> |DDWRT 54G|

Since NAT cannot be (if implemented correctly) traversed upwards, it kept my main network off-limits to the "victim" using my "honey pot" wrt54g. The wrt 54g connected to my neighbor's WiFi in client mode (don't want people doing naughty stuff on my Internet Connection). I then had another WRT-54G plugged into one of the Ethernet sockets of the DDWRT WRT-54 router, with an unencrypted signal, and blocked all connections from that router to the WRT-54G running DDWRT, to any administration ports (23, 80, 443, 80.. etc..), so a 1337 h4x0r couldn't access admin functions of the WRT running ddwrt. That was really the most secure way I could figure out to run a WiFi honey pot and access it from a secured network. It was kind of a pain in the ass to set up routes enabling me to sniff on the second wrt-54g, though.

#10 serrath

Posted 09 June 2011 - 06:29 PM

Tested this; a computer connected to a network with a self-assigned IP can run a quick Cain sniff and pick up the devices on the network. Definitely secure this device, or disconnect it from your network.
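
An added example, not part of the thread: since a client can join with a self-assigned address, a defender can cross-check the router's ARP cache against the DHCP lease file to spot hosts that never asked for a lease. It assumes Linux-based firmware exposing `/proc/net/arp` and a dnsmasq-style lease file; the sample data and the `KNOWN_STATIC` inventory are constructed for illustration.

```python
# Added example: list hosts seen in the ARP cache that hold no matching DHCP lease.
# All addresses and MACs below are constructed sample data.
ARP_TABLE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:01     *        br0
192.168.1.254    0x1         0x2         00:11:22:33:44:fe     *        br0
192.168.1.101    0x1         0x2         00:11:22:33:44:65     *        br0
192.168.1.77     0x1         0x2         02:aa:bb:cc:dd:4d     *        br0
192.168.1.102    0x1         0x2         02:aa:bb:cc:dd:66     *        br0
192.168.1.103    0x1         0x0         00:00:00:00:00:00     *        br0
"""
# dnsmasq lease lines: expiry, MAC, IP, hostname, client-id
LEASES = """\
1305500000 00:11:22:33:44:65 192.168.1.101 laptop 01:00:11:22:33:44:65
1305500300 00:11:22:33:44:66 192.168.1.102 phone *
"""
# Hypothetical inventory of devices that are static on purpose (the two routers).
KNOWN_STATIC = {"192.168.1.1": "00:11:22:33:44:01",
                "192.168.1.254": "00:11:22:33:44:fe"}
ATF_COM = 0x2  # ARP flag bit: entry is complete (a real host answered)

def parse_arp(text):
    """Return (ip, mac) for every completed entry, skipping the header line."""
    entries = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) != 6:
            continue
        ip, _hw, flags, mac, _mask, _dev = fields
        if int(flags, 16) & ATF_COM:
            entries.append((ip, mac.lower()))
    return entries

def parse_leases(text):
    """Map leased IP -> MAC from dnsmasq lease lines."""
    return {f[2]: f[1].lower() for f in map(str.split, text.splitlines()) if len(f) >= 3}

def unleased_hosts(arp_text, lease_text, known_static):
    """Flag active hosts whose IP/MAC pair matches neither a lease nor the inventory."""
    expected = {**parse_leases(lease_text), **known_static}
    findings = []
    for ip, mac in parse_arp(arp_text):
        if expected.get(ip) == mac:
            continue
        reason = "MAC does not match record" if ip in expected else "no lease for IP"
        findings.append((ip, mac, reason))
    return findings

if __name__ == "__main__":
    for finding in unleased_hosts(ARP_TABLE, LEASES, KNOWN_STATIC):
        print(*finding)
```
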



