I’m not that knowledgeable on networking, but I do remember that if a device is connected to a wired network, it can end up receiving packets not meant for it because switches will flood all the ports for packets they don’t know how to route. But I also heard that Wi-Fi is supposedly smarter than that and a device connected to it should never receive a packet not meant for it.
Is this true? And in practice, does this mean it’s preferable should keep computers with invasive operating systems (which might decide to record foreign packets sent to it in its telemetry) on Wi-Fi instead of on the wired network?
Also, how exactly does Wi-Fi prevent devices from receiving the wrong packets when it’s a radio based system and any suitable antenna can receive any Wi-Fi signal? Does each device get assigned a unique encryption key and so is only capable of decrypting packets meant for it? How secure is it actually?
Worth highlighting WiFi blasts all your data in all directions, and unless you’re using enterprise/WPA3 encryption with a strong password, someone determined enough can break in.
If someone wanted to they could park near your house and run aircrack (or whatever the modern suite is called) without you ever knowing. FWIW this is why it’s good to set up a way of getting notified about new devices on your network (most modern non-ISP routers support a way of doing this)
Conversely, I believe most ethernet NICs discard any packet not intended for it at hardware level, they’re super optimised for speed, it would be much slower to leave that for software. I’m not 100% if that’s universal however, so I’d try and double check that
Aircrack-ng can only try to guess the simple shared password (pre-shared key). So when you run your airodump-ng, it’s got to show the network as having type PSK, or you’re pissing up a rope. With WEP, you could collect IVs, however, with WPA/WPA2, there are no IVs to collect. So you have to guess the password one by one. The only clue you get is when a device performs a handshake with the Wi-Fi. You need to capture that handshake to even start guessing. WPA/WPA2 passwords can be/should be quite long, like up to 63 letters, numbers, or symbols. If the password is a simple word like “cat” or “password,” aircrack-ng might guess it if it’s in the dictionary.
So it behooves the Wi-Fi owner to create a very long, complicated, password with all the bells and whistles. If you are using WEP, you might as well be holding up a sheet of single ply, no brand toilet paper. Also, turn off WPS and UPnP ffs.
I vaguely remember getting into a WPA network (that I owned!) using kismet about 15 years ago with relative ease, but I’m struggling to remember details about that process.
I also remember reading that WPA2 non-enterprise was broken a while ago, however I just looked into it and both of the main exploits I can find were patchable (and have been patched) at client OS level (They were the KRACK and FragAttacks). Seems like there has already been something found wrong with WPA3 too that’s also been addressed.
So yeah as you say back to brute forcing for the most part. Forcing reconnects was a pretty easy way to get more handshakes to record back when I last tried, so I assume that still has decent levels of success, given the prevalence of mesh networks. Looking further it seems people use a tool called hashcat today to get pretty rapid results doing the actual brute forcing using a modern GPU.
But yes very good advice all in all, long passwords and the highest WPA version you can get away with are going to make an attackers job harder.
Thanks for the reply, you got me to go back down an interesting rabbit hole I’ve not looked at in a while
The 4-way handshake crack was the only key recovery attack until 2018 when the PMKID-based attack was discovered (here: https://hashcat.net/forum/thread-7717.html). The PMKID crack attack still required brute-forcing the key, but it didn’t require the 4-way handshake so you didn’t have to depend on a de-authentication attack to get started.
At that time there was another WPA vulnerability, if you were using WPA-TKIP, but it only allowed sending a few small packets every 10-12 minutes so it wouldn’t allow you to gain access to the network.
Later there were a few WPS-based attacks but they were slow (4 hours to recover the WPS PIN) and/or limited to specific manufacturers (weak hardware random number generation).
At 71, I struggle sometimes remembering what I had for breakfast. LOL It is a very interesting rabbit hole for me as well. Wasn’t trying to correct you, I’m an expert at nothing. Your comment just spurred a memory of a long forgotten era of my life as a wannabe haxor.