I'm not entirely sure what you expect to achieve here by checking those boxes.
I didn't check the boxes. They were already checked. I only went through the trouble of looking and making the screenshot because Monza was nice to me.
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Thu Jun 23, 2022 21:16 Post subject:
Yes, but checked to what, to allow or deny? If deny, once applied and the filter is enabled, the machines are unable to connect; if allow, only those machines can connect to the router. My screenshot is whitelisting, so they can connect; anyone else with authorized macs cannot, unless they spoof one of my MACs and force a disconnect from my AP so they can connect instead with a spoofed MAC.
It is true that you can prevent the router from broadcasting the SSID but your clients are still broadcasting the SSID.
I created a diagram that I get the feeling I'm going to be using a lot.
This illustrates the 3 things cracking software needs to get right to be able to penetrate this security scheme. The area in red we all agree there is no stopping. It may even be true that if this diagram were scaled by the amount of existing software and its capabilities, the red area might be the largest piece. We can never truly know how much functional cracking software exists or what all it can do. The objections coming my way seem to be over the size of the slices.
Let's also take what we know as members of this forum into consideration. By the way people have been confronting me, I think we all agree the users are idiots. As members of this forum we can also see that the combination of these technologies causes complications from both a coding and administrative standpoint. We can argue about the size of the slices, but you cannot argue with evidence you see whenever you log in here.
With all of this in mind, there is also my personal situation to consider. Where I live, there are literally hundreds of SSIDs being broadcast. Those are just the ones I see when I passively scan. Now keep in mind that I'm the only adult for 5 blocks who knows that a MAC address isn't where to find McDonald's. All of my attacks will be from uninformed attackers trying to find a way to connect to their Russian Minecraft server, watch porn, or whatever.
My plan is to make myself only vulnerable in the red zone. I want someone to have to go through as much bullshit to break it as I have been going through to try and get it to work for the past year. Even if they have the tools for the red zone, I can still count on plenty of user error. I can also count on plenty of other signals being easier to get into. I don't think that's unreasonable.
I have enough know how to get whatever information you need. I have SSH and NAS. I can put in a dummy configuration and send you anything you need. What do you need so I can help you get this to work?
Joined: 06 Jun 2006 Posts: 7492 Location: Dresden, Germany
Posted: Fri Jun 24, 2022 9:54 Post subject:
that diagram doesn't help. for me it's more important to have a shortlist for "approach" and "what's not working" and your configuration of course. this thread here is too long. i can guarantee that whitelist/blacklist mac filtering works. i can guarantee that wpa/wpa etc. is working. hiding or not hiding ssid works too
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Fri Jun 24, 2022 10:06 Post subject:
I don't know if you ever did any penetration testing, that diagram illustrates what you are trying to achieve and we all understand you. However to the right and left of your red portion (currently white) is all red to me, that diagram is not representing the overlap correctly as the complete attack surface.
If you breach WPA2 and MAC filtering you're done and full access results (MAC filtering is bypassed easily with MAC spoofing and forcing a legitimate client to disconnect and using a spoofed client to connect instead using the key obtained from the effort); you don't need to care about SSID because hidden/not hidden it's known either way.
The best way to ensure your chosen security approach is working is to try hacking it yourself.
As for your claims that MAC filtering doesn't work, you should post screenshots so we can help you diagnose.
Your post here https://forum.dd-wrt.com/phpBB2/viewtopic.php?p=1265545#1265545 already points to the fact filtering works, because in that instance the MAC addresses added to the list were set to deny/blacklist, so MAC filtering works, hence the machines aren't able to connect because they are blacklisted in that example; nothing else makes sense from that perspective.
In any case, what you want is to whitelist your known legit clients; everything else not listed (whitelisted) is by default blacklisted (unless someone spoofs a legit client MAC address, which is easy to do).
You don't want to maintain blacklists; it's not only time consuming, but it's the wrong security approach. You need to blacklist all of the undesired MACs, and while you can tell what all your neighbors' MACs are, you will never account for the drive-by/visitor devices. You would end up running out of entries on the blacklist, and also nvram space for the settings where they are stored is incredibly limited.
So whitelists are shorter and predictable therefore manageable and easy to maintain.
Your last screenshot is the advanced part (where you manually add/remove specific MACs from the filter); if they are already checked on that dialog it means they are part of the list already, nothing else.
The main part after adding MACs to the filter list is important for a complete, proper setup: enabling/disabling the filters, or the whitelisting/blacklisting selection.
that diagram doesn't help. for me it's more important to have a shortlist for "approach" and "what's not working" and your configuration of course. this thread here is too long. i can guarantee that whitelist/blacklist mac filtering works. i can guarantee that wpa/wpa etc. is working. hiding or not hiding ssid works too
It does not work. It has not worked for over a year. I have tested. Please read the thread.
I don't know if you ever did any penetration testing, that diagram illustrates what you are trying to achieve and we all understand you. However to the right and left of your red portion (currently white) is all red to me, that diagram is not representing the overlap correctly as the complete attack surface.
I'm sorry the simple diagram is too hard for you.
the-joker wrote:
If you breach WPA2 and MAC filtering you're done and full access results (MAC filtering is bypassed easily with MAC spoofing and forcing a legitimate client to disconnect and using a spoofed client to connect instead using the key obtained from the effort); you don't need to care about SSID because hidden/not hidden it's known either way.
Finding a target is the first step. Not the last.
the-joker wrote:
As for your claims that MAC filtering doesn't work, you should post screenshots so we can help you diagnose.
What part of "only works when SSID broadcast is on" don't you understand?
the-joker wrote:
In any case, what you want is to whitelist your known legit clients; everything else not listed (whitelisted) is by default blacklisted (unless someone spoofs a legit client MAC address, which is easy to do).
I've been using DD-WRT for over 5 years. I know how to use the software. When it works, I can make it work just fine. Please read the thread.
the-joker wrote:
Your last screenshot is the advanced part (where you manually add/remove specific MACs from the filter)
That screenshot was for someone else. Not for you. I already said that. Please read the thread. I know what I'm doing.
Well, you could post an informative report with screenshots.
WLAN client = MAC address (screenshot IF settings)
enter the MAC address in the MAC filter (screenshot)
test with "Prevent clients listed from accessing the wireless network" (screenshot)
test with "Permit clients listed to access the wireless network" (screenshot)
And on the screenshots you posted one client has 2 MAC addresses - that can't be possible unless the client has MAC randomization enabled and then the filter doesn't work anyway.
Well, you could post an informative report with screenshots.
WLAN client = MAC address (screenshot IF settings)
enter the MAC address in the MAC filter (screenshot)
You don't need to see my MAC addresses. Posting them to the internet is a security risk. I've already demonstrated I know how to make it work when it works by using firmware where it has worked and by diddling around with the newest firmware.
Edit2: I made sure the SSIDs and MAC addresses matched when I started this little escapade and just double checked. They're fine.
ho1Aetoo wrote:
test with "Prevent clients listed from accessing the wireless network" (screenshot)
I'm not blacklisting. I'm whitelisting.
ho1Aetoo wrote:
test with "Permit clients listed to access the wireless network" (screenshot)
What screenshots are going to help? I've already proven I know how to use this function. Do you really think I went through all of this and don't know how to use a radio button?
ho1Aetoo wrote:
And on the screenshots you posted one client has 2 MAC addresses - that can't be possible unless the client has MAC randomization enabled and then the filter doesn't work anyway.
That's a list of recognized clients. 2 are connected. One is disconnected. Even with filtering off, that table still functions.
edit: I see what you're talking about. I have a 4th device that never got an IP because it's not compatible with SHA256.
Joined: 31 Jul 2021 Posts: 2146 Location: All over YOUR webs
Posted: Fri Jun 24, 2022 14:26 Post subject:
I'm now unsubscribing from this thread, as it's already dangerously close to stomping on forum rules.
Which I will monitor, and if such occurs it will be dealt with. I will sort of ignore the rudeness implied and dismiss it as frustration on the part of the OP.
But surely something we have to see otherwise the screenshots are useless.
If you post a bug report then it is actually also part of it to provide comprehensible information.
Well, MAC filtering works for me as it should - I tested it briefly earlier.
I can't understand your described problem - this will be because you didn't post any usable settings and because I have another router - I don't know.
But since you apparently do not want to cooperate - well, I also have other things to do.
By the way, not all digits of the MAC address are individual; the first 6 digits are usually the manufacturer code (OUI, Organizationally Unique Identifier).
Millions of devices have this code *yawn*
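The post above raises two properties of a MAC address that matter for a whitelist: the first three octets are the shared OUI, and a client using MAC randomization will not match its entry. The following is an added example, not part of the original thread or of DD-WRT; the function names and sample addresses are constructed, and it relies on the IEEE convention that randomized addresses set the locally administered bit of the first octet.

```python
import re

# Constructed sample whitelist entries (made up, not taken from the thread).
SAMPLE_ALLOWLIST = [
    "00:11:22:33:44:55",  # globally unique address
    "DA-A1-19-00-00-01",  # locally administered bit set (typical of randomized MACs)
    "0011.2233.4466",     # dotted notation, same OUI as the first entry
    "01:00:5e:00:00:fb",  # multicast bit set, never a client's own address
    "00:11:22:33:44",     # too short
]

def parse_mac(text):
    """Return the 6 address bytes, or None if text is not a 48-bit MAC."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    return bytes.fromhex(digits)

def classify(text):
    """Classify one whitelist entry by the flag bits of its first octet."""
    mac = parse_mac(text)
    if mac is None:
        return {"entry": text, "status": "invalid", "oui": None, "normalized": None}
    if mac[0] & 0x01:          # I/G bit: group (multicast) address
        status = "multicast"
    elif mac[0] & 0x02:        # U/L bit: locally administered, no vendor OUI
        status = "locally-administered"
    else:
        status = "global"
    oui = mac[:3].hex(":").upper() if status == "global" else None
    return {"entry": text, "status": status, "oui": oui,
            "normalized": mac.hex(":").upper()}

def audit(entries):
    """Return the entries a whitelist maintainer should re-check."""
    return [r for r in map(classify, entries) if r["status"] != "global"]

if __name__ == "__main__":
    for result in audit(SAMPLE_ALLOWLIST):
        print(result["entry"], "->", result["status"])
```

An entry flagged `locally-administered` usually means the client reported a per-network random address, so the whitelist entry stops matching if the device rotates it or randomization is turned off.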
Joined: 08 May 2018 Posts: 14221 Location: Texas, USA
Posted: Fri Jun 24, 2022 17:29 Post subject:
From an email discussion about this with the developer:
kernel-panic69 wrote:
I just read your comment and the comments after and it's like talking to a brick wall as we say here. The mechanisms work as advertised, although there may be some misunderstanding of how multiple authentication configurations work or do not work with mixed clients (?). The expectation is to have multiple WPA settings enabled (WPA2 Personal and WPA2 Personal with SHA256) and for it to work with all clients. Without looking deeper, I guess the question for my own sake is, "do we choose the lowest compatible setting or the highest compatible setting since it also provides everything lower than it?" ... meaning, if WPA3 Personal is selected, will WPA2 Personal and WPA2 Personal with SHA256 also be able to connect? Maybe a better explanation would help - I would have to see if the in-firmware help file has been updated, but I do know there are known misconfigurations (TKIP with AES, for example).
BrainSlayer wrote:
that's not the case. you can set up multiple concurrent algorithms, yes. but a lot of clients do not like that. iOS / iPhone for instance.
i tested once wpa3 psk and wpa2 psk. did not work for a lot of devices, where wpa2 works, but wpa3 psk did not.
especially if an end device does not support a crypto algorithm it may not work if it's just involved as an offering in the setup. even if this is absolutely a client device bug, we cannot fix that
Joined: 08 May 2018 Posts: 14221 Location: Texas, USA
Posted: Fri Jun 24, 2022 18:09 Post subject:
I was just giving examples in the email for the sake of getting an answer that I already expected. I have not tested WPA2 Personal and WPA2 Personal with SHA-256 being enabled at the same time. I have a feeling that the latter requires something that is not CCMP-128 (AES) for algorithm. But there is always a possibility that the correct algorithm selected for WPA2 Personal with SHA-256 will also cause problematic clients to balk and refuse to connect.