Decrypt wpa2. Guest access is a means of protecting your home network. Create a strong password to access the router

Wireless connections are nothing out of the ordinary today. However, many users (especially owners of mobile devices) face the question of which security system to use: WEP, WPA or WPA2-PSK. Let's look at what these technologies are. Most attention will be paid to WPA2-PSK, since this protection is the most in demand today.

WPA2-PSK: what is it?

Let's say right away: this is a system for protecting any local connection to a wireless network based on Wi-Fi. It has nothing to do with wired systems based on network cards that use a direct Ethernet connection.

Technologically, WPA2-PSK is the most “advanced” option today. Even somewhat outdated methods that require a username and password, and also involve encryption of confidential data during transmission and reception, look, to put it mildly, like baby talk. Here is why.

Types of protection

So, let's start with the fact that until recently the WEP structure was considered the most secure connection security technology. It used key integrity verification when connecting any device wirelessly and was an IEEE 802.11i standard.

WPA2-PSK WiFi network protection works, in principle, almost the same, but it checks the access key at the 802.1X level. In other words, the system checks all possible options.

However, there is a newer technology called WPA2 Enterprise. Unlike WPA, it requires not only a personal access key, but also a RADIUS server that grants access. Moreover, such an authentication algorithm can operate simultaneously in several modes (for example, Enterprise and PSK, using AES CCMP level encryption).

Basic protection and security protocols

Just like those of the past, modern security methods use the same protocol. This is TKIP (WEP security system based on software update and RC4 algorithm). All this requires entering a temporary key to access the network.

As practical use has shown, such an algorithm alone did not provide particularly secure connections to a wireless network. That's why new technologies were developed: first WPA and then WPA2, complemented by PSK (personal key access) and TKIP (temporary key). In addition, they also included encryption of transmitted and received data, today known as the AES standard.

Outdated technologies

The WPA2-PSK security type is relatively new. Before this, as mentioned above, the WEP system was used in combination with TKIP. TKIP protection is nothing more than a means of increasing the bit depth of the access key. At the moment, it is believed that the basic mode allows you to increase the key from 40 to 128 bits. With all this, you can also change a single WEP key to several different ones, generated and sent automatically by the server itself, which authenticates the user upon login.

In addition, the system itself involves the use of a strict hierarchy of key distribution, as well as a technique that allows you to get rid of the so-called predictability problem. In other words, when, say, the password for a wireless network using WPA2-PSK security is set as a sequence like “123456789”, it is not difficult to guess that key and password generator programs, usually called KeyGen or something like that, can automatically generate the next four characters once the first four are entered. Here, as they say, you don’t need to be a genius to guess the type of sequence used. But this, as is probably already understood, is the simplest example.

As for the user's date of birth in the password, this is not even worth discussing. You can easily be identified using the same registration data on social networks. Numeric passwords of this type are absolutely unreliable. It’s better to use numbers, letters, as well as symbols (even non-printable ones if you specify a combination of “hot” keys) and a space. However, even with this approach, WPA2-PSK can be cracked. Here it is necessary to explain the operating methodology of the system itself.

Typical access algorithm

Now a few more words about the WPA2-PSK system. What is this in terms of practical application? This is a combination of several algorithms, so to speak, in working mode. Let's explain the situation with an example.

Ideally, the sequence of execution of the procedure for protecting the connection and encrypting transmitted or received information comes down to the following:

WPA2-PSK (WPA-PSK) + TKIP + AES.

In this case, the main role is played by the pre-shared key (PSK) with a length of 8 to 63 characters. In what exact sequence the algorithms will be used (whether encryption occurs first, or after transmission, or in the process using random intermediate keys, etc.) is not important.

But even with protection and an encryption system at the AES 256 level (meaning the bit depth of the encryption key), hacking WPA2-PSK for hackers knowledgeable in this matter will be a difficult task, but possible.

Vulnerability

Back in 2008, at the PacSec conference, a technique was presented that allows you to hack a wireless connection and read the transmitted data from the router to the client terminal. All this took about 12-15 minutes. However, it was not possible to hack the reverse transmission (client-router).

The fact is that when the QoS router mode is turned on, you can not only read the transmitted information, but also replace it with fake information. In 2009, Japanese experts presented a technology that could reduce hacking time to one minute. And in 2010, information appeared on the Internet that the easiest way to hack the Hole 196 module present in WPA2 is to use your own private key.


There is no talk of any interference with the generated keys. First, a so-called dictionary attack is used in combination with brute force, and then the wireless connection space is scanned in order to intercept transmitted packets and subsequently record them. It is enough for the user to make a connection: he is immediately deauthenticated, and the transmission of the initial packets (the handshake) is intercepted. After this, you don't even need to be near the main access point. You can easily work offline. However, to perform all these actions you will need special software.

How to hack WPA2-PSK?

For obvious reasons, the complete algorithm for hacking a connection will not be given here, since this can be used as some kind of instruction for action. Let us dwell only on the main points, and then only in general terms.


As a rule, when directly accessing the router, it can be switched to the so-called Airmon-NG mode to monitor traffic (airmon-ng start wlan0 - renaming the wireless adapter). After this, traffic is captured and recorded using the airodump-ng mon0 command (tracking channel data, beacon speed, encryption speed and method, amount of data transferred, etc.).


Next, the command to fix the selected channel is used, after which the Aireplay-NG Deauth command is entered with accompanying values (they are not given for reasons of legality of using such methods).

After this (when the user has already been authorized when connecting), the user can simply be disconnected from the network. In this case, when you log in again from the hacking side, the system will repeat the login authorization, after which it will be possible to intercept all access passwords. Next, a window with a “handshake” will appear. Then you can launch a special file called WPACrack, which will allow you to crack any password. Naturally, no one will tell anyone exactly how it is launched. Let us only note that if you have certain knowledge, the entire process takes from several minutes to several days. For example, an Intel-level processor operating at a standard clock frequency of 2.8 GHz is capable of processing no more than 500 passwords per second, or 1.8 million per hour. In general, as is already clear, you should not delude yourself.
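The forced disconnection described above is visible to anyone monitoring the air, so here is a defender-side detector as an added example (not code from the original article). It parses bare 802.11 management frames and flags a burst of deauthentication or disassociation frames against one BSSID; the capture format (timestamp plus a frame without a radiotap header), the 10-second window, the threshold of 5 and all MAC addresses are assumptions constructed for the illustration.

```python
import struct
from collections import defaultdict, deque

# Management-frame subtypes of interest (frame type 0 = management).
SUBTYPES = {10: "disassociation", 12: "deauthentication"}


def mac_to_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_disconnect(frame):
    """Parse a bare 802.11 frame; return a dict for deauth/disassoc, else None."""
    if len(frame) < 26:  # 24-byte management header + 2-byte reason code
        return None
    fc = frame[0]
    version, ftype, subtype = fc & 0x03, (fc >> 2) & 0x03, (fc >> 4) & 0x0F
    if version != 0 or ftype != 0 or subtype not in SUBTYPES:
        return None
    (reason,) = struct.unpack_from("<H", frame, 24)
    return {
        "kind": SUBTYPES[subtype],
        "dst": mac_to_str(frame[4:10]),     # address 1: receiver
        "src": mac_to_str(frame[10:16]),    # address 2: claimed sender
        "bssid": mac_to_str(frame[16:22]),  # address 3: network
        "reason": reason,
    }


def detect_bursts(capture, window=10.0, threshold=5):
    """Return {bssid: peak count} for every BSSID that saw at least
    `threshold` disconnect frames within any `window`-second span.
    `capture` is an iterable of (timestamp_seconds, frame_bytes)."""
    recent = defaultdict(deque)
    peaks = {}
    for ts, frame in sorted(capture, key=lambda item: item[0]):
        info = parse_disconnect(frame)
        if info is None:
            continue
        times = recent[info["bssid"]]
        times.append(ts)
        while ts - times[0] > window:  # drop events older than the window
            times.popleft()
        if len(times) >= threshold:
            peaks[info["bssid"]] = max(peaks.get(info["bssid"], 0), len(times))
    return peaks


def build_frame(subtype, dst, src, bssid, body=b""):
    """Build a bare management frame; used only to construct the sample."""
    def to_raw(mac):
        return bytes.fromhex(mac.replace(":", ""))
    header = bytes([subtype << 4, 0]) + b"\x00\x00"  # frame control, duration
    header += to_raw(dst) + to_raw(src) + to_raw(bssid) + b"\x00\x00"
    return header + body


def reason(code):
    return struct.pack("<H", code)


# Constructed sample capture (locally administered MAC addresses).
AP = "02:00:00:00:00:01"
OTHER_AP = "02:00:00:00:00:02"
CLIENT = "02:00:00:00:00:aa"
BROADCAST = "ff:ff:ff:ff:ff:ff"

SAMPLE_CAPTURE = (
    # Beacons (subtype 8): normal background traffic, must be ignored.
    [(0.1 * i, build_frame(8, BROADCAST, AP, AP, b"\x00" * 12)) for i in range(20)]
    # One ordinary deauthentication: a client leaving the network.
    + [(1.0, build_frame(12, AP, CLIENT, AP, reason(3)))]
    # Burst of broadcast deauthentications claiming to come from the AP.
    + [(30.0 + 0.2 * i, build_frame(12, BROADCAST, AP, AP, reason(7)))
       for i in range(8)]
    # Two isolated disconnects on another network: below the threshold.
    + [(5.0, build_frame(12, CLIENT, OTHER_AP, OTHER_AP, reason(3))),
       (50.0, build_frame(10, CLIENT, OTHER_AP, OTHER_AP, reason(8)))]
)

if __name__ == "__main__":
    for bssid, count in detect_bursts(SAMPLE_CAPTURE).items():
        print(f"possible deauthentication flood on {bssid}: {count} frames in 10 s")
```
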

Instead of an afterword

That's it for WPA2-PSK. What it is, perhaps, will not be clear from the first reading. Nevertheless, I think any user will understand the basics of data protection and the encryption systems used. Moreover, today almost all owners of mobile gadgets face this. Have you ever noticed that when creating a new connection on the same smartphone, the system suggests using a certain type of security (WPA2-PSK)? Many simply do not pay attention to this, but in vain. In advanced settings, you can use a fairly large number of additional parameters to improve the security system.

Today, many people have a Wi-Fi router at home. After all, it is much easier to connect a laptop, a tablet, and a smartphone to the Internet wirelessly, and every family has more of these than it has people. And it (the router) is essentially the gateway to the information universe. Read: the front door. And it depends on this door whether an uninvited guest will come to you without your permission. Therefore, it is very important to pay attention to the correct configuration of the router so that your wireless network is not vulnerable.

I don’t think I need to remind you that hiding the access point’s SSID does not protect you. Restricting access by MAC address is not effective. Therefore, rely only on modern encryption methods and a complex password.

Why encrypt? Who needs me? I have nothing to hide

It’s not so scary if they steal the PIN code from your credit card and withdraw all the money from it. Moreover, if someone surfs the Internet at your expense, knowing the Wi-Fi password. And it’s not so scary if they publish your photos from corporate parties where you look unsightly. It’s much more offensive when attackers get into your computer and delete photos of how you picked up your son from the maternity hospital, how he took his first steps and went to first grade. Backups are a separate topic, of course they need to be done... But over time, your reputation can be restored, you can earn money, but the photographs that are dear to you are no longer there. I think everyone has something that they don't want to lose.
Your router is a border device between private and public, so make sure it is fully protected. Moreover, it is not so difficult.

Encryption technologies and algorithms

I'm leaving out the theory. It doesn’t matter how it works, the main thing is to know how to use it.
Wireless security technologies developed in the following chronological order: WEP, WPA, WPA2. Encryption methods RC4, TKIP, AES have also evolved.
The best in terms of security today is the WPA2-AES combination. This is exactly how you should try to configure Wi-Fi. It should look something like this:

WPA2 has been mandatory since March 16, 2006. But sometimes you can still find equipment that does not support it. In particular, if you have Windows XP installed on your computer without Service Pack 3, then WPA2 will not work. Therefore, for reasons of compatibility, on routers you can find configuration options such as WPA2-PSK -> AES+TKIP and a whole menagerie of others.
But if your fleet of devices is modern, then it is better to use WPA2 (WPA2-PSK) -> AES, as the most secure option today.

What is the difference between WPA(WPA2) and WPA-PSK(WPA2-PSK)

The WPA standard provides the Extensible Authentication Protocol (EAP) as the basis for the user authentication mechanism. An indispensable condition for authentication is the presentation by the user of a certificate (otherwise called a credential) confirming his right to access the network. To obtain this right, the user is verified against a special database of registered users. Without authentication, the user will be prohibited from using the network. The registered user base and verification system in large networks are usually located on a special server (most often RADIUS).
Simplified Pre-Shared Key mode (WPA-PSK, WPA2-PSK) allows you to use one password, which is stored directly in the router. On the one hand, everything is simplified, there is no need to create and maintain a user base, on the other hand, everyone logs in with the same password.
At home, it is more advisable to use WPA2-PSK, that is, the simplified mode of the WPA standard. Wi-Fi security does not suffer from this simplification.

Wi-Fi access (encryption) password

Everything is simple here. The password for your wireless access point (router) must be more than 8 characters and contain letters in different case, numbers, and punctuation marks. And it should not be associated with you in any way. This means that dates of birth, your names, car numbers, phone numbers, etc. cannot be used as a password.
Since it is practically impossible to break WPA2-AES head-on (there were only a couple of cases simulated in laboratory conditions), the main methods of cracking WPA2 are a dictionary attack and brute force (sequential search of all password options). Therefore, the more complex the password, the less chance attackers have.

... in the USSR, automatic storage lockers became widespread at railway stations. The lock code was one letter and three numbers. However, few people know that the first version of storage lockers used 4 digits as a code combination. What difference would it seem to make? After all, the number of code combinations is the same - 10,000 (ten thousand). But as practice has shown (especially that of the Moscow Criminal Investigation Department), when a person was asked to use a combination of 4 digits as a password to a storage locker cell, a lot of people used their year of birth (so as not to forget). This is what the attackers exploited quite successfully. After all, the first two digits in the date of birth of the absolute majority of the country's population were known - 19. All that remains is to determine by eye the approximate age of the person checking in luggage, and any of us can do this with an accuracy of +/- 3 years, so what remains for us (more precisely, for the attackers) is fewer than 10 combinations for guessing the access code to an automatic storage locker...

Most popular passwords

Human laziness and irresponsibility take their toll. Here is a list of the most popular passwords:

  1. 123456
  2. qwerty
  3. 111111
  4. 123123
  5. 1a2b3c
  6. Date of Birth
  7. Cell phone number

Security rules when creating a password

  1. To each his own. That is, the router password should not match any other password you have. From mail, for example. Make it a rule that all accounts have their own passwords and they are all different.
  2. Use strong passwords that cannot be guessed. For example: 2Rk7-kw8Q11vlOp0

The Wi-Fi password has one huge advantage. You don't need to remember it. You can write it on a piece of paper and stick it to the bottom of the router.
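The password rules from the sections above can be checked mechanically. The following auditor is an added example, not part of the original article: it applies the 8 to 63 character limit, the popular-password list, and the warnings about numeric, sequential and birth-year passwords, and estimates worst-case exhaustive search time at the article's figure of 500 passwords per second. The finding names, the symbol-class size of 33 (printable ASCII punctuation plus space) and the year pattern are assumptions made for the illustration.

```python
import re
import string

POPULAR = {"123456", "qwerty", "111111", "123123", "1a2b3c"}  # from the article
GUESSES_PER_SECOND = 500   # the article's figure for one 2.8 GHz CPU
MIN_LEN, MAX_LEN = 8, 63   # WPA2-PSK passphrase length limits
CLASS_SIZES = {"lowercase": 26, "uppercase": 26, "digits": 10, "symbols": 33}


def character_classes(passphrase):
    """Return the set of character classes that occur in the passphrase."""
    classes = set()
    for ch in passphrase:
        if ch in string.ascii_lowercase:
            classes.add("lowercase")
        elif ch in string.ascii_uppercase:
            classes.add("uppercase")
        elif ch in string.digits:
            classes.add("digits")
        else:
            classes.add("symbols")
    return classes


def is_run(passphrase):
    """True for strings such as 123456789, 987654, abcdef or 111111."""
    steps = {ord(b) - ord(a) for a, b in zip(passphrase, passphrase[1:])}
    return len(steps) == 1 and steps <= {-1, 0, 1}


def is_repeated_block(passphrase):
    """True when the string is one shorter block repeated, e.g. 123123."""
    return (len(passphrase) > 1
            and (passphrase * 2).find(passphrase, 1) < len(passphrase))


def seconds_to_exhaust(passphrase):
    """Worst-case time to try every string of this length over the character
    classes actually used. Passwords with findings fall much sooner, because
    dictionaries try popular and patterned values first."""
    alphabet = sum(CLASS_SIZES[c] for c in character_classes(passphrase))
    return alphabet ** len(passphrase) / GUESSES_PER_SECOND


def audit(passphrase):
    """Return {finding: explanation}; an empty dict means no rule was broken."""
    findings = {}
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        findings["length"] = f"must be {MIN_LEN} to {MAX_LEN} characters"
    if passphrase.lower() in POPULAR:
        findings["popular"] = "on the list of most popular passwords"
    if passphrase.isdigit():
        findings["digits-only"] = "purely numeric passwords are unreliable"
    if is_run(passphrase) or is_repeated_block(passphrase):
        findings["pattern"] = "predictable sequence or repeated block"
    if re.search(r"(19|20)\d\d", passphrase):
        findings["year"] = "contains what looks like a year (date of birth?)"
    missing = set(CLASS_SIZES) - character_classes(passphrase)
    if missing:
        findings["classes"] = "missing " + ", ".join(sorted(missing))
    return findings


if __name__ == "__main__":
    # Constructed test inputs; the last one is the article's own example.
    for candidate in ["12345678", "qwerty", "Ivanov1985", "2Rk7-kw8Q11vlOp0"]:
        days = seconds_to_exhaust(candidate) / 86400
        print(f"{candidate!r}: {audit(candidate) or 'no findings'}; "
              f"exhaustive search <= {days:.3g} days at {GUESSES_PER_SECOND}/s")
```
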

Guest Wi-Fi zone

If your router allows you to organize a guest area, then be sure to do it, naturally protecting it with WPA2 and a strong password. Then, when friends come to your home and ask for Internet access, you don’t have to tell them your main password. Moreover, the guest zone in routers is isolated from the main network, so any problems with your guests' devices will not affect your home network.

What could be more important in our time than protecting your home Wi-Fi network :) This is a very popular topic, on which more than one article has already been written on this site alone. I decided to collect all the necessary information on this topic on one page. Now we will look in detail at the issue of protecting a Wi-Fi network. I’ll tell you and show you how to protect Wi-Fi with a password, how to do it correctly on routers from different manufacturers, which encryption method to choose, how to choose a password, and what you need to know if you are planning to change your wireless network password.

In this article we will talk exactly about protecting your home wireless network. And about password protection only. If we consider the security of some large networks in offices, then it is better to approach security there a little differently (at least a different authentication mode). If you think that one password is not enough to protect your Wi-Fi network, then I would advise you not to bother. Set a good, complex password using these instructions and don't worry. It is unlikely that anyone will spend time and effort to hack your network. Yes, you can, for example, hide the network name (SSID) and set filtering by MAC addresses, but these are unnecessary hassles that in reality will only cause inconvenience when connecting and using a wireless network.

If you are thinking about protecting your Wi-Fi, or leaving the network open, then there can only be one solution - protect it. Yes, the Internet is unlimited, and almost everyone at home has their own router, but eventually someone will connect to your network. Why do we need this, because extra clients are an extra load on the router. And if it’s not expensive, then it simply won’t withstand this load. Also, if someone connects to your network, they will be able to access your files (if local network is configured), and access to your router settings.

Be sure to protect your Wi-Fi network with a good password with the correct (modern) encryption method. I recommend installing protection immediately when setting up the router. Also, it would be a good idea to change your password from time to time.

If you are worried that someone will hack your network, or has already done so, then simply change your password and live in peace. By the way, since you will be logging into the control panel of your router anyway, I would also recommend changing the password that is used to enter the router settings.

Proper protection of your home Wi-Fi network: which encryption method to choose?

During the password setting process, you will need to select a Wi-Fi network encryption method (authentication method). I recommend installing only WPA2 - Personal, with encryption algorithm AES. For a home network, this is the best solution, at the moment the newest and most reliable. This is the kind of protection that router manufacturers recommend installing.

The only condition is that you do not have old devices that you want to connect to Wi-Fi. If, after setting up, some of your old devices refuse to connect to the wireless network, you can set the WPA protocol (with the TKIP encryption algorithm). I do not recommend setting the WEP protocol, as it is already outdated, not secure and can be easily hacked. Besides, there may be problems connecting new devices.

The combination of the WPA2 - Personal protocol with AES encryption is the best option for a home network. The key itself (password) must be at least 8 characters. The password must consist of English letters, numbers and symbols. The password is case sensitive. That is, “111AA111” and “111aa111” are different passwords.

I don’t know what router you have, so I’ll prepare short instructions for the most popular manufacturers.

If after changing or setting a password you have problems connecting devices to the wireless network, then see the recommendations at the end of this article.

I advise you to immediately write down the password that you will set. If you forget it, you will have to install a new one, or.

Protecting Wi-Fi with a password on Tp-Link routers

Connect to the router (via cable or Wi-Fi), launch any browser and open the address 192.168.1.1, or 192.168.0.1 (the address for your router, as well as the standard username and password, are indicated on the sticker at the bottom of the device itself). Provide your username and password. By default, these are admin and admin.

In the settings, go to the tab Wireless (Wireless mode) - Wireless Security (Wireless Security). Check the box next to the protection method WPA/WPA2 - Personal (Recommended). In the drop-down menu Version (version) select WPA2-PSK. In the menu Encryption (encryption) set AES. In the field Wireless Password (PSK Password) enter a password to protect your network.

Setting a password on Asus routers

In the settings we need to open the tab Wireless network, and make the following settings:

  • In the "Authentication Method" drop-down menu, select WPA2 - Personal.
  • "WPA encryption" - install AES.
  • In the "WPA Pre-Shared Key" field, write down the password for our network.

To save the settings, click the button Apply.


Connect your devices to the network with a new password.

Protecting your D-Link router's wireless network

Go to the settings of your D-Link router at 192.168.0.1. You can see detailed instructions. In settings, open the tab WiFi - Security Settings. Set the security type and password as in the screenshot below.


Setting a password on other routers

We also have it for ZyXEL and Tenda routers. See the links:

If you haven’t found instructions for your router, then you can set up Wi-Fi network protection in the control panel of your router, in the settings section called: security settings, wireless network, Wi-Fi, Wireless, etc. I think finding it won't be difficult. And I think you already know what settings to set: WPA2 - Personal and AES encryption. And the key, of course.

If you can't figure it out, ask in the comments.

What to do if devices do not connect after installation or password change?

Very often, after installation, and especially after changing the password, devices that were previously connected to your network do not want to connect to it. On computers, these are usually errors “The network settings saved on this computer do not meet the requirements of this network” and “Windows could not connect to...”. On tablets and smartphones (Android, iOS), errors such as “Could not connect to the network”, “Connected, protected”, etc. may also appear.

These problems can be solved by simply deleting the wireless network and reconnecting with a new password. I wrote how to delete a network in Windows 7. If you have Windows 10, then you need to “forget the network”. On mobile devices, press and hold your network and select "Delete".

If connection problems occur on older devices, then set the WPA security protocol and TKIP encryption in the router settings.

Password and MAC address filtering should protect you from hacking. In fact, safety largely depends on your caution. Inappropriate security methods, uncomplicated passwords, and a careless attitude toward strangers on your home network provide attackers with additional attack opportunities. In this article, you will learn how to crack a WEP password, why you should abandon filters, and how to secure your wireless network from all sides.

Protection from uninvited guests

Your network is not secure, therefore, sooner or later, an outsider will connect to your wireless network - perhaps not even on purpose, since smartphones and tablets can automatically connect to unsecured networks. If he just opens several sites, then, most likely, nothing bad will happen except for the consumption of traffic. The situation will become more complicated if a guest starts downloading illegal content through your Internet connection.

If you have not yet taken any security measures, then go to the router interface through a browser and change your network access data. The router address usually looks like: http://192.168.1.1. If this is not the case, then you will be able to find out the IP address of your network device through the command line. In the Windows 7 operating system, click on the “Start” button and enter the “cmd” command in the search bar. Call up the network settings with the “ipconfig” command and find the “Default gateway” line. The specified IP is the address of your router, which must be entered in the address bar of the browser. The location of your router's security settings varies by manufacturer. As a rule, they are located in a section with the title “WLAN | Safety".

If your wireless network uses an unsecured connection, you should be especially careful with content that is located in shared folders, since if it is not protected, it will be available to other users. At the same time, in the Windows XP Home operating system, the situation with shared access is simply catastrophic: by default, passwords cannot be set here at all - this function is present only in the professional version. Instead, all network requests are made through an unsecured guest account. You can secure your network in Windows XP using a small manipulation: launch the command line, enter “net user guest YourNewPassword” and confirm the operation by pressing the “Enter” key. After restarting Windows, you will be able to access network resources only if you have a password; however, finer tuning in this version of the OS, unfortunately, is not possible. Managing sharing settings is much more convenient in Windows 7. Here, to limit the number of users, just go to the “Network and Sharing Center” in the Control Panel and create a password-protected home group.

The lack of proper protection in a wireless network is a source of other dangers, since hackers can use special programs (sniffers) to identify all unprotected connections. This way, it will be easy for hackers to intercept your identification data from various services.

Hackers

As before, the two most popular security methods today are MAC address filtering and hiding the SSID (network name): these security measures will not keep you safe. In order to identify the network name, an attacker only needs a WLAN adapter, which switches to monitoring mode using a modified driver, and a sniffer - for example, Kismet. The attacker monitors the network until a user (client) connects to it. It then manipulates the data packets and thereby kicks the client off the network. When the user reconnects, the attacker sees the network name. It seems complicated, but in fact the whole process only takes a few minutes. Bypassing the MAC filter is also easy: the attacker determines the MAC address and assigns it to his device. Thus, the connection of an outsider remains unnoticed by the network owner.

If your device only supports WEP encryption, take immediate action - such a password can be cracked even by non-professionals in a few minutes.

Particularly popular among cyber fraudsters is the Aircrack-ng software package, which, in addition to the sniffer, includes an application for downloading and modifying WLAN adapter drivers, and also allows you to recover the WEP key. Well-known hacking methods are PTW and FMS/KoreK attacks, in which traffic is intercepted and a WEP key is calculated based on its analysis. In this situation, you have only two options: first, you should look for the latest firmware for your device, which will support the latest encryption methods. If the manufacturer does not provide updates, it is better to refuse to use such a device, because in doing so you are jeopardizing the security of your home network.

The popular advice to reduce Wi-Fi range only gives the appearance of protection. Neighbors will still be able to connect to your network, but attackers often use Wi-Fi adapters with a longer range.

Public hotspots

Places with free Wi-Fi attract cyber fraudsters because huge amounts of information pass through them, and anyone can use hacking tools. Public hotspots can be found in cafes, hotels and other public places. But other users of the same networks can intercept your data and, for example, take control of your accounts on various web services.

Cookie Protection. Some attack methods are truly so simple that anyone can use them. The Firesheep extension for the Firefox browser automatically reads and lists the accounts of other users, including Amazon, Google, Facebook and Twitter. If a hacker clicks on one of the entries in the list, he will immediately have full access to the account and can change the user's data at his discretion. Firesheep does not crack passwords, but only copies active, unencrypted cookies. To protect yourself from such interceptions, you should use the special HTTPS Everywhere add-on for Firefox. This extension forces online services to always use an encrypted connection via HTTPS if supported by the service provider's server.

Android protection. In the recent past, widespread attention has been drawn to a flaw in the Android operating system, due to which scammers could gain access to your accounts in services such as Picasa and Google Calendar, as well as read your contacts. Google fixed this vulnerability in Android 2.3.4, but most devices previously purchased by users have older versions of the system installed. To protect them, you can use the SyncGuard application.

WPA 2

The best protection is provided by WPA2 technology, which has been used by computer equipment manufacturers since 2004. Most devices support this type of encryption. But, like other technologies, WPA2 also has its weak point: using a dictionary attack or the bruteforce method, hackers can crack passwords - however, only if they are unreliable. Dictionaries simply go through the keys stored in their databases - as a rule, all possible combinations of numbers and names. Passwords like “1234” or “Ivanov” are guessed so quickly that the hacker’s computer doesn’t even have time to warm up.

The bruteforce method does not involve using a ready-made database, but, on the contrary, selecting a password by listing all possible combinations of characters. In this way, an attacker can calculate any key - the only question is how long it will take him. NASA, in its security guidelines, recommends a password of at least eight characters, and preferably sixteen. First of all, it is important that it consists of lowercase and uppercase letters, numbers and special characters. It would take a hacker decades to crack such a password.

Your network is not yet fully protected, since all users within it have access to your router and can make changes to its settings. Some devices provide additional security features that you should also take advantage of.

First of all, disable the ability to manipulate the router via Wi-Fi. Unfortunately, this feature is only available on certain devices, such as Linksys routers. All modern router models also have the ability to set a password for the management interface, which allows you to restrict access to settings.

Like any program, the router firmware is imperfect - small flaws or critical holes in the security system are not excluded. Usually information about this instantly spreads across the Internet. Check regularly for new firmware for your router (some models even have an automatic update feature). Another advantage of flashing firmware is that it can add new functions to the device.

Periodic analysis of network traffic helps to recognize the presence of uninvited guests. In the router management interface you can find information about which devices connected to your network and when. It is more difficult to find out how much data a particular user has downloaded.

Guest access - a means of protecting your home network

If you protect your router with a strong password using WPA2 encryption, you will no longer be in any danger. But only until you share your password with other users. Friends and acquaintances who, with their smartphones, tablets or laptops, want to access the Internet through your connection are a risk factor. For example, the possibility that their devices are infected with malware cannot be ruled out. However, you won't have to refuse your friends because of this, since top-end router models, such as the Belkin N or Netgear WNDR3700, provide guest access specifically for such cases. The advantage of this mode is that the router creates a separate network with its own password, and the home one is not used.

Security Key Reliability

WEP (WIRED EQUIVALENT PRIVACY). Uses a pseudo-random number generator (RC4 algorithm) to obtain the key, as well as initialization vectors. Since the latter component is not encrypted, it is possible for third parties to intervene and recreate the WEP key.

WPA (WI-FI PROTECTED ACCESS). Based on the WEP mechanism, but offers a dynamic key for extended security. Keys generated using the TKIP algorithm can be cracked using the Beck-Tews or Ohigashi-Morii attack. To do this, individual packets are decrypted, manipulated, and sent back to the network.

WPA2 (WI-FI PROTECTED ACCESS 2). Uses the reliable AES (Advanced Encryption Standard) algorithm for encryption. Along with TKIP, the CCMP protocol (Counter-Mode/CBC-MAC Protocol) has been added, which is also based on the AES algorithm. Until now, a network protected by this technology could not be hacked. The only option for hackers is a dictionary attack or the “brute force method”, in which candidate keys are tried one after another, but a complex password cannot be guessed this way.

Let's briefly explain what WEP, WPA and WPA2 are and what the difference is between them.

WEP

Explanation: Wired Equivalent Privacy. Translated as Security equivalent to a wired connection. Apparently, the inventors overestimated the reliability of this type of protection when they gave it its name.

WEP is a legacy wireless security mode. Provides a low level of protection. In Windows security mode, WEP is often called Open, i.e. open type.

WPA

Explanation: Wi-Fi Protected Access (protected Wi-Fi access)

It is divided into two subtypes:

  • WPA-Personal (-Personal Key or -PSK)
  • WPA-Enterprise.

WPA-PSK

This option is suitable for home use. To authorize on the network, you only need a security key.

WPA-Enterprise

This is a more advanced option for corporate networks that provides a higher level of security. A RADIUS server is required for authorization.

WPA2

WPA2 is a more modern and improved version of WPA security. Likewise, it can work in both modes: PSK and Enterprise. It differs in that it supports the AES CCMP encryption type.

What's better? WEP, WPA or WPA2?

On modern equipment, the best option in most cases is WPA2-PSK with the AES encryption type.

What if I don't know what type of security the wifi network uses?

If you don't know what encryption is used on your access point (router), disconnect from the network and. Then connect again. You only have to enter the security key. In this case, the security mode will be selected automatically.

Today cannot be called something out of the ordinary. However, many users (especially owners of mobile devices) are faced with the problem of which security system to use: WEP, WPA or WPA2-PSK. We’ll see what kind of technologies these are now. However, the greatest attention will be paid to WPA2-PSK, since it is this protection that is most in demand today.

WPA2-PSK: what is it?

Let's say right away: this is a system for protecting any local connection to a wireless network based on WI-Fi. This has nothing to do with wired systems based on network cards that use a direct connection using Ethernet.

With the use of technology, WPA2-PSK is the most “advanced” today. Even somewhat outdated methods that require a username and password, and also involve encryption of confidential data during transmission and reception, look, to put it mildly, like baby talk. And that's why.

Types of protection

So, let's start with the fact that until recently the WEP structure was considered the most secure connection security technology. It used key integrity verification when connecting any device wirelessly and was an IEEE 802.11i standard.

WPA2-PSK WiFi network protection works, in principle, almost the same, but it checks the access key at the 802.1X level. In other words, the system checks all possible options.

However, there is a newer technology called WPA2 Enterprise. Unlike WPA, it requires not only a personal access key, but also the presence of a Radius server providing access. Moreover, such an authentication algorithm can operate simultaneously in several modes (for example, Enterprise and PSK, using AES CCMP level encryption).

Basic protection and security protocols

Just like those of the past, modern security methods use the same protocol. This is TKIP (WEP security system based on software update and RC4 algorithm). All this requires entering a temporary key to access the network.

As practical use has shown, such an algorithm alone did not provide particularly secure connections to a wireless network. That's why new technologies were developed: first WPA and then WPA2, complemented by PSK (personal key access) and TKIP (temporary key). In addition, it also included encryption of transmitted and received data, today known as the AES standard.

Outdated technologies

The WPA2-PSK security type is relatively new. Before this, as mentioned above, the WEP system was used in combination with TKIP. TKIP protection is nothing more than a means of increasing the bit depth of the access key. At the moment, it is believed that the basic mode allows you to increase the key from 40 to 128 bits. With all this, you can also change a single WEP key to several different ones, generated and sent automatically by the server itself, which authenticates the user upon login.

In addition, the system itself involves the use of a strict hierarchy of key distribution, as well as a technique that allows you to get rid of the so-called predictability problem. In other words, when, say, the password for a wireless network using WPA2-PSK security is set as a sequence like “123456789”, it is not difficult to guess: key and password generator programs, usually called KeyGen or something like that, can automatically generate the next four characters once the first four are entered. Here, as they say, you don't need to be a genius to guess the type of sequence used. But this, as is probably already understood, is the simplest example.

As for using the user's date of birth in the password, that is not even worth discussing. It is easily found from the same registration data on social networks. Purely numeric passwords of this type are absolutely unreliable. It's better to use numbers, letters, as well as symbols (even non-printable ones if you specify a combination of “hot” keys) and a space. However, even with this approach, WPA2-PSK can be cracked. Here it is necessary to explain the operating methodology of the system itself.

Typical access algorithm

Now a few more words about the WPA2-PSK system. What is this in terms of practical application? This is a combination of several algorithms, so to speak, in working mode. Let's explain the situation with an example.

Ideally, the sequence of execution of the procedure for protecting the connection and encrypting transmitted or received information comes down to the following:

WPA2-PSK (WPA-PSK) + TKIP + AES.

In this case, the main role is played by the pre-shared key (PSK) with a length of 8 to 63 characters. In what exact sequence the algorithms will be used (whether encryption occurs first, or after transmission, or in the process using random intermediate keys, etc.) is not important.

But even with protection and an encryption system at the AES 256 level (meaning the bit depth of the encryption key), hacking WPA2-PSK for hackers knowledgeable in this matter will be a difficult task, but possible.

Vulnerability

Back in 2008, at the PacSec conference, a technique was presented that allows you to hack a wireless connection and read the transmitted data from the router to the client terminal. All this took about 12-15 minutes. However, it was not possible to hack the reverse transmission (client-router).

The fact is that when the QoS router mode is turned on, you can not only read the transmitted information, but also replace it with fake information. In 2009, Japanese experts presented a technology that could reduce hacking time to one minute. And in 2010, information appeared on the Internet that the easiest way to hack the Hole 196 module present in WPA2 is to use your own private key.

There is no talk of any interference with the generated keys. First, a so-called dictionary attack is used in combination with brute force, and then the wireless connection space is scanned in order to intercept transmitted packets and subsequently record them. It is enough for the user to make a connection, and he is immediately deauthorized and the transmission of initial packets is intercepted (handshake). After this, you don't even need to be near the main access point. You can easily work offline. However, to perform all these actions you will need special software.

How to hack WPA2-PSK?

For obvious reasons, the complete algorithm for hacking a connection will not be given here, since this can be used as some kind of instruction for action. Let us dwell only on the main points, and then only in general terms.

As a rule, when directly accessing the router, it can be switched to the so-called Airmon-NG mode to monitor traffic (airmon-ng start wlan0 - renaming the wireless adapter). After this, traffic is captured and recorded using the airdump-ng mon0 command (tracking channel data, beacon speed, encryption speed and method, amount of data transferred, etc.).

Next, the command to fix the selected channel is used, after which the Aireplay-NG Deauth command is entered with accompanying values (they are not given for reasons of legality of using such methods).

After this (when the user has already been authorized when connecting), the user can simply be disconnected from the network. In this case, when you log in again from the hacking side, the system will repeat the login authorization, after which it will be possible to intercept all access passwords. Next, a window with a “handshake” will appear. Then you can launch a special file called WPACrack, which will allow you to crack any password. Naturally, no one will tell anyone exactly how it is launched. Let us only note that if you have certain knowledge, the entire process takes from several minutes to several days. For example, an Intel-level processor operating at a standard clock frequency of 2.8 GHz is capable of processing no more than 500 passwords per second, or 1.8 million per hour. In general, as is already clear, you should not delude yourself.

Instead of an afterword

That's it for WPA2-PSK. What it is, perhaps, will not be clear from the first reading. Nevertheless, I think any user will understand the basics of data protection and the encryption systems used. Moreover, today almost all owners of mobile gadgets face this problem. Have you ever noticed that when creating a new connection on the same smartphone, the system suggests using a certain type of security (WPA2-PSK)? Many simply do not pay attention to this, but in vain. In advanced settings, you can use a fairly large number of additional parameters to improve the security system.

Judging by the fact that you came across this article on the Internet, you know about the security problems of Wi-Fi networks and the need for its proper configuration. But it’s unlikely that an untrained person will be able to figure it out and set it up correctly right away. And many users generally think that everything on the router “out of the box” is already configured with the maximum level of security. In most cases, this is a mistaken opinion. Therefore, now I will give the basic rules for setting up the security of WiFi networks using the example of a TP-Link router.

1. Be sure to enable network encryption.
Never leave your network open. If your home WiFi is not encrypted, this is not correct. Anyone can connect to you and use your Internet access for their own purposes.

2. If possible, use only WPA2-PSK encryption type

If your router settings use WEP encryption, be sure to change it to WPA2, because WEP (Wired Equivalent Privacy) is outdated and has serious vulnerabilities. And WPA2 is the strongest in use right now. WPA should only be used if you have devices that cannot work with WPA2.

3. Disable WPS.

If you do not use the WPS function, be sure to disable it. In some router models, this is a serious vulnerability due to the standard configuration. As practice shows, in 90% of cases WPS is not used at all.

4. Change the default SSID network name.

Very often, a wireless router model is used as the SSID (Service Set Identifier), which makes it easier for an attacker to hack Wi-Fi. Therefore, you definitely need to change it to any other. The name can be any word in Latin and numbers. Don't use Cyrillic.

5. Change the router's default password.

An example is GPON ONT terminals from ZTE. They all used the same default password, which no one changed when setting up the device. Because of this, many home networks in Moscow and St. Petersburg were hacked. Accordingly, an attacker could gain access to the router settings, Internet channel and home network.

6. Enable the router's firewall.

Almost all routers are equipped with a built-in firewall, which may be disabled by default. Make sure it's turned on. For even greater security, you should make sure that every computer on your network is also running firewall and antivirus software.

7. Enable filtering of MAC addresses of Wi-Fi clients.

Every computer, laptop, or mobile device has a unique identifier on the network called a MAC address. This allows the WiFi router to keep track of all devices connected to it. Many WiFi routers allow administrators to manually enter the MAC addresses of devices that can connect to the network.

This way, only those devices that are in the table will be able to connect to your home network. Others won't be able to do it at all, even if they guess the password.

8. Disable remote administration.
Most routers allow administrators to connect remotely from the Internet to the device's web interface or command line. If you don't need it, disable this feature. The device settings will still be available from the local network.

So, by taking a few minutes to make sure your home WiFi network is set up at the optimal level of security, you can avoid problems and prevent them from happening in the future.
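The device list in the router's management interface and the MAC table from rule 7 can be checked against each other. The Python script below is an added example, not part of the original article or of any router's firmware: the log format, the addresses and the function names are constructed for illustration. It also flags locally administered (randomized) addresses, which many phones present and which a static table will not match consistently.

```python
import re

# Constructed allowlist, as it might be typed into a router's MAC filter table
# (three common notations on purpose).
ALLOWLIST = ["00:00:5E:00:53:01", "00-00-5e-00-53-02", "0000.5e00.5303"]

# Constructed association log; real routers each use their own format.
SAMPLE_LOG = """\
2024-05-01 08:02:11 associated 00:00:5E:00:53:01
2024-05-01 08:05:40 associated 00:00:5e:00:53:02
2024-05-01 21:14:07 associated DA:A1:19:00:4C:7E
2024-05-01 21:20:00 disassociated DA:A1:19:00:4C:7E
2024-05-02 03:33:52 associated 00:00:5E:00:53:AF
2024-05-02 03:40:10 associated 00-00-5e-00-53-af
not a log line
"""

LOG_LINE = re.compile(r"^(\S+ \S+) (associated|disassociated) (\S+)$")


def normalize_mac(raw: str) -> str:
    """Return aa:bb:cc:dd:ee:ff for colon, dash or dotted input."""
    digits = re.sub(r"[:.\-]", "", raw.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """Bit 0x02 of the first octet marks a locally administered address,
    which is what private/randomized client addresses use."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def unknown_clients(log_text: str, allowlist) -> dict:
    """Map each non-allowlisted MAC to first-seen time, join count and type."""
    allowed = {normalize_mac(m) for m in allowlist}
    report = {}
    for line in log_text.splitlines():
        match = LOG_LINE.match(line.strip())
        if not match or match.group(2) != "associated":
            continue
        try:
            mac = normalize_mac(match.group(3))
        except ValueError:
            continue  # malformed address field: skip it, keep auditing
        if mac in allowed:
            continue
        entry = report.setdefault(mac, {
            "first_seen": match.group(1),
            "joins": 0,
            "randomized": is_locally_administered(mac),
        })
        entry["joins"] += 1
    return report


if __name__ == "__main__":
    for mac, info in unknown_clients(SAMPLE_LOG, ALLOWLIST).items():
        kind = "randomized/private" if info["randomized"] else "burned-in"
        print(f"{mac}  first seen {info['first_seen']}  "
              f"joins={info['joins']}  {kind}")
```
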

Recently, many “revealing” publications have appeared about the hacking of some new protocol or technology that compromises the security of wireless networks. Is this really so, what should you be afraid of, and how can you ensure that access to your network is as secure as possible? Do the words WEP, WPA, 802.1x, EAP, PKI mean little to you? This short overview will help bring together all the encryption and radio access authorization technologies used. I will try to show that a properly configured wireless network represents an insurmountable barrier for an attacker (up to a certain limit, of course).

Basics

Any interaction between an access point (network) and a wireless client is based on:
  • Authentication - how the client and the access point introduce themselves to each other and confirm that they have the right to communicate with each other;
  • Encryption - what scrambling algorithm for transmitted data is used, how the encryption key is generated, and when it changes.

The parameters of a wireless network, primarily its name (SSID), are regularly advertised by the access point in broadcast beacon packets. In addition to the expected security settings, requests for QoS, 802.11n parameters, supported speeds, information about other neighbors, etc. are transmitted. Authentication determines how the client presents itself to the point. Possible options:

  • Open - a so-called open network in which all connected devices are authorized immediately
  • Shared - the authenticity of the connected device must be verified with a key/password
  • EAP - the authenticity of the connected device must be verified using the EAP protocol by an external server

The openness of the network does not mean that anyone can work with it with impunity. To transmit data in such a network, the encryption algorithm used must match and, accordingly, the encrypted connection must be correctly established. The encryption algorithms are:

  • None - no encryption, data is transmitted in clear text
  • WEP - cipher based on the RC4 algorithm with different static or dynamic key lengths (64 or 128 bits)
  • CKIP - proprietary replacement for Cisco's WEP, an early version of TKIP
  • TKIP - improved WEP replacement with additional checks and protection
  • AES/CCMP - the most advanced algorithm based on AES256 with additional checks and protection

The combination Open Authentication, No Encryption is widely used in guest access systems such as providing Internet in a cafe or hotel. To connect, you only need to know the name of the wireless network. Often, such a connection is combined with additional verification on a Captive Portal by redirecting the user's HTTP request to an additional page where confirmation can be requested (login and password, agreement with the rules, etc.).

WEP encryption is compromised and cannot be used (even in the case of dynamic keys).

The commonly occurring terms WPA and WPA2 determine, in fact, the encryption algorithm (TKIP or AES). Because client adapters have supported WPA2 (AES) for quite some time, there is no point in using TKIP encryption.

The difference between WPA2 Personal and WPA2 Enterprise is where the encryption keys used in the mechanics of the AES algorithm come from. For private (home, small) applications, a static key (password, code word, PSK (Pre-Shared Key)) with a minimum length of 8 characters is used, which is set in the access point settings and is the same for all clients of a given wireless network. Compromise of such a key (they spilled the beans to a neighbor, an employee was fired, a laptop was stolen) requires an immediate password change for all remaining users, which is only realistic if there are a small number of them. For corporate applications, as the name suggests, a dynamic key is used, individual for each currently running client. This key can be periodically updated during operation without breaking the connection, and an additional component is responsible for its generation: the authorization server, which is almost always a RADIUS server.

All possible security parameters are summarized in this table:

| Property | Static WEP | Dynamic WEP | WPA | WPA 2 (Enterprise) |
|---|---|---|---|---|
| Identification | User, computer, WLAN card | User, computer | User, computer | User, computer |
| Authorization | Shared key | EAP | EAP or shared key | EAP or shared key |
| Integrity | 32-bit Integrity Check Value (ICV) | 32-bit ICV | 64-bit Message Integrity Code (MIC) | CTR/CBC-MAC (Counter mode Cipher Block Chaining Auth Code - CCM), part of AES |
| Encryption | Static key | Session key | Per-packet key via TKIP | CCMP (AES) |
| Key distribution | One-time, manual | Pair-wise Master Key (PMK) segment | Derived from PMK | Derived from PMK |
| Initialization vector | Text, 24 bits | Text, 24 bits | Advanced vector, 65 bit | 48-bit packet number (PN) |
| Algorithm | RC4 | RC4 | RC4 | AES |
| Key length, bits | 64/128 | 64/128 | 128 | up to 256 |
| Required infrastructure | No | RADIUS | RADIUS | RADIUS |

While WPA2 Personal (WPA2 PSK) is clear, an enterprise solution requires further consideration.

WPA2 Enterprise



Here we are dealing with an additional set of different protocols. On the client side, a special software component, the supplicant (usually part of the OS), interacts with the authorization part, the AAA server. This example shows the operation of a unified radio network built on lightweight access points and a controller. In the case of using access points with “brains”, the entire role of an intermediary between clients and server can be taken on by the point itself. In this case, the client supplicant data is transmitted over the radio encapsulated in the 802.1x protocol (EAPOL), and on the controller side it is wrapped in RADIUS packets.

The use of the EAP authorization mechanism in your network leads to the fact that after successful (almost certainly open) client authentication by the access point (together with the controller, if any), the latter asks the client to authorize (confirm its authority) with the infrastructure RADIUS server:

Using WPA2 Enterprise requires a RADIUS server on your network. At the moment, the most efficient products are the following:

  • Microsoft Network Policy Server (NPS), former IAS - configured via MMC, free, but you need to buy Windows
  • Cisco Secure Access Control Server (ACS) 4.2, 5.3 - configured via a web interface, sophisticated in functionality, allows you to create distributed and fault-tolerant systems, expensive
  • FreeRADIUS - free, configured using text configs, not convenient to manage and monitor

In this case, the controller carefully monitors the ongoing exchange of information and waits for successful authorization or refusal of it. If successful, the RADIUS server is able to transfer additional parameters to the access point (for example, which VLAN to place the subscriber in, which IP address to assign, QoS profile, etc.). At the end of the exchange, the RADIUS server allows the client and the access point to generate and exchange encryption keys (individual, valid only for this session):

EAP

The EAP protocol itself is container-based, meaning that the actual authorization mechanism is left to internal protocols. At the moment, the following have received any significant distribution:
  • EAP-FAST (Flexible Authentication via Secure Tunneling) - developed by Cisco; allows authorization using a login and password transmitted within the TLS tunnel between the supplicant and the RADIUS server
  • EAP-TLS (Transport Layer Security) - uses a public key infrastructure (PKI) to authorize the client and server (supplicant and RADIUS server) through certificates issued by a trusted certification authority (CA). Requires issuing and installing client certificates on each wireless device, so it is only suitable for a managed corporate environment. The Windows Certificate Server has facilities that allow the client to generate its own certificate if the client is a member of a domain. Blocking a client can easily be done by revoking its certificate (or through accounts).
  • EAP-TTLS (Tunneled Transport Layer Security) - similar to EAP-TLS, but does not require a client certificate when creating a tunnel. In such a tunnel, similar to a browser SSL connection, additional authorization is performed (using a password or something else).
  • PEAP-MSCHAPv2 (Protected EAP) - similar to EAP-TTLS in terms of the initial establishment of an encrypted TLS tunnel between the client and server, requiring a server certificate. Subsequently, such a tunnel is authorized using the well-known MSCHAPv2 protocol.
  • PEAP-GTC (Generic Token Card) - similar to the previous one, but requires one-time password cards (and the corresponding infrastructure)

All of these methods (except EAP-FAST) require a server certificate (on the RADIUS server) issued by a certification authority (CA). In this case, the CA certificate itself must be present on the client’s device in the trusted group (which is easy to implement using Group Policy in Windows). Additionally, EAP-TLS requires an individual client certificate. The client's authenticity is verified both by a digital signature and (optionally) by comparing the certificate provided by the client to the RADIUS server with what the server retrieved from the PKI infrastructure (Active Directory).

Support for any of the EAP methods must be provided by a client-side supplicant. The standard built-in Windows XP/Vista/7, iOS, Android provides at least EAP-TLS, and EAP-MSCHAPv2, which makes these methods popular. Intel client adapters for Windows come with the ProSet utility, which expands the available list. Cisco AnyConnect Client does the same.

How reliable is it?

After all, what does it take for an attacker to hack your network?

For Open Authentication, No Encryption - nothing. Connected to the network, and that's it. Since the radio medium is open, the signal travels in different directions, it is not easy to block it. If you have the appropriate client adapters that allow you to listen to the air, network traffic is visible in the same way as if the attacker had connected to the wire, to the hub, to the SPAN port of the switch.
WEP-based encryption requires only time to collect IVs and one of many freely available scanning utilities.
For encryption based on TKIP or AES, direct decryption is possible in theory, but in practice there have been no cases of hacking.

Of course, you can try to guess the PSK key or password for one of the EAP methods. There are no known common attacks against these methods. You can try to use social engineering methods, or

To protect your Wi-Fi network and set a password, you must select the type of wireless network security and encryption method. And at this stage, many people have a question: which one to choose? WEP, WPA, or WPA2? Personal or Enterprise? AES or TKIP? What security settings will best protect your Wi-Fi network? I will try to answer all these questions within the framework of this article. Let's consider all possible authentication and encryption methods. Let's find out which Wi-Fi network security parameters are best set in the router settings.

Please note that security type, or authentication, network authentication, security, authentication method are all the same thing.

Authentication type and encryption are the main security settings for a wireless Wi-Fi network. I think that first we need to figure out what they are, what versions there are, their capabilities, etc. After which we will find out what type of protection and encryption to choose. I’ll show you using the example of several popular routers.

I highly recommend setting up a password and protecting your wireless network. Set the maximum level of protection. If you leave the network open, without protection, then anyone can connect to it. This is primarily unsafe. And also an extra load on your router, a drop in connection speed and all sorts of problems with connecting different devices.

Wi-Fi network protection: WEP, WPA, WPA2

There are three protection options. Of course, not counting "Open" (No protection).

  • WEP (Wired Equivalent Privacy) is an outdated and insecure authentication method. This is the first and not very successful method of protection. Attackers can easily access wireless networks that are protected using WEP. There is no need to set this mode in the settings of your router, although it is present there (not always).
  • WPA (Wi-Fi Protected Access) is a reliable and modern type of security. Maximum compatibility with all devices and operating systems.
  • WPA2 - a new, improved and more reliable version of WPA. There is support for AES CCMP encryption. At the moment, this is the best way to protect a Wi-Fi network. This is what I recommend using.

WPA/WPA2 can be of two types:

  • WPA/WPA2 - Personal (PSK): the normal authentication method, where you only need to set a password (key) and then use it to connect to the Wi-Fi network. The same password is used for all devices. The password itself is stored on the devices, where you can view it or change it if necessary. It is recommended to use this option.
  • WPA/WPA2 - Enterprise: a more complex method that is mainly used to protect wireless networks in offices and various establishments. Allows for a higher level of protection. Used only when a RADIUS server is installed to authorize devices (which gives out passwords).

I think we have figured out the authentication method. The best thing to use is WPA2 - Personal (PSK). For better compatibility, so that there are no problems connecting older devices, you can set the WPA/WPA2 mixed mode. This is the default setting on many routers. Or marked as "Recommended".

Wireless Network Encryption

There are two options: TKIP and AES.

It is recommended to use AES. If you have older devices on your network that do not support AES encryption (but only TKIP) and there will be problems connecting them to the wireless network, then set it to "Auto". TKIP encryption type is not supported in 802.11n mode.

In any case, if you install strictly WPA2 - Personal (recommended), then only AES encryption will be available.

What protection should I install on my Wi-Fi router?

Use WPA2 - Personal with AES encryption. Today, this is the best and safest way. This is what the wireless network security settings look like on ASUS routers:

And this is what these security settings look like on routers from TP-Link (with old firmware).

You can see more detailed instructions for TP-Link.

If you don’t know where to find all these settings on your router, then write in the comments, I’ll try to tell you. Just don't forget to specify the model.

Since older devices (Wi-Fi adapters, phones, tablets, etc.) may not support WPA2 - Personal (AES), in case of connection problems, set the mixed mode (Auto).

I often notice that after changing the password or other security settings, devices do not want to connect to the network. Computers may receive the error "The network settings saved on this computer do not meet the requirements of this network." Try deleting (forgetting) the network on the device and connecting again. I wrote how to do this on Windows 7. But in Windows 10 you need .

Password (key) WPA PSK

Whatever type of security and encryption method you choose, you must set a password. Also known as WPA key, Wireless Password, Wi-Fi network security key, etc.

Password length is from 8 to 32 characters. You can use letters of the Latin alphabet and numbers. Also special characters: - @ $ # ! etc. No spaces! The password is case sensitive! This means that "z" and "Z" are different characters.

I do not recommend setting simple passwords. It is better to create a strong password that no one can guess, even if they try hard.

It is unlikely that you will be able to remember such a complex password. It would be nice to write it down somewhere. It’s not uncommon for Wi-Fi passwords to be simply forgotten. I wrote in the article what to do in such situations: .

If you need even more security, you can use MAC address binding. True, I don’t see the need for this. WPA2 - Personal paired with AES and a complex password is quite enough.
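To put the advice on password strength into numbers, the following added example (not from the original article; the function names are illustrative) audits a candidate WPA2-PSK passphrase for the weaknesses named on this page and estimates the time for an exhaustive search at the 500 guesses per second quoted earlier. It assumes the 8 to 63 printable-ASCII range for passphrases and also shows the standard WPA2-PSK key derivation, PBKDF2-HMAC-SHA1 salted with the SSID, so the same passphrase produces a different key on a differently named network.

```python
import hashlib
import string
from datetime import datetime

GUESSES_PER_SECOND = 500      # rate quoted on this page for a 2.8 GHz CPU
MIN_LEN, MAX_LEN = 8, 63      # passphrase length limits for WPA2-PSK


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """256-bit pairwise master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def alphabet_size(passphrase: str) -> int:
    """Size of the smallest common character set that covers the passphrase."""
    size = 0
    for group in (string.ascii_lowercase, string.ascii_uppercase, string.digits):
        if any(ch in group for ch in passphrase):
            size += len(group)
    if any(ch in string.punctuation or ch == " " for ch in passphrase):
        size += len(string.punctuation) + 1
    return size


def is_sequence(passphrase: str) -> bool:
    """True for runs like 123456789, 87654321, abcdefgh or aaaaaaaa."""
    steps = {ord(b) - ord(a) for a, b in zip(passphrase, passphrase[1:])}
    return steps in ({1}, {-1}, {0})


def looks_like_date(passphrase: str) -> bool:
    """True for 8 digits that parse as a calendar date between 1900 and 2099."""
    if len(passphrase) != 8 or not passphrase.isdigit():
        return False
    for fmt in ("%d%m%Y", "%m%d%Y", "%Y%m%d"):
        try:
            year = datetime.strptime(passphrase, fmt).year
        except ValueError:
            continue
        if 1900 <= year <= 2099:
            return True
    return False


def audit(passphrase: str) -> dict:
    """List the weaknesses found and the worst-case exhaustive search time."""
    findings = []
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        findings.append("length outside 8-63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        findings.append("non-ASCII or non-printable character")
    if passphrase.isdigit():
        findings.append("digits only")
    if is_sequence(passphrase):
        findings.append("predictable sequence")
    if looks_like_date(passphrase):
        findings.append("looks like a date")
    # Upper bound only: a sequence or a date falls to a dictionary far sooner.
    seconds = alphabet_size(passphrase) ** len(passphrase) / GUESSES_PER_SECOND
    return {"findings": findings, "exhaust_seconds": seconds}


if __name__ == "__main__":
    # Constructed sample passphrases, not taken from any real network.
    for candidate in ("123456789", "24121990", "kT7#vq", "Ferry-lamp 93 quiet-Moss"):
        result = audit(candidate)
        days = result["exhaust_seconds"] / 86400
        print(f"{candidate!r}: {result['findings'] or 'no findings'}, "
              f"exhaustive search up to {days:.3g} days")
    # Same passphrase, two network names (constructed): the keys differ.
    for ssid in ("HomeNet-42", "OtherNet-7"):
        print(ssid, derive_pmk("Ferry-lamp 93 quiet-Moss", ssid).hex()[:16])
```
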

How do you protect your Wi-Fi network? Write in the comments. Well, ask questions :)