From owner-freebsd-questions@FreeBSD.ORG  Wed Apr 24 21:40:42 2013
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by hub.freebsd.org (Postfix) with ESMTP id 10EB4EE2
 for <freebsd-questions@freebsd.org>; Wed, 24 Apr 2013 21:40:42 +0000 (UTC)
 (envelope-from aimass@yabarana.com)
Received: from mail-da0-x236.google.com (mail-da0-x236.google.com
 [IPv6:2607:f8b0:400e:c00::236])
 by mx1.freebsd.org (Postfix) with ESMTP id E2DA81FC5
 for <freebsd-questions@freebsd.org>; Wed, 24 Apr 2013 21:40:41 +0000 (UTC)
Received: by mail-da0-f54.google.com with SMTP id s35so1084951dak.13
 for <freebsd-questions@freebsd.org>; Wed, 24 Apr 2013 14:40:41 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=google.com; s=20120113;
 h=mime-version:x-received:in-reply-to:references:date:message-id
 :subject:from:to:cc:content-type:x-gm-message-state;
 bh=ask7qsKzkJ04ht71btZ6ZTq5d5cQw1Sw64xRupo/M/M=;
 b=R63bWTAM5zIeDZEZEbZ9KCtTwc3kyC6otyAt/VJnl5iLklvWbTKOtbU+xhkfmu3r8g
 N1/1jiY8X1jpQj5pMOlsjg/vhBcLGh8gjlp0hb2y1OBJtq9dn++Hf39mPeoWbTbPlRjW
 m0SWqr6eWiSte6WgD/eidu9uUBKX2qmKfAuQ9jF80EopLI/2OJU10A4CwPTNdey0xle/
 LW2D5fs76LjzIAPHSgUVDH/x9ZQ3WFWAu44PkBWSbGM+/oPzRRfH2IJfsKdKzdvHIEG0
 qaTIIqaZnHmIVt2nGhRIG32oqwr64ckZmZi6g7U89GddGtwejki3ti1WafGA++2MNhh3
 L9tw==
MIME-Version: 1.0
X-Received: by 10.66.89.199 with SMTP id bq7mr25521120pab.202.1366839641639;
 Wed, 24 Apr 2013 14:40:41 -0700 (PDT)
Received: by 10.66.160.233 with HTTP; Wed, 24 Apr 2013 14:40:41 -0700 (PDT)
In-Reply-To: <kl9ej0$f2b$1@ger.gmane.org>
References: <CAHieY7S9b9F1jndpkR2Drw=GCoBxmEWRs6Ot8MRjjQFH=xmHQQ@mail.gmail.com>
 <kl0qu9$ovo$1@ger.gmane.org>
 <CAHieY7SSbO+wt68PeFLYDzAtqMnR0kJ3UakOjvLkSMzVA31LbA@mail.gmail.com>
 <kl3vao$hbt$1@ger.gmane.org>
 <20130423010407.25a73c92@gumby.homeunix.com>
 <CAHieY7SSzuJBt6frT7QoU=EzZDA=9Fc=H-xDHYtH3PejTi5QzQ@mail.gmail.com>
 <kl9ej0$f2b$1@ger.gmane.org>
Date: Wed, 24 Apr 2013 17:40:41 -0400
Message-ID: <CAHieY7Q772KgL65o725QYOuW0ahHeUMWM1RswMyvfac_7eLB3g@mail.gmail.com>
Subject: Re: Home WiFi Router with pfSense or m0n0wall?
From: Alejandro Imass <aimass@yabarana.com>
To: Michael Powell <nightrecon@hotmail.com>
Content-Type: text/plain; charset=ISO-8859-1
X-Gm-Message-State: ALoCoQnt+VdFFtM3N8EEtxTJ9IxyGTNSkwhvngZFK4N7Qw7NPhMF75Mpp5DaFpR9mgyklDzYVh3u
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: User questions <freebsd-questions.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-questions>
List-Post: <mailto:freebsd-questions@freebsd.org>
List-Help: <mailto:freebsd-questions-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-questions>, 
 <mailto:freebsd-questions-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Apr 2013 21:40:42 -0000

On Wed, Apr 24, 2013 at 4:16 PM, Michael Powell <nightrecon@hotmail.com> wrote:
> Alejandro Imass wrote:
>
> [snip]
>>>> Most consider the answer to use WPA2, which I do use too. Many think
>>>> it is 'virtually' unbreakable, but this really is not true; it just
>>>> takes longer. I've done WPA2 keys in as little as 2-3 hours before.
>>>
>>> Are you saying that any WPA2 key can be cracked or or you simply
>>> referring to weak keys?
>>
>> I would also like to specifically if it's for weak keys or are all
>> WPA2 personal keys crackable by brute force. Also is WPA2 Enterprise
>> as weak also. Could anyone expand on how weak is WPA2 and WPA2
>> Enterprise or is this related to weak PSKs only??
>>
>
> I'm just a lowly sysadmin and not any kind of crypto expert.  The problem is
> time and horsepower. While a ridiculously easy key of say 4 characters that
> is not salted may be doable on a PC, once you start to get to 8-9 characters
> or more the time it takes begins to get huge fast. It's a matter of can you
> tie up the resource long enough to wait it out. Throw salting into the mix
> and it gets longer again.
>
> What I do at home is concatenate 2 ham radio call signs of friends that I
> can remember. Then I sha256 that and select from the end backwards 15


[...]

> The pre-shared key is the weakest as compared to Enterprise. Enterprise WPA
> is stronger because it is a user account based system which authenticates
> using 802.1x via a Radius server. You can even assign certificates to user


OK. So we are talking about weak PSKs, of course with enough computing
power virtually anything is crackable by brute force. What I don't get
is that I thought that mac address filtering at the wireless level
meant that the router would not negotiate with a mac no listed in it's
table. I haven't used Kismet but you are saying that with Kismet I can
infer authorized macs that are connecting to a specific access point
so I can spoof one and perform my brute force attack?? Honestly I
don't know much about 802.11 but if that is so it's pretty retarded
and mac address filtering really a joke then.

Thanks again for such detailed responses. I know all this seems all OT
but it's a security issue that I don't think that many people are
aware of so I haven't changed the subject to OT because of this.

Best,

-- 
Alejandro Imass