
2.4GHz mess... another WideChannel problem


sfx2000

After actually sitting down with my adjacent neighbors, and working out a channel plan... things were good...

New AP shows up, and it's "hot" - my guess is someone got a new CM/Gateway device - it's on wide channels, and pretty much nukes the lower channels 1 thru 5...

How hot? Its RSSI is higher than my two AP's in my own house... this is the equivalent of the really loud stereo at 3 in the morning...

In the past, I've been a bit passive-aggressive, throwing lots of traffic into the primary channel and forcing them to move - a WRT54G in 11b mode with WPA2 enabled generally does the trick...

So perhaps, time to break out the PineApple and get tactical... don't piss off an engineer with technical knowledge...

 
And no, I didn't hack the box - I could have, there's enough information there...

In your router setup - turn off WPS, and in your security settings, make sure you're WPA2/AES, and not any kind of WPA2-Mixed or whatever...

TKIP-Groupwise is a backdoor to someone who is interested - makes things easier, as this suggests the AP (and the associated BSS) will accept WPA-TKIP credentials...

Don't be the person that is owned...
 
What router do they have, is it an Arris? You can see it with InSSIDer or Acrylic WiFi. Arris are high powered pieces of crap lol
 
What router do they have, is it an Arris? You can see it with InSSIDer or Acrylic WiFi. Arris are high powered pieces of crap lol

And on recon - InSSIDer is handy on Windows, as is WiFi Explorer on Mac... but these tools only show if the SSID is un-cloaked...

These tools are good to get some situational awareness on the problem before breaking out the Linux box and getting tactical to understand fully the problem at hand...

I like Kismet as it basically just listens... never probes... The PineApple has a Kismet remote function... along with other handy tools hosted on it - it's an OpenWRT with additional tools...

Between these tools, along with my handy MetaGeek Wi-Spy - and a small USB GPS dongle - I can roll things up into a sqlite DB and then break things out into a KML file suitable for Google Maps/Google Earth...
 
Good question... because the gains are higher, so if you set the SSID to the same as the person you're having a problem with... and WPA2, it looks really sweet to some of the clients in that BSS, so they'll try to handoff to it, and get rejected, and that process goes over and over again...

And that's kind of a lightweight passive approach... it's not very hard... you might have been a victim of this very approach to WiFi and Spectrum Management...

Taking a more active role... If one is serious, just sit and collect data - or if impatient, just flood with de-auth frames - either to

a) Collect more data - WEP and TKIP/WPA vectors can be found here...
b) make them just go away...
 
Channel utilization... a neighbor's high signal strength AP/router, even 40MHz mode, won't bother your clients if the neighbor's utilization of that 40MHz is low. If they stream 1080P on it, well, that's an issue.
 
Pulled my older 802.11n Airport Extreme off the shelf last night - replacing one of my 802.11ac AP's

Parked it on his primary channel and ran slingbox over night...

The Airport is one of those AP's that explicitly sets the fat channel intolerant bit in 2.4GHz - did the trick... some time over the evening, it did switch down to narrow channels, so all is good..

Quick note - one of my neighbors has a Cisco enterprise grade AP, and it does measure (and report) channel utilization on its beacon frame - and it was also getting stepped on pretty hard by the new guy - his AP was reporting 87 percent channel usage, so I wasn't the only one getting beat up..
 
OK, so after a bit more recon... it's not an IPTV box, but they've got what looks like a nice media center thing going on - without breaking out the Wireless SpecOPS/SWAT team... They used to be U-Verse with a 2Wire 11g/11n, but looks like on Friday they moved over to CoxHSI...

CM Gateway - the Netgear CG3000DV2 - Single Band 11n/3streams <- this is the current common CM/Gateway they offer up if folks don't bring their own stuff...

Netgear PT1000 Wireless HDMI adapter - had to track this back a bit, but the MAC addr and traffic analysis looks good

Belkin Wireless AV Link - F7D4550 - which is basically a 4port WiFi to Ethernet Bridge

Also appears to have a Dell Laptop (with a Dell MAC addr, probably a 1705 card on Atheros), along with at least another Intel WiFi adapter (second laptop or HTPC?)

Additionally, I see 3 smartphones, one HTC, one Samsung, and an iPhone... also found a Roku and an AppleTV.. Anyways, the smartphones and the intel card probably explains the PT1000 (it does Miracast and WiDi)...

Gotta love Kismet and Wireshark - and occasionally I war-drive the neighborhood, mostly for giggles and to see what's up with trends - so GisKismet takes the .netxml outputs from Kismet and drops them into a sqlite database - which can then either be queried directly, or exported to .KML files..

Again, I guess what it shows is don't anger someone with technical knowledge and the right tools...
 
So if this thread scares some folks - well, it should...

1) WPS/WPA-Mixed Mode with TKIP - you're only as secure as your settings - WPA2/AES in most environments is more than good enough - WPA-TKIP, that's an edge to peel up...

2) Don't use WPS - disable it explicitly on your AP/Router - this is an ongoing security concern

3) Wireless Recon shows what you have on your network - simply put for someone who has the right tools and knowledge... This person has nifty cool stuff on their network, which means they have nifty cool stuff that someone might want to steal...

This is all thru passive observation - these tools are out there...

With additional tools, one could either a) actively attack the network, forcing the WPA-TKIP and WPS to open the doors, or just DOS the network with De-Auth frames.

Be secure - watch your wireless settings, and only put on WiFi what you need to put, otherwise run on the wire...

(oh, and FWIW - I could have run an in-depth NMAP scan on the Cable Subnet to see what's up there - uPNP or HNAP issues, or an exposed OpenVPN or HTTP Admin endpoint - we're on a shared network, but out of respect to the operator and to my neighbor, I didn't)

And I'm a white-hat kind of guy...
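
A defender's check for the settings listed in the post above, as an added example that is not part of the original thread: it parses the tagged parameters of your own AP's beacon and flags a TKIP group or pairwise cipher, a legacy WPA element, or an advertised WPS element. The function names and the sample bytes are constructed for illustration.

```python
import struct
RSN_OUI, MS_OUI = bytes.fromhex("000fac"), bytes.fromhex("0050f2")
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}

def iter_elements(buf):
    """Yield (element_id, body) for each tagged parameter of a beacon."""
    i = 0
    while i + 2 <= len(buf):
        eid, length = buf[i], buf[i + 1]
        body = buf[i + 2:i + 2 + length]
        if len(body) < length:
            break  # truncated element: stop rather than misparse
        yield eid, body
        i += 2 + length

def cipher_name(suite):
    return CIPHERS.get(suite[3], "unknown") if suite[:3] == RSN_OUI else "vendor"

def parse_rsn(body):
    """Return (group_cipher, pairwise_ciphers) from an RSN element (ID 48)."""
    if len(body) < 8:
        raise ValueError("RSN element too short")
    (count,) = struct.unpack_from("<H", body, 6)
    if len(body) < 8 + 4 * count:
        raise ValueError("pairwise suite list truncated")
    pairwise = [cipher_name(body[8 + 4 * n:12 + 4 * n]) for n in range(count)]
    return cipher_name(body[2:6]), pairwise

def audit_beacon(tagged):
    """List the weak settings the thread warns about, as advertised on air."""
    findings = []
    for eid, body in iter_elements(tagged):
        if eid == 48:
            group, pairwise = parse_rsn(body)
            if group == "TKIP":
                findings.append("group cipher is TKIP (WPA/WPA2 mixed mode)")
            if "TKIP" in pairwise:
                findings.append("TKIP accepted as pairwise cipher")
        elif eid == 221 and len(body) >= 4 and body[:3] == MS_OUI:
            if body[3] == 1:  # vendor element type 1: original WPA
                findings.append("legacy WPA element present")
            elif body[3] == 4:  # vendor element type 4: WPS
                findings.append("WPS element advertised")
    return findings

# Constructed sample elements (not captured from any real network).
MIXED = bytes.fromhex("0004686f6d65" "30180100000fac020200000fac04000fac02"
                      "0100000fac020000" "dd090050f204104a000110")
CLEAN = bytes.fromhex("0004686f6d65" "30140100000fac040100000fac040100000fac020000")
```

`audit_beacon(MIXED)` reports the TKIP group cipher, the TKIP pairwise cipher and the WPS element; `audit_beacon(CLEAN)`, a WPA2/AES-only beacon with no WPS element, returns an empty list.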
 
What router do they have, is it an Arris? You can see it with InSSIDer or Acrylic WiFi. Arris are high powered pieces of crap lol

FWIW - there's a lot of industry consolidation happening here - 2Wire (mostly DSL) was acquired by Pace PLC, which is being bought by Arris Group, which bought Moto's cable business... So it's getting hard to see what is 2Wire/Motorola/Pace and what is Arris...

Netgear is jumping into the Carrier CPE business big-time for both DSL and Cable - I don't blame them, they're a viable 3rd party provider there...
 
Channel utilization... a neighbor's high signal strength AP/router, even 40MHz mode, won't bother your clients if the neighbor's utilization of that 40MHz is low. If they stream 1080P on it, well, that's an issue.

It can be an issue...

What prompted investigation was the wife saying that internet was down and slow on her laptop, normally I'm on the wire... so I didn't really notice much..

This was early last Friday evening... late in the evening close to bed-time - I typically will fire up netflix to find something to fall asleep to around 11, things seemed fine...

And she was good Saturday morning (stay away from that, lolz) - but in the afternoon, things were slow again... so did some additional digging as to why... I was on my Windows box so fired up inSSIDer to take a quick look, and there was a new AP/SSID on the same channel as mine - and like posted above, its RSSI was just as hot as mine...

To be honest, I had nowhere to go - in the neighborhood, we've negotiated agreements - next door, he's on Ch11, neighbor across the street is on Ch6 (802.11g w/WEP) but he's retired on a tight income, so I was on Ch 1... we're all pretty much on full time, as either WorkFromHome or just...

So when the new AP jumped in, not only did it blow me off the network, it blew off the guy across the street...

That CableCO AP is four houses down... and like I said, it's hot...
 
Here's a pic of my WiFi toolkit - completely self hosted on an Asus X200CA mini laptop - it's about the same size as a MacBook Air 11... in this pic it's running Kismet, but it also has Wireshark and sqlite installed for data collection and analysis...

The dongle to the left is a GPS receiver, it's an old MSFT Maps dongle OEM'ed by Pharos, but it does NMEA, so good enough...

Clipped external is a hi-gain Rokland N3 USB wireless card.. which is a RT2800 series, so it's fairly friendly for various Linux tools... The Rokland is high power/high gain, similar to the Alfa card (same chip set), which covers a wide area for scanning... but with coarse location due to its range...

I've got a Buffalo thumb-adapter for low power/range stuff (WLI-UC-GNM)... which lets one zero down on things..

Normally I don't use the built-in card, in this device it's a Realtek combo card, but in a pinch...

Did you go talk to the new interference generator as you did with your other neighbors?
 
You could also point a high gain at him and set beacon interval to something like 1ms and co-channel with his stuff and turn it on.
 
Well as to 2.4GHz. Outdoors 2.4GHz has roughly 4dB lower freespace loss than 5.2-5.9GHz. All else being equal.

So if you are antennas design limited, especially on both legs (Tx and Rx sides), then you are better off with 2.4GHz than 5GHz. Roughly 60% more range with 2.4GHz.

Of course you might have better gain on your antennas in 5GHz than 2.4GHz, which could more than make up for the freespace losses.

Indoors, lots of people can't cover their entire domicile with 5GHz well. Mine is, but mine is probably also an exception. I still utilize 2.4GHz indoors too, though most of my devices inside and out leverage 5GHz when they can.
 
Those aren't particularly high gain antennas and they are rather expensive. Hopefully it'll work well for you, but I'd plan for failure unless you have line of sight through a window to the house at least, and using 2.4GHz. That or the detached garage is arm's reach from the house. Separation isn't much of an issue so long as they are at least 1/2 wave length apart. A full wave length doesn't hurt.

What are you using for a router and how tiny is your house? Or how many routers do you have? I have a 2,500sq-ft rancher including the basement and 2 APs are needed to cover the thing in 5GHz. Heck, 2 is ideally needed for 2.4GHz as well since I can't centrally locate an AP. If I could, 2.4GHz would be fine throughout, but 5GHz would still be marginal in the further flung parts of the house.

New standards don't fix physics. 5GHz has higher free space losses, which is arguably made up for with higher gain antennas for a similar physical size (but of course that means greater off axis losses too). You also have significantly lower penetration through physical materials. With the much higher bandwidth of 80MHz 802.11ac I find that 5GHz comes much closer to 2.4GHz for similar performance, but 2.4GHz still beats 5GHz in terms of absolute range by a fair amount indoors (outside too, but there if it is a wireless bridge, it is easy to get higher gain 5GHz than you can get 2.4GHz antennas on both ends of the bridge. EX 20-24dBi yagis are easy enough to find for 5GHz, for 2.4GHz you are looking at 14-18dBi yagis, which gives you about 6dB higher gain on the 5GHz bridge when you account for free space losses, also smaller fresnel zone on 5GHz).
 
Everyone should know that many routers do not actually obey when you turn off WPS. (viz: Linksys et al) They say they do, but they actually don't. Upgrade your firmware.

And many remain unpatched - recent firmware for WRT610N and WRT160NL for example - WPS still cannot be fully shut off...

I didn't bother with the Pineapple; it's just a nice handy pre-packaged unit, and I roll my own.

It has its purposes, but one thing to note is that it's pretty underpowered, and slow... it's a tool, like anything else, but knowing this, it does have some use - kismet-drone for one.. or one can use it as fakeAP, etc.. most pro's will stay away from it, mainly again due to the lack of horsepower...

Oh, did I mention? It's slow..

That ultrabook with the right SW and wireless adapters does pretty much the same thing, and much faster at it.

WPA/WPA2 require at least an 8-character password. Recently I did some calculations on brute-forcing every permutation of a 10-char password using oclHashcat and my massively-parallel AMD 7970 GPU -- it would take 3,490 YEARS to try every combination. Fortunately there are shortcuts to rumble complex passwords. (combinator, Markov)

Proper passwords on WPA2/AES are more than adequate - biggest challenge there is rainbow tables and folks not using good combinations - don't have to go overboard - example --> Ahphie6yaehi - easy to remember as a mnemonic, but tough to crack...

And it's easy to set up a cloud instance (just takes money) and hash things out there - iirc, there is an outfit that does this on a per instance basis, and can generally return an easy passphrase in less than an hour..

I'm in the process of building my own router, running in my server machine, as I want total control over the hardware and software. It'll be CentOS 7.1 Minimal running in a Xen VM, using Shorewall for firewall and to masquerade between interfaces. I'll also run Suricata, Snorby, and Squert for IDS.

The hardware was a problem because I have only one PCIe slot left, and no extra ethernet, but luckily I found the only multi-card mini-PCIe adapter in existence. This will carry a dual-port gigabit mini-PCIe and a Doodle Labs ac mini-PCIe. And I've ordered SuperPowerSupply 6dBi gain blade antennae, spaced as far apart as I can make them on the case.

You mentioned this earlier - rolling one's own - please keep folks updated as to the progress - after some thought, running it on top of Xen could be interesting indeed...

Checked on the Doodle Labs cards - most of them look like Atheros based - I would check with them before ordering to ensure the vendor - decent drivers with good support for HostAPd will save a lot of aggravation here, esp with some newer kernels - if I recall, there was a major change in the mainline right around 3.10 that broke many drivers out there...

With the antennas - since you're running dipoles, to get best performance, the spacing is somewhat critical - aim for half-wave Lambda for 2.4GHz, and you'll get good spacing for 5GHz as a result - proper spacing can get you about 2-3 dB of additional Rx/Tx gain...

I've always considered those who network multimedia over 2.4GHz, as ignorant clods. I've used 5GHz for years, and don't understand anyone who uses 2.4GHz, especially those who are more technically-savvy. Don't be an a55hole; get away from the amateurs.

I think this probably mirrors the same exact thoughts that many of the more experienced folks have... but people are people...

Please elaborate on the TKIP vuln.

The TKIP holes have been around since, hmmm, at least 2008, where certain packets can be injected as a MIM attack - the bigger concern is that WPS can make things even easier yet, as the keyspace is fairly limited...

tkiptun-ng is a part of aircrack-ng, there's a write up at the following URL:

http://www.aircrack-ng.org/doku.php?id=tkiptun-ng
 
Did you go talk to the new interference generator as you did with your other neighbors?

We have a small mailing list, just moved everyone around him for now... in any event, he's no longer on WideChannels, I guess the Airport and the replan fenced him in, and the radio in his AP is doing what it's supposed to do...

Next thing - need to get the retiree across the street off his 11g AP and onto 11n - I've got an older unit here that I might just donate to him, and then we can sort things out from there...
 