Should you be using WiFi 7 or WPA3? Best Wi-Fi setup?

Captions
WPA3 is the latest and greatest, but we've also got WEP and WPA, WPA2. Can you tell us, like, what we should not be using and what we should be using? So, very short answer to this question: never use WEP and WPA, original WPA1. It's called the WPA without the one, but don't use that stuff because it's crackable in seconds today.

This device that you see right here is actually called our Sidekick 2 and it's our all-in-one measurement device for Wi-Fi, so it scans everything in Wi-Fi in the 2.4, 5 and 6 gigahertz frequency bands. But not just Wi-Fi, it also has an inbuilt super fast high resolution spectrum analyzer, so as you walk around your environment not only will it detect your Wi-Fi access points, your neighbor's Wi-Fi access points, but if you have any interferers (I'm getting attacked by a fly) it will pick up if you've got any microwave ovens, passive infrared devices, Bluetooth, wireless non-Wi-Fi cameras, and captures everything at the same time as you move around your environments.

I'm here with my Wi-Fi experts Matt and Mac from Ekahau. Now this is a technical video; I'm going to ask you a bunch of technical questions that I get. So you'll be throwing us under the bus every five minutes then. That's about right, yes, so looking forward to it.

First question, right: WPA3, why is it better and should I be using it today? Okay, so WPA3 is the newest, latest and greatest security suite. It was introduced and forced to use in 6 gigahertz bands, so the reality is if you have 6 gigahertz you have to be using WPA3, it's mandatory, and the legacy bands, they don't have to use WPA3, it's optional. So now let's talk about if it's more secure than WPA2. What's your take on it, Matt? Yeah, so WPA3 is the successor to WPA2 and it offers us extra encryption and it's stronger than WPA2. Why would we not use it?
Well, you may have some older devices in your environment that don't support it, so you have to think about how you're going to be configuring your wireless networks in 2024 and beyond. Because if you just decide to blanketly configure your SSID that's broadcasted across your frequency bands, across 2.4, 5 and 6 gigahertz, with WPA3, and you have new devices come in, like your iPhone, your iPad, MacBook, some Windows devices, they may support WPA3 and can connect to the network no problem at all. But if you've got some older devices that may be a bit legacy or not been around for the last few years, they then come in the following day and try and connect to the Wi-Fi, they may not be able to associate at all, and you're going to be getting a lot of support calls or people calling you in the middle of the night saying, "David, my Wi-Fi doesn't work, how can you help me?" There wasn't a call David there was a call you. That's right. And I'll be calling it to David. David said turn on WPA3, so.

Okay, so WPA3 is the latest and greatest, but we've also got WEP and WPA2. Can you tell us, like, what we should not be using and what we should be using? So, very short answer to this question: never use WEP and WPA, original WPA1. It's called the WPA without the one, but don't use that stuff because it's crackable in seconds today. And by crackable I mean it has an encryption, so your traffic is encrypted when you send it over the air, and when I capture your traffic from the air I can't decrypt it as easily, but with WEP and WPA I can find an encryption, well, I can decrypt your traffic very, very easily, so don't use that. WPA2 is still considered secure for as long as your key is long. And now, don't use "spiderman" as my password, right? Yeah, so you're actually... unless you put an exclamation on the end, because then that makes it really secure. Okay, that's a joke, right? Just so everyone doesn't get it. And then "123" is the most common, so "password", then exclamation, then "123".
Is that the most common password, right? Yeah, well, don't use that. So guys, for as long as you have password that is not in WPA2 that is non-dictionary, that is fairly long and it has different characters, then you're good, okay? Because you can't brute force it really, because it will take you years or tens of years and it's not really practical, and you can't guess it, so you're good to go. However, if you know password in WPA2, when you're using personal PSK, I can put in this password in Wireshark, for example, and take the decryption off from all your Wi-Fi frames, so probably not the brightest idea, is it? No, so the problem with pre-shared key is kind of in the name, that is pre-shared. So if, David, you know the key and I know the key and Mac knows the key, we can then use that, and any wireless traffic that is sent to somewhere that's unencrypted, perhaps if you go to a website that's HTTP rather than HTTPS, then anything that is sent to that could be easily decrypted and seen by anybody. Clear text, basically, right.

So give us some best practices. You said password must be of a certain length, right, must be like good, like mixed characters. Any other good practices if I'm using non-dictionary? And also there are actually quite a few nice practices. So WPA2, for as long... WPA2 PSK, I mean personal, is secure for as long as the password is secure and it's not shared between different people or groups of people. So long password, not known, you can distribute it to your devices using MDM, apps, QR codes. We can even use something like iPSK, MPSK, PPSK. Wait, what is that? So I was about to say that, so that's the same thing named differently by different vendors, but basically it means that people or groups of people, they can be using their own dedicated pre-shared keys. So if a key for me is compromised, maybe yours is still cool, so your traffic is still encrypted, so that adds to security quite massively.
So you mentioned PSK. What's the alternative for... because, I mean, PSK seems, correct me if I'm wrong, is okay perhaps for home but not the best for business, right? Yeah, so if you're running a business, you have a corporate environment, the most likely type of authentication you're probably going to use is something that's called RADIUS or 802.1X authentication. And what that basically means is that you're going to have some sort of RADIUS server somewhere, maybe in your network or somewhere else, that you can authenticate users either by doing a certificate based authentication or they're logging in with that username and password. So it adds extra layers of authentication and encryption, so it makes it much more challenging for bad actors to get access to the wireless network or to intercept any of that traffic. But then there are some caveats and things you want to think around with RADIUS authentication, because big thing in Wi-Fi is being mobile and being able to move around an environment, like where we are now, Cisco Live, and easily switch between different access points. We're in your office, your warehouse, you want to be able to roam fast. The thing is, when you do a RADIUS authentication, when you do that initial connection, it can actually take quite a long time, because you're not just going from your wireless client device to the wireless access point and to the controller to, you know, exchange a set of passwords for a pre-shared key. When there's RADIUS server involved there's a lot more steps that's in place, so you go from the wireless client device to the access point, access point forwards that onto the controller, that forwards onto the RADIUS server, RADIUS server checks your credentials, your certificate possibly, and the RADIUS server can be in a different country or on a different continent. And you can take like a second or two or four. Yeah, right, exactly. And then if you, when you roam, what would happen if you don't have anything turned on from, like, a roaming, a fast roaming
amendment, what would happen is each time you go from access point to access point you have to do that full RADIUS authentication. That can take anywhere up to a second, a couple of seconds, and in Wi-Fi that's a really long time, so you want to try and reduce that as much as you can by using something called 802.11r fast transition, if you're in the Cisco world like we are today. And what that basically does, it'll speed up that roaming time between going between access point and access point, because you don't have to do that full authentication to the RADIUS server each time; it's cached and stored locally on the access points. And there's other ways the brand we can do it too.

That's a very good point. So what we've discussed so far is the PSK, that's a personal, right, WPA2 PSK, you have a key, and then WPA2 Enterprise that uses the RADIUS for backend authentication of users, and also that it's great to use something that we call 802.11r fast transition, FT, to make sure that you don't have to go back to RADIUS every time you switch from AP to AP when you walk around your premises. But you mentioned something offline about the... instead of using PSK there's a new thing, is that right? There is, there is. So PSK, pre-shared key, is the WPA and WPA2 thing, and that means if I know your password I can decrypt your Wi-Fi traffic, right? So that's a little bit risky. Doesn't have to be too bad if your password is strong, but in WPA3 we've replaced the PSK with SAE, Simultaneous Authentication of Equals, and SAE is a direct successor to PSK. We don't have PSKs anymore, now we have just SAE, and SAE is quite cool because even if I know your password I won't be able to decrypt your traffic. So your password in SAE is used for authentication of user, of you, you use your password, but it's not used for encryption anymore. Encryption is derived automatically from a very simple sounding Diffie-Hellman algorithm that basically means that it works in one way, so I can encrypt your traffic but I can't use the same
password to decrypt your traffic. So that's quite fascinating, isn't it?

I believe there's even more security with WPA3, because with WPA2 the way that you crack it is you deauth the clients, you capture the handshake, right, and then you just run brute force against that and try and decrypt it. Is that solved in WPA3? Yeah, exactly that. So, um, something that's enforced with WPA3 is also management frame protection, or protected management frames, depending on what vendor or how you're talking to somebody in industry, how they'll be referring to that. And that is to kind of mitigate exactly what you just mentioned has happened there, about clients getting de-authenticated from the management frames and then re-associate into a malicious or rogue access point that they shouldn't be connecting to, or honeypot AP, and then they, uh, share their credentials, which is what we want to try and avoid as much as possible.

So basically your question was how to exploit EAP-PEAP authentication method using WPA Enterprise, either WPA1 or 2 or 3. Actually, Enterprise is pretty much identical between WPA2 and WPA3; the only difference between these two is the encryption length of a key, optional. But yeah, so that was EAP-PEAP. Requires user's credentials to authenticate to the wireless network, and it's easier to use than certificate based authentication. So EAP-PEAP requires username and password, and it's still validated against the RADIUS server in the back end, and the easy thing about it is that you don't have to install a certificate on your user device. Installing a certificate on your user device can be quite complicated: you need to have an infrastructure for it, you need to upload it somehow, install it somehow. If you ask the user, they probably won't. So that's why we are using EAP-PEAP, and EAP-PEAP asking you for credentials is risky because, as you said, without management frames protection we can de-authenticate all the users and force them or encourage them to connect to an attacker's AP and
harvest their credentials and then have access to their, I don't know, an email or whatever other services they're using. So yeah, good question.

Did the deauth attacks work against WPA3 then, was that solved? Uh, this attack will work against WPA3 as well, because we are not trying to decrypt the traffic, we are just harvesting users' credentials. So if I send a bunch of, like, deauth messages to the AP, I can kick the users off even in WPA3? In W... well, WPA3, you're probably asking about the MFP, and MFP or PMF, management frame protection, is enforced now. So if you are using WPA3 you will be using PMF or MFP, so you cannot do the deauth attack. So you can attack the users that are just connecting to the network, they might be coming to your access point, but you can't de-authenticate existing users, so it is of course more secure. However, you can configure MFP/PMF on old legacy bands, on 2.4 and 5, as well, but then you are risking compatibility, right? Older devices, they simply won't be able to connect to an SSID that uses MFP, PMF, whatever you call that, and if they don't support it they won't connect.

Guys, I'm a bit slow, right? People call me a boomer on my videos even though I'm not, but yeah, I'm a bit slug, I'm a bit slow, so just make it clear for me. In some of my videos that I've done in the past with WPA2, I've had a Wi-Fi watch that can deauth clients. So that doesn't work anymore in WPA3, is that correct? That is correct, because management frame protection, or protection of management frames, MFP, PMF, will stop you from de-authentication attack, and it's as simple as that. And if I try to deauth, I mean, that's not going to work, but let's assume that even if I could capture the management frame... in the past with WPA2 I'd deauth, the client would connect, I'd capture that, and then I would use a GPU or the cloud to try and crack the password. That also doesn't work? So that might work, because PMF behavior, it doesn't change between WPA2 and WPA3. Okay, but is that something that you can
configure to stop those kind of attacks? I don't think you really can.

Okay, so in a lot of my videos, and I'm talking about, like, PSK, so like a home device, I had like a little TP-Link router and I got an iPhone to connect to it. So what I'd use is Kali Linux to deauth the phone, right, it would reconnect, I'd capture the handshake, and then I'd use a GPU to crack it. That's no longer possible, if I understand right, in WPA3? So SAE now, it's not possible now because of difficult one-way algorithm: you can encrypt it but you can't decrypt it.

So do you guys have, like, a summary about WPA3, like what's the sales deck, if you like, to an executive, why you want WPA3, the quick 30 second picture? Okay, so the simple answer is it's a lot more secure because you have management frame protection. So if David's around your environment, which you may or may not want, trying to deauth your client devices, they're going to be protected from... not wearing a watch, we're safe, we're safe. Okay, now his watch is not wearing his day, but even if he was, if we're using WPA3 with management frame protection we are going to be safe, because we can't get de-authenticated from the watch, because the management frames protection is going to be enabled for by default. So that's safe, much better than WPA2 that doesn't have it turned on, or WPA1 from before. And then also you asked if somehow you were able to de-authenticate the device and it did connect to one of your honeypot access points or rogue APs and you were able to capture that four-way handshake. With WPA3 it doesn't use PSK anymore, it uses SAE, Simultaneous Authentication of Equals, which uses Diffie-Hellman, so even if you were to capture the device you wouldn't be able to decrypt it using one of your fancy Kali Linux boxes and GPUs to try and crack it. So basically, look, cannot brute force the encryption key on WPA3 Personal SAE, not possible.

Just for the people who don't have WPA3 yet, best practice for WPA2 is make it long, so the GPUs, even if you had
big GPUs, it wouldn't be able to crack it, right? That's correct. So if I capture your WPA PSK personal traffic, I am able to use the dictionary attacks to guess your password. If that doesn't work, I can start doing a brute force attack with my GPUs against your encrypted traffic, and if the password is short I will be able to crack it. If it's longer, then there is no way I would be able to crack that if I don't know the password already.

You guys mentioned six, a band, six gigahertz, right? So can you explain the bands and what six gigahertz is and why it's important? Totally, I'd love to. So in Wi-Fi, since like the very late 1990s and early 2000s, we've had access to two Wi-Fi frequency bands, 2.4 gigahertz and 5 gigahertz, and the thing with 2.4 gigahertz is we only have a small chunk of usable spectrum. So there's, uh, inside of these Wi-Fi frequency bands we use something that's called channels, and in the 2.4 gigahertz frequency band we only actually have, depending where you are, most places, three channels that don't overlap with each other. And the 2.4 gigahertz frequency band is so susceptible to non-wireless interference: you're going to find things like microwave ovens, Bluetooth, wireless non-Wi-Fi video cameras happening in your environment, causing you interference, so it's just not that much usable spectrum there. However, with five gigahertz we have a lot more usable spectrum, so actually up to, like, depending on where you are, 500 megahertz of spectrum, and we have a lot more non-overlapping channels, so depending where you are up to 25 non-overlapping 20 megahertz wide channels, which is fantastic because more spectrum. But there's a whole bunch of rules we have to follow on some of those channels that could be impacted by what's called radar or DFS activity, and the amount of wireless devices that are now connecting to the network, if you think how many millions of billions of devices there are. If you think about Wi-Fi in the term of you're driving along a highway or a motorway,
2.4 and 5 gigahertz, that gives us access to the two lanes to drive down, and we have got our cars on the motorway. Why we need to have six gigahertz is because we got to the point where these motorway lanes are just getting too congested. There's, even with the five gigahertz band, too many devices connecting, so we needed six gigahertz. But Mac, why do we need six gigahertz so much? Yeah, good question. So six gigahertz not only gives us more frequency band, more lanes on the motorway, but also is less congested, so it means we'll have less cars on that motorway. So we not only have bigger motorways, but we can also go faster on these motorways. So that's very basically six gigahertz: more frequency is always better.

And how about the Europe versus States? Yeah, so, uh, depending on where you are in the world you may have slightly more access to the six gigahertz frequency band. So over in the U.S. they actually go up to 1.2 gigahertz with additional wider spectrum they can use, however us over here in Europe, we get an additional 500 megahertz. Unlucky. Yeah, still amazing, we needed that extra motorway to be able to be driving along to get us the extra capacity we need for all of these wireless devices that are coming out there. So yeah, it's fantastic we've got access to this, but six gigahertz does bring us some more challenges, because we have to think around different device classifications. That's a lot of wireless channels now that we have to scan for our client devices, so how do we discover Wi-Fi, right, how do we discover wireless networks? There's so many channels to scan across all those frequency bands. So yeah, lots of challenges with six gigahertz as well.

For a lot of people watching, Wi-Fi 7, I see vendors already releasing Wi-Fi 7, but can you guys explain, like, what's important today, like Wi-Fi 6, Wi-Fi 5, maybe even, I don't know, Wi-Fi 6, 7? Yep, totally. So to make it quite short, a Wi-Fi 5 is still relevant, and Wi-Fi 5 is 802.11ac. It works in five gigahertz
frequency bands only, five gigahertz, okay? And then in 2021 we ratified Wi-Fi 6 standard, and the standard from IEEE is called 802.11ax, and it defines Wi-Fi operation in 2.4, 5 and six gigahertz frequency bands. Okay, so now we have three bands, it's a lot of bands, so that's 802.11ax. To make things simple, we have an organization called the Wi-Fi Alliance that tests interoperability based on a subset of functionality from IEEE standards. I know it can be quite confusing, but it really isn't. Well, it is a little bit. Okay, I like, Wi-Fi 6 is the Wi-Fi Alliance interoperability name for 802.11ax, and it tests interoperability across two frequency bands, 2.4 and 5 only. But then since six gigahertz is available to us in most countries around the world, we now can start testing interoperability of devices, ax devices, on six gigahertz bands, and that's what Wi-Fi Alliance calls Wi-Fi 6E. It's still Wi-Fi 6, but E stands for extended and it captures six gigahertz band. So again, Wi-Fi 6 works on 2.4, 5 and 6 gigahertz bands, okay? Well, Wi-Fi 6 tests interoperability on 2.4 and 5, Wi-Fi 6E on 6 gigahertz, and all of them, Wi-Fi 6 and Wi-Fi 6E, it's the same standard, 802.11ax.

Okay, and 7? Wi-Fi 7 is the latest new standard of Wi-Fi that will be getting ratified at some point this year, and what Wi-Fi 7 will be, it will actually work across 2.4, 5 and 6 gigahertz. So there will be big benefits to Wi-Fi 7, but the main benefit being is that it still supports 6 gigahertz. 6 gigahertz is the future of Wi-Fi, so Wi-Fi 7, the fact that it operates in the 6 gigahertz frequency band as well as 2.4, 5 gigahertz, that is still the main benefit of Wi-Fi 7.

I've seen some vendors, like, I know we won't mention names, like "Wi-Fi 7 is the best, we've got a Wi-Fi 7 router." Should I buy Wi-Fi 7 devices today? Fantastic question. So the reality is that you might buy, order some Wi-Fi 7 APs, but you don't have pretty much any Wi-Fi 7 capable devices. So if you are thinking about buying Wi-Fi today, think about Wi-Fi in more 6
gigahertz categories. So 6 gigahertz is still the most important thing, so buying 6E today is more mature, it's nothing wrong with buying 6E today, and then five years from now or seven years from now, whatever your cycle is to replace your APs, go for Wi-Fi 7 or Wi-Fi 8. It doesn't matter as much as people think, because Wi-Fi 6E, we have six gigs already, so now Wi-Fi 6 plus Wi-Fi 6E, both of them combined is pretty much the Wi-Fi 7. Wi-Fi 7 adds some new functionality, but basically it's almost the same: slightly faster, slightly more advanced functionality, like in Wi-Fi.

So what's the biggest advantage of Wi-Fi 7 versus Wi-Fi 6E? Mate, being honest, most likely you're going to see the biggest benefits of Wi-Fi 7 at home. In the enterprise maybe not so much, because there's this new thing called MLO, which stands for multi-link operation, where you're going to be able to send your traffic out of the different radios and the frequency bands of the device, from the access point to the client device, but how often we're going to see that in the enterprise, I highly doubt it. So we are going to be getting faster data rates, more complex modulation, so it means we can send our wireless data faster in Wi-Fi 7, but again just a few percent faster. So now we are using 4K QAM versus 1K QAM. Exactly. Still the biggest benefit is going to be six gigahertz, the access to the additional highway, motorway lane that you get to drive down your nice six gigahertz capable cars.

We're talking about the future, how about Wi-Fi 8? What's going to be great about Wi-Fi 8, is it coming anytime soon? Not anytime soon, but we start to have a glimpse into what it can consist of.

So I wanted to, but let... I wanted to differentiate between home and enterprise, because I think that's a good differentiation. So at home, if I'm going to buy a Wi-Fi router today or AP, would I try and get a Wi-Fi 7 or wait? If you're purchasing a wireless device now for your home or even for the enterprise, you would go with the latest that you can get. So at
home you're probably going to find consumer grade wireless routers that support Wi-Fi 7, but there's not many enterprise grade wireless access points out available right now that support Wi-Fi 7, so going for the latest that's supported with six gigahertz capabilities, Wi-Fi 6E is still the main thing. But for home it might be a little bit different. With Wi-Fi 7 we have the MLO, as you mentioned, multiple link operation, and it can combine multiple non-adjacent channels, even across different frequencies, into one massive giga channel. So think of it, I can have like a one channel 20 megahertz on five gigahertz, two channels or six gigahertz, combine them into one massive motorway, and I can send my traffic that way. But most clients most likely will not support it, but what will support it is the home mesh systems. So think about like having a main router in your living room and then satellites in your, like, you know, bedroom one and bedroom two, that's where the MLO will be super beneficial for 7. So if you can leverage that, that's fine, but the reality is Wi-Fi 6, 6E is fantastic, okay, so nothing wrong with going with Wi-Fi 6 and 6E today.

It's probably a redundant question: is it worth ripping out Wi-Fi 6E in the enterprise for Wi-Fi 7, or should I just wait? I wouldn't be ripping out Wi-Fi 6E, 6 gig, for Wi-Fi 7. Yeah, I had a short answer, I would just wanted to say no. And at home? No, no. If you have a much older device that, if you can give a Wi-Fi 4 or previous, or even Wi-Fi 5, then I would consider it, but if you've just upgraded to Wi-Fi 6E and you've got six gigahertz, then for me personally I don't see the benefit right now.

And I mean, you guys have said it a few times, I think I want to drive it home: the piece that some people seem to forget is it's not the APs, it's all the client devices that's a problem, right? Yeah, so your wireless network only works the best as your worst devices that you support on the network. So if you can have Wi-Fi 7 access points everywhere but you bring an old,
really, uh, legacy device that's a scanner or phone that supports just 802.11n, which is Wi-Fi 4, then when your client device connects to the access point it's only going to be leveraging Wi-Fi 4 technology. So you have this fancy Wi-Fi 7, but your wireless is only going to be operating a Wi-Fi 4 with the worst case of the device that you've got connected to the network. If you've got a home or enterprise that's got just Wi-Fi 7 access points and Wi-Fi 7 capable client devices, then fantastic, but there's not that many of them around right now.

You guys are from Ekahau, you've got this fancy device here. What is it, and, you know, what does it do, and what do you guys do, like, professionally? Sure, so this device that you see right here is actually called our Sidekick 2 and it's our all-in-one measurement device for Wi-Fi, so it scans everything in Wi-Fi in the 2.4, 5 and 6 gigahertz frequency bands. But not just Wi-Fi, it also has an inbuilt super fast high resolution spectrum analyzer, so as you walk around your environment not only will it detect your Wi-Fi access points, your neighbor's Wi-Fi access points, but if you have any interferers (I'm getting attacked by a fly) it will pick up if you've got any microwave ovens, passive infrared devices, Bluetooth, wireless non-Wi-Fi cameras, and captures everything at the same time as you move around your environment. What else is inside this device, Mac? Well, the biggest battery we can take into commercial airplane, so that's quite cool, like a full day surveying battery life kind of thing. But also it's extremely easy to take a Sidekick for a walk: just connect it to your phone, and today you don't even need to use a map, you know, you don't need to scale up the map with any laser measure tools. You just connect it to your phone, hit the button, walk around, and your phone will find out the layout of your building as you walk around, it will mark the walls, create a floor plan for you, and then a Sidekick will be measuring all the Wi-Fi and electromagnetic RF energy
stuff all around you and place all the information on the map that you can then use not only to design your new network on but also to optimize your existing Wi-Fi. So it's never been easier, I would say. Easy peasy lemon squeezy.

So last question: can people reach out to you if they've got Wi-Fi questions, and where's, like, Twitter, X, where can they reach you guys? Yeah, of course, any questions you have, we would love to hear from you. So you can find myself on Twitter, LinkedIn, X, TikTok, whatever you like, my user account is just at Matt Starling. How about you? And my handle is at Mac Deryng, but reach out to Matt. Okay, and also his email is... so we won't yet. Well done.

So for everyone watching, I'll put their links below, also links to Ekahau. Big thanks to Ekahau for sponsoring this video and supporting the community. Let me know in the comments if you enjoy these types of videos. These guys really know Wi-Fi, so I want to answer you, get your questions answered, so put them below, and hopefully we can get you guys back for more tips and tricks on Wi-Fi. Thanks for having us, mate. Yeah, thank you, David, so much for bringing us on, we love to be here.
Info
Channel: David Bombal
Views: 49,749
Keywords: wifi, wpa, wpa2, wpa3, ehakau, kali linux, kali, nethunter, kalihunter, kali nethunter, wifi hacking, scanner, wifi scanner, hacking, hackers, ethical hacker, ethical hacking, hacker, hacking course, learn hacking, how to hack, wifi password, wi-fi, alfa adapter, wifite, hashcat wpa2, how to hack wifi password, penetration testing, wpa2 cracking, wifi password hacker, wifi password hacker app, hashcat wifi cracking, wireless security, wpa2 hacking, wifi cracking, slow wifi, fast wifi
Id: UpuLysPeihI
Length: 27min 20sec (1640 seconds)
Published: Sun Mar 10 2024