Thank you Lain.
This is why I force my browser to warn me when SSL isn’t available. Makes me at least a little safer when I have to use public wifi
So I guess I must be a leet haxor because of all the businesses I configured for the 172.x space because 192.168.x space was too small and 10.x space was way the hell too big.
For bigger networks, I always went with 10.0.0.0/8 for endpoints, 172.16.0.0/12 for servers and other back-end services, leaving 192.168.0.0/16 for smaller networks like OOB IPMI (eg HP iLO, Dell iDrac) services, cluster heartbeat connections, and certain DMZ segments.
My current work acquired a company with a very poorly provisioned IT department. Their networks all happen to be in the low 192.168.0.0/16 so users VPNing in often end up with wonky IP conflicts. I’ve heard warnings about similar when selecting subnet ranges, so I just stick with low 192.168.0.0/16 ranges for home networks from which I might potentially VPN into a network I don’t control, and I use 172.16.0.0/12 or 10.0.0.0/8 at work as needed and as aligns with our wider topology.
I will also add that I encountered some fun challenges at a small bank I worked at where they clearly under-planned their network and carried a bunch of wonky configs as vestigial networking adaptations as they grew. They did do a cool thing where they made each branch its own /24 subnet so you could tell at a glance exactly what branch someone was connecting from, plus branches could theoretically limp along with an ISP outage, but they didn’t the extra steps of setting up edge servers so the end result was a full branch outage during an ISP outage
That’s doable too. A lot of people don’t realize you can route all of those together. It’s even more fun as technically you can route private addresses across public links if you own both ends of the link. Used to see that done at a large ISP to route their internal network and it’d pop new networking admins minds.
ETA: I would use 192.x IPs for unrouted subnets like heartbeats or iSCSI.
wdym too big? That’s what subnetting is for.
I know what subnetting is for. That’s why I know which RFC range to use. I’m talking based on the number of devices and needed groupings, 172 is a good sweet spot where 198.x would be a bit tight and 10.x is complete overkill.
Could you please explain, how 172.x is different “size” than 10.x? Don’t both of those have 255*255*255 spaces?
Edit: Ok, I made ChatGPT explain it to me. Apparently, with 172.x the convention is to only use range from 172.16.x.x to 172.31.x.x because that range is designated for private networks under some internet regulations…
Yeah. Here’s a breakdown of the allocations and their sizes:
- 192.168.0.0/16 - 65,536 addresses
- 172.16.0.0/12 - 1,048,576 addresses
- 10.0.0.0/8 - 16,777,216 addresses
Most home applications only need a single /24 (256 addresses) so they are perfectly fine with 192.168.0.0/24, but as you get larger businesses, you don’t use every single address but instead break it out by function so it’s easier to know what is what and to provide growth in each area.
But tbh, I still don’t see why you can’t just use 10.x but only as many subnets as you need.
I know jack shit about networking, but I’ve set up OpenWrt routers a couple of times, and set my home network to 10.99. because that was suggested by a ZeroTier tutorial and I thought that’s cool.
You’re technically correct, you can use any of them. It’s honestly just a matter of preference.
really start to worry when it’s
169.254.0.x
…That just means the DNS is disabled.
-
“The hotel’s free WiFi is really fast”
-
“the DNS is disabled”
-
That is not what that means, it means there’s no dhcp on that network segment.
If there isn’t DHCP and you device isn’t set for a static IP, would it even connect?
In my defense, whenever there’s a networking issue, it’s always DNS related.
DNS being down is why the DHCP server didn’t start ;)
I can totally see dnsmasq causing this sort of thing.
The three stages of grief:
- It can’t be DNS
- There’s no way it could be DNS
- It was DNS
Thank you lain.
The only part of this I didn’t immediately realize is the wifi pineapples default IP range.
From now on, I’m going to set that as my clients default public IP range to troll anyone who knows.
Thank you Lain!
Does this matter if the traffic is encrypted, such as an https website instead of http? Like, really how often is internet traffic unencrypted?
Yes, back when I was playing around with my WiFi pineapple there were a wide variety of tricks to break SSL authentication without it being obvious to users. Easiest was to terminate the SSL connection on the pineapple and re-encrypt it with a new SSL cert from there to the users browser, so to the user it looked like everything was secure but in reality their traffic was only encrypted from them to the pineapple, then decrypted, sniffed and re-encrypted to pass along to the target websites with normal SSL.
Man in the middle attacks really do give the attacker tons of options
That kind of ssl interception would normally be quite visible without your client device having the pineapples cert in your devices trust store, or am I wrong?
I’m sure a lot has changed in 10 years ago so this won’t be relevant today, but back when I was last playing with this, sslstrip was the tool I was using on the pineapple to enable SSL mitm attacks - https://github.com/moxie0/sslstrip
I’d imagine there are new techniques to counteract new defenses - this stuff is always cat & mouse
Not often. For web browsing - and the majority of apps - your session is encrypted and certified. Breaking SSL is possible but you’ll know about it due to the lack of certs.
Thank you Lain.
Thank you lain.
My ass, Lain.
Thank you Lain!
Isn’t that how the setup works for any relatively large company? I admittedly haven’t worked in many, but that’s usually the case for corporate computers at least.
I think the idea there is that the whole Class B private range starts at 172.16.0.x so it’s unlikely, that any hotel you’re at would be using 172.16.42.x because it’s so far irom the start of that range unless it’s a chain that needs to keep its ranges separate between sites for VPN or documentation reasons.
Basically, seeing 172.16.42.x doesn’t inherently mean something’s wrong, and I’m sure people using the pineapple for nefarious reasons would be smart enough to change its default LAN, but if you see it, maybe be more cautious.
Also if you bring one onto a real network to pwn it you’re probably deliberately not replacing it’s DHCP server so you don’t break static IP assignments (but you might fake the routes so traffic goes through you anyway with ARP spoofing, etc)
Thank you lain
Public WiFi is just PvP enabled
[x] Client isolation on
This is now a safe zone