Posts

8021X Packet Flow (PEAP-MSCHAPv2)

PEAP-MSCHAPv2 is hopefully on the way out since it's slow, broken and cumbersome. Still, it's widely used and I do not see that changing in the near future. Organizations will need to have some form of PKI, and others will need to begin retiring aging devices that do not support EAP-TLS (WPA2 or 3). Since it's so common, and since I deal with a lot of troubleshooting issues related to this authentication method, I decided to make a post about it. This is going to focus primarily on the wireless side, between the supplicant and authenticator. If you'd like to learn about the wired side of things, I found this blog post during my research. First we'll introduce the message exchange ladder to understand the sheer number of messages needed to completely authenticate the client. This hints at why this method is slow compared to other methods. http://revolutionwifi.blogspot.com/2010/09/peapv0-packet-flow-reference.html We'll skip over the initial connection and start with the meth...

Your Certificate Expired and Broke My Device

Certs are easy to manage, said no one. Certificates are a wonderful thing for security but a horrid one for management, especially if you have no formal process in place for renewing them. A quick web search will turn up countless posts and articles about expired certs breaking organizations and causing chaos. This post is not about managing their expiration, as I believe operational leaders need to make it a priority in the months prior and have a formalized plan. Instead I will focus on the technical side of supporting users and departments from a network administration perspective. Most network professionals know the certificates on their devices do not hinder client connectivity. The obvious caveat to that is when you forget to update your EAP cert(s) or use your infrastructure as the CA. However, when something doesn't connect to the network we all know the phone calls or tickets that come in saying the network is down or your certi...

802.1X Easy

Updated 3/19/2025. It seems I like doing things the hard way sometimes. PacketFence was that next thing. After much trial and error I fell back to something simpler that I already had running: OPNsense with FreeRADIUS. My goal is to create a Wi-Fi lab that utilizes Dot1X to better understand how enterprise Wi-Fi works. While my day job does allow me to troubleshoot it, I can't easily test and play around with it. My setup is basic, but that's what makes this so great and accessible for people without the space or extra money for power-hungry devices: an OPNsense VM running on Proxmox (or a standalone device), a Cisco 3560 desktop-style gigabit PoE switch, and two Unifi AP AC Lites. And that's really all you need. You could even go a little cheaper with a basic PoE switch if you don't plan on doing wired Dot1X. Once your OPNsense instance is set up you just need to download the FreeRADIUS plugin, then you can begin configuring Dot1X. Configuration: You'll want to crea...

Capturing Roaming Events

Finally! I scored a newer laptop to put Kali Linux on, along with Windows, to do some more Wi-Fi shenanigans. Before I was using a WLANPi on my desktop, which limited my mobility of course. Now I can follow devices and get closer to some of my other APs. Yes, I know you can also use a Pi as a remote capture device, but that still didn't help with looking into roaming events. Now, it's been a few years since I've used Kali and I was amazed at how polished it's become. I think I used BackTrack about a decade ago to try and 'hack' my Wi-Fi with a WPA cracking tool. Needless to say that didn't launch my security career, but it was quite interesting. There are plenty of tutorials on how to set your capture device in monitor mode, so I won't go into that here. If you are curious, here is the Airmon-ng website. Please note only certain chipsets are supported in Kali for this. Atheros cards seem to be the de facto standard for monitor mode support, but I had a Comfast CF912 and TP-Link Archer T9UH adapter ...

IoT and Smart Home Devices: Part 1

Source: https://www.sparkfun.com/products/17146 This is going to be a multi-part post going over a little IoT smart plug I picked up on clearance at Walmart. I'll make it clear I'm generally very skeptical about these types of devices, so much so that I don't even want my roommate's Alexa on the same network as mine. However, with these things being so prolific, it is best to understand them so we can better protect our networks. I'll start with a little background on the device, how I acquired it, and my research on the brand. I will then do my best to uncover any (hopefully) FCC filings and their documentation. From there we will explore a bit of the theory on how the majority of these cheaper devices connect to our networks. Lastly I'll do my best to capture packets during the join process, but we will see how that goes with my limited setup. I was looking to purchase a new Roku and since Walmart was the closest st...

Frame Exploration: Association Frames

Association Frames are the last two frames before the STA can connect to the BSS and begin .1X authentication, or the 4-way handshake when using PSK. There are two (different) frames, as opposed to the two similar frames (with different sequence numbers) in the Authentication exchange. A STA will always send an Association Request to an AP. This can be helpful when trying to discern between a STA and BSS in a packet capture if the addresses of each device are not known. You will also find the target BSS in a request frame but not a response frame. Like Authentication frames, these are also sent at the minimum required rate for that particular BSS. Association Request: Since the AP already sent out its full list of capabilities in the Probe Response frame, the STA now sends out its full capabilities in the Association Request. With this information the AP now knows whether the STA will be able to participate in this BSS or not. Below are two screenshots quickly showing how much additional i...

Frame Exploration: Authentication Frames

Authentication Frames in 802.11 are not about verifying the identity of clients or forming a secure connection. These frames are used to ensure each radio is actually a valid .11 device that can communicate on the network. It has been described as similar to plugging a network cable into the wall or switch. Please note this is only valid for networks using WPA or WPA2. WPA3 introduces SAE (Simultaneous Authentication of Equals) and uses a four-message exchange for authentication. We will be looking at Open System Authentication frames here. In the above we have the two-frame exchange between the client device and the AP. Each message is essentially the same and contains a Sequence Number and Status Code to tell whether or not authentication was successful. As with all other frames, we can look at the FCF to verify what type of message it is too. And that's all there really is to it. If each radio can authenticate with one another they can proceed to the Association stag...