
did i just think up a way to defeat wifi security?


10 replies to this topic

#1 nyphonejacks

nyphonejacks

    Dangerous free thinker

  • Members
  • 793 posts
  • Gender:Male
  • Location:718

Posted 09 December 2011 - 12:12 AM

I was just looking through a white paper about rogue access points... it said something along the lines of a client connecting to the AP with the best signal..

first off, i do not believe that i have the technical expertise in this field, so it may not be possible at all..

this would have to assume that the AP would have to have a way to log attempted/failed security keys....

my theory is this:

install an AP with the same SSID as the target network.
set the same security as the target network - WEP/WPA, etc.
possibly clone the MAC of the target AP (not sure if necessary)

my thoughts on how this would work (if it is even possible i do not know)
client thinks your AP is the AP that it has the credentials for, and tries to connect to it..
your AP then receives the key from the client - since you do not know the key for the target AP it will not connect, but it would log the attempt so you should have the key for the target network - i would assume that this would be encrypted

if this is possible, it seems like a better/faster method to obtain credentials for a wireless AP than sniffing wireless traffic waiting to get the key...

seems like it would make for a great penetration test..

anyone know if this is possible?

it seems to me that it would not matter what type of security was enabled on the target AP as long as you were able to log and decrypt the keys of legitimate clients that attempt to access the network...

if possible, having the fake AP change its SSID or shut its wireless radio off after someone attempts to log in should hopefully keep the key from being changed on the target AP - or drawing too much suspicion from the network's admin that many wireless clients are failing to connect.
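From the defender's side, the scenario above (a second AP advertising a known SSID, possibly with a cloned BSSID, at a stronger signal) is what a wireless IDS looks for. The following is an added example, not code from the thread: it compares a constructed beacon log against an inventory of authorized APs and flags the two patterns described in this post. The inventory, BSSIDs and beacon observations are all made up for the illustration.

```python
"""Evil-twin / rogue AP detection over a constructed beacon log.

Clients tend to associate with the strongest AP advertising a known SSID, so
an AP that copies a legitimate SSID (and possibly its BSSID) can attract them.
A simple wireless IDS check compares what is heard on the air against an
inventory of authorized APs. All sample data below is constructed.
"""
from collections import defaultdict

# Authorized inventory: SSID -> {BSSID: (channel, security)}  (constructed)
AUTHORIZED = {
    "CorpWiFi": {"00:11:22:33:44:55": (6, "WPA2-PSK")},
}

# Constructed beacon observations: (ssid, bssid, channel, security, rssi_dbm)
BEACONS = [
    ("CorpWiFi", "00:11:22:33:44:55", 6, "WPA2-PSK", -61),   # legitimate AP
    ("CorpWiFi", "aa:bb:cc:dd:ee:01", 6, "WPA2-PSK", -38),   # same SSID, unknown BSSID
    ("CorpWiFi", "00:11:22:33:44:55", 11, "WPA2-PSK", -35),  # cloned BSSID, other channel
    ("GuestNet", "aa:bb:cc:dd:ee:02", 1, "OPEN", -70),       # not our SSID, ignored
]


def analyze(beacons, authorized):
    """Return a list of (reason, evidence) findings for the given beacons."""
    findings = []
    seen = defaultdict(set)  # (ssid, bssid) -> set of (channel, security) observed
    for beacon in beacons:
        ssid, bssid, chan, sec, _rssi = beacon
        if ssid not in authorized:
            continue  # a foreign SSID does not impersonate one of ours
        known = authorized[ssid]
        if bssid not in known:
            findings.append(("unknown BSSID advertising our SSID", beacon))
            continue
        exp_chan, exp_sec = known[bssid]
        if sec != exp_sec:
            findings.append(("security mismatch on authorized BSSID", beacon))
        if chan != exp_chan:
            findings.append(("authorized BSSID seen on unexpected channel", beacon))
        seen[(ssid, bssid)].add((chan, sec))
    # One BSSID beaconing with two different parameter sets is a strong clone signal.
    for key, variants in seen.items():
        if len(variants) > 1:
            findings.append(("same BSSID with conflicting parameters (likely clone)", key))
    return findings


if __name__ == "__main__":
    for reason, evidence in analyze(BEACONS, AUTHORIZED):
        print(f"{reason}: {evidence}")
```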

#2 redoom

redoom

    the 0ne

  • Members
  • 1 posts
  • Gender:Male

Posted 09 December 2011 - 12:54 AM

If I understand what you're saying, no, wifi encryption doesn't work this way.

Imagine how an encrypted zip file works. If you create a zip file with a password, the contents of it are scrambled in such a way that only that exact same password could be used with the same encryption algorithm to decrypt the password. Without that exact password, decrypting the file is impossible.

Wireless encryption, at a very basic level, works the same. If you put a password in your computer to access the wireless access point, that password is not ever transmitted to the access point. If it was, it could be intercepted. Instead, the password is used to encrypt information being transmitted, and the receiver uses the password to decrypt the data. Nobody else without the password could view the traffic.

WPA takes this up a notch with private key public key handshaking. But at a simple level, the concept is still the same.

#3 nyphonejacks

nyphonejacks

    Dangerous free thinker

  • Members
  • 793 posts
  • Gender:Male
  • Location:718

Posted 09 December 2011 - 07:37 PM

good to know that it is not possible as i imagined it...

#4 Powermaniac7

Powermaniac7

    mad 1337

  • Members
  • 138 posts
  • Gender:Male

Posted 09 December 2011 - 10:02 PM

nyphonejacks aren't you just talking about collecting the password key by making people log into a fake wifi address which logs the password they entered? Thus after they discover it doesn't work they then go and try to log into the other real wifi address but you now have the WEP/WPA/WPA2 key.

#5 nyphonejacks

nyphonejacks

    Dangerous free thinker

  • Members
  • 793 posts
  • Gender:Male
  • Location:718

Posted 10 December 2011 - 12:08 PM

    nyphonejacks aren't you just talking about collecting the password key by making people log into a fake wifi address which logs the password they entered? Thus after they discover it doesn't work they then go and try to log into the other real wifi address but you now have the WEP/WPA/WPA2 key.


yes this is what i am trying to say...

#6 Afterm4th

Afterm4th

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 399 posts
  • Gender:Male
  • Location:way up north eh

Posted 10 December 2011 - 07:25 PM


    nyphonejacks aren't you just talking about collecting the password key by making people log into a fake wifi address which logs the password they entered? Thus after they discover it doesn't work they then go and try to log into the other real wifi address but you now have the WEP/WPA/WPA2 key.

    yes this is what i am trying to say...



yes this would work. You just need to overpower their signal and log the password entered

#7 nyphonejacks

nyphonejacks

    Dangerous free thinker

  • Members
  • 793 posts
  • Gender:Male
  • Location:718

Posted 10 December 2011 - 10:45 PM

    yes this would work. You just need to overpower their signal and log the password entered


would this work for all methods of encryption, or just weaker wifi security like WEP?

this just brought up another related flaw...
my cable provider offers free wifi hotspots all over the city - as do many other ISPs...
the WiFi is open - no security, but until you enter your user name and password for your account you are stuck in a walled garden. sure you can store your device's MAC address to prevent you from having to log in every time, but would someone really question if they had to do it again?

The problem with this method of authentication is it is extremely prone to MiTM attacks. anyone can set up an AP with the SSID that the ISP uses, and use a fake redirect page to require you to sign in.

this not only grants the person running the AP pretending to be from the ISP access to all of that ISP's WiFi hotspots at no cost (with activity being traced back to the account holder whose credentials he stole) it also gives the person running the fake AP the credentials to log into that person's ISP account.

I am not sure what could be done to close those security holes, but it seems that there is a risk in using these open hotspots.

#8 ALMarshun

ALMarshun

    the 0ne

  • Members
  • 1 posts
  • Gender:Male

Posted 23 December 2011 - 09:58 AM

yes this works and in fact the aircrack suite has tools to accomplish this (namely airbase). This would work for any encryption type but it's tricky with more advanced encryptions. with WEP it's a piece of cake. but for WPA and WPA2 what you will be receiving is not the key, but the WPA 4-way handshake. You still need to cap the packets and then run the handshake through a cracker to get the WPA key, which still requires that you have a good dictionary file and that the key is already in your dictionary.

Simply put, this is just another method for capping packets when you may not have access to the AP itself but you do have access to a roaming client.

EDIT: forgot to comment on your latest post. This is also possible. You can go about it by either social engi like you said by setting up a fake site to snatch up credentials, or take a look at the protocols used in the walled garden. For example if it uses ssl then you can easily MitM the AP and strip the ssl data to get the credentials without giving *almost* any "red flags" to the victim that they may be a target.

Edited by ALMarshun, 23 December 2011 - 10:03 AM.


#9 resistor X

resistor X

    Mack Daddy 31337

  • Members
  • 214 posts
  • Gender:Not Telling
  • Location:Linux Heaven

Posted 27 December 2011 - 09:33 AM


    yes this would work. You just need to overpower their signal and log the password entered

    would this work for all methods of encryption, or just weaker wifi security like WEP?

    this just brought up another related flaw...
    my cable provider offers free wifi hotspots all over the city - as do many other ISPs...
    the WiFi is open - no security, but until you enter your user name and password for your account you are stuck in a walled garden. sure you can store your device's MAC address to prevent you from having to log in every time, but would someone really question if they had to do it again?

    The problem with this method of authentication is it is extremely prone to MiTM attacks. anyone can set up an AP with the SSID that the ISP uses, and use a fake redirect page to require you to sign in.

    this not only grants the person running the AP pretending to be from the ISP access to all of that ISP's WiFi hotspots at no cost (with activity being traced back to the account holder whose credentials he stole) it also gives the person running the fake AP the credentials to log into that person's ISP account.

    I am not sure what could be done to close those security holes, but it seems that there is a risk in using these open hotspots.


"...but would someone really question if they had to do it again? "

I doubt it.

#10 nyphonejacks

nyphonejacks

    Dangerous free thinker

  • Members
  • 793 posts
  • Gender:Male
  • Location:718

Posted 27 December 2011 - 07:56 PM

    "...but would someone really question if they had to do it again? "

    I doubt it.

i do not think in this scenario that someone would put up a red flag if they had to re-enter their credentials, they would probably just pass it off as a glitch in the system

#11 serrath

serrath

    SUP3R 31337

  • Members
  • 181 posts
  • Gender:Male

Posted 10 January 2012 - 09:41 PM

This would provide no advantage over deauthing WPA clients and listening in on their handshakes.

See: http://mobilesociety...inside_the.html'

I believe a later post suggested spoofing unsecured networks which required a user to authenticate through a web frontend; it's my understanding that the SET has a tool for this.

Edited by serrath, 10 January 2012 - 09:44 PM.
