
Security of managed WPA wireless access points.



#1 digitalchameleon


Posted 13 March 2012 - 12:52 PM

Airodump output:
 ENC  CIPHER AUTH ESSID
OPN              XYZ-open    
WPA2 CCMP   MGT  XYZ-authorized

Logging onto XYZ-open directs you to a webpage asking for a username and password, which I'm assuming will then allow you access to XYZ-authorized. Can anybody provide information about how this happens exactly? I've been searching Google and aircrack forums with no luck. Is this AP vulnerable to WPA handshake capture? Can the webpage passwords be sniffed from the XYZ-open network?

Edited by digitalchameleon, 13 March 2012 - 12:54 PM.


#2 nyphonejacks


Posted 13 March 2012 - 02:45 PM

Airodump output:

 ENC  CIPHER AUTH ESSID
OPN              XYZ-open    
WPA2 CCMP   MGT  XYZ-authorized

Logging onto XYZ-open directs you to a webpage asking for a username and password, which I'm assuming will then allow you access to XYZ-authorized. Can anybody provide information about how this happens exactly? I've been searching Google and aircrack forums with no luck. Is this AP vulnerable to WPA handshake capture? Can the webpage passwords be sniffed from the XYZ-open network?

Sounds like the open one is a guest network behind a walled garden... Traffic between the open and WPA networks would be isolated, and logging into the open network would not provide you with credentials for logging into the WPA protected network.

#3 digitalchameleon


Posted 13 March 2012 - 02:55 PM

The only page I can get through XYZ-open says:

Access XYZ internet.
Username:_____________
Password:_____________

All packets seem to end up here, with this http server. I have seen clients access XYZ-open shortly before their MAC address appears associated with XYZ-authorized.

#4 systems_glitch


Posted 18 March 2012 - 11:19 AM

It's likely a newer Cisco/Linksys wireless router. They do indeed provide a walled garden for allowing visitors to your house/business/whatever to access the Internet but not the machines on the secure portion of the network. From what I've seen, the "visitor" side is just running a gateway auth service and has no bearing on who can associate with the "secure" side.

I do a similar thing with m0n0wall/pfSense -- my wireless router (a little ALIX board running m0n0wall) runs with no encryption but requires gateway auth login before a machine can connect to anything. The access point's WAN interface is connected to a switch on the untrusted interface of my pfSense box. You can only route to the public Internet through the untrusted interface, but if you need to access something on my internal LAN, you can connect to an OpenVPN daemon on the pfSense untrusted interface using a pre-shared key and tunnel into the trusted LAN network.
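The segmentation described in the post above, modelled as a two-stage policy check. This is an added example, not part of the original thread and not systems_glitch's configuration; every address, the `decide` function, and the rule for other hosts on the untrusted switch are assumptions made for illustration.

```python
import ipaddress

# Constructed addresses; none of them come from the thread.
TRUSTED_LAN = ipaddress.ip_network("192.168.10.0/24")    # LAN behind pfSense
UNTRUSTED_NET = ipaddress.ip_network("192.168.20.0/24")  # switch on the pfSense untrusted interface
PFSENSE_UNTRUSTED_IP = ipaddress.ip_address("192.168.20.1")
PORTAL_IP = ipaddress.ip_address("192.168.30.1")         # gateway auth page on the access point
OPENVPN = ("udp", 1194)                                  # OpenVPN default port (assumed in use)


def decide(dst, proto, port, authenticated, via_vpn=False):
    """Return the verdict for one flow from a wireless client."""
    dst = ipaddress.ip_address(dst)

    # Stage 1, the open access point: nothing passes before gateway auth login.
    if not authenticated:
        return "allow" if dst == PORTAL_IP else "redirect-to-portal"

    # Stage 2, pfSense: the trusted LAN is reachable only through the tunnel.
    if dst in TRUSTED_LAN:
        return "allow" if via_vpn else "deny"

    # The only service offered on the untrusted interface is the OpenVPN daemon.
    if dst == PFSENSE_UNTRUSTED_IP:
        return "allow" if (proto, port) == OPENVPN else "deny"

    # Assumption: other hosts on the untrusted switch are not reachable.
    if dst in UNTRUSTED_NET:
        return "deny"

    # Everything else is treated as the public Internet.
    return "allow"


if __name__ == "__main__":
    flows = [  # constructed sample flows
        ("203.0.113.7", "tcp", 80, False, False),   # before portal login
        ("203.0.113.7", "tcp", 443, True, False),   # Internet after login
        ("192.168.10.5", "tcp", 22, True, False),   # direct to trusted LAN
        ("192.168.20.1", "udp", 1194, True, False), # OpenVPN on untrusted side
        ("192.168.10.5", "tcp", 22, True, True),    # trusted LAN through tunnel
    ]
    for flow in flows:
        print(flow, "->", decide(*flow))
```

The point the model makes is the same one made about the Cisco/Linksys guest network: passing gateway auth on the open side grants Internet routing only and gives no standing on the secure side.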



