nyphonejacks

did i just think up a way to defeat wifi security?

11 posts in this topic

I was just looking through a white paper about rogue access points... it said something along the lines of a client connecting to the AP with the best signal..

first off, I do not believe that I have the technical expertise in this field, so it may not be possible at all..

this would have to assume that the AP would have to have a way to log attempted/failed security keys....

my theory is this:

install an AP with the same SSID as the target network.

set the same security as the target network - WEP/WPA, etc.

possibly clone the MAC of the target AP (not sure if necessary)

my thoughts on how this would work (if it is even possible I do not know)

client thinks your AP is the AP that it has the credentials for, and tries to connect to it..

your AP then receives the key from the client - since you do not know the key for the target AP it will not connect, but it would log the attempt so you should have the key for the target network - I would assume that this would be encrypted

if this is possible, it seems like a better/faster method to obtain credentials for a wireless AP than sniffing wireless traffic waiting to get the key...

seems like it would make for a great penetration test..

anyone know if this is possible?

it seems to me that it would not matter what type of security was enabled on the target AP as long as you were able to log and decrypt the keys of legitimate clients that attempt to access the network...

if possible, having the fake AP change its SSID or shut its wireless radio off after someone attempts to log in should hopefully keep the key from being changed on the target AP - or drawing too much suspicion from the network's admin that many wireless clients are failing to connect.


If I understand what you're saying, no, wifi encryption doesn't work this way.

Imagine how an encrypted zip file works. If you create a zip file with a password, the contents of it are scrambled in such a way that only that exact same password could be used with the same encryption algorithm to decrypt the password. Without that exact password, decrypting the file is impossible.

Wireless encryption, at a very basic level, works the same. If you put a password in your computer to access the wireless access point, that password is not ever transmitted to the access point. If it was, it could be intercepted. Instead, the password is used to encrypt information being transmitted, and the receiver uses the password to decrypt the data. Nobody else without the password could view the traffic.

WPA takes this up a notch with private key public key handshaking. But at a simple level, the concept is still the same.


good to know that it is not possible as I imagined it...


nyphonejacks aren't you just talking about collecting the password key by making people log into a fake wifi address which logs the password they entered? Thus after they discover it doesn't work they then go and try to log into the other real wifi address but you now have the WEP/WPA/WPA2 key.


> nyphonejacks aren't you just talking about collecting the password key by making people log into a fake wifi address which logs the password they entered? Thus after they discover it doesn't work they then go and try to log into the other real wifi address but you now have the WEP/WPA/WPA2 key.

yes this is what I am trying to say...


> nyphonejacks aren't you just talking about collecting the password key by making people log into a fake wifi address which logs the password they entered? Thus after they discover it doesn't work they then go and try to log into the other real wifi address but you now have the WEP/WPA/WPA2 key.
>
> yes this is what I am trying to say...

yes this would work. You just need to overpower their signal and log the password entered


> yes this would work. You just need to overpower their signal and log the password entered

would this work for all methods of encryption, or just weaker wifi security like WEP?

this just brought up another related flaw...

my cable provider offers free wifi hotspots all over the city - as do many other ISPs...

the WiFi is open - no security, but until you enter your user name and password for your account you are stuck in a walled garden. sure you can store your device's MAC address to prevent you from having to log in every time, but would someone really question if they had to do it again?

The problem with this method of authentication is it is extremely prone to MiTM attacks. anyone can set up an AP with the SSID that the ISP uses, and use a fake redirect page to require you to sign in.

this not only grants the person running the AP pretending to be from the ISP access to all of that ISP's WiFi hotspots at no cost (with activity being traced back to the account holder he stole the credentials from) it also gives the person running the fake AP the credentials to log into that person's ISP account.

I am not sure what could be done to close those security holes, but it seems that there is a risk in using these open hotspots.


yes this works and in fact the aircrack suite has tools to accomplish this (namely airbase). This would work for any encryption type but it's tricky with more advanced encryptions. with WEP it's a piece of cake. but for WPA and WPA2 what you will be receiving is not the key, but the WPA 4-way handshake. You still need to cap the packets and then run the handshake through a cracker to get the WPA key, which still requires that you have a good dictionary file and that the key is already in your dictionary.

Simply put, this is just another method for capping packets when you may not have access to the AP itself but you do have access to a roaming client.

EDIT: forgot to comment on your latest post. This is also possible. You can go about it by either social engi like you said by setting up a fake site to snatch up credentials, or take a look at the protocols used in the walled garden. For example if it uses ssl then you can easily MitM the AP and strip the ssl data to get the credentials without giving *almost* any "red flags" to the victim that they may be a target.

Edited by ALMarshun
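Both the original theory (a second AP advertising the same SSID, possibly with a cloned MAC) and ALMarshun's point that such an AP only ever collects a handshake describe behaviour that leaves visible traces in beacon scans, which is how a wireless IDS spots it. The Python below is an added example written from the defender's side; it is not code from this thread, from aircrack or from airbase. It assumes a site allowlist mapping each SSID to its legitimate BSSIDs, channels and security mode (the KNOWN_APS layout is a constructed format, not any vendor's export) and runs over a constructed scan log, flagging three signs of a rogue twin: an unknown BSSID advertising a protected SSID (and whether it out-powers the real AP, the "overpower their signal" condition from the thread), a known BSSID seen on a channel it is not configured for (a cloned MAC), and an SSID offered with weaker security than it is configured with.

```python
from collections import namedtuple

# One row per beacon / probe response observed by a scanning client or sensor.
Observation = namedtuple("Observation", "ssid bssid channel rssi security")

# Constructed allowlist (assumed format, not a vendor export): for each SSID the
# site operates, its expected security mode and the channel each legitimate
# BSSID (AP radio MAC) is configured to use.
KNOWN_APS = {
    "CorpWiFi": {
        "security": "WPA2-PSK",
        "bssids": {"aa:bb:cc:00:00:01": 6, "aa:bb:cc:00:00:02": 11},
    },
}

# Constructed scan log. The third row is an unknown radio that out-powers the
# real APs; the fourth reuses a legitimate BSSID on the wrong channel and with
# security disabled; the last row is a network the site does not operate.
SCAN = [
    Observation("CorpWiFi", "aa:bb:cc:00:00:01", 6, -58, "WPA2-PSK"),
    Observation("CorpWiFi", "aa:bb:cc:00:00:02", 11, -71, "WPA2-PSK"),
    Observation("CorpWiFi", "de:ad:be:ef:00:01", 6, -35, "WPA2-PSK"),
    Observation("CorpWiFi", "aa:bb:cc:00:00:01", 1, -40, "OPEN"),
    Observation("GuestNet", "aa:bb:cc:00:00:09", 1, -60, "OPEN"),
]


def is_legitimate(obs, cfg):
    """True when BSSID, channel and security all match the allowlist entry."""
    return (obs.bssid in cfg["bssids"]
            and obs.channel == cfg["bssids"][obs.bssid]
            and obs.security == cfg["security"])


def find_rogue_aps(scan, known=KNOWN_APS):
    """Return a list of (reason, bssid, ssid) alerts for SSIDs in the allowlist.

    Observations of SSIDs the site does not operate are ignored: the check is
    about someone impersonating *our* network, not about neighbouring ones.
    """
    # Strongest signal seen from a fully legitimate AP per SSID, so that an
    # unknown radio can be flagged as out-powering the real one.
    best_legit = {}
    for obs in scan:
        cfg = known.get(obs.ssid)
        if cfg and is_legitimate(obs, cfg):
            best_legit[obs.ssid] = max(best_legit.get(obs.ssid, -200), obs.rssi)

    alerts = []
    for obs in scan:
        cfg = known.get(obs.ssid)
        if cfg is None:
            continue
        if obs.bssid not in cfg["bssids"]:
            # A radio we do not own is advertising our SSID: evil-twin candidate.
            reason = "unknown-bssid"
            if obs.rssi > best_legit.get(obs.ssid, -200):
                reason = "unknown-bssid-overpowering"
            alerts.append((reason, obs.bssid, obs.ssid))
            continue
        # Known BSSID: a cloned MAC usually betrays itself by channel or security.
        if obs.channel != cfg["bssids"][obs.bssid]:
            alerts.append(("cloned-bssid-wrong-channel", obs.bssid, obs.ssid))
        if obs.security != cfg["security"]:
            alerts.append(("security-downgrade", obs.bssid, obs.ssid))
    return alerts


if __name__ == "__main__":
    for reason, bssid, ssid in find_rogue_aps(SCAN):
        print(f"{reason:30} bssid={bssid} ssid={ssid}")
```

On the constructed log this reports the unknown overpowering radio once and the cloned BSSID twice (wrong channel and downgrade), while the GuestNet row is ignored. In practice the allowlist comes from the WLAN controller and the scan rows from a sensor or the clients' own scan results; the same three checks apply either way.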

> yes this would work. You just need to overpower their signal and log the password entered
>
> would this work for all methods of encryption, or just weaker wifi security like WEP?
>
> this just brought up another related flaw...
>
> my cable provider offers free wifi hotspots all over the city - as do many other ISPs...
>
> the WiFi is open - no security, but until you enter your user name and password for your account you are stuck in a walled garden. sure you can store your device's MAC address to prevent you from having to log in every time, but would someone really question if they had to do it again?
>
> The problem with this method of authentication is it is extremely prone to MiTM attacks. anyone can set up an AP with the SSID that the ISP uses, and use a fake redirect page to require you to sign in.
>
> this not only grants the person running the AP pretending to be from the ISP access to all of that ISP's WiFi hotspots at no cost (with activity being traced back to the account holder he stole the credentials from) it also gives the person running the fake AP the credentials to log into that person's ISP account.
>
> I am not sure what could be done to close those security holes, but it seems that there is a risk in using these open hotspots.

"...but would someone really question if they had to do it again?"

I doubt it.


> "...but would someone really question if they had to do it again?"
>
> I doubt it.

I do not think in this scenario that someone would put up a red flag if they had to re-enter their credentials, they would probably just pass it off as a glitch in the system


This would provide no advantage over deauthing WPA clients and listening in on their handshakes.

See: http://mobilesociety.typepad.com/mobile_life/2007/02/deep_inside_the.html

I believe a later post suggested spoofing unsecured networks which required a user to authenticate through a web frontend; it's my understanding that the SET has a tool for this.

Edited by serrath