Penetration Testing mailing list archives
Re: Wireless Pen Test
From: "Kevin Horvath" <kevin.horvath () gmail com>
Date: Fri, 28 Nov 2008 10:05:44 -0500
Anshuman,

Yes, there are many tools that look just for the 802.11 frames, but what you will need to look at is all the frames so you can see the EAP frames also... so put your card in RFMON/monitor mode and use tcpdump or Wireshark on that interface. As for sniffing the actual auth frames, you can, but what they use for their EAP type will determine what you can see. The EAP-MSCHAP you refer to is not the EAP type but the auth type that is passed through the EAP tunnel, such as through EAP-PEAP. So if they are using EAP-PEAP then the username and domain will be disclosed (as in many EAP types except TLS and TTLS, as I mentioned in my response to you earlier below) in clear text. Although the password can be recovered unless they are using Cisco's LEAP. You can determine the EAP type by looking at the raw packet captures. If they are using something such as EAP-PEAP or TLS or TTLS then you won't be able to hack it directly, but there are other attacks such as client attacks.

_______________________________previous response___________________

Assuming you are referring to WPA2-PSK, you can use aircrack-ng to brute force the WPA(2) passphrase by providing it a dictionary and the SSID, which is used as the salt. It's not cracking the encryption (AES); it's just brute forcing the hashed output to recover the key. If you have the passphrase in your dictionary and the 4-way handshake then you can recover it. WEP is broken and cracked, but WPA (TKIP encryption) is not fully broken yet, though the guys from the aircrack team (Hirte especially) already discovered the first kink in its armor. Although while it's not fully broken, you can perform the same brute-force attack as mentioned above against it also. Also, if you're telling a client that using WPA(2) PSK is secure then you are doing an injustice to your client... yes, even if the key is very long and complex and not in any dictionary.
The whole point of having a shared key is insecure, since all it takes is for one laptop to get hacked or stolen and then you're compromised. If you want to tell a client they are secure then you need to be recommending WPA(2) Enterprise using EAP-TLS or EAP-TTLS. Please don't tell a client WPA2/CCMP/AES-PSK is secure (for businesses, that is) as you are only as secure as your weakest client.

Kevin

____________________________

On Fri, Nov 28, 2008 at 9:44 AM, anshuman sharma <anshuman251 () gmail com> wrote:
Thanks a lot to all of you for all your answers. To give you all more details: the authentication for getting access to the wireless network is through RADIUS, thus you require domain logins for authentication. Then on the AP, WPA2 AES is used. So, is there any tool available to sniff the wireless traffic? I am taking an example that an employee nearby the office wants to log in to the network through wireless and nearby another user is using a tool (possibly Wireshark) to sniff the traffic. Now when the user tries to log in, he will send the credential for authentication and the AP will forward the request to RADIUS for authentication. Can this packet be sniffed and can the credential be recovered? Authentication type is EAP-MSCHAP.

Thanks and Regards
Anshuman

On Thu, Nov 27, 2008 at 8:38 AM, Kevin Horvath <kevin.horvath () gmail com> wrote:

Assuming you are referring to WPA2-PSK, you can use aircrack-ng to brute force the WPA(2) passphrase by providing it a dictionary and the SSID, which is used as the salt. It's not cracking the encryption (AES); it's just brute forcing the hashed output to recover the key. If you have the passphrase in your dictionary and the 4-way handshake then you can recover it. WEP is broken and cracked, but WPA (TKIP encryption) is not fully broken yet, though the guys from the aircrack team (Hirte especially) already discovered the first kink in its armor. Although while it's not fully broken, you can perform the same brute-force attack as mentioned above against it also. Also, if you're telling a client that using WPA(2) PSK is secure then you are doing an injustice to your client... yes, even if the key is very long and complex and not in any dictionary. The whole point of having a shared key is insecure, since all it takes is for one laptop to get hacked or stolen and then you're compromised. If you want to tell a client they are secure then you need to be recommending WPA(2) Enterprise using EAP-TLS or EAP-TTLS.
Please don't tell a client WPA2/CCMP/AES-PSK is secure (for businesses, that is) as you are only as secure as your weakest client.

On Wed, Nov 26, 2008 at 10:37 AM, anshuman sharma <anshuman251 () gmail com> wrote:

Hi All,

Is there any tool available to break WPA2 encryption (I searched a lot but was not able to find any). I know that using Aircrack (Airodump and Aireplay), WEP and WPA keys can be broken. But if the encryption is WPA2, can we give a reasonable assurance to the client that the Wifi network is secure from outside?

Thanks and Regards
Anshuman

------------------------------------------------------------------------
This list is sponsored by: Cenzic
Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now
www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
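Two points in the thread above lend themselves to a worked check, given here as an added Python example that is not code from the list or from any of its posters. First, Kevin's advice that the EAP method can be read straight out of the raw captures: a small decoder for the EAPOL/EAP header reports the EAP code, the method type (PEAP, TLS, TTLS, LEAP, ...) and, for a Response/Identity packet, the outer identity that is sent in the clear before any tunnel is established. Second, his remark that the SSID is the salt for the WPA(2) PSK: the PMK derivation from IEEE 802.11i (PBKDF2-HMAC-SHA1, 4096 iterations, 32-byte output) makes it visible that every client of a PSK network computes the identical secret, which is the "one stolen laptop" exposure he describes. The EAPOL frames and the identity `jdoe@corp.example` are constructed for the example; the PMK test vector (passphrase `password`, SSID `IEEE`) is the published 802.11i one.

```python
"""Added example: audit helpers for the two points raised in the thread.
(1) parse_eap(): decode an EAPOL-encapsulated EAP packet and report the
    method type and any clear-text identity.
(2) wpa_pmk(): derive the WPA/WPA2 PMK from passphrase + SSID (IEEE 802.11i).
Standard library only; sample frames below are constructed, not captured."""
import hashlib
import struct

# EAP method type codes from the IANA EAP registry (RFC 3748 and successors).
EAP_TYPES = {
    1: "Identity",
    4: "MD5-Challenge",
    13: "EAP-TLS",
    17: "LEAP",
    21: "EAP-TTLS",
    25: "PEAP",
    26: "EAP-MSCHAPv2",
    43: "EAP-FAST",
}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}


def parse_eap(eapol: bytes) -> dict:
    """Parse an EAPOL frame (802.1X header followed by an EAP packet).

    Returns a dict with the EAP code, identifier, method type (for
    Request/Response) and the outer identity if this is a Response/Identity.
    Raises ValueError for truncated input or a non-EAP EAPOL frame."""
    if len(eapol) < 4:
        raise ValueError("EAPOL header truncated")
    _version, pkt_type, body_len = struct.unpack("!BBH", eapol[:4])
    # EAPOL type 0 is EAP-Packet; type 3 (EAPOL-Key) carries the 4-way handshake.
    if pkt_type != 0:
        raise ValueError(f"not an EAP-Packet (EAPOL type {pkt_type})")
    eap = eapol[4:4 + body_len]
    if len(eap) < 4:
        raise ValueError("EAP header truncated")
    code, ident, length = struct.unpack("!BBH", eap[:4])
    info = {"code": EAP_CODES.get(code, f"unknown({code})"), "id": ident}
    if code in (1, 2) and length >= 5:
        eap_type = eap[4]
        info["type"] = EAP_TYPES.get(eap_type, f"unknown({eap_type})")
        # The Response/Identity is sent before any TLS tunnel exists, so the
        # outer identity is readable by anyone in monitor mode; with PEAP the
        # inner MSCHAPv2 exchange that follows is inside the tunnel.
        if eap_type == 1 and code == 2:
            info["identity"] = eap[5:length].decode("utf-8", "replace")
    return info


def build_eap_identity_response(identity: str, ident: int = 1) -> bytes:
    """Construct an EAPOL/EAP Response-Identity frame (test input only)."""
    body = identity.encode()
    eap = struct.pack("!BBHB", 2, ident, 5 + len(body), 1) + body
    return struct.pack("!BBH", 1, 0, len(eap)) + eap


# Constructed EAP-Request of type PEAP (25) with the TLS "start" flag (0x20):
# what the authenticator sends after the identity exchange on a PEAP network.
PEAP_START = struct.pack("!BBH", 1, 0, 6) + struct.pack("!BBHBB", 1, 2, 6, 25, 0x20)


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)
    per IEEE 802.11i. The SSID is the only salt, so every client of a PSK
    network derives the same 256-bit key; in WPA(2) Enterprise the PMK
    instead comes out of each client's own EAP session."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


if __name__ == "__main__":
    frame = build_eap_identity_response("jdoe@corp.example")  # constructed
    print("identity frame:", parse_eap(frame))
    print("peap start:    ", parse_eap(PEAP_START))
    # Two "clients" with the same passphrase and SSID hold the same PMK.
    print("PMK client A:", wpa_pmk("password", "IEEE").hex())
    print("PMK client B:", wpa_pmk("password", "IEEE").hex())
```

Run it as-is to see the decoded frames and the shared PMK; to audit a real network, feed `parse_eap()` the EAPOL payload (bytes following the 802.11 data header and LLC/SNAP) of a frame captured from a monitor-mode interface, and the `type` field tells you which EAP method the deployment is actually negotiating.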
Current thread:
- Re: Wireless Pen Test, (continued)
- Re: Wireless Pen Test Cedric Blancher (Nov 28)
- Re: Wireless Pen Test Leandro Machado (Nov 28)
- RE: Wireless Pen Test Harit, Saurabh (IE10) (Nov 28)
- Re: Wireless Pen Test m0rebel (Nov 28)
- RE: Wireless Pen Test Rui Pereira (WCG) (Nov 28)
- RE: Wireless Pen Test Cedric Blancher (Nov 28)
- Re: Wireless Pen Test Paul Melson (Nov 28)
- RE: Wireless Pen Test Rui Pereira (WCG) (Nov 28)
- Re: Wireless Pen Test Samuel Korpi (Nov 28)
- Re: Wireless Pen Test Joshua Wright (Nov 28)
- Message not available
- Re: Wireless Pen Test anshuman sharma (Nov 28)
- Re: Wireless Pen Test Kevin Horvath (Nov 28)
- Re: Wireless Pen Test Kevin Horvath (Nov 30)
- Re: Wireless Pen Test anshuman sharma (Nov 28)
- Wireless Pen Test christopher . riley (Nov 28)