Penetration Testing mailing list archives
Re: Pen-Testing Users/Wireless APs?
From: Pieter Danhieux <opr () bsdaemon be>
Date: Sun, 25 Jun 2006 09:45:01 +0200 (CEST)
Steven, I have copied this mail also to the wifi-sec mailing list.

I am pretty sure this will work for non-protected APs or WEP-protected APs, but I am not sure about WPA. The reason is that the PTK (Primary Transient Key) generation algo is using the MAC addresses of both the client and the AP as input (next to the PMK and 2 random values). A lot of other keys are then derived from this PTK value (MIC, KEK, KCK, ...) and all these keys are needed for communication. That means you would have to do some serious MAC-fu trickery to make this work.
victim <----> [fake AP WiFi interface with MAC of real AP] <> [fake AP WiFi interface with MAC of victim] <---> real AP
2 problems:
- cross your fingers that the victim is not in range of the real AP (else he will not notice the difference between the fake and the real one and he could start communicating with the real AP during the authentication session)
- you will be a dumb "repeater" and all communication will be encrypted (and you do not have the PTK to calculate the MIC, KEK, KCK to decrypt the traffic).
Conclusion: I don't think this is a feasible attack; it would be better to use cowpatty with pre-generated tables to identify the PMK. But then again, I could be wrong ...
Kind regards,
--
Pieter Danhieux CISSP, GSEC, GCIH, CISA, GCFA

On Fri, 23 Jun 2006 steven () lovebug org wrote:
Greetings,

I am wondering if anyone has done what I am looking to do or knows of a recommended way to go about doing it. This may be used for a pen-test in the future (would be allowed by ROE) or just for my own personal use not affecting others.

I want to set up an access point that clones the SSID of the valid network that uses WPA. When a user tries to connect to my AP and enters their information to authenticate, I want it to just be sent to me so I can read what they wrote. Basically, this would then allow me to enter this information into my own machine to connect to the network with their credentials.

Is there a tool that does this already? Perhaps one of the WRT firmwares that have a logging option, or maybe just some other tool altogether? Has anyone tried doing this before? If so, how did you go about doing it?

Thanks.
Steven

------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security? Why not go with the #1 solution - Cenzic, the only one to win the Analyst's Choice Award from eWeek. As attacks through web applications continue to rise, you need to proactively protect your applications from hackers. Cenzic has the most comprehensive solutions to meet your application security penetration testing and vulnerability management needs. You have an option to go with a managed service (Cenzic ClickToSecure) or an enterprise software (Cenzic Hailstorm). Download FREE whitepaper on how a managed service can help you: http://www.cenzic.com/news_events/wpappsec.php And, now for a limited time we can do a FREE audit for you to confirm your results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------
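Pieter's argument above is that the PTK binds both MAC addresses and both nonces, so a relay that does not reproduce the real client's MAC exactly ends up with a different key set and its forwarded handshake fails the MIC check. The following Python is an added example, not code from the thread: it implements the 802.11i PTK derivation and the WPA2 EAPOL-Key MIC, then shows the mismatch. The SSID, passphrase, MACs, nonces and EAPOL body are constructed placeholders.

```python
import hashlib
import hmac


def prf(key: bytes, label: bytes, data: bytes, nbits: int) -> bytes:
    """IEEE 802.11i PRF-n: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    out = b""
    i = 0
    while len(out) * 8 < nbits:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[: nbits // 8]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-384(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    AA is the AP (authenticator) MAC, SPA the station MAC; both are inputs, as Pieter notes."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 384)
    return {"kck": ptk[0:16], "kek": ptk[16:32], "tk": ptk[32:48]}


def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2 (AES key descriptor) EAPOL-Key MIC: HMAC-SHA1 over the frame with the MIC
    field zeroed, truncated to 16 bytes. The KCK is the first 128 bits of the PTK."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def relay_with_own_mac() -> dict:
    """Constructed scenario: the real AP sees the relay's station MAC instead of the
    victim's, so the AP-side PTK differs and the victim's MIC no longer verifies."""
    pmk = hashlib.pbkdf2_hmac("sha1", b"passphrase", b"ExampleNet", 4096, 32)  # WPA-PSK PMK
    ap, victim, relay = mac("00:11:22:33:44:55"), mac("66:77:88:99:aa:bb"), mac("de:ad:be:ef:00:01")
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))  # constructed nonces
    victim_keys = derive_ptk(pmk, ap, victim, anonce, snonce)  # what the victim computes
    ap_keys = derive_ptk(pmk, ap, relay, anonce, snonce)       # what the real AP computes
    frame = b"constructed EAPOL-Key message 2 with zeroed MIC field"
    mic_from_victim = eapol_mic(victim_keys["kck"], frame)
    accepted = hmac.compare_digest(mic_from_victim, eapol_mic(ap_keys["kck"], frame))
    return {"ptk_changed": victim_keys != ap_keys, "mic_accepted": accepted}
```

Only a relay that reproduces both MACs and forwards both nonces unchanged keeps the two PTKs equal, and even then it holds no PMK of its own, which is the point of the "dumb repeater" remark above.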
Current thread:
- Pen-Testing Users/Wireless APs? steven (Jun 23)
- Re: Pen-Testing Users/Wireless APs? Pieter Danhieux (Jun 25)
- <Possible follow-ups>
- Re: Pen-Testing Users/Wireless APs? Jezebel Ali (Jun 25)