Re: Pen-Testing Users/Wireless APs?

From: Pieter Danhieux (opr@bsdaemon.be)
Date: Sun Jun 25 2006 - 03:45:01 EDT


Steven,

I have also copied this mail to the wifi-sec mailing list.

I am pretty sure this will work for non-protected APs or WEP-protected
APs, but I am not sure about WPA. The reason is that the PTK (Primary
Transient Key) generation algo is using the MAC addresses of both the
client and the AP as input (next to PMK and 2 random values). A lot of
other keys are then derived from this PTK value (MIC, KEK, KCK, ...)
and all these keys are needed for communication.

That means you would have to do some serious MAC-fu trickery to make
this work.

victim <----> [fake AP WiFi interface with MAC of real AP] <> [fake AP
WiFi interface with MAC of victim] <---> real AP

2 problems:
- cross your fingers that the victim is not in range of the real AP (else
he will not notice the difference between the fake and real and he could
start communicating with the real AP during the authentication session)
- you will be a dumb "repeater" and all communication will be encrypted
(and you do not have the PTK to calculate the MIC, KEK, KCK to decrypt the
traffic).

Conclusion: I don't think this is a feasible attack; it would be better to
use cowpatty with pre-generated tables to identify the PMK. But then
again, I could be wrong ...

Kind regards,

--
Pieter Danhieux
CISSP, GSEC, GCIH, CISA, GCFA

On Fri, 23 Jun 2006 steven@lovebug.org wrote:
> Greetings,
>
> I am wondering if anyone has done what I am looking to do or knows of a
> recommended way to go about doing it.  This may be used for a pen-test in
> the future (would be allowed by ROE) or just for my own personal use not
> affecting others.  I want to set up an access point that clones the SSID of
> the valid network that uses WPA.  When a user tries to connect to my AP
> and they enter in their information to authenticate -- I want it to just
> be sent to me so I can read what they wrote.  Basically then allowing me
> to enter this information into my own machine to connect onto the network
> with their credentials.  Is there a tool that does this already?  Perhaps
> one of the WRT firmwares that have a logging option or maybe just some
> other tool altogether?
>
> Has anyone tried doing this before?  If so how did you go about doing it?
>
> Thanks.
>
> Steven
------------------------------------------------------------------------------
This List Sponsored by: Cenzic
Concerned about Web Application Security? 
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's 
Choice Award from eWeek. As attacks through web applications continue to rise, 
you need to proactively protect your applications from hackers. Cenzic has the 
most comprehensive solutions to meet your application security penetration 
testing and vulnerability management needs. You have an option to go with a 
managed service (Cenzic ClickToSecure) or an enterprise software 
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can 
help you: http://www.cenzic.com/news_events/wpappsec.php 
And, now for a limited time we can do a FREE audit for you to confirm your 
results from other product. Contact us at request@cenzic.com for details.
------------------------------------------------------------------------------
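An added worked example (not part of the thread, written here to illustrate Pieter's point) in Python: the WPA-PSK key derivation, PMK from passphrase and SSID, then PTK from the PMK, both MAC addresses and both nonces. The passphrase, SSID, MAC addresses and nonces are constructed sample values; the function names are my own.

```python
import hashlib
import hmac


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits).
    This is the per-SSID value that cowpatty-style pre-generated tables hold."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """IEEE 802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    i = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        i += 1
    return out[:nbytes]


def wpa_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    AA is the AP (authenticator) MAC, SPA the station (supplicant) MAC.
    Split: KCK (bytes 0-15, signs the handshake MIC), KEK (16-31), TK (32-47);
    the last 16 bytes are used only by TKIP as the Michael MIC keys."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf(pmk, b"Pairwise key expansion", data, 64)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def relay_ptk_mismatch() -> bool:
    """Constructed sample values. Derive the PTK the real AP computes with the real
    client's MAC, then the PTK it would compute if a relaying station presented its own
    MAC: the two differ, so the relay holds neither the KCK for the handshake MIC nor
    the TK for the traffic, which is why a MAC-mismatched repeater cannot decrypt."""
    pmk = wpa_pmk("sample-passphrase", "example-net")
    ap_mac = bytes.fromhex("001122334455")
    client_mac = bytes.fromhex("66778899aabb")
    relay_mac = bytes.fromhex("ccddeeff0011")
    anonce = bytes(range(32))          # constructed, not random
    snonce = bytes(range(32, 64))      # constructed, not random
    real = wpa_ptk(pmk, ap_mac, client_mac, anonce, snonce)
    relay = wpa_ptk(pmk, ap_mac, relay_mac, anonce, snonce)
    return real["KCK"] != relay["KCK"] and real["TK"] != relay["TK"]


if __name__ == "__main__":
    print("PTK differs when the supplicant MAC changes:", relay_ptk_mismatch())
```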


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:10 EDT