Penetration Testing mailing list archives

Re: Pen-Testing Users/Wireless APs?


From: Pieter Danhieux <opr () bsdaemon be>
Date: Sun, 25 Jun 2006 09:45:01 +0200 (CEST)

Steven,

I have also copied this mail to the wifi-sec mailing list.

I am pretty sure this will work for non-protected APs or WEP-protected APs, but I am not sure about WPA. The reason is that the PTK (Primary Transient Key) generation algo is using the MAC addresses of both the client and the AP as input (next to PMK and 2 random values). A lot of other keys are then derived from this PTK value (MIC, KEK, KCK, ..) and all these keys are needed for communication.

That means you would have to do some serious MAC-fu trickery to make this work.

victim <----> [fake AP WiFi interface with MAC of real AP] <> [fake AP WiFi interface with MAC of victim] <---> real AP

2 problems:
- cross your fingers that the victim is not in range of the real AP (else he will not notice the difference between the fake and real and he could start communicating with the real AP during the authentication session) - you will be a dumb "repeater" and all communication will be encrypted (and you do not have the PTK to calculate the MIC, KEK, KCK to decrypt the traffic).

conclusion: don't think this is a feasible attack, it would be better to use cowpatty with pre-generated tables to identify the PMK. But then again, I could be wrong ...

kind regards,

--
Pieter Danhieux
CISSP, GSEC, GCIH, CISA, GCFA
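To make the MAC-binding point above concrete, here is an added example (not from the thread or from any tool it mentions) that implements the IEEE 802.11i PTK derivation and checks whether the EAPOL-Key MIC a client computes would verify at the real AP under the two relay layouts discussed. The PMK, MAC addresses, nonces and frame body are constructed sample values.

```python
import hmac
import hashlib

# Constructed sample values: a PSK-derived PMK (PBKDF2-HMAC-SHA1, 4096 rounds), three MACs, two nonces.
PMK = hashlib.pbkdf2_hmac("sha1", b"correct horse", b"HomeNet", 4096, 32)
REAL_AP = bytes.fromhex("001122334455")
VICTIM = bytes.fromhex("66778899aabb")
RELAY = bytes.fromhex("ccddeeff0011")  # the fake AP's own interface MAC
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: concatenated HMAC-SHA1(key, label || 0x00 || data || counter), truncated to 64 bytes."""
    out = b""
    for counter in range(4):
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
    return out[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> dict:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(AA,SPA) || max(AA,SPA) || min(nonces) || max(nonces))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf512(pmk, b"Pairwise key expansion", data)
    return {"KCK": ptk[:16], "KEK": ptk[16:32], "TK": ptk[32:48]}


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key descriptor version 2 MIC: HMAC-SHA1 over the EAPOL-Key frame (MIC field zeroed), truncated to 128 bits."""
    return hmac.new(kck, frame, hashlib.sha1).digest()[:16]


def handshake_mic_verifies(client_aa: bytes, client_spa: bytes, ap_aa: bytes, ap_spa: bytes) -> bool:
    """Does the MIC the client puts on message 2 verify with the KCK the real AP derives?"""
    client_keys = derive_ptk(PMK, client_aa, client_spa, ANONCE, SNONCE)
    ap_keys = derive_ptk(PMK, ap_aa, ap_spa, ANONCE, SNONCE)
    frame = b"constructed EAPOL-Key message 2 body"  # nonces are relayed unchanged
    return hmac.compare_digest(eapol_mic(client_keys["KCK"], frame), eapol_mic(ap_keys["KCK"], frame))


def relay_with_own_mac() -> bool:
    # Victim associates to the relay's MAC; the relay associates to the real AP with its own MAC.
    return handshake_mic_verifies(RELAY, VICTIM, REAL_AP, RELAY)


def relay_with_spoofed_macs() -> bool:
    # Victim sees the real AP's MAC and the real AP sees the victim's MAC: keys agree on both ends.
    return handshake_mic_verifies(REAL_AP, VICTIM, REAL_AP, VICTIM)
```

In the spoofed-MAC case the keys only line up because this script holds the PMK; a relay that does not have it cannot derive KCK, KEK or TK at all, which is the dumb-repeater situation described above.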

On Fri, 23 Jun 2006 steven () lovebug org wrote:

Greetings,

I am wondering if anyone has done what I am looking to do or knows of a
recommended way to go about doing it.  This may be used for a pen-test in
the future (would be allowed by ROE) or just for my own personal use not
affecting others.  I want to setup an access point that clones the SSID of
the valid network that uses WPA.  When a user tries to connect to my AP
and they enter in their information to authenticate -- I want it to just
be sent to me so I can read what they wrote.  Basically then allowing me
to enter this information into my own machine to connect onto the network
with their credentials.  Is there a tool that does this already?  Perhaps
one of the WRT firmwares that have a logging option or maybe just some
other tool altogether?

Has anyone tried doing this before?  If so how did you go about doing it?

Thanks.

Steven


------------------------------------------------------------------------------
This List Sponsored by: Cenzic

Concerned about Web Application Security?
Why not go with the #1 solution - Cenzic, the only one to win the Analyst's
Choice Award from eWeek. As attacks through web applications continue to rise,
you need to proactively protect your applications from hackers. Cenzic has the
most comprehensive solutions to meet your application security penetration
testing and vulnerability management needs. You have an option to go with a
managed service (Cenzic ClickToSecure) or an enterprise software
(Cenzic Hailstorm). Download FREE whitepaper on how a managed service can
help you: http://www.cenzic.com/news_events/wpappsec.php
And, now for a limited time we can do a FREE audit for you to confirm your
results from other product. Contact us at request () cenzic com for details.
------------------------------------------------------------------------------


