Penetration Testing mailing list archives

Re: Wireless Pen Test


From: "Kevin Horvath" <kevin.horvath () gmail com>
Date: Fri, 28 Nov 2008 10:05:44 -0500

Anshuman,

Yes, there are many tools that look just for the 802.11 frames, but what
you will need to look at is all the frames so you can see the EAP
frames also... so put your card in RFMON/monitor mode and use tcpdump
or Wireshark on that interface.  As for sniffing the actual auth
frames, you can, but what they use for their EAP type will determine
what you can see.  The EAP-MSCHAP you refer to is not the EAP type but
the auth type that is passed through the EAP tunnel, such as through
EAP-PEAP.  So if they are using EAP-PEAP then the username and domain
will be disclosed in clear text (as in many EAP types except TLS and
TTLS, as I mentioned in my response to you earlier below).  Although
the password can be recovered unless they are using Cisco's LEAP.  You
can determine the EAP type by looking at the raw packet captures.  If
they are using something such as EAP-PEAP or TLS or TTLS then you won't
be able to hack it directly, but there are other attacks such as client
attacks.

_______________________________previous response___________________
Assuming you are referring to WPA2-PSK, you can use aircrack-ng to
brute-force the WPA(2) passphrase by providing it a dictionary and the
SSID, which is used as the salt.  It's not cracking the encryption
(AES); it's just brute-forcing the hashed output to recover the key.  If
you have the passphrase in your dictionary and the 4-way handshake then
you can recover it.  WEP is broken and cracked, but WPA (TKIP
encryption) is not fully broken yet, although the guys from the aircrack
team (Hirte especially) already discovered the first kink in its
armor.  While it's not fully broken, you can perform the same
brute-force attack as mentioned above against it also.

Also, if you're telling a client that using WPA(2)-PSK is secure then
you are doing an injustice to your client... yes, even if the key is
very long and complex and not in any dictionary.  The whole point of
having a shared key is insecure, since all it takes is for one laptop
to get hacked or stolen and then you're compromised.  If you want to
tell a client they are secure then you need to be recommending WPA(2)
Enterprise using EAP-TLS or EAP-TTLS.

Please don't tell a client WPA2/CCMP/AES-PSK is secure (for
businesses, that is), as you are only as secure as your weakest client.

Kevin
____________________________
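Kevin's point that the EAP type, and the outer identity, can be read straight off the raw capture can be checked with a small EAPOL/EAP header parser. The code below is an added example, not part of the original thread; the sample frames are constructed by hand (no real capture) and the type tables come from IEEE 802.1X and RFC 3748 plus the method RFCs.

```python
import struct
# EAPOL packet types (IEEE 802.1X), EAP codes and method types (RFC 3748 and the
# method RFCs). Tunnelled methods (PEAP, TTLS, FAST) carry the inner auth, e.g.
# MSCHAPv2, inside TLS, so an observer only ever sees the outer method type.
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
             13: "EAP-TLS", 17: "LEAP", 21: "EAP-TTLS", 25: "EAP-PEAP",
             26: "EAP-MSCHAPv2", 43: "EAP-FAST"}

def parse_eapol(frame):
    """Return what a monitor-mode observer reads from one EAPOL frame with no key:
    EAPOL type, EAP code/method type, and the outer identity if it is an EAP
    Identity Response (which goes over the air in the clear)."""
    if len(frame) < 4:
        raise ValueError("EAPOL header needs 4 bytes")
    _version, eapol_type, body_len = struct.unpack("!BBH", frame[:4])
    body = frame[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated EAPOL body")
    info = {"eapol_type": EAPOL_TYPES.get(eapol_type, "unknown(%d)" % eapol_type)}
    if eapol_type != 0:          # EAPOL-Key etc. carry no EAP header
        return info
    if body_len < 4:
        raise ValueError("EAP header needs 4 bytes")
    code, ident, eap_len = struct.unpack("!BBH", body[:4])
    info["eap_code"] = EAP_CODES.get(code, "unknown(%d)" % code)
    info["eap_id"] = ident
    if code in (1, 2):           # only Request/Response carry a Type byte
        if eap_len < 5 or eap_len > body_len:
            raise ValueError("bad EAP length")
        eap_type = body[4]
        info["eap_type"] = EAP_TYPES.get(eap_type, "unknown(%d)" % eap_type)
        if code == 2 and eap_type == 1:   # DOMAIN\user or user@realm, cleartext
            info["identity"] = body[5:eap_len].decode("utf-8", "replace")
    return info

def outer_identities(frames):
    """Every cleartext outer identity in the frames: what PEAP leaks unless clients send an anonymous outer identity."""
    found = [parse_eapol(f).get("identity") for f in frames]
    return [i for i in found if i is not None]

# Constructed sample frames (not from a real capture): EAPOL header, then EAP body.
SAMPLE_FRAMES = [
    bytes.fromhex("01000005" "01010005" "01"),                  # Request / Identity
    bytes.fromhex("0100000e" "0201000e" "01") + b"CORP\\jdoe",  # Response / Identity
    bytes.fromhex("01000006" "01020006" "1920"),                # Request / EAP-PEAP, Start
    bytes.fromhex("02030000"),                                  # EAPOL-Key (4-way handshake)
]
```

Running `outer_identities` over a capture of your own network is a quick audit of whether the domain\username is going out in the clear before the TLS tunnel is up.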

On Fri, Nov 28, 2008 at 9:44 AM, anshuman sharma <anshuman251 () gmail com> wrote:

Thanks a lot to all of you for all your answers.

To give you all more details: the authentication for getting access
to the wireless network is through RADIUS, thus you require domain
logins for authentication.  Then on the AP, WPA2 AES is used.

So, is there any tool available to sniff the wireless traffic?  I am
taking an example where an employee nearby the office wants to log in
to the network through wireless and nearby another user is using a
tool (possibly Wireshark) to sniff the traffic.  Now when the user
tries to log in, he will send the credential for authentication and the
AP will forward the request to RADIUS for authentication.  Can this
packet be sniffed and can the credential be recovered?  Authentication
type is EAP-MSCHAP.

Thanks and Regards
Anshuman

On Thu, Nov 27, 2008 at 8:38 AM, Kevin Horvath <kevin.horvath () gmail com> wrote:
Assuming you are referring to WPA2-PSK, you can use aircrack-ng to brute-force
the WPA(2) passphrase by providing it a dictionary and the SSID, which is used
as the salt.  It's not cracking the encryption (AES); it's just brute-forcing
the hashed output to recover the key.  If you have the passphrase in your
dictionary and the 4-way handshake then you can recover it.  WEP is broken and
cracked, but WPA (TKIP encryption) is not fully broken yet, although the guys
from the aircrack team (Hirte especially) already discovered the first kink in
its armor.  While it's not fully broken, you can perform the same brute-force
attack as mentioned above against it also.

Also, if you're telling a client that using WPA(2)-PSK is secure then you are
doing an injustice to your client... yes, even if the key is very long and
complex and not in any dictionary.  The whole point of having a shared key is
insecure, since all it takes is for one laptop to get hacked or stolen and then
you're compromised.  If you want to tell a client they are secure then you need
to be recommending WPA(2) Enterprise using EAP-TLS or EAP-TTLS.

Please don't tell a client WPA2/CCMP/AES-PSK is secure (for businesses, that
is), as you are only as secure as your weakest client.

On Wed, Nov 26, 2008 at 10:37 AM, anshuman sharma <anshuman251 () gmail com>
wrote:

Hi All,

Is there any tool available to break WPA2 encryption (I searched a lot
but was not able to find any)?  I know using Aircrack (Airodump and
Aireplay), WEP and WPA keys can be broken.  But if the encryption is
WPA2, can we give a reasonable assurance to the client that the Wi-Fi
network is secure from outside?

Thanks and Regards
Anshuman
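Kevin's replies above describe aircrack-ng's WPA(2)-PSK attack as brute-forcing "the hashed output" with the SSID as salt. What that hash is, and why passphrase entropy is the only defence in PSK mode, is shown by the key derivation from IEEE 802.11i below. This is an added example, not code from the thread or from aircrack-ng; the only external value is the test vector the standard publishes.

```python
import hashlib

# Passphrase length limits from IEEE 802.11i; a 64-hex-digit value is the raw PSK.
MIN_PASSPHRASE, MAX_PASSPHRASE = 8, 63

def wpa_pmk(passphrase, ssid):
    """Derive the WPA/WPA2-Personal Pairwise Master Key as IEEE 802.11i defines it:
    PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the only salt and the iteration count is fixed by the standard,
    so anyone holding a captured 4-way handshake pays the same small cost per
    guess; only the entropy of the passphrase itself raises the attacker's bill."""
    if len(passphrase) == 64 and all(c in "0123456789abcdefABCDEF" for c in passphrase):
        return bytes.fromhex(passphrase)    # hex PSK is the PMK itself, no PBKDF2
    if not MIN_PASSPHRASE <= len(passphrase) <= MAX_PASSPHRASE:
        raise ValueError("passphrase must be 8..63 ASCII characters or 64 hex digits")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)

# Test vector from IEEE 802.11-2007 Annex H: passphrase "password", SSID "IEEE".
IEEE_VECTOR_PMK = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

def ssid_acts_as_salt(passphrase, ssid_a, ssid_b):
    """Same passphrase under two SSIDs gives two different PMKs, so a precomputed
    table only helps against networks that use exactly that SSID."""
    return wpa_pmk(passphrase, ssid_a) != wpa_pmk(passphrase, ssid_b)
```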

------------------------------------------------------------------------
This list is sponsored by: Cenzic

Security Trends Report from Cenzic
Stay Ahead of the Hacker Curve!
Get the latest Q2 2008 Trends Report now

www.cenzic.com/landing/trends-report
------------------------------------------------------------------------
