Vulnerability Development mailing list archives

Stealing NT passwords through WiFi?


From: Ugen <ugen () xonix com>
Date: Wed, 19 May 2004 14:03:46 -0400

The Microsoft supplicant for wireless connections supports either TLS (certificate)
or PEAP using MS-CHAP v1 and v2 as modes of authentication. When using
PEAP/MS-CHAP, it is designed to use regular NT login credentials.
In various organizations the latter is being chosen as a de-facto standard due to
"easy implementation".

So, here is what I am thinking:

- The attacker sets up his own access point and authentication server in a location away from the target organization. The condition is that one of the org. users visits that location with his/her mobile device, perhaps a local Starbucks, or even the user's own backyard.

- The AP advertises the same SSID as the org. wireless system. The authenticator server is equipped with a server certificate signed by one of the common cert. authorities, from the list that is present by default on a Windows installation, to pass the client's certificate check during the initial PEAP connection.

- The user's wireless device senses the presence of the known SSID and attempts to automatically connect to the network.

- The rogue authenticator server challenges the wireless device via MS-CHAP v2. Potentially, it may request MS-CHAP v1 and/or craft the session key to simplify subsequent cracking of the password.

- The wireless device responds and the authenticator "denies access", left with a copy of the encrypted password hash. The process may be repeated with different session keys, and a number of times.

In the end the user is never prompted or notified of any communication (save for some blinking of the wireless card's "Link" LED). The attacker is left with a user ID and password hash to be broken.

Does it make sense to anyone else?
--Gene
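The attack in the post works only if the client is willing to complete PEAP against any server that presents a certificate chaining to some public root. The defensive counterpart is to audit the client-side profile: PEAP server validation should be on, the expected RADIUS server names should be listed, the trusted root CA should be pinned, and the "prompt the user to accept a new server" escape hatch should be disabled. The following script is an added example, not code from the original post or from any vendor: it audits an exported Windows WLAN profile for those settings. The XML element names (ServerValidation, ServerNames, TrustedRootCA, DisableUserPromptForServerValidation, PerformServerValidation) are taken from the Windows WLAN profile / MsPeapConnectionProperties schema as I know it and are an assumption to verify against real `netsh wlan export profile` output; both sample profiles and the CA thumbprint in them are constructed.

```python
"""Audit exported Windows WLAN profiles for PEAP server-validation weaknesses.

Assumption: element names follow the Windows WLAN profile and
MsPeapConnectionProperties XML schema (ServerValidation, ServerNames,
TrustedRootCA, DisableUserPromptForServerValidation, PerformServerValidation).
Compare against a real `netsh wlan export profile` file before relying on it.
"""
import xml.etree.ElementTree as ET

PEAP_EAP_TYPE = "25"  # IANA EAP method type number for PEAP


def _local(tag):
    """Strip the namespace so lookups work across schema versions."""
    return tag.rsplit("}", 1)[-1]


def _find_all(root, name):
    return [e for e in root.iter() if _local(e.tag) == name]


def _text(root, name, default=""):
    hits = _find_all(root, name)
    return (hits[0].text or "").strip() if hits else default


def audit_peap_profile(profile_xml):
    """Return a list of findings; an empty list means the server is pinned."""
    root = ET.fromstring(profile_xml.strip())
    eap_types = [(e.text or "").strip() for e in _find_all(root, "Type")]
    if PEAP_EAP_TYPE not in eap_types:
        return ["not a PEAP profile; nothing to check"]
    if not _find_all(root, "ServerValidation"):
        return ["no ServerValidation block: any server certificate is accepted"]

    findings = []
    # Absent PerformServerValidation defaults to validation being on.
    if _text(root, "PerformServerValidation", "true").lower() != "true":
        findings.append("PerformServerValidation is false: the server "
                        "certificate is never checked")
    # Empty ServerNames means any name on a publicly trusted cert passes,
    # which is exactly the condition the rogue-AP scenario relies on.
    if not _text(root, "ServerNames"):
        findings.append("ServerNames is empty: any certificate issued by a "
                        "trusted root is accepted for any server name")
    if not any((e.text or "").strip() for e in _find_all(root, "TrustedRootCA")):
        findings.append("no TrustedRootCA pinned: every CA in the Windows root "
                        "store is acceptable")
    if _text(root, "DisableUserPromptForServerValidation").lower() != "true":
        findings.append("DisableUserPromptForServerValidation is false: the "
                        "user is prompted to accept unknown servers and can "
                        "click through")
    return findings


def _profile(server_names, trusted_root, disable_prompt):
    """Build a constructed sample profile (not a real export)."""
    ca = (f"<TrustedRootCA>{trusted_root}</TrustedRootCA>" if trusted_root else "")
    return f"""
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>CorpWiFi</name>
  <SSIDConfig><SSID><name>CorpWiFi</name></SSID></SSIDConfig>
  <connectionMode>auto</connectionMode>
  <MSM><security>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1"><EAPConfig>
      <EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
        <EapMethod><Type xmlns="http://www.microsoft.com/provisioning/EapCommon">25</Type></EapMethod>
        <Config>
          <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
            <Type>25</Type>
            <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
              <ServerValidation>
                <DisableUserPromptForServerValidation>{disable_prompt}</DisableUserPromptForServerValidation>
                <ServerNames>{server_names}</ServerNames>
                {ca}
              </ServerValidation>
              <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type></Eap>
            </EapType>
          </Eap>
        </Config>
      </EapHostConfig>
    </EAPConfig></OneX>
  </security></MSM>
</WLANProfile>
"""


# Constructed samples: a profile that trusts any public CA for any name,
# and one that pins the RADIUS server name and a (placeholder) CA thumbprint.
WEAK_PROFILE = _profile("", "", "false")
HARDENED_PROFILE = _profile("radius.corp.example",
                            "00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33",
                            "true")

if __name__ == "__main__":
    for label, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_peap_profile(prof) or ["OK"])
```

Run it against a real export with `netsh wlan export profile name="CorpWiFi" folder=. key=clear` and feed the resulting file to `audit_peap_profile`; any finding means a rogue access point with a publicly trusted certificate would be accepted without user interaction, which is the precondition for the scenario described in the post.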
