Thread: wireless access theory/idea, need some input

  1. #1 digitalfriction (Junior Member)

    wireless access theory/idea, need some input

    Hi, I have been thinking about how WPA/WPA2 is currently cracked, with dictionary attacks, or using precomputed tables, but I was thinking about the AP, which is always involved in these situations, does an access point accept any sort of data without the source NIC using the WPA/WPA2 key?

    The reason I am thinking this is because all the APs I have seen usually offer at least a web configuration page that displays the key in plain text to authenticated users, and considering that a fair amount of routers/APs still have the default password this should not be a problem, and even if the password is changed from default, I think it is easier (quicker) to crack than WPA/WPA2.

    So what I am trying to understand in my newbie mind, is whether there is any possibility of developing an exploit/code that basically extracts the html page, from the router, without having already known the wireless key to be able to send data to the router/AP?

    Sorry if this sounds complicated, if someone can reword it better please do.

    Many Thanks

  2. #2 KMDave (Moderator)

    I am no wireless expert, but I'd say it won't work since you can't pull the page off of the AP if you are not connected. It will just not send you out any information.
    Tiocfaidh ár lá

  3. #3 ShadowKill (Senior Member)

    Quote Originally Posted by digitalfriction (post #1 above)
    Well the key piece in your scenario is that the configuration page is displayed to authenticated users. IE you can't see it if you aren't authenticated. So really what you're talking about is whether it is better/faster to crack the router's pass than cracking the key.

    Yes and no.

    You are still facing either enumerating default passwords and testing them against the router or brute-forcing it altogether. The assumption of course is that the router password is going to be easier to crack because it is based largely on user input. However, so can the WPA key. It is very much a situational concept, but my 0.02p is that depending on the target you are going to spend the same amount of time/effort cracking the router as you are the WPA key.

    You could always try reverse-engineering the router's firmware and figuring out the key-generating algorithm, of course. But even then that doesn't help for non-default generated keys....



    "The goal of every man should be to continue living even after he can no longer draw breath."

    ~ShadowKill

  4. #4 KMDave (Moderator)

    I think the intention was that with the router admin page you don't need to prehash the dictionary.

    But if you are not authenticated you won't be able to get to the admin page.

    It's like doing the second step before the first. Or like wanting to use BT without having any prior Linux experience.

  5. #5 ShadowKill (Senior Member)

    Quote Originally Posted by KMDave (post #4 above)
    I understood that but my point was that he would have to be authenticated to even get to that page.

    Great analogy by the way. Back|Track - Linux Skillz = Hard|Fail

  6. #6 digitalfriction (Junior Member)

    I suppose what I am trying to understand is what sort of data will the access point 'look at' before the wireless key is needed, there is obviously some data that is accepted because with WEP we can send a request (aireplay-ng -1 0 -a {bssid} -h {mac} -e {essid} ath0) and the AP at least acknowledges the data before the WEP key is known.

    I was wondering if there is any other data that can be broadcast, without the key, that the router will look at, thereby giving a 'potential' hole for exploit, probably through manipulating the data that is sent.

    I know it sounds ridiculous but all exploits start with an idea, and I'm just trying to understand how wireless works better, and proving/disproving my idea/thoughts.

  7. #7 KMDave (Moderator)

    We do not want to discourage you in any way here but help you out with answers.

    Might also be dependent on the router itself.

    Maybe you want to also have a look at OpenWRT and go through their forum and sources (if they are available. Sorry as I said I haven't taken much time to deal with wireless stuff besides the very basics of it).

  8. #8 digitalfriction (Junior Member)

    I was thinking it would be router dependent, so I was hoping that if it could be proven that a possibility of exploit exists, then different codes could be sent in the exploit for different router types. I'm sure over time a more sophisticated tool which sends all code, or detects the router type (maybe by the logo/branding stored in the firmware?) could then be developed. I will take a look at OpenWRT now, thanks for the input guys!

  9. #9 KMDave (Moderator)

    Maybe you should start with your router. Run an nmap against it, see if it can footprint it.

    You could go ahead and develop something automated like fast-track but just for routers.

  10. #10 imported_blackfoot (Member)

    admin

    As far as I know most default settings are to allow pulling the index.html page only when directly connected to the router. It might be that a user has opened remote administration in which case it will be accessible by wireless.

    This enables administration of the WAN, LAN and wifi.

    Even if the page were to be served wirelessly it would require association and authentication first. The router needs to be aware of the MAC and to have assigned an IP address within the subnet to permit access to the admin index.

    In this case the user will already have the correct validation key.

    I have been successful with communicating with other users of the system with or without using WEP yet without router association/authentication or IP but I have not tried it with WPA. In theory therefore it is possible to also communicate directly with the router but any responses would be encrypted.

    Indeed, do understand that although it is possible to communicate with the WEP encryption in place the key is still necessary to dissect/build both incoming and outgoing traffic.

    Either way therefore the user needs the correct key.
    Lux sit
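The distinction drawn in posts #6 and #10 (management frames such as probe/auth/assoc requests, which an AP processes from any station before a key exists, versus data frames, which a WPA/WPA2 AP only accepts once they carry the Protected flag) as an added example that is not from the thread: a small parser for the 802.11 frame-control field plus a defender-side check that flags stations sending an unusual number of unauthenticated authentication requests. The frame bytes and MAC addresses are constructed here; the threshold and the function names are assumptions.

```python
from collections import Counter

# 802.11 frame types and the management subtypes relevant to the thread.
TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp",
                 8: "beacon", 10: "disassoc", 11: "auth", 12: "deauth"}

def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_frame(frame: bytes) -> dict:
    """Decode the fixed 24-byte 802.11 MAC header: frame control, addresses,
    and whether an AP would even look at the frame before a WPA/WPA2 key is known."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc0, fc1 = frame[0], frame[1]
    ftype = (fc0 >> 2) & 0x3          # bits 2-3 of the first frame-control byte
    subtype = (fc0 >> 4) & 0xF        # bits 4-7
    protected = bool(fc1 & 0x40)      # 'Protected Frame' flag in the second byte
    kind = TYPE_NAMES.get(ftype, "reserved")
    name = MGMT_SUBTYPES.get(subtype, f"mgmt-{subtype}") if ftype == 0 else kind
    # Management frames are not encrypted in WPA/WPA2-PSK, so the AP processes
    # them from any station. Data frames must carry the Protected flag; the only
    # unprotected data the AP accepts is the EAPOL 4-way handshake itself,
    # which this header-only parser does not distinguish.
    return {"type": kind, "subtype": name, "protected": protected,
            "src": mac_str(frame[10:16]), "dst": mac_str(frame[4:10]),
            "processed_without_key": ftype == 0}

def flag_auth_floods(frames, threshold: int = 3) -> list:
    """Defender check: stations sending >= threshold auth/assoc requests,
    the pre-key frames that fake-authentication tools rely on (threshold is assumed)."""
    counts = Counter(p["src"] for p in map(parse_frame, frames)
                     if p["subtype"] in ("auth", "assoc-req"))
    return sorted(mac for mac, n in counts.items() if n >= threshold)

def build_frame(fc0: int, fc1: int, dst: bytes, src: bytes) -> bytes:
    """Construct a minimal 24-byte header (duration and sequence zeroed, BSSID = dst)."""
    return bytes([fc0, fc1, 0, 0]) + dst + src + dst + b"\x00\x00"

# Constructed sample capture: three auth requests from one station, then one
# protected (encrypted) data frame from the same station after it has the key.
AP = bytes.fromhex("001122334455")
STA = bytes.fromhex("66778899aabb")
SAMPLE = [build_frame(0xB0, 0x00, AP, STA)] * 3 + [build_frame(0x08, 0x41, AP, STA)]

if __name__ == "__main__":
    for f in SAMPLE:
        print(parse_frame(f))
    print("auth flood from:", flag_auth_floods(SAMPLE))
```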