WPA2 Enterprise...

[curriegrad2004]

...has it been already cracked a while back? I'm somewhat worried about this because my users on my network are complaining that they can't connect to the access point at specific times or they've been getting Server Authentication issues. Is that a sign that somebody really wants to get in my wireless network?

BTW, I use PEAP with MSCHAPv2 as the inner authenticating method... And the clients are all Windows XP based with them configured to actually verifying the server's SSL certificate before they can even logon to the Wireless Network.

[imported_vvpalin]

...has it been already cracked a while back? I'm somewhat worried about this because my users on my network are complaining that they can't connect to the access point at specific times or they've been getting Server Authentication issues. Is that a sign that somebody really wants to get in my wireless network?

BTW, I use PEAP with MSCHAPv2 as the inner authenticating method... And the clients are all Windows XP based with them configured to actually verifying the server's SSL certificate before they can even logon to the Wireless Network.

WPA2 TKIP has been cracked .. but only with a dictionary. There is also the proof of concept Michael attack but you need to have QOS enabled.

WPA2 AES has NOT been cracked yet .. it can still be DOS'd tho.

What someone could be doing is deauthing your clients, however if i was the attacker a far more effective attack would be to look at the probe requests from each client and run a rogue AP. If you can gain access to just one of the users PC's your basically inside the network as you can obviously recover the wireless keys and any other keys you use for authentication.

[curriegrad2004]

Yeah, I suspected the possibility of an Rouge AP too, but it turned out that there are 2 AP's with the same SSID attempting to fool the users into logging on the rouge access point.

But setting up an Rouge AP isn't enough right? Especially when my clients are configured to verify the Server's SSL Certificate before sending any details. Would they have to physically break in and steal the server's private key and certificate from the Certificate Store and carry on from there? I'm just somewhat getting worried because somebody really wants to get in and peek on what my network is doing.

[streaker69]

Yeah, I suspected the possibility of an Rouge AP too, but it turned out that there are 2 AP's with the same SSID attempting to fool the users into logging on the rouge access point.

But setting up an Rouge AP isn't enough right? Especially when my clients are configured to verify the Server's SSL Certificate before sending any details. Would they have to physically break in and steal the server's private key and certificate from the Certificate Store and carry on from there? I'm just somewhat getting worried because somebody really wants to get in and peek on what my network is doing.

Might be time to start to track down the Rogue. Maybe it's someone that's actually at your company that decided to buy an AP from RadioShack and set it up in their office. Rogue hunts can be fun. There's several places you can research on how to conduct one, and what to do when you find it.

[purehate]

WPA2 AES has NOT been cracked yet .. it can still be DOS'd tho.

This is not entirely true. Both AES ans TKIP are both vulnerable to a dictionary attack provided they use a PSK (pre Shared Key). If there are using a radius server though for authentication (which shows in airodump as MGT) then it is not vulnerable.

[imported_vvpalin]

This is not entirely true. Both AES ans TKIP are both vulnerable to a dictionary attack provided they use a PSK (pre Shared Key). If there are using a radius server though for authentication (which shows in airodump as MGT) then it is not vulnerable.

I was under the assumption that AES could not be brute forced, and if it could it wasn't feasible as it would take much much longer. Besides isnt there problems grabbing the handshake in the first place?

But setting up an Rouge AP isn't enough right? Especially when my clients are configured to verify the Server's SSL Certificate before sending any details. Would they have to physically break in and steal the server's private key and certificate from the Certificate Store and carry on from there? I'm just somewhat getting worried because somebody really wants to get in and peek on what my network is doing.

If you get a client to connect to your AP you can basically do whatever you want against them. Say you can root one of the boxes if it has a known exploit .. well the keys could easily be found and copied. Then you could connect with your own pc or even with a specially crafted RAT to get past the firewall rules of the network.

Also you might want to check out sslstrip, currently it doesn't support finding ssl keys but givin the right coder it definitely could and honestly you wouldn't even know.

This all depends tho on how you have the clients laptops set up and if they are allowed to modify them in anyway, because if there locked down then even if they do connect to a rogue not much could happen. However if the users are allowed to modify them then easily something could go wrong .. especially if there tech knowledge isnt high.

If you really are concerned that someone is trying to gain access and you think there skill level is high. You need to sit down and have a proper security talk with all your employees. Hell i would even be concerned with people trying to gain access to a users home network as that can have a cascading effect really really quickly.

As a smart guy here once said ... if its a high security environment don't even think about running wireless!

[Archangel-Amael]

I was under the assumption that AES could not be brute forced, and if it could it wasn't feasible as it would take much much longer. Besides isnt there problems grabbing the handshake in the first place?

There are really subtle differences in the two.
have a look at these two links for a bit more info.
here
Then here .
They are similar in that one goes through a list of candidate passwords one by one; the list may be explicitly enumerated or implicitly defined, can incorporate knowledge about the victim, and can be linguistically derived.

[imported_vvpalin]

I know and i apologize, ive been saying brute force lately and ive actually in most cases been referring to a dictionary attack. I definitely know the difference and just assumed most people would understand what i meant.

I still wonder tho is it just as easy for AES as it is for TKIP? Like i said i was under the assumption that as of now its not feasible to attack WPA2/AES.

[purehate]

AES and TKIP both use a PSK are are both just as vulnerable to a dictionary attack and the handshake is just as easy to grab from deauthing a client.

[curriegrad2004]

Hm... Checked the place today, as far as I can tell I can't see an unauthorized Access Point being operated in my location. So yes, there is a rouge access point kicking around.

Oh well, I would have to thank Group Policy on Active Directory on not letting any users changing the Wireless Settings on their laptops at all. So yeah, even if I find the rouge AP, how would I exactly take that access point down using legal means or the other 'legal' means.