
Thread: WPA2 Enterprise...

  1. #1 curriegrad2004 (Just burned his ISO; joined Oct 2008; 5 posts)

    WPA2 Enterprise...

    ...has it been already cracked a while back? I'm somewhat worried about this because my users on my network are complaining that they can't connect to the access point at specific times or they've been getting Server Authentication issues. Is that a sign that somebody really wants to get in my wireless network?

    BTW, I use PEAP with MSCHAPv2 as the inner authentication method... And the clients are all Windows XP based, configured to actually verify the server's SSL certificate before they can even log on to the wireless network.

  2. #2 imported_vvpalin (Member; joined Apr 2009; 442 posts)

    Quote Originally Posted by curriegrad2004:
    ...has it been already cracked a while back? I'm somewhat worried about this because my users on my network are complaining that they can't connect to the access point at specific times or they've been getting Server Authentication issues. Is that a sign that somebody really wants to get in my wireless network?

    BTW, I use PEAP with MSCHAPv2 as the inner authentication method... And the clients are all Windows XP based, configured to actually verify the server's SSL certificate before they can even log on to the wireless network.
    WPA2 TKIP has been cracked... but only with a dictionary. There is also the proof-of-concept Michael attack, but you need to have QoS enabled.

    WPA2 AES has NOT been cracked yet... it can still be DoS'd, though.

    What someone could be doing is deauthing your clients; however, if I were the attacker, a far more effective attack would be to look at the probe requests from each client and run a rogue AP. If you can gain access to just one of the users' PCs you're basically inside the network, as you can obviously recover the wireless keys and any other keys you use for authentication.
    Using backtrack for the first time is like being 10 years old again with the keys to a Ferrari.

  3. #3 curriegrad2004 (Just burned his ISO; joined Oct 2008; 5 posts)

    Yeah, I suspected the possibility of a rogue AP too, but it turned out that there are 2 APs with the same SSID, attempting to fool the users into logging on to the rogue access point.

    But setting up a rogue AP isn't enough, right? Especially when my clients are configured to verify the server's SSL certificate before sending any details. Would they have to physically break in and steal the server's private key and certificate from the certificate store and carry on from there? I'm just getting somewhat worried because somebody really wants to get in and peek at what my network is doing.

  4. #4 streaker69 (Senior Member; joined Jan 2010; location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA; 3,535 posts)

    Quote Originally Posted by curriegrad2004:
    Yeah, I suspected the possibility of a rogue AP too, but it turned out that there are 2 APs with the same SSID, attempting to fool the users into logging on to the rogue access point.

    But setting up a rogue AP isn't enough, right? Especially when my clients are configured to verify the server's SSL certificate before sending any details. Would they have to physically break in and steal the server's private key and certificate from the certificate store and carry on from there? I'm just getting somewhat worried because somebody really wants to get in and peek at what my network is doing.
    Might be time to start tracking down the rogue. Maybe it's someone who's actually at your company and decided to buy an AP from RadioShack and set it up in their office. Rogue hunts can be fun. There are several places you can research how to conduct one, and what to do when you find it.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  5. #5 pureh@te (Developer; joined Mar 2007; 6,126 posts)

    Quote Originally Posted by vvpalin:
    WPA2 AES has NOT been cracked yet... it can still be DoS'd, though.
    This is not entirely true. Both AES and TKIP are vulnerable to a dictionary attack provided they use a PSK (pre-shared key). If they are using a RADIUS server for authentication, though (which shows in airodump as MGT), then it is not vulnerable.

  6. #6 imported_vvpalin (Member; joined Apr 2009; 442 posts)

    Quote Originally Posted by pureh@te:
    This is not entirely true. Both AES and TKIP are vulnerable to a dictionary attack provided they use a PSK (pre-shared key). If they are using a RADIUS server for authentication, though (which shows in airodump as MGT), then it is not vulnerable.
    I was under the assumption that AES could not be brute forced, and if it could, it wasn't feasible as it would take much, much longer. Besides, aren't there problems grabbing the handshake in the first place?

    Quote Originally Posted by curriegrad2004:
    But setting up a rogue AP isn't enough, right? Especially when my clients are configured to verify the server's SSL certificate before sending any details. Would they have to physically break in and steal the server's private key and certificate from the certificate store and carry on from there? I'm just getting somewhat worried because somebody really wants to get in and peek at what my network is doing.
    If you get a client to connect to your AP you can basically do whatever you want against them. Say you can root one of the boxes if it has a known exploit... well, the keys could easily be found and copied. Then you could connect with your own PC or even with a specially crafted RAT to get past the firewall rules of the network.

    Also, you might want to check out sslstrip. Currently it doesn't support finding SSL keys, but given the right coder it definitely could, and honestly you wouldn't even know.

    This all depends, though, on how you have the clients' laptops set up and whether they are allowed to modify them in any way, because if they're locked down then even if they do connect to a rogue, not much could happen. However, if the users are allowed to modify them then something could easily go wrong... especially if their tech knowledge isn't high.

    If you really are concerned that someone is trying to gain access and you think their skill level is high, you need to sit down and have a proper security talk with all your employees. Hell, I would even be concerned with people trying to gain access to a user's home network, as that can have a cascading effect really, really quickly.

    As a smart guy here once said... if it's a high security environment, don't even think about running wireless!
    Using backtrack for the first time is like being 10 years old again with the keys to a Ferrari.

  7. #7 Archangel-Amael (Super Moderator; joined Jan 2010; location: Somewhere; 8,012 posts)

    Quote Originally Posted by vvpalin:
    I was under the assumption that AES could not be brute forced, and if it could, it wasn't feasible as it would take much, much longer. Besides, aren't there problems grabbing the handshake in the first place?
    There are really subtle differences between the two.
    Have a look at these two links for a bit more info:
    here
    Then here.
    They are similar in that one goes through a list of candidate passwords one by one; the list may be explicitly enumerated or implicitly defined, can incorporate knowledge about the victim, and can be linguistically derived.
    To be successful here you should read all of the following.
    ForumRules
    ForumFAQ
    If you are new to Back|Track
    Back|Track Wiki
    Failure to do so will probably get your threads deleted or worse.

  8. #8 imported_vvpalin (Member; joined Apr 2009; 442 posts)

    I know, and I apologize; I've been saying brute force lately when I've actually in most cases been referring to a dictionary attack. I definitely know the difference and just assumed most people would understand what I meant.

    I still wonder, though: is it just as easy for AES as it is for TKIP? Like I said, I was under the assumption that as of now it's not feasible to attack WPA2/AES.
    Using backtrack for the first time is like being 10 years old again with the keys to a Ferrari.

  9. #9 pureh@te (Developer; joined Mar 2007; 6,126 posts)

    AES and TKIP both use a PSK and are both just as vulnerable to a dictionary attack, and the handshake is just as easy to grab by deauthing a client.

  10. #10 curriegrad2004 (Just burned his ISO; joined Oct 2008; 5 posts)

    Hm... Checked the place today; as far as I can tell I can't see an unauthorized access point being operated in my location. So yes, there is a rogue access point kicking around.

    Oh well, I would have to thank Group Policy on Active Directory for not letting any users change the wireless settings on their laptops at all. So yeah, even if I find the rogue AP, how would I exactly take that access point down using legal means, or the other 'legal' means?
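As an added example (not from this thread or any of its posters), here is a small defender-side script for the rogue hunt discussed above: it parses a Wi-Fi scan in a layout modelled on airodump-ng's CSV export (an assumption; every row, SSID and MAC address below is constructed) and flags any AP that advertises the corporate SSID from an unknown BSSID, from a known BSSID on an unexpected channel, or with PSK rather than the 802.1X/MGT authentication an enterprise network should show.

```python
# Added example, not from the thread: rogue-AP triage for the "two APs with the
# same SSID" situation. The CSV layout is modelled on airodump-ng's export
# (assumption); every row and MAC address below is constructed.
import csv
from io import StringIO

CORP_SSID = "CorpWLAN"  # constructed corporate SSID

# Constructed inventory of the radios the admin actually runs: BSSID -> channel.
AUTHORIZED = {
    "00:11:22:33:44:01": 1,
    "00:11:22:33:44:02": 6,
}

# Constructed scan. An enterprise (RADIUS/802.1X) network shows as MGT;
# a PSK network using the same name is a classic evil-twin sign.
SCAN_CSV = """BSSID,channel,Privacy,Authentication,ESSID
00:11:22:33:44:01,1,WPA2,MGT,CorpWLAN
00:11:22:33:44:02,6,WPA2,MGT,CorpWLAN
aa:bb:cc:dd:ee:ff,6,WPA2,PSK,CorpWLAN
00:11:22:33:44:02,11,WPA2,MGT,CorpWLAN
de:ad:be:ef:00:01,11,WPA2,PSK,Coffee
"""


def find_rogues(scan_csv, authorized, corp_ssid):
    """Return (bssid, channel, reason) tuples for APs that need a physical hunt."""
    findings = []
    for row in csv.DictReader(StringIO(scan_csv)):
        if row["ESSID"].strip() != corp_ssid:
            continue  # neighbours' networks are out of scope here
        bssid = row["BSSID"].strip().lower()
        channel = int(row["channel"])
        auth = row["Authentication"].strip()
        if bssid not in authorized:
            findings.append((bssid, channel, "unknown BSSID advertising corporate SSID"))
        elif authorized[bssid] != channel:
            # Our own BSSID on a channel we never configured: likely spoofed.
            findings.append((bssid, channel, "authorized BSSID on unexpected channel"))
        if auth != "MGT":
            # Clients are configured for PEAP, so a PSK twin can only be bait.
            findings.append((bssid, channel, f"{auth} instead of 802.1X (MGT)"))
    return findings


if __name__ == "__main__":
    for bssid, channel, reason in find_rogues(SCAN_CSV, AUTHORIZED, CORP_SSID):
        print(f"ch {channel:2d}  {bssid}  {reason}")
```

Each finding gives a channel to walk with a directional antenna or a switch-port search, which is the part of the hunt the script cannot do.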
