
Thread: Reversed WPA/2 attacking? thoughts/idea/brainstorm

  1. #1
    Just burned his ISO
    Join Date
    Nov 2010
    Posts
    1

    Default Reversed WPA/2 attacking? thoughts/idea/brainstorm

    Prologue
    Since cracking WPA/WPA2 could mean spending some serious time crunching passphrases, which might not always be very beneficially compatible, I'm thinking of an alternative approach. But given my lack of better knowledge, this might not be possible at all, since I'm not sure how the authentication process works.

    Main idea
    Set up a fake access point with the same ESSID as the target network. Then run the aireplay deauth command to force the connected victim off the network and make it reconnect, and since our fake AP will have better signal strength (due to the roaming capability), the client will most likely try to reconnect to the fake AP. This is where the supposed magic would happen and also where the contradiction begins.

    I assume that the password must be sent in a plaintext format to the AP, since the client got deauthenticated (by the aireplay command) before, meaning that the client must be reauthenticated by the AP. Only this time the AP is our fake AP, which will act a bit differently and only acquire the passphrase being sent, and when the password is acquired, just drop the role of fake AP and disappear into the darkness.


    However, as I said before, I'm not that sure this would be possible. Mostly because I personally don't think the authentication process could be that primitive? Because that would be a major vulnerability if exploited correctly.

    Is this something that is technologically feasible? Please let me hear your thoughts on the topic!

    Regards

  2. #2
    Senior Member
    Join Date
    May 2010
    Posts
    198

    Default Re: Reversed WPA/2 attacking? thoughts/idea/brainstorm

    The assumption that the password is sent in plaintext is incorrect. If this were the case then WPA would have been cracked a long time ago.

    The only successful WPA attack outside of getting the handshake is to get the client associated to your fake AP with an SSID that is unencrypted (like a hotel or coffee shop they go to); then you can exploit the machine and take the keys. I've successfully done this on my test computers. WPA is a long way off of being cracked (but it will happen eventually).
    "Never do anything against conscience -- even if the state demands it."
    -- Albert Einstein

  3. #3
    Junior Member 5cardcharlie's Avatar
    Join Date
    Sep 2010
    Location
    Ohio
    Posts
    45

    Default Re: Reversed WPA/2 attacking? thoughts/idea/brainstorm

    Wow, seriously? If the key were sent in plaintext, why would you have to set up a fake AP, anyway? You could just grab the handshake with airodump.

    "...since I'm not sure how the authentication process works." This would seem like something that should be taken care of before you post ideas for cracking WPA... Especially since it would only take like two minutes on Wikipedia or Google to get the basic idea of it.

  4. #4
    Just burned his ISO
    Join Date
    Feb 2010
    Location
    uk
    Posts
    23

    Default Re: Reversed WPA/2 attacking? thoughts/idea/brainstorm

    I also think this subject needs some brainstorming. My knowledge is not good enough.
    We know there is a 4-way handshake which is easily got in a cap file. Could this handshake be spoofed?
    First thing, how do you break down the cap file into the 4 separate parts? Could you use tshark or something?
    I wish I had the brain power, but never mind, somebody out there could chip in their two pence (or two cents) worth of know-how and we may start to build the ideas.
    Keep thinking.

  5. #5
    Very good friend of the forum killadaninja's Avatar
    Join Date
    Oct 2007
    Location
    London, United Kingdom.
    Posts
    526

    Default Re: Reversed WPA/2 attacking? thoughts/idea/brainstorm

    A station would not connect to a rogue access point just because it has the same name; that's not how it works. There is a version of this attack in which your fake AP just replies "Yes, I am the router you're asking for" to all probes sent by users and authenticates them. However, there are a few downsides to this attack, namely that it will only connect users who:

    1. Have the auto-connect feature enabled on their computer for unencrypted APs.
    2. Have the auto-connect feature enabled for encrypted APs, providing your rogue AP key matches theirs for said network (yes, in other words, you would already have to have their key).

    I am shortly going to build a tool that works on the basic principles of your idea, exploiting the fact that MOST users do fulfil said #1 requirement above. A successful real-world attack HAS been made against WPA; also, some other research is taking place right now that could be fatal for the majority (at least in Europe) of WPA USERS, not necessarily the protocol itself. However, I am not at liberty to speak about that right now.
    It will not be long now
    Sometimes I try to fit a 16-character string into an 8–byte space, on purpose.

  6. #6
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Default Re: Reversed WPA/2 attacking? thoughts/idea/brainstorm

    There is an option in the wireless header used for roaming. If they are connected to their AP, you can send a packet to make it then try to connect to your AP. There might be some other types of exchanges, but you could get the handshake from the original AP and the station.
    rfc 802.11n-2009, www.ietf.com

  7. #7
    Just burned his ISO
    Join Date
    Feb 2010
    Location
    uk
    Posts
    23

    Default Re: Reversed WPA/2 attacking? thoughts/idea/brainstorm

    Getting the handshake is no problem. How do you disassemble the handshake to find out what is being sent in each direction?
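The question in #4 and #7 (how to take a captured handshake apart and see what each side sends) is what analyzers like Wireshark do by reading the EAPOL-Key "Key Information" flags. The following is an added example, not code from anyone in this thread; it assumes the frames have already been reduced to their EAPOL payload (802.11 and LLC headers stripped, e.g. as exported from a cap file), and the four frames it labels are constructed with placeholder nonces and MIC rather than taken from a real capture.

```python
import struct
# EAPOL-Key "Key Information" flags (IEEE 802.11 RSN/WPA key descriptor).
KEY_ACK, KEY_MIC, SECURE = 1 << 7, 1 << 8, 1 << 9
HDR = struct.Struct(">BBH")                # EAPOL: version, packet type, body length
BODY = struct.Struct(">BHHQ32s16sQQ16sH")  # descriptor type .. key data length (95 bytes)

def parse_eapol_key(frame: bytes) -> dict:
    """Parse one EAPOL frame (802.1X header onward) into its key-descriptor fields."""
    _ver, ptype, length = HDR.unpack_from(frame, 0)
    if ptype != 3:
        raise ValueError("not an EAPOL-Key frame")
    body = frame[HDR.size:HDR.size + length]
    desc, info, _klen, replay, nonce, _iv, _rsc, _kid, mic, dlen = BODY.unpack_from(body, 0)
    if desc not in (2, 254):               # 2 = RSN (WPA2), 254 = WPA
        raise ValueError("unknown key descriptor type")
    return {"info": info, "replay": replay, "nonce": nonce, "mic": mic,
            "key_data": body[BODY.size:BODY.size + dlen]}

def classify(k: dict):
    """(message number, direction, payload), by the usual key-info flag heuristic."""
    ack, mic, sec = k["info"] & KEY_ACK, k["info"] & KEY_MIC, k["info"] & SECURE
    if ack and not mic:
        return 1, "AP -> STA", "ANonce in the clear, no MIC"
    if ack and mic:
        return 3, "AP -> STA", "ANonce, encrypted GTK, MIC"
    if mic and not sec:
        return 2, "STA -> AP", "SNonce plus a MIC keyed with the derived PTK"
    if mic and sec:
        return 4, "STA -> AP", "MIC only, confirms the PTK was installed"
    raise ValueError("not a 4-way handshake message")

def is_complete_handshake(frames) -> bool:
    """True when M1..M4 appear in order and replay counters pair up (M1/M2, M3/M4)."""
    keys = [parse_eapol_key(f) for f in frames]
    ordered = [classify(k)[0] for k in keys] == [1, 2, 3, 4]
    return ordered and keys[0]["replay"] == keys[1]["replay"] and keys[2]["replay"] == keys[3]["replay"]

def build_eapol_key(info, replay, nonce=bytes(32), mic=bytes(16), key_data=b"") -> bytes:
    """Build a constructed RSN EAPOL-Key frame for the sample below (not a real capture)."""
    body = BODY.pack(2, info, 16, replay, nonce, bytes(16), 0, 0, mic, len(key_data)) + key_data
    return HDR.pack(2, 3, len(body)) + body

# Constructed sample handshake: placeholder nonces, MIC and key data, not sniffed traffic.
ANONCE, SNONCE, MIC = bytes(range(1, 33)), bytes(range(101, 133)), b"\xaa" * 16
HANDSHAKE = [
    build_eapol_key(0x008a, 1, nonce=ANONCE),                                  # M1
    build_eapol_key(0x010a, 1, nonce=SNONCE, mic=MIC, key_data=b"\x30\x14"),   # M2
    build_eapol_key(0x13ca, 2, nonce=ANONCE, mic=MIC, key_data=bytes(24)),     # M3
    build_eapol_key(0x030a, 2, mic=MIC),                                       # M4
]
```

Walking the four frames through `classify` shows that no field ever carries the passphrase: the nonces are random, and the MIC is computed from the PTK derived on each side, which is why the plaintext assumption in #1 does not hold.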

  8. #8
    Senior Member
    Join Date
    Jan 2010
    Posts
    173

    Default Re: Reversed WPA/2 attacking? thoughts/idea/brainstorm

    Check out g0tmilk's Fake AP script; this does exactly what you want and works so well.

    Regards Dee

  9. #9
    Just burned his ISO
    Join Date
    Feb 2010
    Location
    uk
    Posts
    23

    Default Re: Reversed WPA/2 attacking? thoughts/idea/brainstorm

    "Check out g0tmilk's Fake AP script; this does exactly what you want and works so well."
    This does not crack the password. I thought the idea was to try and find a way of cracking WPA without using a dictionary.
    My thought is, is there a possibility that the 4-way handshake could be taken apart and then spoofed?

  10. #10
    Senior Member
    Join Date
    Jan 2010
    Posts
    173

    Default Re: Reversed WPA/2 attacking? thoughts/idea/brainstorm

    With fake AP you don't even have to crack the keys; you're given the keys by the exploit. All WPA network keys and WEP are extracted to a txt file.
