12

I have a large scale wireless network secured using WPA/WPA2 Enterprise authentication. Recently, I was made aware of the possibility that someone may use a dd-wrt router and a computer to spoof the wireless network and grab usernames and passwords as devices attempt to connect to it.

To test this theory, I succeeded in spoofing the SSID and authentication method. I set up a local RADIUS sever and could see my device (which remembered my credentials) trying to connect to it. However, I did not see my password anywhere in the RADIUS server logs (but then again, logs might not contain such information, even in debugging mode), or using Wireshark placed between the Wireless AP and the RADIUS server.

Is there any way to capture my password from a connection attempt, or does that require information only the actual RADIUS server will have? (My device has authenticated with the actual network before)

And are there any steps I (not the network admin) can take on my clients that will ensure they do not attempt to connect to similar rogue APs?

AviD
  • 72,708
  • 22
  • 137
  • 218
Soumya
  • 450
  • 3
  • 13
  • For the second part of your question (how to prevent connecting to rogue APs), it has been answered well at http://security.stackexchange.com/questions/4089/how-can-i-ensure-that-i-connect-to-the-right-wireless-access-point – AviD Jun 15 '11 at 04:52
  • ... And for the first part see [Any advantage to securing WiFi with a PSK, other than to keep out unauthorized - IT Security - Stack Exchange](http://security.stackexchange.com/questions/4435/any-advantage-to-securing-wifi-with-a-psk-other-than-to-keep-out-unauthorized?answertab=votes#tab-top) and or [How to get hold of and use WPA session keys? - IT Security - Stack Exchange](http://security.stackexchange.com/questions/4498/how-to-get-hold-of-and-use-wpa-session-keys) – nealmcb Jun 15 '11 at 05:18
  • This is an interesting question, especially its implication to [eduroam](http://security.stackexchange.com/a/114737/16831). – cnst Feb 16 '16 at 03:07
  • For more info and an answer to this question see my answer at: http://security.stackexchange.com/questions/35780/why-is-wpa-enterprise-more-secure-than-wpa2/137606#137606 – Terrence de Kat Sep 23 '16 at 06:41
  • For more info and an answer to this question see my answer at: http://security.stackexchange.com/questions/35780/why-is-wpa-enterprise-more-secure-than-wpa2/137606#137606 – Terrence de Kat Sep 23 '16 at 06:43

2 Answers2

5

This is one small part of a much larger answer to this question.....

One method of protecting against rogue access point is the use of rogue mitigation. There are multiple systems available which will allow a company to conduct scanning and deauthing of rogue wireless nodes. Some of these systems will actually allow you to upload a trusted device list (a company asset list) and block according to that list. Some are also able to correlate wired data with wireless transmissions to determine if the rogue AP is actually connected to your network or not.

For instance, if you have a worker's laptop and it connects to a spoofed corporate SSID, these sensors would be able to determine that a trusted asset is connecting to an untrusted device using a trusted network name (dona via mac addresses).

The fun part, if you see the device on your network, is using the same system to triangulate the location of the rogue device to track it down and see where it is plugged in to your network.

These methods also allow you to stay neutral towards any device that is not one of your company assets (which helps greatly from the legal side of things). You would only be targeting systems which are owned by your company or are connected to creating unauthorized connections to your corporate network.

Ormis
  • 1,940
  • 13
  • 18
  • This is more appropriate for the network admin, but helpful nonetheless – Soumya Jul 06 '11 at 18:57
  • 1
    I don't believe rogue mitigation will do anything to Jaseger to prevent the authentication from happening. By the time the device has authenticated, it has done it's job. – Ori Jul 06 '11 at 20:42
  • This is an interesting answer, but it doesn't appear to cover things like [eduroam](http://security.stackexchange.com/a/114737/16831) at all, where you don't physically have any direct connection with the on-premises network – cnst Feb 16 '16 at 03:06
0

For the first part of your question, capturing the plain passwords from the fake router is not possible. It is because the RADIUS server verifies the clients by executing an authentication protocol which does not involve sending the passwords to it. The detail of the protocol depends on the authentication method that the server deploys. You can find more information here: http://www.opus1.com/nac/whitepapers-old/04-eap_options-lv05.pdf

However, it is possible to run brute-force attacks to discover the passwords. Here is a talk in Defcon few years ago about how it can be done with MSCHAPv2 authentication: http://www.revolutionwifi.net/revolutionwifi/2012/07/is-wpa2-security-broken-due-to-defcon.html

Thanh Bui
  • 214
  • 1
  • 6