13

https://en.wikipedia.org/wiki/Evil_twin_%28wireless_networks%29

My question: it's OK that someone can make an AP with the same MAC and SSID as the original AP. And with stronger signal. But what I don't understand is how can a rogue AP be configured in a way that will accept the password? (the password is for the original AP).

UPDATE: Are there any ways to configure an AP with e.g. WPA2-PSK that accepts any password? (And so the password will be stored?)

merours

evachristine
  • See also: [Can someone get my WPA2 password with honeypots?](http://security.stackexchange.com/q/16317/12139) – unor Mar 29 '14 at 19:53

3 Answers

7

The evil twin attack works because with most versions of WPA there is no validation of the AP. When connecting to an AP, a system simply trusts that the AP is what it says it is. This isn't a good design, frankly; however, we are stuck with it.

WPA Enterprise allows the use of certificates for verification of both the AP and the connecting system; however, it really isn't a viable solution outside of companies which control their infrastructure.

GdD
  • Your update isn't clear, I'm not sure what you are asking. – GdD Mar 25 '14 at 10:53
  • I think they're asking "Could the malicious AP steal the good AP's password when you connect (because you entered it thinking you're connecting to the 'good' AP)?" And could the malicious AP be designed to connect you to the internet regardless of the password you input? To which I'd say: it's all just software, it can do whatever it wants, so yes and yes. – kristina Apr 01 '14 at 19:25
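The certificate check the answer mentions is something the client has to be configured to perform; if it is not, a supplicant will complete the EAP exchange with whatever server answers on that SSID, an evil twin's included. The following wpa_supplicant network blocks are an added example, not taken from the answer or from any vendor documentation; the SSID, identity, password, CA path and RADIUS host name are placeholders.

```conf
# Weak: no ca_cert and no server-name match, so the client accepts any
# RADIUS server certificate presented on "CorpWiFi", including one served
# by a rogue AP running its own EAP server.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="example-only"
    phase2="auth=MSCHAPV2"
}

# Hardened: the server certificate must chain to the pinned corporate CA
# and carry a name under the expected domain, otherwise the handshake is
# aborted before any inner credentials are sent.
network={
    ssid="CorpWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice"
    password="example-only"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/corp-radius-ca.pem"
    domain_suffix_match="radius.corp.example"
}
```

`ca_cert` and `domain_suffix_match` are standard wpa_supplicant options; the second is what stops a certificate that is valid but issued for some other host from passing. Managed clients (e.g. via MDM or Group Policy) can push the equivalent settings, which is why the answer notes this is mostly workable where the organisation controls the endpoints.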
3

I am not an expert in how WPA works; however, I don't think there is a way to set up an AP which accepts any password: the 4-way handshake is a lot more complicated than just the client sending the password to the AP and asking if it's correct.

Traditional evil twins work by already knowing the password and are used for launching different kinds of attacks on clients, not finding out the password for an existing network.

There are tools designed to make this process of luring a target onto a network the attacker controls easier, notably Airbase-ng and Wifish. Wifish in particular exploits the way Wi-Fi clients try to reconnect to previously known networks. As I recall it works well for unsecured and WEP protocols. The webpage makes vague mentions of WPA too, but I don't remember the details; I saw the presentation a while ago.

This is something you can investigate if you are interested. You can find the presentation on youtube.

http://www.airtightnetworks.com/home/resources/knowledge-center/wifish-finder.html

user2675345
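The 4-way handshake this answer refers to, as an added example (not code from the answer or from any of the tools it names): the WPA2-PSK derivation chain passphrase → PMK → PTK → key MIC, a client producing message 2, and the check an AP performs on it. The SSID, passphrase, MAC addresses and guess list are constructed, and the EAPOL-Key frame is a simplified stand-in rather than the exact 802.11 layout; the derivation steps themselves (PBKDF2-HMAC-SHA1 with 4096 iterations, PRF-512, HMAC-SHA1 key MIC for CCMP) are the standard ones.

```python
import hashlib
import hmac
import os

# Constructed example values; SSID and passphrase are made up for this demo.
SSID = b"HomeNetwork"
PASSPHRASE = b"correct horse battery"


def pmk_from_passphrase(passphrase: bytes, ssid: bytes) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase, ssid, 4096, 32)


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """IEEE 802.11 PRF-512: PTK from the PMK, both MAC addresses and both nonces."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    label = b"Pairwise key expansion"
    out = b""
    for i in range(4):  # 4 x 20 bytes of HMAC-SHA1 output, truncated to 64 bytes
        out += hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, frame_with_zero_mic: bytes) -> bytes:
    """Key MIC for WPA2/CCMP (descriptor version 2): first 16 bytes of HMAC-SHA1(KCK, frame)."""
    return hmac.new(kck, frame_with_zero_mic, hashlib.sha1).digest()[:16]


def build_m2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Simplified stand-in for EAPOL-Key message 2 (assumption: real frames carry more fields)."""
    return b"\x02\x03" + snonce + mic  # EAPOL version 2, type 3 (Key), SNonce, MIC


def client_message2(passphrase, ssid, aa, spa, anonce):
    """Supplicant side: pick an SNonce, derive the PTK, MIC message 2 with the KCK."""
    snonce = os.urandom(32)
    ptk = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)
    mic = eapol_mic(ptk[:16], build_m2(snonce))
    return build_m2(snonce, mic)


def ap_verify_message2(pmk, aa, spa, anonce, m2):
    """Authenticator side: only an AP that already holds the PMK can check the MIC."""
    snonce, mic = m2[2:34], m2[34:50]
    ptk = ptk_from_pmk(pmk, aa, spa, anonce, snonce)
    return hmac.compare_digest(eapol_mic(ptk[:16], build_m2(snonce)), mic)


def offline_guess(candidates, ssid, aa, spa, anonce, m2):
    """Rogue AP without the PSK: keep ANonce plus message 2 and test guesses offline."""
    for cand in candidates:
        if ap_verify_message2(pmk_from_passphrase(cand, ssid), aa, spa, anonce, m2):
            return cand
    return None


def demo():
    aa = bytes.fromhex("020000000001")   # constructed AP MAC (authenticator address)
    spa = bytes.fromhex("020000000002")  # constructed client MAC (supplicant address)
    anonce = os.urandom(32)              # message 1 from the AP: just a nonce, nothing to verify
    m2 = client_message2(PASSPHRASE, SSID, aa, spa, anonce)
    legit = ap_verify_message2(pmk_from_passphrase(PASSPHRASE, SSID), aa, spa, anonce, m2)
    wrong = ap_verify_message2(pmk_from_passphrase(b"wrong", SSID), aa, spa, anonce, m2)
    recovered = offline_guess([b"password", b"letmein", PASSPHRASE], SSID, aa, spa, anonce, m2)
    return legit, wrong, recovered


if __name__ == "__main__":
    print(demo())
```

`demo()` shows the two halves of the question. The AP only accepts message 2 by recomputing the MIC from a PMK it already holds, so an AP that "accepts any password" would have to skip the check, and since the passphrase itself never crosses the air it would then have nothing to store. What an evil twin that does not know the PSK does get is the ANonce, SNonce and MIC, which it can keep and test passphrase guesses against offline, as `offline_guess` does with a short constructed list.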
2

The real problem is that if you set up a rogue AP with the same SSID as the original, NO encryption at all, and a stronger Wi-Fi signal, then the client will connect to the rogue AP. So you don't have to set up a rogue AP with encryption enabled.

It's just a matter of broadcasting a DeAuth packet (which unfortunately is not authenticated).

At this point you have established a connection with the client and can retrieve the WPA password by other means (e.g. Metasploit). You can even make an automatic redirect to a fake page asking for the WPA password of the router.