
I wonder if the following is possible:

Assume you want to gain access to the AP "ap".

Isn't it possible to set up a hotspot with the same BSSID, so that clients think that you are ap and send the password to authenticate?

Please explain if this / why this is not possible. Thank you!

2 Answers


Let's start by thinking about what would happen if we had 2 different networks with the same SSID (say SSID_share), but evidently different BSSIDs (MAC addresses).

What happens if there are 2 different networks with the same SSID?

Each router sends radio waves which are then decoded by your Wi-Fi software manager. It will probably understand that both networks are actually the same, since they have the same SSID. So it shows you only one SSID to connect to. Now, depending on which AP is closer to your wireless network interface, you are going to connect to one network or the other.

For instance, consider your legitimate network A has password MyPass and the fake one B has password MyFakePass. If a client is really close to A's AP (say in the same room) and significantly farther from B's AP (say another level), then B won't affect him.

What happens if a client tries to log into the fake network?

Suppose now a client is closer to the fake AP than to the legitimate one. Without noticing it, he is going to connect to the fake SSID_share. He will not be able to authenticate, though, since passwords are different.

Can an attacker read the password logged from a login attempt?

That actually depends on the authentication system being used. Fortunately, for WPA2-PSK (pre-shared key) the answer is NO. WPA2 does not send the password to the gateway. In fact, the gateway sends a time-changing challenge created using the plaintext password. When a client wants to authenticate it generates a one-way answer to that challenge. So the attacker will never get the password in your logs. The best he could do is try to use brute force techniques.

PS: Don't know why but I have a strong feeling you did not ask this question for a noble purpose :)

Marcos Valle
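To make the "brute force" remark above concrete, here is an added example (my own code, not part of the original answer) that models messages 1 and 2 of the WPA2-PSK four-way handshake offline. The AP's ANonce is random and the passphrase enters only through PBKDF2 into the PMK and from there into the PTK; the client's reply carries its SNonce plus a MIC keyed by the first 128 bits of the PTK, so the passphrase itself never appears on the air. The same code then shows what a rogue AP with a cloned SSID can do with that captured reply: check passphrase guesses against the MIC offline. The SSID, MAC addresses, passphrases and the simplified EAPOL-Key frame layout are constructed values for illustration.

```python
"""Offline model of WPA2-PSK handshake messages 1 and 2 (added example).
All MACs, nonces, passphrases and the frame bytes are constructed."""
import hashlib
import hmac
import os

SSID = b"SSID_share"                      # shared SSID from the answer (constructed)
AP_MAC = bytes.fromhex("001122334455")    # constructed BSSID
STA_MAC = bytes.fromhex("66778899aabb")   # constructed client MAC
SNONCE_OFFSET = 17                        # key nonce field inside the EAPOL-Key frame
MIC_OFFSET = 81                           # MIC field inside the EAPOL-Key frame


def pmk_from_passphrase(passphrase: str, ssid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF: HMAC-SHA1(key, label || 0x00 || data || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_kck(pmk: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-384(PMK, "Pairwise key expansion", min/max(MACs) || min/max(nonces)).
    The KCK (first 16 bytes of the PTK) keys the handshake MIC."""
    data = (min(AP_MAC, STA_MAC) + max(AP_MAC, STA_MAC)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf(pmk, b"Pairwise key expansion", data, 48)[:16]


def build_eapol_m2(snonce: bytes) -> bytearray:
    """Simplified EAPOL-Key message 2 (constructed). MIC field left zeroed."""
    body = bytearray()
    body += b"\x02"                        # descriptor type: RSN
    body += b"\x01\x0a"                    # key info: HMAC-SHA1 MIC, pairwise, MIC bit
    body += b"\x00\x10"                    # key length 16
    body += (1).to_bytes(8, "big")         # replay counter
    body += snonce                         # 32-byte SNonce
    body += bytes(16) + bytes(8) + bytes(8)  # key IV, RSC, key ID
    body += bytes(16)                      # MIC placeholder
    body += b"\x00\x00"                    # key data length 0
    return bytearray(b"\x02\x03") + len(body).to_bytes(2, "big") + body


def compute_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC = HMAC-SHA1(KCK, frame with MIC field zeroed), truncated to 16 bytes."""
    zeroed = bytearray(frame)
    zeroed[MIC_OFFSET:MIC_OFFSET + 16] = bytes(16)
    return hmac.new(kck, bytes(zeroed), hashlib.sha1).digest()[:16]


def client_answer(passphrase: str, anonce: bytes) -> bytes:
    """Client side: picks SNonce, derives KCK from *its* passphrase and the ANonce,
    and sends SNonce + MIC. The passphrase is never put in the frame."""
    snonce = os.urandom(32)
    kck = derive_kck(pmk_from_passphrase(passphrase, SSID), anonce, snonce)
    m2 = build_eapol_m2(snonce)
    m2[MIC_OFFSET:MIC_OFFSET + 16] = compute_mic(kck, m2)
    return bytes(m2)


def ap_verifies(passphrase: str, anonce: bytes, m2: bytes) -> bool:
    """AP side: recompute the MIC from its own passphrase; a rogue AP with a
    different passphrase fails here, which is why the client cannot authenticate."""
    snonce = m2[SNONCE_OFFSET:SNONCE_OFFSET + 32]
    kck = derive_kck(pmk_from_passphrase(passphrase, SSID), anonce, snonce)
    return hmac.compare_digest(compute_mic(kck, m2), m2[MIC_OFFSET:MIC_OFFSET + 16])


def offline_guess(anonce: bytes, m2: bytes, wordlist):
    """What the rogue AP *can* do with a captured M2: try guesses against the MIC."""
    for guess in wordlist:
        if ap_verifies(guess, anonce, m2):
            return guess
    return None


if __name__ == "__main__":
    anonce = os.urandom(32)                              # rogue AP's message 1
    m2 = client_answer("MyPass", anonce)                 # client replies
    print("passphrase in frame:", b"MyPass" in m2)       # False
    print("rogue AP (MyFakePass) accepts:", ap_verifies("MyFakePass", anonce, m2))
    print("offline guess:", offline_guess(anonce, m2, ["123456", "MyFakePass", "MyPass"]))
```

Running it shows the two halves of the answer: the captured frame contains no passphrase and the rogue AP cannot complete the handshake with its own one, but because ANonce, SNonce, both MACs and the MIC are all visible to whoever ran the fake AP, each passphrase guess costs only one PBKDF2 plus a few HMACs, so a weak PSK is exposed to exactly the offline attack the answer alludes to.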

WiFi authentication doesn't simply send the password over the wire, but uses EAP and a series of cryptographic exchanges for both sides to authenticate one another without explicitly sending the password.

Steve Sether