
I have already tested how to do a MITM attack, using a fake AP to intercept the WPA-PSK, by presenting the user with a vendor (e.g. Linksys) logon page, before routing network traffic through eth0.

However, for someone with computer expertise this will probably not work.

Instead of presenting the user with a fake logon page in the browser, is it then possible to intercept the passphrase from the Windows logon mechanism (seen below)? To be more specific, is it possible to configure the fake access point to fool Windows into requiring a passphrase (in the fashion below) and send it unencrypted to the AP? This would seem legitimate from the user's point of view!

Normally, the AP created by airbase-ng is open and does not require logon credentials.

[screenshot referenced above: the Windows passphrase prompt for the wireless network]

Shuzheng

1 Answer


For your example (WPA2-Personal), the answer is no, not without brute-forcing it. At least not as long as Windows adheres and continues to adhere to the official standard. Presenting a fake login page like you did is AFAIK the only way to try to get the password, but this may indeed trigger some warnings as it is not standard behaviour.

However, with WPA2-Enterprise, you might be lucky in two cases:

  1. a vulnerable EAP implementation is chosen (e.g. lightweight EAP is considered very insecure, EAP-MSCHAPv2 is also broken). The general recommendation nowadays is to use EAP-TLS or PEAP-MSCHAPv2.
  2. EAP-TLS is chosen, but the supplicant does not validate the server's certificate (or you can forge the real certificate). By extension, PEAP-MSCHAPv2 will also be 'broken' in this case.

Michael
  • So the reason it doesn't work is because Windows performs the 4-way handshake and this will not result in success, since the attacker doesn't know the PSK required for authentication and derivation of the PTK? Thanks for your answer, bringing light upon this topic. – Shuzheng Mar 08 '16 at 09:30
  • @NicolasLykkeIversen, indeed – Michael Mar 08 '16 at 09:39
  • May I ask, if you could recommend a good reading source for practical security info, like the knowledge you provide here? – Shuzheng Mar 08 '16 at 10:02
  • @NicolasLykkeIversen, Personally I take a lot of notes and read a lot about the things that interest me. I do not believe there can be one book that can describe everything for everyone. Every person has different interests and different background knowledge. – Michael Mar 08 '16 at 11:54
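The reasoning in the answer and the first comment, as an added example that is not part of the original thread: the WPA2-Personal key derivation (PBKDF2 for the PMK, PRF-512 for the PTK, HMAC-SHA1-128 for the EAPOL-Key MIC) run through a simulated 4-way handshake. It shows that only nonces and MICs go on the air, and that an access point which does not hold the PSK cannot produce a message 3 MIC the supplicant will accept. The SSID, MAC addresses, nonces and the simplified frame layouts are constructed sample values, not the IEEE frame format.

```python
import hashlib
import hmac

SSID = "ExampleNet"                      # constructed sample values, not from the question
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))                # fixed nonces so the run is reproducible
SNONCE = bytes(range(32, 64))

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-Personal: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3, truncated."""
    blocks = [hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]
    return b"".join(blocks)[:64]

def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min/max of the MACs and of the nonces)."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)

def key_mic(kck: bytes, eapol_body: bytes) -> bytes:
    """Key MIC for WPA2-PSK with CCMP: HMAC-SHA1 over the EAPOL-Key frame, truncated to 128 bits."""
    return hmac.new(kck, eapol_body, hashlib.sha1).digest()[:16]

def run_handshake(ap_passphrase: str, sta_passphrase: str):
    """Simulate messages 1-3 of the 4-way handshake (simplified, constructed frame layouts).

    Returns (supplicant_accepts_message_3, frames_seen_on_air)."""
    ap_ptk = derive_ptk(pmk_from_passphrase(ap_passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    sta_ptk = derive_ptk(pmk_from_passphrase(sta_passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)
    ap_kck, sta_kck = ap_ptk[:16], sta_ptk[:16]       # KCK is the first 128 bits of the PTK
    m1 = b"M1" + ANONCE                                # AP -> STA: ANonce, no MIC yet
    m2_body = b"M2" + SNONCE
    m2 = m2_body + key_mic(sta_kck, m2_body)           # STA -> AP: SNonce + MIC under the STA's KCK
    # An AP that does not hold the PSK derives a different KCK: it can neither verify M2 nor
    # build an M3 whose MIC the supplicant accepts, so the handshake stops at message 3.
    m3_body = b"M3" + ANONCE
    m3 = m3_body + key_mic(ap_kck, m3_body)            # AP -> STA: MIC under the AP's KCK
    accepted = hmac.compare_digest(m3[-16:], key_mic(sta_kck, m3_body))
    return accepted, [m1, m2, m3]

def passphrase_on_air(passphrase: str, frames) -> bool:
    """True if the passphrase or its PMK appears verbatim in any transmitted frame."""
    secrets = (passphrase.encode(), pmk_from_passphrase(passphrase, SSID))
    return any(s in f for s in secrets for f in frames)
```

With matching passphrases the supplicant accepts message 3; with a rogue AP that only guesses, it does not, and in neither case do the frames carry the passphrase or the PMK.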