2

When you connect to an AP using Ethernet it requires no authentication, but the traffic must be encrypted with a handshake, shouldn't it? So wouldn't an attacker be able to write a script so that when he plugs a Raspberry Pi, for instance, into an AP he would be able to find the password?

Aidan
  • 21
  • 1
  • 2
    Unless the access point's control panel is left unsecured, having access to the ethernet network does not allow extraction of the wireless password. When wireless is used, the handshake and wireless encryption occur between the client and the access point. The connection between the access point and the wired network is standard ethernet. – tlng05 Jul 29 '16 at 19:32
  • @tlng05 but can you find an AP password in the device you connect it to? – Aidan Jul 29 '16 at 19:52
  • What do you mean by "it"? – tlng05 Jul 29 '16 at 19:53
  • It should be noted that @tlng05's assumption that the only way into the access point is through its control panel is ***WAY*** too generous regarding the security of access points, especially those built into home routers. Router security code is almost always obsolete and unpatched, and usually wasn't ever any good to start with. If I'm on the local network side of a router, especially via Ethernet (which is usually more trusted than WiFi), I can probably get your WiFi password (and more) even if you ever bothered to "secure" the access point control panel. – CBHacking Jul 29 '16 at 22:46
  • @CBHacking Yeah, WPS and the default password and stuff, but are you saying you could get my WiFi password with physical access to the router within reason, e.g. no resetting the router? – Aidan Aug 11 '16 at 11:52
  • @CBHacking and how would you go about this? Brute force, dictionary? Something else? – Aidan Aug 11 '16 at 12:09
  • A huge number of mass-market routers have "remote management" backdoors. These are easy to find and can be used to get (or set) router configurations. Every single home router I've personally checked is vulnerable to CSRF, which makes it easily exploitable if the admin signs into the control portal. None of them use up-to-date OpenSSL versions... but they don't use HTTPS anyhow, usually, so an attacker on the network can just ARP spoof and get the router's login password. As a last resort, yes, most routers have no protection against a password dictionary attack. – CBHacking Aug 11 '16 at 17:53

1 Answer

3

The key exchange is done wirelessly, not over the wire, so the wired clients are unable to intercept those transmissions. There is no reason why the AP should rebroadcast the handshake to its wired clients, so no, the scenario you describe is not possible.

Moreover, knowledge of the handshake does not allow someone to get the WPA2 key. For more on this side of things, see Are WPA2 connections with a shared key secure?

Jesse K
  • 1,068
  • 6
  • 13
  • Okay, because I know you can use airodump-ng and stuff to intercept WPA handshakes and run a brute force or dictionary attack. So if you MITM a wired connection, 1) is it possible and 2) is the data in plain text? – Aidan Jul 29 '16 at 19:50
  • 1
    @Aidan There is no way to obtain a wireless handshake over the wired network; however, traffic flowing over the wired network will already be in plain text as long as no other encryption is used (like TLS/HTTPS). Adding wireless capabilities to a network does not change anything regarding the wired portion. – tlng05 Jul 29 '16 at 19:57
  • @tlng05 So an Ethernet connection has absolutely no encryption and has no way to find the WPA2 PSK? – Aidan Jul 29 '16 at 20:03
  • 1
    @Aidan Yep. An ethernet-only device knows nothing about the wireless portion of the network, not even the fact that it exists. The access point seamlessly translates between wired and wireless protocols to allow wired clients to communicate with wireless ones as if they were wired. – tlng05 Jul 29 '16 at 20:13
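The answer and comments above rest on one observable fact: the WPA2 4-way handshake travels as EAPOL-Key frames between the wireless client and the AP, and a bridged wired port should never see them. A practical way to confirm that on your own network is to capture on the wired port and check for EtherType 0x888E (802.1X) frames whose packet type is EAPOL-Key. The script below is an added example, not code from the answer or from any tool it mentions. It decodes the Ethernet header, the 802.1X header and the first fields of an EAPOL-Key body, maps the Key Information flags to handshake messages 1 to 4, and runs over two constructed frames (an ordinary IPv4 frame and a zero-nonce message 1 built only as test input; the MAC addresses are made up, locally administered values). Reading real frames from a pcap or raw socket is left to the caller; the parser takes plain `bytes`.

```python
import struct

# Constructed, educational example: audit an Ethernet capture for 802.11
# 4-way-handshake (EAPOL-Key) frames, which a bridged wired segment should
# never carry. Not code from the answer or from any tool it names.

ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_EAPOL = 0x888E      # IEEE 802.1X / EAPOL
EAPOL_TYPE_KEY = 3            # 802.1X packet type "EAPOL-Key"
DESCRIPTOR_RSN = 2            # key descriptor type used by WPA2 (RSN)

# Key Information bit flags of the EAPOL-Key frame (IEEE 802.11)
KEY_INFO_PAIRWISE = 0x0008
KEY_INFO_INSTALL = 0x0040
KEY_INFO_ACK = 0x0080
KEY_INFO_MIC = 0x0100
KEY_INFO_SECURE = 0x0200


def handshake_message(key_info: int):
    """Map Key Information flags to the 4-way-handshake message number, or None."""
    if not key_info & KEY_INFO_PAIRWISE:
        return None                       # group-key or other exchange
    ack = bool(key_info & KEY_INFO_ACK)
    mic = bool(key_info & KEY_INFO_MIC)
    install = bool(key_info & KEY_INFO_INSTALL)
    secure = bool(key_info & KEY_INFO_SECURE)
    if ack and not mic:
        return 1                          # AP -> client: ANonce
    if mic and not ack and not secure:
        return 2                          # client -> AP: SNonce + MIC
    if ack and mic and install:
        return 3                          # AP -> client: GTK, install PTK
    if mic and not ack and secure:
        return 4                          # client -> AP: confirmation
    return None


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, for EAPOL frames, the 802.1X/Key fields."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet frame")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    mac = lambda b: ":".join("%02x" % x for x in b)
    info = {"dst": mac(dst), "src": mac(src), "ethertype": ethertype}
    if ethertype != ETHERTYPE_EAPOL or len(frame) < 18:
        return info
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    info.update(eapol_version=version, eapol_type=ptype, eapol_len=body_len)
    if ptype == EAPOL_TYPE_KEY and len(frame) >= 21:
        descriptor = frame[18]
        key_info = struct.unpack("!H", frame[19:21])[0]
        info.update(descriptor=descriptor, key_info=key_info,
                    message=handshake_message(key_info))
    return info


def audit_wired_capture(frames) -> list:
    """Return decoded EAPOL-Key frames found in a capture taken on a wired port."""
    return [info for info in map(parse_frame, frames)
            if info.get("eapol_type") == EAPOL_TYPE_KEY]


def build_eapol_key_msg1(dst: bytes, src: bytes) -> bytes:
    """Construct a WPA2 4-way-handshake message 1 in 802.3 framing, as test
    input only (nonce zeroed). On air it would sit inside an 802.11 data frame."""
    key_info = KEY_INFO_PAIRWISE | KEY_INFO_ACK | 0x0002   # descriptor version 2
    body = (bytes([DESCRIPTOR_RSN]) + struct.pack("!HH", key_info, 16)
            + bytes(8)            # replay counter
            + bytes(32)           # ANonce (zeroed in this constructed sample)
            + bytes(16 + 8 + 8)   # key IV, RSC, reserved
            + bytes(16)           # MIC field (unused in message 1)
            + struct.pack("!H", 0))   # key data length
    return (dst + src + struct.pack("!H", ETHERTYPE_EAPOL)
            + struct.pack("!BBH", 2, EAPOL_TYPE_KEY, len(body)) + body)


# Constructed sample capture: one ordinary IPv4 frame (what a wired client
# normally sees) plus one handshake frame that should never be on the wire.
AP_MAC = bytes.fromhex("02aabbccdd01")        # made-up, locally administered
CLIENT_MAC = bytes.fromhex("02aabbccdd02")
SAMPLE_CAPTURE = [
    CLIENT_MAC + AP_MAC + struct.pack("!H", ETHERTYPE_IPV4) + bytes(46),
    build_eapol_key_msg1(CLIENT_MAC, AP_MAC),
]

if __name__ == "__main__":
    for f in audit_wired_capture(SAMPLE_CAPTURE):
        print("EAPOL-Key on wired segment: message %s from %s" % (f["message"], f["src"]))
```

On a healthy network the audit returns nothing for a wired-port capture; a hit means something is bridging 802.11 management traffic onto the wire (or the port is doing wired 802.1X, which uses EAP packets, type 0, rather than EAPOL-Key). The constructed sample deliberately includes one message 1 so the detection path is exercised.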