23

Yesterday I went to my cousin's home and I saw that I wasn't connected to his wireless (for internet access). Then I looked up the list of wireless points. I found his name and clicked it to connect, I entered his password (which I know) and it didn't connect. Then I asked him whether he had changed the password and he told me that he hadn't and it was just because the wireless device was closed. So I thought, could it be possible that the password I entered was "taken" by the guy next door?

I don't know whether the plain password is sent to the device. And I think you call it an Access Point.

Iszi
ilhan

3 Answers

25

Yes and no. They may not have your password in plaintext, but they have enough to potentially guess it and verify that guess (i.e. offline brute forcing).

WPA2 authentication is performed through a four-way handshake. Instead of just sending your password in plaintext to any access point you connect to, this handshake ensures that unless both parties already know the password, the password (or any attempt at it) is not revealed. However, enough of that four-way handshake can be recovered to make offline password cracking possible.

Please understand you risk this every day. The network manager on your computer/device is probably configured to automatically 1) search for familiar access points by sending out beacons (thus advertising what is familiar to it and essentially how to mimic it) and then 2) automatically connect to any familiar access point that responds. Even if you are currently connected to a wireless network, an attacker could disconnect you via a deauthentication attack and then lure your device into connecting to their honeypot.


What can you do to protect yourself?

  • Choose a password that is tough to crack.
  • On your device, disable automatic connections to so-called "familiar devices".
  • Refuse to connect to wireless networks with weak passwords.
    • Friends don't let friends choose weak passwords.
  • Stay away from any WEP or unencrypted networks. Seriously.

If you are interested in 802.11 (aka WiFi) security, check out Vivek's "WLAN-Security-Megaprimer" on SecurityTube. There is a lot of FUD and many misinformed articles on wireless security, but the material of Vivek Ramachandran and (when you're ready to try attacking yourself) the documentation on the aircrack-ng wiki are solid. I cannot recommend Vivek's material enough. Also, this article on the security of WEP, WPA, and WPA2 seems promising.

You are doing a great job thinking about security and asking the right questions. The next step is to attack yourself. Remember to stay paranoid.

chao-mu
  • You should increase the security of a WPA2 connection with AES. WPA, considering it's less secure than WPA2, should not be used unless you have no choice in the matter. If you have to use WPA then increase its security by using AES with it also. – Ramhound Jun 21 '12 at 16:48
  • "_you risk this every day_" This seems like a good reason to implement WPA-Enterprise on every Wifi AP. – curiousguy Jun 22 '12 at 02:11
  • curiousguy, do you have a link to easy setup instructions for that? I'd love to include it. – chao-mu Jun 22 '12 at 13:47
  • @curiousguy Does WPA-Enterprise mitigate this problem? Does it negate the possibility of WiFi honeypots? – Naftuli Kay Dec 09 '13 at 21:56
4

No, WPA2 passwords are not sent in plaintext. If this were the case, anyone could deauth you from the network and sniff the password directly from the reconnection handshake.

They can, on the other hand, grab the encrypted handshake and crack it using aircrack-ng. Other than a Faraday cage, you really can't prevent this.

There are mitigation methods like NAC, for example. This would stop someone from gaining access to the trusted network segment if they didn't have a corporate (read: properly configured) computer.

ZnArK
  • There are other related ways of taking advantage of wireless connections. [Hak5 pineapple](http://hakshop.myshopify.com/products/wifi-pineapple) – ZnArK Jun 21 '12 at 14:45
2

I have quite a bit of experience with hacking tools, and from this I can tell you the following (I'm a guest so I can't comment):

  1. It is shocking how easy de-authentication attacks really are. It's as simple as:

    airmon-ng start (insert your wifi device here (e.g. wlan0))  
    airodump-ng mon0  
     (Write down the channel)  
    iwconfig mon0 channel (insert channel here); iwconfig wlan0 channel (channel again)  
    aireplay-ng -a (insert target bssid here) --ignore-negative-one --deauth 0 mon0
    
  2. There are even scripts to set up honeypots so be very careful.

How to protect yourself:

Use WPA2 Enterprise. It requires setting up a RADIUS server. It is really secure when you use TLS authentication (cert-based) or even TTLS (Tunneled normal auth) as long as you have the CA certificate used to set up RADIUS with you. This would prevent you from connecting to rogue APs.

schroeder
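The deauthentication attack described in this answer has a simple signature on the air: a burst of unauthenticated deauth or disassoc management frames claiming to come from the access point, usually addressed to the broadcast address so that every client drops at once. The following is an added example of how a wireless monitor could flag such a burst; it is not part of the original answer and not code from the aircrack-ng project. The frame records are constructed for the example, in the shape a monitor-mode capture exposes for management frames (timestamp, frame subtype, destination, source, BSSID); the window and threshold values are assumptions to be tuned per environment.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample capture (not real traffic): (timestamp_s, subtype, dst, src, bssid).
# Two access points are present. ee:02 sends one deauth to one client, which is
# ordinary behaviour; ee:01 is spoofed in a 100 ms burst of broadcast deauths.
SAMPLE_FRAMES = [
    (0.00, "beacon", BROADCAST, "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:01"),
    (0.10, "beacon", BROADCAST, "aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:02"),
    (0.25, "deauth", "10:20:30:40:50:60", "aa:bb:cc:dd:ee:02", "aa:bb:cc:dd:ee:02"),
    (0.50, "probe-resp", "10:20:30:40:50:60", "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:01"),
] + [
    (1.0 + 0.1 * i, "deauth", BROADCAST, "aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:01")
    for i in range(15)
]


def deauth_burst_counts(frames, window_s=2.0):
    """Peak number of deauth/disassoc frames per (bssid, dst) pair inside any window_s span."""
    recent = defaultdict(deque)   # (bssid, dst) -> timestamps still inside the window
    peak = defaultdict(int)
    for ts, subtype, dst, src, bssid in sorted(frames, key=lambda f: f[0]):
        if subtype not in ("deauth", "disassoc"):
            continue
        key = (bssid, dst)
        window = recent[key]
        window.append(ts)
        while window and ts - window[0] > window_s:   # slide the window forward
            window.popleft()
        peak[key] = max(peak[key], len(window))
    return dict(peak)


def detect_deauth_floods(frames, window_s=2.0, threshold=10):
    """Alert on (bssid, target) pairs that exceed `threshold` deauth frames per `window_s`."""
    alerts = []
    for (bssid, dst), count in deauth_burst_counts(frames, window_s).items():
        if count >= threshold:
            alerts.append({
                "bssid": bssid,
                "target": dst,
                "frames_in_window": count,
                "scope": "all clients (broadcast)" if dst == BROADCAST else "single client",
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_deauth_floods(SAMPLE_FRAMES):
        print(f"deauth flood: bssid={alert['bssid']} target={alert['target']} "
              f"{alert['frames_in_window']} frames, scope={alert['scope']}")
```

Detection of this kind is reactive: it tells you the attack happened, not who sent the frames, because a plain 802.11 management frame carries no proof of origin. The structural fix is 802.11w (Protected Management Frames), which has the access point and client authenticate deauth and disassoc frames so spoofed ones are ignored; the WPA2-Enterprise advice above addresses the separate problem of being lured onto a rogue access point afterwards.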