
How do Access Points check whether the provided password (given by the device wishing to authenticate) is actually the correct password of the Access Point?

If a user attempts to join a secured network (whether that's WEP/WPA/WPA2) with a password, I assume that password is somehow sent to the Access Point. I have no questions about information encryption & transmission over Wi-Fi. My question is, do the Access Points finally have the attempted password in plaintext and then see if it matches with the one in their system or what?

If that's the case, isn't every Access Point able to capture every attempted password and output them all into a .txt file?

Coto
    Possible duplicate of [can wpa2 wifi be hacked by capturing data on an evil twin?](https://security.stackexchange.com/questions/79343/), [Obtain credentials by spoofing WPA/WPA2 Enterprise network?](https://security.stackexchange.com/questions/4565/), [Four-way Handshake in WPA-Personal (WPA-PSK)](https://security.stackexchange.com/questions/17767/). – Steffen Ullrich Mar 08 '18 at 19:58
  • @SteffenUllrich It seems like this isn't possible on WPA/WPA2. But what about WEP? – Coto Mar 08 '18 at 20:02
  • WEP is also using a challenge-response authentication where the transport is not actually transferred and thus cannot be captured by a rogue AP, see [wikipedia](https://en.wikipedia.org/wiki/Wired_Equivalent_Privacy#Authentication). – Steffen Ullrich Mar 08 '18 at 20:24

1 Answer


No, the actual password isn't logged because the four-way handshake ensures that the password is never sent over open air, as this Wikipedia entry explains:

The four-way handshake is designed so that the access point (or authenticator) and wireless client (or supplicant) can independently prove to each other that they know the PSK/PMK, without ever disclosing the key. Instead of disclosing the key, the access point & client each encrypt messages to each other—that can only be decrypted by using the PMK that they already share—and if decryption of the messages was successful, this proves knowledge of the PMK. The four-way handshake is critical for protection of the PMK from malicious access points—for example, an attacker's SSID impersonating a real access point—so that the client never has to tell the access point its PMK.

You can, however, capture that an attempt was made using Wireshark, which is explained in the WPA Packet Capture Explained tutorial:

This is a quick and dirty explanation of two sample WPA capture files. The first file (wpa.full.cap) is a capture of a successful wireless client WPA connection to an access point. The second file (wpa.bad.key.cap) is a capture of a wireless client attempting to use the wrong passphrase to connect to the AP.

Updating to include Steffen Ullrich's response concerning WEP:

WEP is also using a challenge-response authentication where the transport is not actually transferred and thus cannot be captured by a rogue AP, see wikipedia

  • It seems like this isn't possible on WPA/WPA2. But what about WEP? – Coto Mar 08 '18 at 20:05
  • @Coto on WEP it doesn't work that way either, on WEP it happens with a challenge-response, if it's done with the right key, you can also check that on [Wikipedia](https://en.wikipedia.org/wiki/Wired_Equivalent_Privacy#Authentication) – Azteca Mar 09 '18 at 21:47
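The handshake described in the answer above, as an added, runnable simulation (this is example code written for this page, not code from the original post or from any Wi-Fi implementation). It follows the IEEE 802.11i key derivation for WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), PTK from the PRF keyed with the PMK over both MAC addresses and both nonces, and a 16-byte HMAC-SHA1 MIC over the EAPOL-Key frame (key descriptor version 2). The EAPOL-Key frame layout, SSID, MAC addresses and passphrases are simplified or constructed for the example. The point to watch is `authenticator_check`: the AP never receives a password, only a MIC, and decides by recomputing that MIC with its own PMK. The same check is what lets an eavesdropper (or a rogue AP that collected message 2) test passphrase guesses offline against a captured exchange, which `offline_guess` shows.

```python
import hashlib
import hmac
import os

# Constructed sample parameters (not from the original page).
SSID = b"ExampleNet"
AP_MAC = bytes.fromhex("001122334455")   # authenticator address (AA)
STA_MAC = bytes.fromhex("66778899aabb")  # supplicant address (SPA)

# Simplified stand-in for the real EAPOL-Key header fields; the MIC is the
# last 16 bytes of the frame and is computed with that field zeroed, as in 802.11i.
MSG2_HEADER = b"\x02\x03EAPOL-Key/msg2:"


def derive_pmk(passphrase: str, ssid: bytes) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid, 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: concatenated HMAC-SHA1(key, label || 0x00 || data || counter)."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, label + b"\x00" + data + bytes([counter]), hashlib.sha1).digest()
        counter += 1
    return out[:nbytes]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK (384 bits for CCMP); the first 16 bytes are the KCK that keys the MIC."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, 48)


def eapol_mic(kck: bytes, frame_with_mic_zeroed: bytes) -> bytes:
    """Key descriptor version 2: HMAC-SHA1 over the frame, truncated to 128 bits."""
    return hmac.new(kck, frame_with_mic_zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce: bytes, kck: bytes) -> bytes:
    zeroed = MSG2_HEADER + snonce + b"\x00" * 16
    return MSG2_HEADER + snonce + eapol_mic(kck, zeroed)


def parse_msg2(frame: bytes):
    snonce = frame[len(MSG2_HEADER):len(MSG2_HEADER) + 32]
    return snonce, frame[-16:], frame[:-16] + b"\x00" * 16


def supplicant_msg2(passphrase: str, anonce: bytes) -> bytes:
    """Client side: answer message 1 using a PTK derived from its own passphrase."""
    snonce = os.urandom(32)
    ptk = derive_ptk(derive_pmk(passphrase, SSID), AP_MAC, STA_MAC, anonce, snonce)
    return build_msg2(snonce, ptk[:16])


def authenticator_check(ap_pmk: bytes, anonce: bytes, msg2: bytes) -> bool:
    """AP side: no password arrives; it recomputes the MIC with its own PMK and compares."""
    snonce, mic, zeroed = parse_msg2(msg2)
    ptk = derive_ptk(ap_pmk, AP_MAC, STA_MAC, anonce, snonce)
    return hmac.compare_digest(mic, eapol_mic(ptk[:16], zeroed))


def run_handshake(ap_passphrase: str, client_passphrase: str):
    """Messages 1 and 2 of the four-way handshake; returns (accepted, capture)."""
    ap_pmk = derive_pmk(ap_passphrase, SSID)
    anonce = os.urandom(32)                          # message 1: ANonce
    msg2 = supplicant_msg2(client_passphrase, anonce)  # message 2: SNonce + MIC
    return authenticator_check(ap_pmk, anonce, msg2), (anonce, msg2)


def offline_guess(anonce: bytes, msg2: bytes, candidates):
    """What a capture gives an attacker: the ability to test guesses, not the password."""
    for guess in candidates:
        if authenticator_check(derive_pmk(guess, SSID), anonce, msg2):
            return guess
    return None


if __name__ == "__main__":
    ok, capture = run_handshake("correct horse battery", "correct horse battery")
    print("correct passphrase accepted:", ok)
    bad, _ = run_handshake("correct horse battery", "wrong guess")
    print("wrong passphrase accepted:", bad)
    print("recovered from capture:", offline_guess(*capture, ["password", "correct horse battery"]))
```

Each PBKDF2 run costs 4096 HMAC-SHA1 iterations, which is why a long, non-dictionary passphrase is what protects a PSK network against the offline check above; the handshake itself only guarantees that the passphrase is never transmitted.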