Capturing Essid Credentials?

[Jonathan Frias]

I haven't seen anything about this yet, but I just wanted to know if there is anything that'll capture the wifi network credentials.

Are they encrypted?

We're already the man-in-the-middle, so would this be difficult?

[Mr-Protocol]

They are encrypted/hashed/salted.

[niggizito]

I haven't seen anything about this yet, but I just wanted to know if there is anything that'll capture the wifi network credentials.

Are they encrypted?

We're already the man-in-the-middle, so would this be difficult?

Hi Jonathan,

If you're asking to capture the shared passphrases used to authenticate users against an AP (WEP, WPA, etc..) then I don't think it's possible at all. Since you can "impersonate" those SSID, it really doesn't matter what encryption/authentication that SSID is using. Because you're actually saying: Yes, I'm that SSID!. So, people will connect to you automatically.

Hope I answered your question.

Cheers!

[Mr-Protocol]

If their OS decides to "fall back" to open, non-encrypted connection, that is true. But it is rare for OS now a days to do so. They would need an open, non-encrypted network saved to their device and then it would connect to the pineapple if set to auto-connect. You cannot impersonate a secure network due to how the handshaking works and validating the password in the handshaking process.

[Vulture]

This shouldn't be too difficult though. Basically aircrack provides this capability for WEP networks and the ability to capture the handshakes of WPA/WPA2 networks. What I would see is a module for capturing IVs (WEP) and Handshakes (WPA)then sending them to a remote host for processing.

You then have Reaver which exploits a vulnerability is WPS for WPA/WPA2 networks which is very effective just time consuming.

You should read over the documentation for aircrack and reaver to get a full understanding of what they are doing. Reaver from my understanding is installed on the Pineapple but does not function yet. I can not confirm the working status but I know it is installed.

[Mr-Protocol]

This shouldn't be too difficult though. Basically aircrack provides this capability for WEP networks and the ability to capture the handshakes of WPA/WPA2 networks. What I would see is a module for capturing IVs (WEP) and Handshakes (WPA)then sending them to a remote host for processing.

You then have Reaver which exploits a vulnerability is WPS for WPA/WPA2 networks which is very effective just time consuming.

You should read over the documentation for aircrack and reaver to get a full understanding of what they are doing. Reaver from my understanding is installed on the Pineapple but does not function yet. I can not confirm the working status but I know it is installed.

I think reaver is ssh/cli only currently. No fancy GUI for it yet.

[niggizito]

If their OS decides to "fall back" to open, non-encrypted connection, that is true. But it is rare for OS now a days to do so. They would need an open, non-encrypted network saved to their device and then it would connect to the pineapple if set to auto-connect. You cannot impersonate a secure network due to how the handshaking works and validating the password in the handshaking process.

Hmmm, I was at the Motorola AirDefence demo showing how easy it was to "impersonate" ANY wirelsess networks. The guy was using one of the first version of Fonera router/AP. I found myself connected to our 802.1x network SSID (WPA2 Enterprise/AES) at that very place.

Edited April 6, 2012 by niggizito

[Mr-Protocol]

The Fonera or any pineapple/jasager for that matter cannot emulate WPA/WEP/Encryption without knowing the actual password, even then I'm not sure Jasager has an option for it.

[digininja]

Hmmm, I was at the Motorola AirDefence demo showing how easy it was to "impersonate" ANY wirelsess networks. The guy was using one of the first version of Fonera router/AP. I found myself connected to our 802.1x network SSID (WPA2 Enterprise/AES) at that very place.

The closest you could get would be to use Freedradius-wpe http://www.willhackforsushi.com/FreeRADIUS_WPE.html which runs a RADIUS server which automatically accepts any authentication offered it. You may be technically authenticated but you won't actually be able to send any traffic as the server won't know the actual credentials so won't be able to encrypt/decrypt the traffic.

[RebelCork]

I have been thinking of one Social Engineering hack using the pineapple to gain the user creds of wifi networks.

My "theoretical" hack is:

Here, where I live, the cable company offers really cheap TV/internet packages, and I live in a student area of my town, so almost every wifi ssid is a variation of "***123456" with the cable company's name as part of the SSID. I have created a fake landing page with their logo, and a simple "Enter your wireless password in this field" - type box.

Then using mdk3/aireplay-ng, i deauth all clients on the network I want the password for, hopefully the computer connects to the pineapple, as I am now the available signal.

Using the phishing scripts, I would be able to get passwords of other users.

Social Engineering 101 with a little pineapple as garnish

[Jonathan Frias]

Interesting.. Thanks guys! :)

[niggizito]

The closest you could get would be to use Freedradius-wpe http://www.willhackforsushi.com/FreeRADIUS_WPE.html which runs a RADIUS server which automatically accepts any authentication offered it. You may be technically authenticated but you won't actually be able to send any traffic as the server won't know the actual credentials so won't be able to encrypt/decrypt the traffic.

Hmm, yes, I found myself connected to our enterprise SSID. But I was so astonished so I didn't check the possibility to browse. So I can't say anything. And I do remember the guy showed us the FREERADIUS patch from Josh Wright. Well, I thought that Mark iv exploits management packets. Looks like I was wrong...or maybe partially :-)

Anyway, good discussion.

[digininja]

The 'exploit' we use is that the client probe for us (management packets) and tell us what they are looking for, we just say yes, we are here, in the probe responses (also management packets).

As we don't know any credentials we can reply to requests for encrypted networks of any kind so the association phase completes successfully but then when the authentication starts things fail as we don't know the keys so can't understand what the other side is saying.

If you had a really fast machine, and a client who was sticking around, then you could potentially collect credentials using Josh's app and crack them then feed them back into the server so you could talk to the client. Possible, but not on a pineapple.

[barry99705]

The 'exploit' we use is that the client probe for us (management packets) and tell us what they are looking for, we just say yes, we are here, in the probe responses (also management packets).

As we don't know any credentials we can reply to requests for encrypted networks of any kind so the association phase completes successfully but then when the authentication starts things fail as we don't know the keys so can't understand what the other side is saying.

If you had a really fast machine, and a client who was sticking around, then you could potentially collect credentials using Josh's app and crack them then feed them back into the server so you could talk to the client. Possible, but not on a pineapple.

I don't think anyone has a machine that fast!

[digininja]

It depends on how strong the password is and how long you have. If someone is on a flight and leaves their wifi on then you could have a few hours, that is plenty of time to crack it.

[niggizito]

It depends on how strong the password is and how long you have. If someone is on a flight and leaves their wifi on then you could have a few hours, that is plenty of time to crack it.

Very good clarification! Thx a bunch!