Jump to content

Karma and WPA protected access points


troyhunt
 Share

Recommended Posts

Quickie question guys: I's seeing probes for WPA protected networks, which I'd expect, and the client can't connect through to those which is also the behaviour I'd also expect.

The question is this: if the WPA password is known, can the Pineapple successfully emulate both the SSID and credentials effectively allowing the same experience as Karma creates with open networks? And if not, is there something in the wireless protocol that prohibits this or it's simply not a feature in the Pineapple?

Link to comment
Share on other sites

The answer is no.

4 way handshake means the password is never sent.

True, the PSK is never sent during the 4 way handshake. But it is used along with the SSID (both known values at this point) to derive the PMK.

So if we have the PSK and the SSID, why isn't it possible (at least theoretically) for Karma to derive the PMK, generate and send an ANonce, receive the client's SNonce, then verify the PTK of the SNonce, and complete the authentication/association process?

Link to comment
Share on other sites

Nice wikipedia article here: http://en.wikipedia.org/wiki/IEEE_802.11i-2004#The_Four-Way_Handshake

TBH I don't fully understand all the technical details of the process but I think this phrase is very clear "the access point (AP) still needs to authenticate itself to the client station (STA)"

It's a bit of a relief to know that actually. As long as one can stay away from unprotected networks, they can be immune to karma attack then.

Link to comment
Share on other sites

Nice wikipedia article here: http://en.wikipedia.org/wiki/IEEE_802.11i-2004#The_Four-Way_Handshake

TBH I don't fully understand all the technical details of the process but I think this phrase is very clear "the access point (AP) still needs to authenticate itself to the client station (STA)"

It's a bit of a relief to know that actually. As long as one can stay away from unprotected networks, they can be immune to karma attack then.

The AP does not "authenticate" that it is a legitimate AP to the client. It "authenticates" itself by confirming that it knows the correct pre-shared key which is verified by successfully completing the 4-way handshake. So if I sit in your parking lot and setup an AP advertising your SSID and I configure it to use the same PSK that your legit APs are using, then your clients will still successfully associate to my rogue AP. That is a misleading use of the term authenticate in that article.

Link to comment
Share on other sites

The AP does not "authenticate" that it is a legitimate AP to the client. It "authenticates" itself by confirming that it knows the correct pre-shared key which is verified by successfully completing the 4-way handshake. So if I sit in your parking lot and setup an AP advertising your SSID and I configure it to use the same PSK that your legit APs are using, then your clients will still successfully associate to my rogue AP. That is a misleading use of the term authenticate in that article.

I see. So the attack is technically possible only if you know the pre-shared key but not supported currently.

I still find it a low risk though. At least for myself, considering the networks I connect to. Maybe it could be viable option for a targeted attack.

Link to comment
Share on other sites

Jam their ssid, then watch for probe requests being generated by the lost clients, re-configure according to your "objective".

There arent many targets you WONT get.

Link to comment
Share on other sites

Johnnie: Yes, as far as I understand WPA2, it is technically possible if the attacker knowns the PSK (which was a stated condition of the OP's question).

Condor: After watching your signature in utter amazement for a good 5-10 minutes, I'm missing the point of your post. Or maybe it's the early hour and lack of both coffee and sleep. What were you getting at?

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...