troyhunt, posted April 29, 2013:
Quickie question guys: I'm seeing probes for WPA protected networks, which I'd expect, and the client can't connect through to those, which is also the behaviour I'd expect. The question is this: if the WPA password is known, can the Pineapple successfully emulate both the SSID and credentials, effectively allowing the same experience as Karma creates with open networks? And if not, is there something in the wireless protocol that prohibits this, or is it simply not a feature in the Pineapple?
Lordx18, posted April 29, 2013:
I'm pretty sure there are threads asking this same question, but I'm pretty sure it can't.
Lordx18, posted April 29, 2013:
http://forums.hak5.org/index.php?/topic/29329-faking-wpa2-networks/?fromsearch=1 Might be what you're looking for (:
Sebkinne, posted April 29, 2013:
The answer is no. The 4-way handshake means the password is never sent.
vidkun, posted April 29, 2013:
> The answer is no. The 4-way handshake means the password is never sent.
True, the PSK is never sent during the 4-way handshake. But it is used along with the SSID (both known values at this point) to derive the PMK. So if we have the PSK and the SSID, why isn't it possible (at least theoretically) for Karma to derive the PMK, generate and send an ANonce, receive the client's SNonce, then verify the PTK of the SNonce, and complete the authentication/association process?
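Worked example of the derivation vidkun describes, added here and not part of any post in this thread: the MAC addresses, nonces, SSID and EAPOL message body are constructed, and the only real value is the "password"/"IEEE" PMK test vector from the 802.11 standard. It shows that the AP's entire proof of identity in a WPA2-PSK handshake is a MIC under a PTK derived from the PSK, so a client can only distinguish its own AP from another PSK holder on 802.1X/EAP networks where it validates the server certificate.

```python
import hashlib
import hmac

# Constructed values for the walk-through (not from the thread).
AP_MAC = bytes.fromhex("020000000001")   # AA: authenticator (AP) address
STA_MAC = bytes.fromhex("020000000002")  # SPA: supplicant (client) address
ANONCE = bytes(range(32))                # nonce the AP sends in message 1
SNONCE = bytes(range(32, 64))            # nonce the STA sends in message 2
MSG2_BODY = b"EAPOL-Key message 2 (constructed body, MIC field zeroed)"


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 256 bits).
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    # 802.11i PRF-512: concatenate HMAC-SHA1(key, label || 0x00 || data || i), i = 0..3.
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4))
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    # Addresses and nonces are ordered min/max, so AP and STA compute the same PTK.
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, frame_with_mic_zeroed: bytes) -> bytes:
    # WPA2/CCMP key MIC: first 16 bytes of HMAC-SHA1 under the KCK (PTK[0:16]).
    return hmac.new(kck, frame_with_mic_zeroed, hashlib.sha1).digest()[:16]


def ap_accepts_message2(ap_passphrase: str, sta_passphrase: str, ssid: str) -> bool:
    """Simulate the check the AP performs on handshake message 2.

    The STA derives its PTK from the PSK it believes in and MICs message 2.
    Nothing on the air carries the PSK; the AP accepts the STA purely because
    a PTK derived from *its own* PSK reproduces that MIC. The same check, run
    on the STA against message 3, is all the "authentication" the AP ever gets.
    """
    sta_ptk = derive_ptk(derive_pmk(sta_passphrase, ssid), AP_MAC, STA_MAC, ANONCE, SNONCE)
    mic_from_sta = eapol_mic(sta_ptk[:16], MSG2_BODY)
    ap_ptk = derive_ptk(derive_pmk(ap_passphrase, ssid), AP_MAC, STA_MAC, ANONCE, SNONCE)
    return hmac.compare_digest(mic_from_sta, eapol_mic(ap_ptk[:16], MSG2_BODY))
```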
Johnnie, posted April 30, 2013:
Nice wikipedia article here: http://en.wikipedia.org/wiki/IEEE_802.11i-2004#The_Four-Way_Handshake TBH I don't fully understand all the technical details of the process, but I think this phrase is very clear: "the access point (AP) still needs to authenticate itself to the client station (STA)". It's a bit of a relief to know that actually. As long as one can stay away from unprotected networks, they can be immune to Karma attacks then.
vidkun, posted April 30, 2013:
> Nice wikipedia article here: http://en.wikipedia.org/wiki/IEEE_802.11i-2004#The_Four-Way_Handshake TBH I don't fully understand all the technical details of the process, but I think this phrase is very clear: "the access point (AP) still needs to authenticate itself to the client station (STA)". It's a bit of a relief to know that actually. As long as one can stay away from unprotected networks, they can be immune to Karma attacks then.
The AP does not "authenticate" that it is a legitimate AP to the client. It "authenticates" itself by confirming that it knows the correct pre-shared key, which is verified by successfully completing the 4-way handshake. So if I sit in your parking lot and set up an AP advertising your SSID, and I configure it to use the same PSK that your legit APs are using, then your clients will still successfully associate to my rogue AP. That is a misleading use of the term "authenticate" in that article.
Johnnie, posted April 30, 2013:
> The AP does not "authenticate" that it is a legitimate AP to the client. It "authenticates" itself by confirming that it knows the correct pre-shared key, which is verified by successfully completing the 4-way handshake. So if I sit in your parking lot and set up an AP advertising your SSID, and I configure it to use the same PSK that your legit APs are using, then your clients will still successfully associate to my rogue AP. That is a misleading use of the term "authenticate" in that article.
I see. So the attack is technically possible only if you know the pre-shared key, but it is not supported currently. I still find it a low risk though, at least for myself, considering the networks I connect to. Maybe it could be a viable option for a targeted attack.
condor, posted May 1, 2013:
Jam their SSID, then watch for probe requests being generated by the lost clients, re-configure according to your "objective". There aren't many targets you WON'T get.
vidkun, posted May 1, 2013:
Johnnie: Yes, as far as I understand WPA2, it is technically possible if the attacker knows the PSK (which was a stated condition of the OP's question).
Condor: After watching your signature in utter amazement for a good 5-10 minutes, I'm missing the point of your post. Or maybe it's the early hour and lack of both coffee and sleep. What were you getting at?