aryakangler Posted February 12, 2016

I'm using OS X 10.11.3 on university WiFi networks (2G & 5G APs depending on your location on campus). WPA2-Enterprise [EAP-TTLS (MSCHAPv2)]. I've always been interested in breaking things, but never interested enough to risk violating the ambiguous CFAA. Of course the university also has a strict Computer & Network Security Policy. Therefore, I am in no way attempting to (or asking for information to assist in) violating either of these. My interest is purely in personal privacy and security.

I am constantly looking at the available networks and have noticed that although prohibited by the university, you don't have to wander much to find at least one rogue AP. I suspect these APs are merely personal hotspots, but it seems possible more nefarious reasons could be lurking.

One thing I've noticed is occasionally my WiFi connection drops, and a dialog box pops up requesting my login information. When this occurs, I simply close the dialog box, and I am quickly reconnected to the network. This led me to ponder the possibility of someone running a MITM-style attack. Having never connected to a WPA2-Enterprise network before, I regretfully didn't pay much attention to the process. I admittedly followed the setup procedures without really questioning things. I cannot find where Apple stores the CA I accepted upon first connection, but I am concerned about its validity. I went as far as deleting the network and adding it again but was not presented with a CA. Is this even a concern? If I understand what I've read, allowing users to accept a CA that is not trusted by Apple is not a good idea. In these cases it sounds as if manual configuration by IT staff is necessary. I can't find information regarding the login prompts that occasionally pop up, and if they are legitimate, how I am able to stay connected after not providing information.
I believe I have located an area on campus that consistently causes a login prompt. However, I'm guessing I've been handed over to several different APs in the network extension, so maybe this is why?

This question has also led me to wonder what type of activity network admins have access to. Do network admins also have the ability to monitor the pages I view? I.e.: do they know I read The Hacker News daily, or visit Hak5 forums, etc.? I assume a WIDS is in use. But… then why, or how, are these rogue APs consistently detected? Any sort of useful packet capture over 802.11x networks is next to impossible, right? I haven't attempted any sort of network scan other than monitoring APs beaming SSIDs. My interpretation of the CNSP doesn't sound as if they find it acceptable to poke around their network for possible holes.