Why Rogue Access Points Cannot Sniff Cleartext WPA/2 Passphrase?


(Brian Waltse) #1

I was wondering, why can rougeAPs not capture wpa passkeys.

I know that several wireless cards have the ability to create an access point, and after a user connects they can be phished and spoofed. I know that they cannot currently capture passwords because it requires a 4 way handshake, and your AP must already know the passphrase. What i am wondering is since the AP must compare the passwords in some way, why can an access point not have a password of all like Password='*' and then send the passphrase to the user. Even if this was a “re-invent the wheel” situation wouldn’t it be worth it?
This makes me wonder if a hacker could re-invent other services to get protected data.

(Hardeep Singh) #2
  1. A ‘*’ is semantically a regular expression which means “everything” but to resolve it to everything either there should be an underlying subset of some values, or some strings being provided in real time to include in an empty subset.
    Neither of which is the case in a 4 way handshake.

  2. Even if an asterisk (*) works. It would mean any random password WILL WORK for any random WiFi access point.
    If that’s true, then the whole ourpose of WiFi security is defeated even before switching to an encryption mechanism.

  3. Now the real thing. The passphrase you enter is passed to a function named PBKDF2 (Password Based Key Derivation Function, 2 for WPA2). The password is then hashed with the Access Point name (SSID) and SSID length. and it is then hashed using SHA-256, over 4096 iterations of the same hash is done. and the output is a 256-bit key called the PSK or Pre Shared Key (wpa_passphrase <SSID> <password> will give you one). Since the passphrase and SSID along with the SSID length makes the whole psk unique. there is really no way left for the ‘*’ for amy hacker to implement or use.
    That’s why all the alternatives to get the key, wither hashed or plain text. But there is really no room for any regular expression in the process. else there is no need for WPA2.
    Open wireless was perfectly fine to use.

How to Speed up Dictionary Attack?
GenPMK cmd Error - Kali Linux
(Hardeep Singh) #3

Bumping up the thread. As it is totally relevant and I think this is a very useful thread and can help a lot of beginners in the WiFi security field.

(hello kitty) #4

Your asking several very good questions:

Because even if you create a network on the same channel, ESSID and BSSID, (where basically everything up to step 3 of the 4wayhandshake is the same) the final PMKID will be different without the exact password --When you connect to a WPA2 network, and it ask for password, your password is actually never sent to the router, its not necasarily encrypted either in the traditional protected WPA2 password encrypted frames, BUT Your OS hashes the password you entered with the MAC Address and sends it to the router in a weird seperate frame (where all the EAPOL stuff happens) and if its the right PMKID hash.

the weird part is even unauthenticated users can still sniff up this portion even if their not directly connected to the IPv4 level, their is probably a huge exploit in being able to sniff it in theory and than reverse hash it with the clients MAC Address to calculate what the password entered was but thats a little to far for me

to awnser your second question, despite the fact that different routers use different firmware and different languages to accomplish the end goal, they all most follow a very strict IEEE / wifi alliance standardized process that comes out pretty much exactly the same no matter how different each router chooses to impliment it, attacks like using: “Password=’*’” format will only work if the password is databased somewhere into the router, Im not sure how and where exactly the WPA2 password is saved into the router, but its not a database so injection type attacks or magic passwords wont work, (unless in theory you are able to create such a weird password that when hashed with your mac address creates the exact same hash that an authenticated user with right password would equate to [public collision encryption attack] but that may be impossable

for the actual administrative panel for the routers themselves however, to log in to change ESSID/port forward (etc) plenty of those actually are vulnerable, and are vulnerable to XSS/CSRF attacks that can provide password, and further some use very multi layered languages like JSP to render pages and within that a whole bunch of exploits…

(Hardeep Singh) #5

That’s because of the unencrypted management frame. Although 802.11w is a patch to this vulnerability, but unfortunately isn’t applied on majority of the routers. Maybe because WPA3 was more important to the alliance.

by the way, It’s refreshing to see knowledgeable people like you sharing knowledge with a fellow beginner. Really feels good :slight_smile: Thanks for contributing to this community @josepherickson135 Would love to see more WiFi stuff or, maybe other as well, from you in coming time :slight_smile: