Potential School Man in the Middle attack??

Post by LostinCyberia on Sat May 04, 2013 10:19 pm

Okay... stay with me here. Our school, a small university in New Jersey, has just gotten wifi access all over campus. I work in our school's computer lab, so most come to me when they have questions. Recently we've gotten an influx of people who can't connect to the newly provided wifi by the school. Our IT department gave us instructions on how to help them connect. The instructions are as follows:

1. Go into "Manage wireless networks" and click "Add" to add a new wifi spot.
2. Put in the name; let's say it's called NJSCHOOL.
3. Click on the "Security" tab and uncheck the "Validate server certificate" box.
4. Click on "Configure" and uncheck "Automatically use my Windows logon name".
5. Click on "Advanced settings" and select "User authentication" as the authentication mode.

My question in all of this is: is this secure? Having unchecked the "Validate server certificate" option, doesn't that mean their computers are just accepting any connection that has the name NJSCHOOL?

Couldn't someone easily put up a fake wifi broadcast and let people connect to his computer instead of the school's real wifi? I hope to bring this to the attention of my university if this is the case. Also, if this is legit, can you explain how this all works? Thank you all!


Re: Potential School Man in the Middle attack??

Post by Megaboz on Sun May 05, 2013 1:41 am

It would be good to know a little more about the WLAN in question, but I'm assuming that the network in question is WPA2, 802.1X authenticating against a directory of assigned student/faculty usernames, and that the wireless clients in question aren't joined to an AD domain, since the IT instructions are saying not to use the Windows login? It would also be good to know the type of authentication (EAP/PEAP/etc.), as different methods have different vulnerabilities.

It's true that the clients will join a matching SSID and will attempt to authenticate against it if they don't check for a certificate. The alternative would be the university providing a server certificate, smartcards, or something comparable to ensure the user is connecting to the correct network. It could be the IT department isn't going this route due to the number of support requests it tends to generate, especially on a BYOD/uncontrolled network like the one you describe, or for some other reasons (knowledge, cost/risk analysis, etc.).

Keep in mind what will be gained, and other mitigating factors. They probably employ a distributed network of lightweight WAPs, and may scan for rogue APs. Also, if someone is broadcasting a rogue signal, depending on what type of authentication is in use, the hash they get from the client may not be entirely useful. They could just as easily broadcast an unsecured network with the same SSID, and students may just click on it without reading instructions, and they could be phished with a webpage asking for the user's authentication info.

So, it may be something to talk to them about, but overall the risk analysis may not make the extra trouble worth it (or it might!). Not sure without knowing more details, but good questions to ask.


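The setting the first post describes ("Validate server certificate" unchecked) and the alternative Megaboz mentions (the university providing a server certificate the client checks) both live in the Windows wireless profile that `netsh wlan export profile` writes out as XML. The script below is an added example, not code from either post or from any school's IT department: it builds a constructed profile with the thread's weak settings and one with validation pinned to a RADIUS server, then audits both. The element names (`PerformServerValidation`, `ServerValidation`, `ServerNames`, `TrustedRootCA`, `DisableUserPromptForServerValidation`, `useOneX`) follow Microsoft's documented WLAN/OneX/PEAP profile schema as an assumption; the hostname `radius.njschool.example` and the CA thumbprint are placeholders. Compare with your own exported profile before relying on it.

```python
"""Audit a Windows WLAN profile for PEAP server-validation settings.

Added example, not from the original thread. Element names are assumed to follow
Microsoft's WLAN/OneX/PEAP profile XML (as exported by `netsh wlan export profile`);
matching is on local names only so namespace prefixes do not matter.
"""
import xml.etree.ElementTree as ET

PEAP_V2_NS = "http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2"


def build_profile(ssid, perform_validation, disable_prompt, server_names, trusted_root_ca):
    """Return a minimal, constructed WLAN profile (not a real netsh export)."""
    ca = f"<TrustedRootCA>{trusted_root_ca}</TrustedRootCA>" if trusted_root_ca else ""
    return f"""<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
  <name>{ssid}</name>
  <SSIDConfig><SSID><name>{ssid}</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption>
      <authentication>WPA2</authentication><encryption>AES</encryption><useOneX>true</useOneX>
    </authEncryption>
    <OneX xmlns="http://www.microsoft.com/networking/OneX/v1">
      <authMode>user</authMode>
      <EAPConfig><EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"><Config>
        <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>25</Type>
          <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
            <ServerValidation>
              <DisableUserPromptForServerValidation>{str(disable_prompt).lower()}</DisableUserPromptForServerValidation>
              <ServerNames>{server_names}</ServerNames>{ca}
            </ServerValidation>
            <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1"><Type>26</Type>
              <EapType xmlns="http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1">
                <UseWinLogonCredentials>false</UseWinLogonCredentials>
              </EapType>
            </Eap>
            <PeapExtensions>
              <PerformServerValidation xmlns="{PEAP_V2_NS}">{str(perform_validation).lower()}</PerformServerValidation>
            </PeapExtensions>
          </EapType>
        </Eap>
      </Config></EapHostConfig></EAPConfig>
    </OneX>
  </security></MSM>
</WLANProfile>"""


def _local(tag):
    return tag.rsplit("}", 1)[-1]


def _text(root, name):
    """Text of the first element with this local name (document order); None if absent."""
    for el in root.iter():
        if _local(el.tag) == name:
            return (el.text or "").strip()
    return None


def audit_profile(xml_text):
    """Return a list of findings; an empty list means the PEAP settings look sane."""
    root = ET.fromstring(xml_text)
    ssid = _text(root, "name") or "?"
    if (_text(root, "useOneX") or "").lower() != "true":
        return [f"{ssid}: not an 802.1X profile, nothing to check here"]
    if (_text(root, "PerformServerValidation") or "").lower() != "true":
        # This is what the thread's IT instructions produce.
        return [f"{ssid}: server certificate validation disabled; the client will hand its "
                "credentials to any RADIUS server behind an AP using this SSID"]
    findings = []
    if (_text(root, "DisableUserPromptForServerValidation") or "").lower() != "true":
        findings.append(f"{ssid}: user can be prompted to accept an unknown server certificate")
    if not _text(root, "ServerNames"):
        findings.append(f"{ssid}: no expected server name; any certificate from a trusted CA is accepted")
    if _text(root, "TrustedRootCA") is None:
        findings.append(f"{ssid}: no pinned root CA; every CA in the machine store is trusted")
    return findings


# Constructed profiles: the thread's settings, and the same profile hardened.
# Hostname and thumbprint below are placeholders, not real values.
WEAK_PROFILE = build_profile("NJSCHOOL", perform_validation=False, disable_prompt=False,
                             server_names="", trusted_root_ca=None)
HARDENED_PROFILE = build_profile("NJSCHOOL", perform_validation=True, disable_prompt=True,
                                 server_names="radius.njschool.example",
                                 trusted_root_ca="00 11 22 33 44 55 66 77 88 99 aa bb cc dd ee ff 00 11 22 33")

if __name__ == "__main__":
    for label, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(label, audit_profile(prof) or ["OK"])
```

The audit stops at the first finding when validation is off entirely, because the remaining checks are meaningless at that point: with `PerformServerValidation` false the client never looks at the server certificate, so the name and root-CA settings are irrelevant. Turning validation back on is only half the fix; without a server name and a pinned root, any certificate issued by any CA in the Windows trust store satisfies the check.
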
Re: Potential School Man in the Middle attack??

Post by Kataclysmic on Wed Oct 09, 2013 10:33 pm

I am also interested in this type of attack as well. My college uses a campus-wide WPA2 WLAN that has no password or other type of authentication that I know of. You simply connect to the SSID [collegename] and you will connect. Is there anything I could do with this? Also, could I use something like Wireshark to capture all packets on the network and obtain information, or could the college have done something to prevent this?


Re: Potential School Man in the Middle attack??

Post by WallShadow on Thu Oct 10, 2013 10:24 am

Kataclysmic wrote: I am also interested in this type of attack as well. My college uses a campus-wide WPA2 WLAN that has no password or other type of authentication that I know of. You simply connect to the SSID [collegename] and you will connect. Is there anything I could do with this? Also, could I use something like Wireshark to capture all packets on the network and obtain information, or could the college have done something to prevent this?


If it is using WPA2, then there is a password stored somewhere on the computer you use to connect. If you can get that password, it is a simple task of capturing the traffic (perhaps with airodump-ng or tcpdump), decrypting the packets with airdecap-ng (you will need the password to decrypt them), and viewing the capture file in Wireshark. If you want to do it in real time, you can even set up airtun-ng (with the password) and monitor the network in real time with Wireshark.

Although another possibility is that your campus is using WPA2-EAP, in which case everything becomes different. I'm not sure what would work and what wouldn't.


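The post above describes decrypting captured WPA2-PSK traffic with the network password, which is what airdecap-ng does. The standard-library script below is an added example (not code from the post or from the aircrack-ng project) that carries the key derivation through so the limits are visible: the passphrase and SSID give only the PMK; the per-client PTK also needs the AP and client MAC addresses and both nonces from that client's 4-way handshake, so the handshake has to be in the capture, and the PTK is confirmed by checking the MIC on handshake message 2. The SSID, passphrase, MAC addresses, nonces and EAPOL frame are constructed for the example; the one real value is the IEEE 802.11i test vector for the PMK. CCMP payload decryption with the resulting TK is not implemented here.

```python
"""WPA2-PSK key derivation and 4-way handshake MIC check (IEEE 802.11i).

Added example, not from the original thread. Standard library only.
All handshake values below are constructed; only the PMK test vector is real.
"""
import hashlib
import hmac


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key: bytes, label: bytes, data: bytes) -> bytes:
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, first 64 bytes."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def derive_ptk(pmk, aa, spa, anonce, snonce):
    """PTK from the PMK plus the MAC addresses and nonces exchanged in the 4-way handshake."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = prf512(pmk, b"Pairwise key expansion", data)
    return {"kck": ptk[:16], "kek": ptk[16:32], "tk": ptk[32:48]}


MIC_OFFSET = 81  # EAPOL header (4) + EAPOL-Key fields preceding the MIC (77)


def eapol_key_mic(kck, frame):
    """WPA2/AES (key info version 2): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]."""
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def build_msg2(snonce, mic=b"\x00" * 16):
    """Constructed EAPOL-Key message 2 (client -> AP) with empty key data; not a capture."""
    body = (b"\x02"                       # descriptor type: RSN
            + b"\x01\x0a"                 # key info: version 2 (HMAC-SHA1), pairwise, MIC set
            + b"\x00\x10"                 # key length
            + (1).to_bytes(8, "big")      # replay counter
            + snonce                      # SNonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8   # key IV, RSC, key ID
            + mic + b"\x00\x00")          # MIC, key data length 0
    return b"\x02\x03" + len(body).to_bytes(2, "big") + body


def client_sign_msg2(passphrase, ssid, aa, spa, anonce, snonce):
    """The legitimate client's side: derive the PTK and MIC message 2 with the KCK."""
    kck = derive_ptk(pmk_from_passphrase(passphrase, ssid), aa, spa, anonce, snonce)["kck"]
    return build_msg2(snonce, eapol_key_mic(kck, build_msg2(snonce)))


def ptk_from_capture(candidate_passphrase, ssid, aa, spa, anonce, snonce, msg2):
    """The observer's side (what airdecap-ng effectively does): rederive the PTK from the
    captured handshake and accept it only if the MIC in message 2 verifies."""
    ptk = derive_ptk(pmk_from_passphrase(candidate_passphrase, ssid), aa, spa, anonce, snonce)
    captured_mic = msg2[MIC_OFFSET:MIC_OFFSET + 16]
    if hmac.compare_digest(captured_mic, eapol_key_mic(ptk["kck"], msg2)):
        return ptk
    return None


# Constructed handshake values for this example (not from any real network).
SSID, PASSPHRASE = "collegename", "correct horse battery staple"
AP_MAC = bytes.fromhex("a0a1a2a3a4a5")
CLIENT_MAC = bytes.fromhex("b0b1b2b3b4b5")
ANONCE = bytes(range(0xE0, 0xE0 + 32))
SNONCE = bytes(range(0xC0, 0xC0 + 32))
MSG2 = client_sign_msg2(PASSPHRASE, SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE)

if __name__ == "__main__":
    ptk = ptk_from_capture(PASSPHRASE, SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, MSG2)
    print("TK (CCMP data key) for this client:", ptk["tk"].hex())
    print("wrong passphrase:", ptk_from_capture("guest", SSID, AP_MAC, CLIENT_MAC, ANONCE, SNONCE, MSG2))
```

Two things follow from the code that the post leaves implicit. Every client derives a different TK because the nonces differ, so a capture that missed a client's handshake cannot be decrypted even with the right passphrase. And the whole derivation starts from a passphrase shared by everyone on the network; on a WPA2-EAP (802.1X) network the PMK comes out of each user's own EAP exchange instead, which is why the post says "everything becomes different" there. An SSID that connects with no password at all is either open, in which case there is nothing to decrypt, or 802.1X with cached credentials, and Wireshark will show which.
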
Re: Potential School Man in the Middle attack??

Post by 0phidian on Thu Oct 10, 2013 11:04 am

WallShadow wrote:...


WallShadow!! I haven't seen you on here in forever, where the heck have you been?


Re: Potential School Man in the Middle attack??

Post by WallShadow on Thu Oct 10, 2013 9:19 pm

0phidian wrote: WallShadow!! I haven't seen you on here in forever, where the heck have you been?


Lots of places, college to name one. It's not an easy time for me right now. Sorry :)


Re: Potential School Man in the Middle attack??

Post by hellow533 on Fri Oct 11, 2013 3:17 am

WallShadow wrote:
Kataclysmic wrote: I am also interested in this type of attack as well. My college uses a campus-wide WPA2 WLAN that has no password or other type of authentication that I know of. You simply connect to the SSID [collegename] and you will connect. Is there anything I could do with this? Also, could I use something like Wireshark to capture all packets on the network and obtain information, or could the college have done something to prevent this?


If it is using WPA2, then there is a password stored somewhere on the computer you use to connect. If you can get that password, it is a simple task of capturing the traffic (perhaps with airodump-ng or tcpdump), decrypting the packets with airdecap-ng (you will need the password to decrypt them), and viewing the capture file in Wireshark. If you want to do it in real time, you can even set up airtun-ng (with the password) and monitor the network in real time with Wireshark.

Although another possibility is that your campus is using WPA2-EAP, in which case everything becomes different. I'm not sure what would work and what wouldn't.

I don't know if it's already been said since I only skimmed this, but to capture air traffic you also need an air traffic capturing device. Not just a standard wireless card, either. These can run you for hundreds. I own them for work, but generally you want to try every route possible before you resort to air capturing. I noticed you said there is no password, yet you say it uses WPA2 encryption. I don't know if you confused WPA2 with 802.11* or not. If you can just connect wirelessly then, as stated above, you can just sit there with tcpdump or Wireshark. I can't think of the name because I'm fucked right now, but some servers have individual information access. You connect to the server and have almost a single-access connection to mirrored databases. Depending on the setup, they can run thousands of users at the same time. So no two computers would have the ability to talk to each other, since you aren't just talking to the same server, but to be connected must be assigned an individual thing. Fuck, I can't think of it right now; I'll see if I can remember in the morning. Anyway, it's what a lot of government servers use to keep users from being able to talk to each other. So if you wanted to get around that, you would have to see if the information is sent over the air (though in most cases it would be pointless to run this setup with wireless access as well, if possible at all?).

So yeah, anyway, your best bet is to use a wireless bridge as opposed to a wireless card. They generally run better with information-gathering software, last I checked. Unless you plan on using AirPcap, but unless there is an actual password to the access point it would be pointless.


Re: Potential School Man in the Middle attack??

Post by WallShadow on Fri Oct 11, 2013 3:33 am

hellow533 wrote:I don't know if it's already been said since I only skimmed this, but to capture air traffic you also need an air traffic capturing device. Not just a standard wireless card, either. These can run you for hundreds.


Not entirely true; you do need a specialized wireless card, but they can come cheap. Some laptops already have them built in, but if they don't, a $15 USB Alfa card will work fine (that's what I used for all wireless pen-testing).


Re: Potential School Man in the Middle attack??

Post by Kataclysmic on Mon Oct 14, 2013 11:34 am

WallShadow wrote:
hellow533 wrote:I don't know if it's already been said since I only skimmed this, but to capture air traffic you also need an air traffic capturing device. Not just a standard wireless card, either. These can run you for hundreds.


Not entirely true; you do need a specialized wireless card, but they can come cheap. Some laptops already have them built in, but if they don't, a $15 USB Alfa card will work fine (that's what I used for all wireless pen-testing).

It is an 802.11n network actually, I just checked. Does that make a difference, or could I just open Wireshark now?


Re: Potential School Man in the Middle attack??

Post by WallShadow on Mon Oct 14, 2013 4:51 pm

Kataclysmic wrote: It is an 802.11n network actually, I just checked. Does that make a difference, or could I just open Wireshark now?


Your best bet is to try and see what works; go ahead.