I'm not finding a lot of information on this topic although it seems so simple, so I assume it isn't possible, but I was wondering if it is possible or not to create a fake access point that looks like it's password-secured with the same SSID as the targeted AP, but without a real password. Instead, the fake AP would allow the user to connect, no matter the password entered, but log the password the user or device has entered in order to obtain the password of the target AP. Is this possible and if not, why not?
As in the link, WPA uses a challenge-response system instead of sending the actual password. An example system would be someone giving you a random number. You concatenate the password with the number and take a hash of it. The system can then calculate the hash itself (because it knows the password) and check your value matches. – Hector Nov 03 '17 at 11:32
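A toy simulation of the challenge-response idea in Hector's comment above, added here as an illustration rather than code from the thread; it is a simplification (hash of password concatenated with a nonce), not the real WPA/WPA2 handshake, and the function names are invented for the example. It shows that only the nonce and the digest are observable on the air, and that an AP which does not hold the password cannot tell a correct response from a wrong one.

```python
import hashlib
import secrets

# Toy model only (assumption): hash(password || challenge), not the
# actual WPA/WPA2 4-way handshake. Names below are invented for the example.

def make_challenge() -> bytes:
    """AP side: a fresh random nonce for every authentication attempt."""
    return secrets.token_bytes(16)

def compute_response(password: str, challenge: bytes) -> bytes:
    """Client side: the password never leaves the device, only this digest does."""
    return hashlib.sha256(password.encode() + challenge).digest()

def verify_response(ap_password: str, challenge: bytes, response: bytes) -> bool:
    """AP side: recompute with the password it holds; constant-time compare."""
    expected = compute_response(ap_password, challenge)
    return secrets.compare_digest(expected, response)

def run_exchange(client_password: str, ap_password: str):
    """Simulate one attempt; returns (accepted, what an observer sees on the air)."""
    challenge = make_challenge()
    response = compute_response(client_password, challenge)
    on_air = {"challenge": challenge.hex(), "response": response.hex()}
    return verify_response(ap_password, challenge, response), on_air

def password_appears_on_air(client_password: str, ap_password: str) -> bool:
    """True only if the raw password bytes show up in any observable frame."""
    _, on_air = run_exchange(client_password, ap_password)
    pw_hex = client_password.encode().hex()
    return any(pw_hex in frame for frame in on_air.values())

if __name__ == "__main__":
    # Constructed sample passwords.
    accepted, _ = run_exchange("correct horse", "correct horse")
    print("legitimate AP accepts:", accepted)            # True
    accepted, _ = run_exchange("correct horse", "rogue-ap-has-no-password")
    print("AP without the real password can verify:", accepted)  # False
    print("password visible on the air:",
          password_appears_on_air("correct horse", "correct horse"))  # False
```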
If it's challenge-response, wouldn't it be possible to get the hash and crack it by forwarding the challenge and response to the real AP similar to attacks on NTLM? – Daniel Grover Nov 09 '17 at 15:01
1 Answer
If you come at this from a different angle then yes.
Effectively what you are asking is "can I fool the user into typing their real Wifi AP password into a prompt that you control."
Yes this is possible in various ways. In previous pen and social engineering tests I have got the victim onto a website I control then conditionally display various prompts that look and act exactly like system prompts.
Some users fall for it others don't.
To harvest Wifi creds you can display a wifi re-prompt for the password; many will just input their PW without thinking. The more convincing the prompt, the higher the success. A targeted attack will first have the SSID to correctly set the one displayed in the prompt. This can be combined with a persistent de-auth beacon to add a convincer that their wifi has dropped out.
Time all of the above right, with the correct info on the target and this attack vector is very successful.