Obtaining a public key from an access point?
bryan at kadzban.is-a-geek.net
Fri Jul 27 13:07:43 EDT 2007
On Thu, Jul 26, 2007 at 08:08:35PM -0700, Dan Stromberg wrote:
> Anyway, when you set up a windows machine for
> wireless here, it gives you a warning about the certificate, and the admins
> (who apparently don't give out the wireless password) quickly click past the
> warning and call it done.
> And of course, when I asked our admins for the public key, they just ignored
> me. :(
Set up your own AP, configured to talk to your own PEAP RADIUS server.
Get the admins to connect a machine to the wireless in range of your AP
(since the cert is different, it'll have to be a new machine). They'll
just blindly click through the cert warning, and connect -- and you can
then (a) collect the password, since you'll have the private key for the
PEAP cert and control over the RADIUS server, or (b) infect the new
machines with all the latest Windows worms.
Or do both. ;-)
(OK, this is probably a horrible idea, and probably violates several
parts of your employment contract. But this kind of attack is *exactly*
why self-signed certs aren't a good idea unless you verify the
fingerprint every time you set up a new client. And if they're blindly
clicking through, then they're not verifying anything.)
> Which leads to my question: Is there some program I can run on windows
> [...] that'll obtain the public key, and stuff it in a file
Wireshark perhaps? You'd have to sniff the EAPOL frames during the PEAP
setup, but the cert should be part of those frames. Getting it out may
be difficult, but should be doable if you can interpret the server hello
packet in the PEAP exchange.
Depending on your wireless card's driver, though, this may not work --
Wireshark can't always sniff packets from wireless NICs on Windows.
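The extraction sketched above, as an added example that is not code from the original message or from the hostap project: it takes the EAPOL payloads a sniffer hands back (802.1X header onward, after the 802.11/Ethernet header is stripped), keeps only the EAP-Request/PEAP frames since the server's side is what carries the certificate, reassembles the TLS stream across EAP fragments (the M flag), and pulls the DER certificate out of the TLS Certificate handshake message, which follows the ServerHello in the same flight. The fingerprint it prints is what you would compare against when a client shows its certificate warning. All frames below are constructed for the example and the DER blob is a placeholder, not a real certificate.

```python
"""Pull the RADIUS server certificate out of a sniffed PEAP exchange.
Added example; sample frames are constructed here, FAKE_DER is not a real cert."""
import base64
import hashlib
import struct

EAPOL_EAP_PACKET = 0        # EAPOL type for EAP-Packet (Key/Logoff are skipped)
EAP_REQUEST, EAP_RESPONSE = 1, 2
EAP_TYPE_PEAP = 25
TLS_HANDSHAKE = 22
TLS_HS_SERVER_HELLO, TLS_HS_CERTIFICATE = 2, 11
FLAG_LENGTH_INCLUDED, FLAG_MORE_FRAGMENTS, FLAG_START = 0x80, 0x40, 0x20


def eap_tls_payloads(eapol_frames):
    """Yield (flags, tls_bytes) for each EAP-Request/PEAP frame (server side only)."""
    for frame in eapol_frames:
        _ver, ptype, length = struct.unpack("!BBH", frame[:4])
        if ptype != EAPOL_EAP_PACKET:
            continue
        eap = frame[4:4 + length]
        code, _ident, eap_len, eap_type = struct.unpack("!BBHB", eap[:5])
        if code != EAP_REQUEST or eap_type != EAP_TYPE_PEAP:
            continue                      # client responses never carry the cert
        flags, body = eap[5], eap[6:eap_len]
        if flags & FLAG_LENGTH_INCLUDED:
            body = body[4:]               # drop the 4-byte total TLS length field
        yield flags, body


def reassemble_server_tls(eapol_frames):
    """Concatenate the server's TLS bytes across fragmented EAP requests."""
    return b"".join(body for flags, body in eap_tls_payloads(eapol_frames)
                    if not (flags & FLAG_START and not body))   # PEAP-Start is empty


def handshake_messages(tls_stream):
    """Walk TLS records; yield (handshake_type, body), joining records if needed."""
    pending, pos = bytearray(), 0
    while pos + 5 <= len(tls_stream):
        ctype, _ver, rlen = struct.unpack("!BHH", tls_stream[pos:pos + 5])
        fragment, pos = tls_stream[pos + 5:pos + 5 + rlen], pos + 5 + rlen
        if ctype != TLS_HANDSHAKE:
            continue
        pending += fragment
        while len(pending) >= 4:
            htype, hlen = pending[0], int.from_bytes(pending[1:4], "big")
            if len(pending) < 4 + hlen:
                break                     # rest of this message is in the next record
            yield htype, bytes(pending[4:4 + hlen])
            del pending[:4 + hlen]


def extract_certificates(eapol_frames):
    """Return the DER certs (leaf first) from the server's Certificate message."""
    for htype, body in handshake_messages(reassemble_server_tls(eapol_frames)):
        if htype != TLS_HS_CERTIFICATE:
            continue
        total, pos, chain = int.from_bytes(body[:3], "big"), 3, []
        while pos < 3 + total:
            clen = int.from_bytes(body[pos:pos + 3], "big")
            chain.append(body[pos + 3:pos + 3 + clen])
            pos += 3 + clen
        return chain
    return []


def to_pem(der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def sha1_fingerprint(der):
    return ":".join(f"{b:02X}" for b in hashlib.sha1(der).digest())


# ---- constructed sample capture (helpers build the frames the parser consumes) ----
def _record(body):
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0301, len(body)) + body

def _handshake(htype, body):
    return bytes([htype]) + len(body).to_bytes(3, "big") + body

def _eapol_eap(code, ident, flags, tls, total=0):
    body = bytes([flags]) + (struct.pack("!I", total) if flags & FLAG_LENGTH_INCLUDED else b"") + tls
    eap = struct.pack("!BBHB", code, ident, 5 + len(body), EAP_TYPE_PEAP) + body
    return struct.pack("!BBH", 1, EAPOL_EAP_PACKET, len(eap)) + eap

FAKE_DER = bytes(range(0x30, 0x30 + 40))          # placeholder, not a real certificate
_server_hello = _handshake(TLS_HS_SERVER_HELLO, b"\x03\x01" + b"\x00" * 32 + b"\x00\x00\x2f\x00")
_cert_msg = _handshake(TLS_HS_CERTIFICATE,
                       (len(FAKE_DER) + 3).to_bytes(3, "big") + len(FAKE_DER).to_bytes(3, "big") + FAKE_DER)
SAMPLE_TLS_STREAM = _record(_server_hello) + _record(_cert_msg)
_cut = len(SAMPLE_TLS_STREAM) // 2
SAMPLE_FRAMES = [
    _eapol_eap(EAP_REQUEST, 1, FLAG_START, b""),                       # PEAP-Start
    _eapol_eap(EAP_RESPONSE, 1, 0, b"\x16\x03\x01\x00\x00"),           # client: skipped
    _eapol_eap(EAP_REQUEST, 2, FLAG_LENGTH_INCLUDED | FLAG_MORE_FRAGMENTS,
               SAMPLE_TLS_STREAM[:_cut], len(SAMPLE_TLS_STREAM)),      # fragment 1
    _eapol_eap(EAP_RESPONSE, 2, 0, b""),                               # client ACK: skipped
    _eapol_eap(EAP_REQUEST, 3, 0, SAMPLE_TLS_STREAM[_cut:]),           # fragment 2
]

if __name__ == "__main__":
    for der in extract_certificates(SAMPLE_FRAMES):
        print(sha1_fingerprint(der))
        print(to_pem(der), end="")
```

With a real capture, Wireshark already dissects EAP-PEAP down to the TLS handshake and shows the Certificate message; this script does the same step by hand from the raw EAPOL bytes and writes PEM, which any TLS toolkit can then read to get the public key out. Only the first Certificate message is used, so a capture with several sessions yields the cert from the first one.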