
Authentication on Unencrypted WLANs

A lot of WLANs that are unencrypted (like at universities) have a simple entrance authentication that assigns people temporary IPs and then redirects their requests to a username/password form. After that the access points will accommodate them until the session times out.

What's to prevent someone from using that same IP address at the same time or after the legitimate user stops using the internet but doesn't log out/time out, thereby "assuming" someone else's session?
 
Fair enough. But one could at least maintain that particular session as long as a legitimate user could.
And I don't see why it would even be necessary to mac spoof to accomplish this. The mac would be used only in the dhcp that the legitimate user did anyway. Seems like all it would take is the ip and default gateway in order to assume the session.
 
the mac and its associated IP are only good for a period of time.

You would have to spoof the mac and IP. The access points maintain this information/mapping.
 
OK. So it's not as simple as just manually configuring an IP address. But combined with mac spoofing, it sure seems doable if the network only authenticates once at the beginning of the session.
Is this impractical? Why isn't this done more?
 
because there are other measures as well.

for one if the wireless system sees duplicate macs at any time it shuts them down.

Plus you can't just manually configure an IP address. The wireless system simply will not allow it. The address must be configured with DHCP.

the APs and control software monitor all of this.
 
Doesn't really matter if you do get in. The packet shaper won't let you do anything they don't want you to do anyways and I'm sure the wireless is at least a separate VLAN. You also didn't mention what exactly it is you are logging into after the connection. Just because the wireless signal is not encrypted does not mean the transmissions are totally open for spoofing.
 
Logging on just for the sake of free wifi. Nothing more.
What countermeasures could there possibly be? Duplicate MAC addresses? The access points have no way of distinguishing whether the "duplicates" are coming from one computer (legitimate) or two (wifi theft).
 
Originally posted by: PantherModern1
Logging on just for the sake of free wifi. Nothing more.
What countermeasures could there possibly be? Duplicate MAC addresses? The access points have no way of distinguishing whether the "duplicates" are coming from one computer (legitimate) or two (wifi theft).

yes they can, yes they do.

different signal strengths and being seen by 3 or more radios and then perform triangulation. Heck depending on how good the system is it can even locate you with a fair degree of accuracy.

Good discussion though.

Other access points will still "hear" your radio even though you may not be associated with them.
 
That's interesting spidey, thanks for your help.
Yeah there's a security certificate, one of those standard public key ones for encrypting the password, that's all.
Most of your objections seem to assume a sophisticated system. If it was less secure, and for example, had areas that only one access point reached, it still seems possible.
 
Originally posted by: PantherModern1
That's interesting spidey, thanks for your help.
Yeah there's a security certificate, one of those standard public key ones for encrypting the password, that's all.
Most of your objections seem to assume a sophisticated system. If it was less secure, and for example, had areas that only one access point reached, it still seems possible.

Could be.

But it all depends on how it is set up. I'm sure you are aware of just how difficult it is to set up a secure wireless network for hot-spot access - most of the people that do are clueless.
 
They may also use time based certificates to validate you (tls authentication). WiFi insecurity may still be big in home's craptastic companies, but any company who has a wifi initiative will lock the network down so tight that you won't be able to get in. Cisco is now adding Network Admission Control to their wireless stuff, that will work with their other NAC stuff to authenticate and verify the state of the connecting computer.
 
<Plus you can't just manually configure an IP address. The wireless system simply will not allow it. The address must be configured with DHCP.>

mac and countermeasure issues aside, why not? what's the difference between one user receiving an ip through dhcp, and another user typing in the ip address, default gateway, etc. manually into the windows control panel's network configuration?
 
Many / most / all of the captive portals install a cookie or SSL cert on the host when it's authenticated (watch the session change from http: to httpS: )

That prevents man-in-the-middle and spoofing intrusions.

Many / most "hotspot" type setups also prevent one client from directly talking to other clients ... it's a setting on the (commercial) APs and security systems.

It wouldn't make sense to go through all the bother of installing this stuff to have it so easily defeated.

Sometimes they get smart people to design this stuff ...

FWIW

Scott
 
Originally posted by: PantherModern1
<Plus you can't just manually configure an IP address. The wireless system simply will not allow it. The address must be configured with DHCP.>

mac and countermeasure issues aside, why not? what's the difference between one user receiving an ip through dhcp, and another user typing in the ip address, default gateway, etc. manually into the windows control panel's network configuration?

The APs and security system will not allow a node to communicate unless it has seen the appropriate DHCP request, offer and acknowledgement. Like I said earlier these bindings and mappings are maintained by the security system and the APs get their orders from the security system. You can also have the APs themselves track it.

In cisco world this is called "trust", an untrusted network is one that doesn't allow static IPs. Do I trust nodes on the wireless and should I allow them to have static addresses or do I use the intelligence of the network to disallow this?

ScottMac brings up another excellent point. A lot of times the "captive portal" controls all of this and works in concert with the APs.
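
The binding check described in the post above, sketched as an added example that is not part of any post in this thread or any vendor's code. The class, field and verdict names are hypothetical, the events are constructed, and client roaming between APs is not modelled.

```python
from dataclasses import dataclass

@dataclass
class Binding:
    ip: str
    port: str       # AP where the DHCP exchange was snooped
    expires: float  # absolute lease expiry (seconds)

class BindingTable:
    """Toy DHCP-snooping table; names and verdict strings are hypothetical."""

    def __init__(self):
        self.pending = {}   # mac -> AP that carried the client's DHCP REQUEST
        self.bound = {}     # mac -> Binding

    def observe_dhcp(self, now, msg, mac, port=None, ip=None, lease=0):
        if msg == "REQUEST":
            self.pending[mac] = port
        elif msg == "ACK" and mac in self.pending:
            # Only a server ACK that answers a snooped REQUEST creates a binding.
            self.bound[mac] = Binding(ip, self.pending.pop(mac), now + lease)

    def check(self, now, mac, ip, port):
        b = self.bound.get(mac)
        if b is None:
            return "drop:no-binding"       # static address, no DHCP exchange seen
        if now >= b.expires:
            del self.bound[mac]
            return "drop:lease-expired"    # the mapping is only good for a while
        if ip != b.ip:
            return "drop:ip-mismatch"
        if port != b.port:
            return "drop:mac-on-other-ap"  # same MAC heard on a second AP
        return "forward"

def demo():
    t = BindingTable()
    # Constructed sample: one client completes DHCP on ap1 with a 600 s lease.
    t.observe_dhcp(0, "REQUEST", "aa:aa:aa:00:00:01", port="ap1")
    t.observe_dhcp(1, "ACK", "aa:aa:aa:00:00:01", ip="10.0.0.23", lease=600)
    frames = [  # (time, source MAC, source IP, receiving AP)
        (5,   "aa:aa:aa:00:00:01", "10.0.0.23", "ap1"),
        (6,   "bb:bb:bb:00:00:02", "10.0.0.23", "ap1"),
        (7,   "aa:aa:aa:00:00:01", "10.0.0.99", "ap1"),
        (8,   "aa:aa:aa:00:00:01", "10.0.0.23", "ap2"),
        (700, "aa:aa:aa:00:00:01", "10.0.0.23", "ap1"),
    ]
    return [t.check(*f) for f in frames]

if __name__ == "__main__":
    print(demo())
```

The verdicts line up with points made in the thread: no traffic without a snooped DHCP exchange, a mapping that expires with the lease, and a MAC that turns up on a second AP being flagged.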
 