Authentication on Unencrypted WLANs

Jul 15, 2005
A lot of WLANs that are unencrypted (like at universities) have a simple entrance authentication that assigns people temporary IPs and then redirects their requests to a username/password form. After that the access points will accommodate them until the session times out.

What's to prevent someone from using that same IP address at the same time or after the legitimate user stops using the internet but doesn't log out/time out, thereby "assuming" someone else's session?
 
Jul 15, 2005
Fair enough. But one could at least maintain that particular session as long as a legitimate user could.
And I don't see why it would even be necessary to mac spoof to accomplish this. The mac would be used only in the dhcp that the legitimate user did anyway. Seems like all it would take is the ip and default gateway in order to assume the session.
 

spidey07

No Lifer
Aug 4, 2000
the mac and its associated IP are only good for a period of time.

You would have to spoof the mac and IP. The access points maintain this information/mapping.
 
Jul 15, 2005
OK. So it's not as simple as just manually configuring an IP address. But combined with mac spoofing, it sure seems doable if the network only authenticates once at the beginning of the session.
Is this impractical? Why isn't this done more?
 

spidey07

No Lifer
Aug 4, 2000
because there are other measures as well.

for one if the wireless system sees duplicate macs at any time it shuts them down.

Plus you can't just manually configure an IP address. The wireless system simply will not allow it. The address must be configured with DHCP.

the APs and control software monitor all of this.
 

LOFBenson

Member
Sep 11, 2000
Doesn't really matter if you do get in. The packet shaper won't let you do anything they don't want you to do anyways and I'm sure the wireless is at least a separate VLAN. You also didn't mention what exactly it is you are logging into after the connection. Just because the wireless signal is not encrypted does not mean the transmissions are totally open for spoofing.
 
Jul 15, 2005
Logging on just for the sake of free wifi. Nothing more.
What countermeasures could there possibly be? Duplicate MAC addresses? The access points have no way of distinguishing whether the "duplicates" are coming from one computer (legitimate) or two (wifi theft).
 

spidey07

No Lifer
Aug 4, 2000
Originally posted by: PantherModern1
Logging on just for the sake of free wifi. Nothing more.
What countermeasures could there possibly be? Duplicate MAC addresses? The access points have no way of distinguishing whether the "duplicates" are coming from one computer (legitimate) or two (wifi theft).

yes they can, yes they do.

different signal strengths and being seen by 3 or more radios and then perform triangulation. Heck depending on how good the system is it can even locate you with a fair degree of accuracy.

Good discussion though.

Other access points will still "hear" your radio even though you may not be associated with them.
 
Jul 15, 2005
That's interesting spidey, thanks for your help.
Yeah there's a security certificate, one of those standard public key ones for encrypting the password, that's all.
Most of your objections seem to assume a sophisticated system. If it was less secure, and for example, had areas that only one access point reached, it still seems possible.
 

spidey07

No Lifer
Aug 4, 2000
Originally posted by: PantherModern1
That's interesting spidey, thanks for your help.
Yeah there's a security certificate, one of those standard public key ones for encrypting the password, that's all.
Most of your objections seem to assume a sophisticated system. If it was less secure, and for example, had areas that only one access point reached, it still seems possible.

Could be.

But it all depends on how it is set up. I'm sure you are aware of just how difficult it is to set up a secure wireless network for hot-spot access - most of the people that do are clueless.
 

nweaver

Diamond Member
Jan 21, 2001
They may also use time based certificates to validate you (TLS authentication). WiFi insecurity may still be big in home's craptastic companies, but any company who has a wifi initiative will lock the network down so tight that you won't be able to get in. Cisco is now adding Network Admissions to Control to their wireless stuff, that will work with their other NAC stuff to authenticate and verify the state of the connecting computer.
 

spidey07

No Lifer
Aug 4, 2000
Originally posted by: LOFBenson
Originally posted by: spidey07
Originally posted by: LOFBenson
One of these would spot you

Guess you can tell I'm intimately familiar with them?

;)

I don't get to play with them :( Yet :) Just similar stuff for non-wireless.

If you have multiple access points just get one. Or look into the airspace offerings (cisco bought them). good stuff there as well.
 
Jul 15, 2005
<Plus you can't just manually configure an IP address. The wireless system simply will not allow it. The address must be configured with DHCP.>

mac and countermeasure issues aside, why not? what's the difference between one user receiving an ip through dhcp, and another user typing in the ip address, default gateway, etc. manually into the windows control panel's network configuration?
 

ScottMac

Moderator, Networking, Elite member
Mar 19, 2001
Many / most / all of the captive portals install a cookie or SSL cert on the host when it's authenticated (watch the session change from http: to httpS: )

That prevents man-in-the-middle and spoofing intrusions.

Many / most "hotspot" type setups also prevent one client from directly talking to other clients ... it's a setting on the (commercial) APs and security systems.

It wouldn't make sense to go through all the bother of installing this stuff to have it so easily defeated.

Sometimes they get smart people to design this stuff ...

FWIW

Scott
 

spidey07

No Lifer
Aug 4, 2000
Originally posted by: PantherModern1
<Plus you can't just manually configure an IP address. The wireless system simply will not allow it. The address must be configured with DHCP.>

mac and countermeasure issues aside, why not? what's the difference between one user receiving an ip through dhcp, and another user typing in the ip address, default gateway, etc. manually into the windows control panel's network configuration?

The APs and security system will not allow a node to communicate unless it has seen the appropriate DHCP request, offer and acknowledgement. Like I said earlier these bindings and mappings are maintained by the security system and the APs get their orders from the security system. You can also have the APs themselves track it.

In cisco world this is called "trust", an untrusted network is one that doesn't allow static IPs. Do I trust nodes on the wireless and should I allow them to have static addresses or do I use the intelligence of the network to disallow this?

ScottMac brings up another excellent point. A lot of times the "captive portal" controls all of this and works in concert with the APs.
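
The binding check described in the post above, modelled as an added example that is not part of the original thread or any vendor's code: a table learns MAC-to-IP bindings only from a DHCP request followed by a server acknowledgement, and data frames are forwarded only while a matching, unexpired binding exists. The class and method names, message fields, MAC/IP values and lease times are all constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Binding:
    ip: str
    expires: float  # absolute time at which the lease ends

class BindingTable:
    """Toy model of DHCP-learned bindings plus a per-frame source check."""

    def __init__(self):
        self.pending = {}  # mac -> ip requested, still awaiting a server ACK
        self.bound = {}    # mac -> Binding learned from a completed exchange

    def on_dhcp(self, msg_type, mac, ip, now, lease=0, from_server=False):
        """Feed one observed DHCP message into the table."""
        if msg_type == "REQUEST" and not from_server:
            self.pending[mac] = ip
        elif msg_type == "ACK":
            # Only an ACK arriving from the trusted server side, matching a
            # request actually seen from this MAC, creates a binding.
            if from_server and self.pending.get(mac) == ip:
                self.bound[mac] = Binding(ip, now + lease)
                del self.pending[mac]
        elif msg_type == "RELEASE" and not from_server:
            self.bound.pop(mac, None)

    def check_frame(self, mac, src_ip, now):
        """Return the verdict for a data frame sent by (mac, src_ip)."""
        b = self.bound.get(mac)
        if b is None:
            return "drop: no DHCP binding for this MAC"
        if now >= b.expires:
            del self.bound[mac]  # bindings are only good for the lease time
            return "drop: lease expired"
        if b.ip != src_ip:
            return "drop: source IP does not match binding"
        return "forward"

def demo():
    """Constructed sample: one client completes DHCP, then four frames arrive."""
    t = BindingTable()
    t.on_dhcp("REQUEST", "aa:aa:aa:aa:aa:01", "10.0.0.23", now=0)
    t.on_dhcp("ACK", "aa:aa:aa:aa:aa:01", "10.0.0.23", now=0, lease=600, from_server=True)
    return [
        t.check_frame("aa:aa:aa:aa:aa:01", "10.0.0.23", now=10),   # bound client
        t.check_frame("aa:aa:aa:aa:aa:02", "10.0.0.23", now=10),   # static IP, no DHCP seen
        t.check_frame("aa:aa:aa:aa:aa:01", "10.0.0.99", now=10),   # bound MAC, wrong IP
        t.check_frame("aa:aa:aa:aa:aa:01", "10.0.0.23", now=700),  # after lease expiry
    ]
```

This models only the DHCP binding and lease-expiry checks; the duplicate-MAC and signal-strength detection mentioned earlier in the thread is a separate mechanism and is not covered here.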