AES encrypted passwords

Jonathan Gazeley Jonathan.Gazeley at bristol.ac.uk
Fri Sep 30 15:30:53 CEST 2016


On 30/09/16 14:21, freeradius-users at latter.org wrote:
>
> Is providing Dot11 but not verifying the certificate Good Enough
> in this instance?  I would guess that you do not think so.  Other
> comments would be welcome.  I have not yet formed an opinion.
> I am moving towards Not Good Enough.


I don't think it is good enough. I tested this last year, by configuring 
a laptop to use its WiFi interface as an AP, broadcasting an SSID and 
running a local FreeRADIUS instance that was configured only to record 
the passwords that users sent to it.

Our infosec manager was not happy about me harvesting live user 
authentications (for obvious reasons) so I built my honeypot in a 
Faraday cage in the engineering dept.

Any clients who have configured their 802.1X profile properly would not 
speak to my fake RADIUS server. The lazy ones with the option unticked 
just blindly transmitted their password to my honeypot. It took under an 
hour to research and set up, and I used this as a demonstration with 
some dummy clients to show management that security is important.

This proves that it's easy to do, and all I have to do is sit with my 
laptop in the foyer of an airport, etc, and I've got a list of usernames 
and passwords.

Cheers,
Jonathan

-- 
Jonathan Gazeley
Senior Systems Administrator
IT Services
University of Bristol
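The "option unticked" in the reply above is server certificate validation in the client's 802.1X profile: on Windows that is the "Validate server certificate" box in the PEAP settings, and on wpa_supplicant it is a network block with no ca_cert (and no expected server name). The following is an added example, not Jonathan's honeypot setup and not FreeRADIUS's own code: three constructed wpa_supplicant.conf profiles for the same SSID, from the lazy one to the properly configured one, plus an awk check that reports which of them would hand their credentials to any RADIUS server that answers. SSID, identity, password, CA path and the RADIUS hostname are assumed values; the check applies equally to PEAP and TTLS profiles.

```shell
# Added example, not from the original post or from FreeRADIUS. Every value
# below (SSID, identities, password, CA path, RADIUS hostname) is constructed.

# Constructed sample 1: the lazy profile. No ca_cert, so the supplicant accepts
# whatever certificate the RADIUS server (honeypot included) presents.
weak_profile() {
cat <<'EOF'
network={
    ssid="CampusWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.org"
    password="hunter2"
    phase2="auth=MSCHAPV2"
}
EOF
}

# Constructed sample 2: a CA is pinned but no server name is checked. Any
# certificate chaining to that CA passes; with the public system bundle this
# is only marginally better than sample 1.
ca_only_profile() {
cat <<'EOF'
network={
    ssid="CampusWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.org"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
}
EOF
}

# Constructed sample 3: the properly configured profile: a dedicated CA, the
# expected RADIUS server name, and an anonymous outer identity.
hardened_profile() {
cat <<'EOF'
network={
    ssid="CampusWiFi"
    key_mgmt=WPA-EAP
    eap=PEAP
    anonymous_identity="anonymous@example.org"
    identity="alice@example.org"
    password="hunter2"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"
    domain_suffix_match="radius.example.org"
}
EOF
}

# audit_profiles: read wpa_supplicant network blocks on stdin, print one verdict
# per EAP block, exit 1 if any block would talk to an unverified RADIUS server.
audit_profiles() {
    awk '
    $1 == "network={" { inblk = 1; ssid = ""; eap = ""; ca = 0; name = 0; next }
    inblk && $1 == "}" {
        inblk = 0
        if (eap == "") next          # PSK or open network: no RADIUS involved
        if (ca && name)
            printf "OK   %s (%s): CA pinned and server name checked\n", ssid, eap
        else if (ca) {
            printf "WEAK %s (%s): CA pinned but no domain_suffix_match/subject_match\n", ssid, eap
            bad = 1
        } else {
            printf "WEAK %s (%s): no ca_cert, any RADIUS server accepted\n", ssid, eap
            bad = 1
        }
        next
    }
    inblk {
        sub(/^[[:space:]]+/, "")
        if ($0 ~ /^ssid=/) { ssid = substr($0, 6); gsub(/"/, "", ssid) }
        if ($0 ~ /^eap=/)  { eap = substr($0, 5) }
        if ($0 ~ /^ca_cert=/ || $0 ~ /^ca_path=/) ca = 1
        if ($0 ~ /^(domain_suffix_match|domain_match|subject_match|altsubject_match)=/) name = 1
    }
    END { if (bad) exit 1 }'
}

# Usage on a real client:  audit_profiles < /etc/wpa_supplicant/wpa_supplicant.conf
```

The second sample is the case worth remembering: pinning the system CA bundle without a name match lets any certificate issued by any public CA satisfy the supplicant, so a rogue AP only needs a cheap certificate for a hostname it controls. Pin the CA that actually issues the RADIUS server's certificate and match the server name.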

