AES encrypted passwords
Jonathan Gazeley
Jonathan.Gazeley at bristol.ac.uk
Fri Sep 30 15:30:53 CEST 2016
On 30/09/16 14:21, freeradius-users at latter.org wrote:
>
> Is providing Dot11 but not verifying the certificate Good Enough
> in this instance? I would guess that you do not think so. Other
> comments would be welcome. I have not yet formed an opinion.
> I am moving towards Not Good Enough.
I don't think it is good enough. I tested this last year, by configuring
a laptop to use its WiFi interface as an AP, broadcasting an SSID and
running a local FreeRADIUS instance that was configured only to record
the passwords that users sent to it.

Our infosec manager was not happy about me harvesting live user
authentications (for obvious reasons) so I built my honeypot in a
Faraday cage in the engineering dept.

Any clients who have configured their 802.1x profile properly would not
speak to my fake RADIUS server. The lazy ones with the option unticked
just blindly transmitted their password to my honeypot. It took under an
hour to research and set up, and I used this as a demonstration with
some dummy clients to show management that security is important.

This proves that it's easy to do, and all I have to do is sit with my
laptop in the foyer of an airport, etc, and I've got a list of usernames
and passwords.

Cheers,
Jonathan
--
Jonathan Gazeley
Senior Systems Administrator
IT Services
University of Bristol
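
A defender-side check for the misconfiguration described in the message above, added here as an example and not part of the original post: it audits a wpa_supplicant configuration for EAP profiles that would talk to an unknown RADIUS server. The choice of wpa_supplicant as the client, and the sample SSIDs, identity, CA path and server name, are assumptions.

```python
import re

# Options wpa_supplicant offers for checking the name in the server certificate.
NAME_CHECKS = ("domain_suffix_match", "domain_match", "subject_match", "altsubject_match")

# Constructed sample configuration: SSIDs, identity, paths and names are made up.
SAMPLE_CONF = '''
network={
    ssid="campus-unchecked"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.org"
    phase2="auth=MSCHAPV2"
}
network={
    ssid="campus-ca-only"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-ca.pem"
}
network={
    ssid="campus-pinned"
    key_mgmt=WPA-EAP
    eap=PEAP
    ca_cert="/etc/ssl/certs/example-ca.pem"
    domain_suffix_match="radius.example.org"
}
'''

def parse_networks(conf_text):
    """Return one {option: value} dict per network={ ... } block."""
    networks = []
    for body in re.findall(r"^\s*network\s*=\s*\{(.*?)^\s*\}", conf_text, re.S | re.M):
        opts = re.findall(r'^\s*(\w+)\s*=\s*"?([^"\n]*)"?\s*$', body, re.M)
        networks.append(dict(opts))
    return networks

def audit(conf_text):
    """Return (ssid, problem) for each EAP profile that would trust an unknown RADIUS server."""
    findings = []
    for net in parse_networks(conf_text):
        if "eap" not in net:
            continue  # PSK or open network: there is no EAP server to validate
        ssid, ca = net.get("ssid"), net.get("ca_cert", "")
        if not ca and "ca_path" not in net:
            findings.append((ssid, "no CA: server certificate is not verified"))
        elif not ca.startswith("hash://") and not any(k in net for k in NAME_CHECKS):
            findings.append((ssid, "CA set, but no server name check"))
    return findings
```

Running `audit(SAMPLE_CONF)` reports the first two profiles and passes the third; a profile whose `ca_cert` is a `hash://server/sha256/...` pin is accepted without a name check because it pins one exact certificate.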