



Pages in this thread: 1 | 2 | 3 | 4 | [5] | 6
Standard User ukhardy07
(knowledge is power) Tue 25-Oct-16 15:50:46

Re: Do you use your ISP created SSID?


[re: PaulKirby]
 
And once that person sees the SSID name that the client device is sending on all channels, they only need to then set up a temporary access point with that SSID and the client device will try and authenticate with that, which will result in the password being discovered.


Say I set up a temporary AP with the same SSID as another SSID in range. The client we are trying to compromise will try to connect to my rogue SSID (provided my signal is better than theirs); however, all that happens is the 4-way handshake will fail as the encryption passphrase is different. At no stage is the actual password exchanged... The attacker may at best capture the handshake and try to brute-force it offline, but this can be done just as easily whether the SSID is hidden or shown.

That's what I was on about, you gain nothing from hiding your SSID. The only thing is, when the client device is set up to connect using SSID + encryption type, it's not that hard to spoof that SSID and fool that device into connecting to you, and when it tries to authenticate, the custom-written app spoofing the SSID will have their password.

If this is true, explain how I would get their password so easily? The 4-way handshake would just fail.

Have a listen to this:

https://www.youtube.com/watch?v=9M8kVYFhMDw

Edited by ukhardy07 (Tue 25-Oct-16 15:51:20)

Standard User PaulKirby
(fountain of knowledge) Tue 25-Oct-16 16:21:39

Re: Do you use your ISP created SSID?


[re: ukhardy07]
 
I watched that video a few years back; it has always reminded me of Apache Digest Authentication.

That guy didn't go into that much detail. I agree with the 4-way handshake, but isn't that just to set up the encryption for both ways? Not too sure if the client device encrypts the password using the set-up encryption and the AP device decrypts the password and compares it with its own.
Or if it hashes it and then encrypts that hash and sends it to the AP device to be decrypted and then compared to a hashed version of its password.

So either way you would have a password or a hashed password which could be brute-forced to get possible passwords, granted there would be loads of wrong passwords returned due to hash collisions.

TBH, I thought it might have used RSA key pairs.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
Standard User ukhardy07
(knowledge is power) Tue 25-Oct-16 16:38:02

Re: Do you use your ISP created SSID?


[re: PaulKirby]
 
Yes you can capture the handshake and brute force offline. I have done it for clients of mine.

This is possible irrespective of the SSID being broadcast or not. You would never set up your own SSID (the same as another) to get this data though... You would simply do this:
https://www.youtube.com/watch?v=ObwByN6FWwA

& then you can crack offline.

It is surprising how commonly I get the PW back after just a few days of brute-forcing.



Standard User PaulKirby
(fountain of knowledge) Tue 25-Oct-16 16:52:10

Re: Do you use your ISP created SSID?


[re: ukhardy07]
 
In reply to a post by ukhardy07:
Yes you can capture the handshake and brute force offline. I have done it for clients of mine.

This is possible irrespective of the SSID being broadcast or not. You would never set up your own SSID (the same as another) to get this data though... You would simply do this:
https://www.youtube.com/watch?v=ObwByN6FWwA

& then you can crack offline.

It is surprising how commonly I get the PW back after just a few days of brute-forcing.

I agree, I did it to a home a few doors down to prove a point that Wi-Fi isn't that safe and wired is more secure.
That took between 4 to 8 hours to do, just left it going over night and it was done when I got up.
A few days later they moved over to wired.

The sad thing is, with this way the owner of the AP has no clue apart from one of their wireless devices losing connection and their bandwidth all of a sudden being used up.

Not too sure if the software used uses CPU or the CUDA Cores to do all its brute force.
Because CUDA is very good with numbers LOL.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
Standard User ukhardy07
(knowledge is power) Tue 25-Oct-16 16:55:29

Re: Do you use your ISP created SSID?


[re: PaulKirby]
 
& then there's WPS lol.
Standard User PaulKirby
(fountain of knowledge) Tue 25-Oct-16 16:59:11

Re: Do you use your ISP created SSID?


[re: ukhardy07]
 
In reply to a post by ukhardy07:
& then there's WPS lol.

LOL, don't get me started there. Could be worse, it could be WEP.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
Standard User Michael_Chare
(experienced) Wed 26-Oct-16 10:10:38

Re: Do you use your ISP created SSID?


[re: ukhardy07]
 
In reply to a post by ukhardy07:
Yes you can capture the handshake and brute force offline. I have done it for clients of mine.

This is possible irrespective of the SSID being broadcast or not. You would never set up your own SSID (the same as another) to get this data though... You would simply do this:
https://www.youtube.com/watch?v=ObwByN6FWwA

& then you can crack offline.

It is surprising how commonly I get the PW back after just a few days of brute-forcing.
How long are the passwords that you manage to crack? I presume longer passwords are more difficult.

Michael Chare
Standard User ukhardy07
(knowledge is power) Wed 26-Oct-16 10:13:41

Re: Do you use your ISP created SSID?


[re: Michael_Chare]
 
It's generally cracked because they use dictionary words such as

m0n3ay123 - that would be one example.
Standard User PaulKirby
(fountain of knowledge) Wed 26-Oct-16 10:37:48

Re: Do you use your ISP created SSID?


[re: ukhardy07]
 
In reply to a post by ukhardy07:
It's generally cracked because they use dictionary words such as

m0n3ay123 - that would be one example.

Agreed, I've seen some stupid passwords in the past.

I know ours uses the full 64 characters (I think) of random numbers, symbols, mixed case letters.
It takes forever to enter them all in on the phones and tablets LOL.

And if somebody wants to spend all that time getting our password, then they can, I will just change it again to another random 64 or so char password LOL.

Paul

BTBroadband - Infinity 4 - 310Mbps (down), 31Mbps (up)
Standard User deleted
(deleted) Wed 26-Oct-16 16:19:22

Re: Do you use your ISP created SSID?


[re: ukhardy07]
 
You can check how good your passwords are here...

https://www.grc.com/haystack.htm
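The posts above argue about whether the password itself is ever sent during the 4-way handshake and how long offline brute-forcing takes against different passphrases. The following Python is an added example, not code from this thread or from any tool the posters link to. It implements the WPA2-Personal key derivation as IEEE 802.11i specifies it (PBKDF2-HMAC-SHA1, 4096 rounds, salted with the SSID) and a simple cost model in the spirit of the GRC "haystack" page: count the candidates a policy allows and divide by the measured guesses per second on one CPU core. Two standard details worth knowing: a passphrase is 8 to 63 ASCII characters, and a 64-character hex entry is the raw 256-bit PSK rather than a passphrase. The SSID `HomeNet`, the word-list and rule counts, and the policy names are constructed assumptions for the demonstration.

```python
# Added example, not code from the thread or any project it mentions:
# WPA2-Personal PMK derivation and a cost model for offline passphrase guessing.
import hashlib
import time

PBKDF2_ROUNDS = 4096   # fixed by IEEE 802.11i for WPA/WPA2-Personal
PMK_LEN = 32           # 256-bit Pairwise Master Key


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the PMK that client and AP each derive locally.

    PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 256 bits).
    The passphrase itself never crosses the air: the 4-way handshake carries
    nonces plus a MIC keyed by material derived from this PMK, so a rogue AP
    configured with a different passphrase can only make the handshake fail.
    A 64-character hex entry is the raw PSK and bypasses the derivation.
    """
    if len(passphrase) == 64:
        return bytes.fromhex(passphrase)  # raises ValueError if not hex
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PMK_LEN)


def search_space(alphabet_size: int, max_len: int) -> int:
    """Candidates of length 1..max_len over an alphabet (the 'haystack' count)."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def dictionary_candidates(words: int, mangling_rules: int) -> int:
    """Candidates a word-list attack tries: each word times each rule
    (m0n3ay123 is a dictionary word with leet substitutions and a digit suffix)."""
    return words * mangling_rules


def measure_guess_rate(ssid: str, samples: int = 20) -> float:
    """Guesses per second on one CPU core; every guess costs one PBKDF2 run."""
    t0 = time.perf_counter()
    for i in range(samples):
        wpa2_pmk(f"candidate{i:04d}", ssid)   # constructed throwaway guesses
    return samples / (time.perf_counter() - t0)


def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return candidates / guesses_per_second


def compare_policies(guesses_per_second: float) -> dict:
    """Worst-case seconds to exhaust three passphrase policies at a given rate."""
    return {
        # 100k-word list with 1k mangling rules: the m0n3ay123 class of password
        "dictionary+rules": seconds_to_exhaust(
            dictionary_candidates(100_000, 1_000), guesses_per_second),
        # 8 random lowercase letters (the WPA2 minimum length)
        "8 random lowercase": seconds_to_exhaust(
            search_space(26, 8), guesses_per_second),
        # 63 random printable ASCII characters (the WPA2 maximum passphrase length)
        "63 random printable": seconds_to_exhaust(
            search_space(95, 63), guesses_per_second),
    }


if __name__ == "__main__":
    ssid = "HomeNet"   # constructed SSID
    pmk = wpa2_pmk("correct horse battery staple", ssid)
    print("PMK:", pmk.hex())
    # Same passphrase, different SSID gives a different PMK: the SSID is the salt.
    print("SSID-bound:", pmk != wpa2_pmk("correct horse battery staple", "OtherNet"))
    rate = measure_guess_rate(ssid)
    print(f"~{rate:.0f} guesses/s on one core")
    for policy, secs in compare_policies(rate).items():
        print(f"{policy:>20}: {secs / 86400:.3g} days")
```

Because the SSID is the salt, the same passphrase yields a different PMK on every network name, and a guess must be re-derived per SSID; the 4096 PBKDF2 rounds are what make each guess cost something. The numbers the script prints are for a single CPU core, so they are an upper bound on the attacker's time rather than a prediction, but the ratio between the word-list case and the 63-character random case is the point: the former is hours to days on ordinary hardware, the latter is not feasible at any rate.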