WPA-PSK - can it be copied?

Hi,

We have a classroom setup with a wireless AP and some school notebooks. Both AP and notebooks are configured to use WPA-PSK encrypted communication, so students cannot connect to the AP with their own notebooks unless they know the key...

Now I was wondering...

- Would it be possible to "copy" the WPA settings from an authorized school notebook to an unauthorized student notebook, so students can connect to the AP without having to know the WPA key?

- How/where is the WPA key stored on the system (Windows XP Pro, SP2)?

Can anybody give me some more information on these questions?

Cheers, E.T.

Reply to
Erik

Erik hath wroth:

Good question. The location varies a bit depending on OS:

WPA key in XP: HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces
WEP key in XP: HKLM\SYSTEM\ControlSet001\Control\Class\{Adapter_ID_Number}\xxxx
Windows 2000: HKLM\SYSTEM\CurrentControlSet\Control\Class\{Adapter_ID_Number}\xxxx

Wireless WEP Key Password Spy:

formatting link
Password system recovery and brute force cracker which includes WPA from Russia.
formatting link
to include: "Wireless (WEP and WPA-PSK) encryption keys (if stored with WZC)"

My favorite brute force cracker tool, Cain and Abel 2.9:

formatting link
not successfully crack WPA-PSK keys.

I don't think that WPA-PSK keys are portable (with cut-n-paste) between machines. However, that's a guess and I haven't tried it. I'll have two laptops to play with in a few days and will see what happens.

Reply to
Jeff Liebermann

Good response!

I'm sure that the IT department would have restricted access to enable viewing the registry by changing the group security policy to avoid it being accessed.

Reply to
Gus Ulton
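The two posts above raise the question of whether ordinary (student) accounts can even read the registry location where XP's Wireless Zero Configuration keeps its per-interface settings. The following PowerShell script is an added example, not code from this thread or from any of the posters; it takes the key path from Jeff's post and reports which principals have been granted the QueryValues right on it, so an administrator can confirm that the group policy restriction Gus describes is actually in effect. It assumes a Windows machine with PowerShell available and the WZCSVC key present, and it must be run from an administrator prompt.

```powershell
# Added example: audit read access to the WZC interface settings key.
# Registry path is the one quoted in the thread for Windows XP.
$key = 'HKLM:\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces'

if (-not (Test-Path -Path $key)) {
    # WZC may not be managing the adapter (third-party client software instead)
    Write-Output "Key not present: $key"
    return
}

# QueryValues is the right needed to read the stored value blobs.
$queryValues = [System.Security.AccessControl.RegistryRights]::QueryValues

$acl = Get-Acl -Path $key
$readers = @()
foreach ($ace in $acl.Access) {
    $grantsRead = (($ace.RegistryRights -band $queryValues) -ne 0)
    if ($ace.AccessControlType -eq 'Allow' -and $grantsRead) {
        $readers += $ace.IdentityReference.Value
        '{0,-40} {1}' -f $ace.IdentityReference.Value, $ace.RegistryRights
    }
}

# Flag the broad built-in groups a student account would normally belong to.
$broad = $readers | Where-Object { $_ -match 'Users$|Everyone$|Authenticated Users$' }
if ($broad) {
    Write-Output ''
    Write-Output 'Warning: non-administrative groups can read this key:'
    $broad | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output ''
    Write-Output 'Only the listed principals can read this key.'
}
```

A result showing only SYSTEM and Administrators means a student logged in with a normal account cannot pull the value blobs from this key at all; if BUILTIN\Users or Everyone appears, the blobs are readable, although (as Mark notes further down) what is stored there is still encrypted rather than the plain key.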

It's encrypted in the registry, and a straight binary copy of the bytes won't work (I believe the encryption hashes with machine SID or something). You'd have to decrypt it first, which is fairly hard.

Reply to
Mark McIntyre

"Gus Ulton" hath wroth:

A school with an IT department? None that I've ever seen. It's mostly instructors doing IT jobs in their "spare" time. Perhaps a college or trade skool, but not a grade or high skool. Well, the OP is in Belgium so I don't know how they do things there.

It's all too easy to bypass Windoze Local Security Policies. All it takes is an administrator password reset floppy or CD. Boot it. Answer some questions that eventually point to the SAM. Reset the administrator password. Reboot. Login as administrator and do whatever seems interesting. Works on anything except EFS (encrypted file system).

formatting link

Reply to
Jeff Liebermann

If you drop the wpa security for about an hour... that's all the time you'd need to program the security code into all the computers... heck.. why not just change the key while you're at it..

Robert Kim

2611 s highway 101 suite 203 cardiff ca 92007
formatting link
"Gus Ulton" hath wroth:
Reply to
robert evdo hsdpa kim

Dropping encryption on a wireless LAN does not automagically give the attacker access to all the computers on the network. If the network uses fairly common LAN based security (Windoze authentication, windoze domains, password protected shares, etc), then changing the keys on individual machines will be difficult. Dropping WPA also doesn't give the attacker access to the wireless router which would be necessary to change the WPA key.

Reply to
Jeff Liebermann

You say that like it was a specific flaw in Windows. Let's bear in mind that any OS can be cracked if you have access to the right tools.

Any security can be bypassed by someone with physical access and enough unsupervised time on their hands. I suspect that rebooting a school computer with a Linux cd might possibly be noticed, and an audit policy would trap the password change anyway.

Reply to
Mark McIntyre

Mark McIntyre hath wroth:

Yeah, you might say that. I had to deal with C2 security on SCO Unix so I have a clue how such things should work. In my never humble opinion, methinks Windoze is designed for user convenience first and foremost. Everything, including security, comes after convenience. If there weren't back doors and methods of bypassing Windoze security, the users would claim that Microsoft is holding their data for ransom immediately after they had forgotten their password. I would call it an intentional flaw.

The C2 level of SCO Unix could not. There was no concept as root, administrator, supervisor, supreme user, or system god with C2. No single password gave anyone access to the entire system. If you boot from a floppy or CD, you get nothing. If you want to reinstall, you get to wipe that part of the system.

formatting link

formatting link

formatting link

Not any, but most that allow this can be bypassed.

True. If the mythical skool IT department ran the skool computers as some kind of hostile environment, logging would certainly be part of the protection scheme. In reality, nobody likes to read log files and some other means (IDS system?) will probably be used. I don't think a Linux boot will show up anywhere as it's not necessary to get a DHCP IP address or connect to the network in order to hack the registry. It can be done stand alone. From personal experience, the only time I set off IDS alarms is when I'm generating unusual network traffic.

Reply to
Jeff Liebermann

Apparently not, if you think that SCO Unix is capable of it, and Windows is not - wander over to the NTSC webpile sometime and find out.

It's also worth verifying buzzwords before using them as ammo in debates. C2 is pretty simple to meet.

Then your opinion in this matter is junk. I don't intend to enter into a flame war with you tho, so I'll just threadplink the topic.

I disagree that this contradicts my previous statement, even if it were relevant (which it's not). If you have obtained a suitably privileged login to the system, you've cracked it. It need not be able to wipe the f/s or read all files (heck, it's trivial to configure the Administrator account in windows the same way as you suggest).

Any that don't have some hardware support for encryption of the operating system.

Reply to
Mark McIntyre

It's NCSC. Been there. Done that. Microsloth apparently passed C2 security using NT 3.51 and 4.0. I don't think they've bothered with W2K, XP, or Server 2003 because the governmint dropped the C2 requirement.

SCO bought C2 from Secureware. It was anything but simple to meet in 1993(?). Maybe today, but not back then. My involvement with C2 security was primarily trying to live with it as it was an integral part of SCO Unix and could not be easily disarmed or bypassed. Eventually, SCO disabled parts and pieces that were driving users nuts. Convenience comes first again.

No problem, but I do enjoy technical flame wars, especially when I'm right. The more trivial and obscure the topic, the better.

Fine. I'll concede that gaining entry to a user account does somewhat compromise the system. However, I was talking about tweaking the registry which requires administrator level permission.

I once was on a rampage over why backup tape manufacturers don't bother to encrypt their tapes. The resultant discussion expanded into encrypted filesystems and hardware encrypted hard disks. It seems that encryption tends to randomize the data on the drive. Modern hard disks and tape drives use statistical algorithms to guess whether the garbage waveform read from the drive or tape is a zero or one. That's the only way to obtain the current levels of tape and drive densities. However, if the transitions or bits are randomized, the data extraction algorithms have problems and tend to generate bad guesses. Hardware encryption would be nice, but apparently at the price of increased drive and tape errors. Note that this does not apply to EFS (encrypted file system) which encrypts the stored data blocks and not the native data transitions on the drive or tape. Of course, convenience is more important than security to Microsoft, so they are removing some encryption features from Vista:

formatting link

Reply to
Jeff Liebermann

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.