If a user spoofs their MAC address, are they still associated with their passkey's User ID?

  • Question
  • Updated 4 years ago
  • Answered
I have a user known for thinking they can hack. I checked their Client sessions and found 2 devices with the same name but with these obscure MAC addresses from companies called AmbiCom and ALFA. This is a high school campus so I would expect standard mobile devices.

Jeff Studer


Posted 4 years ago


Mike Kouri, Official Rep

I am not sure that I fully understand your question. If you are using an Open SSID, then yes I believe that spoofing the MAC of an associated client will allow your device to connect (and will lead to strange behavior), but since it's an Open SSID I don't see why you would do that. If there are protections on the SSID, then merely spoofing the MAC of an associated client won't give you the group key or individual key for that client, so I don't think you'll get the results you desire.

Does this answer your question, or did I misunderstand you?

Jeff Studer

I should have stated that users have Private PSK for the SSID and on their own VLAN for that SSID.  My concern is that they might be able to somehow associate with another USER ID for a Private PSK if they spoofed someone else's MAC address.

As I think about it, it's still using the same encryption key -- I think that's how Private PSK works -- so they can't really change Private PSKs, right?  So, is the User ID statically attached to the Private PSK (no matter if they try to ARP poison or some other attack)?

This leads to another question, but I will keep that to a separate thread.

Nick Lowe, Official Rep

ARP poisoning is a different concern as there are so many easy to use 'tools' out there. It is an issue I've raised previously that affects a L2 broadcast domain, I won't rehash it. Presently, we only have flood protection, not filtering based on a DHCP snooping table.

Sam

Jeff -

They would not be able to obtain another user's key in the sense of a usable key. At most they would get a hashed key value. If the 'hacker' has the ability to scan promiscuously, they could gather this data without even spoofing the MAC address, due to the nature of how WiFi is using open airwaves.

More details on how standard PSK works: http://en.wikipedia.org/wiki/IEEE_802.11i-2004

PPSK adds on this functionality by providing each user with their own key. This makes it extremely complex for a 'hacker' to find out what the key is as it differs from user to user.

http://www.aerohive.com/pdfs/Aerohive-Solution_Brief-Aerohive_Private_Pre-shared_Key.pdf

Jeff Studer

I feel like this answers my question.

Thank you for the help.  This helps me see that hackers have a hard time hiding their identity when they use their own Private PSK.

Nick Lowe, Official Rep

Exactly! I think this sentiment applies:


Jeff Studer

Though getting other PPSKs is somewhat of a concern, I feel I do well keeping my passwords safe.  I try to look for higher than normal clients for a PPSK to detect this, manually.

He booted a Linux distro called "kali" and it showed up in the Client Sessions for the device name.  As my network is still sort of new, I know I need to take his approach and hunt down all my holes.  I don't know what Kali Linux can do to find out passwords and such -- I will plan for the worst.

Matt Kopp

Kali is the updated (/rebirth of) BackTrack.  If you aren't familiar with BackTrack, it would be advisable to get familiar.  If you know who he actually is, plant a Pineapple (https://hakshop.myshopify.com/collections/sale/products/wifi-pineapple) near him...  That might keep him busy for a while.

The other thing you could potentially do in the interest of mitigation is create a user profile for Linux (provided you aren't using it in your production network...).

With Kali nee BackTrack, you can do some damage - IF you actually know what you're doing.

And remember...

Crowdie, Champ

As somebody who broke into the network at my secondary school (one year ban from non-monitored computer access) and university (three month ban from all remote access) I would like to put my two cents in here.

Don't stomp on this student.  Network security is a challenge that some students can't resist taking on.  These students could go on to be the next security engineers.  Your challenge is to keep them out and that requires you to know more than them.

Kali Linux is also my attack tool of choice and, if I was in these students' situation (and of the same age), I would probably be doing the same basic attacks they are.  If you are using PPSKs you need to know the following limitations:

  • The key generated by the passphrase-PSK mapping formula is always the same for each unique passphrase (PPSK).  This differs from 802.1X EAP types, such as PEAP and EAP-TLS, which have dynamic key generation.  Therefore, if you are using short and/or weak passphrases your wireless network is vulnerable to offline dictionary attacks.  The longer you make the minimum passphrase length the better.  Forcing the passphrase to have letters, numbers and special characters also significantly increases the length of time an offline dictionary attack will take to complete.

  • If you are allowing more than one simultaneous connection per PPSK then you are making life much easier for these students.

If you really want to encourage them and move their focus away from your main wireless network I would create a new PSK SSID and start a competition to see who can obtain the passphrase the quickest.  Only have this new PSK SSID broadcasting in the computer lab (or don't have it broadcasting and tell the students they have to find it) so you can have some control.
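
The passphrase-to-PSK mapping described in the post above, together with a policy audit for issued PPSKs, as an added example that is not part of the original thread. The user IDs, passphrases, SSID, policy thresholds (`min_len`, `min_classes`) and guess rate are assumptions constructed for illustration.

```python
import hashlib
import math
import string

def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """802.11i passphrase-to-PSK mapping: PBKDF2-HMAC-SHA1, SSID as salt,
    4096 iterations, 256-bit output. Same inputs always give the same key."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def search_space_bits(passphrase: str) -> float:
    """Upper bound on guessing work, assuming each character was picked at
    random from the classes present; human-chosen words score far lower."""
    alphabet = sum(len(c) for c in CLASSES if any(ch in c for ch in passphrase))
    return len(passphrase) * math.log2(alphabet) if alphabet else 0.0

def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try the whole search space at a given (assumed) guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)

def audit(ppsks: dict, min_len: int = 12, min_classes: int = 3) -> dict:
    """Return {user_id: [reasons]} for PPSKs that miss the assumed policy."""
    findings = {}
    for user, secret in ppsks.items():
        reasons = []
        if len(secret) < min_len:
            reasons.append(f"length {len(secret)} < {min_len}")
        used = sum(any(ch in c for ch in secret) for c in CLASSES)
        if used < min_classes:
            reasons.append(f"{used} character classes < {min_classes}")
        if reasons:
            findings[user] = reasons
    return findings

# Constructed sample data: hypothetical user IDs, passphrases and SSID.
SAMPLE = {"student-a": "falcons1", "student-b": "t7#Kq9!vLm2@xR4w"}
ASSUMED_RATE = 1e5  # guesses per second, an assumed figure for illustration

if __name__ == "__main__":
    assert wpa2_pmk("falcons1", "Campus") == wpa2_pmk("falcons1", "Campus")
    for user, secret in SAMPLE.items():
        bits = search_space_bits(secret)
        print(user, f"{bits:.1f} bits, {years_to_exhaust(bits, ASSUMED_RATE):.3g} years")
    print(audit(SAMPLE))
```

Because the SSID is the salt, the derived key changes with the SSID but never between sessions, which is why passphrase length is the control that matters here.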

Jeff Studer

I do have a limit of 5 devices per PPSK.  That used to be generous.

I'm currently not doing anything to the student, but I am taking action to tighten my network security that has been on my to-do list.  I guess a kudos to him for reminding me why it's a priority.  I plan to use this tool, too, to help me find my problem areas.  I just need to learn how to use it.

I'm going to pass on the competition for now, but thanks for the suggestion.

Sam

Jeff - 

If you are using the PPSK mechanism built into the APs and not IDM, you can limit the amount of devices a single PPSK is good for within the SSID modification page.
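
The manual checks discussed in this thread (more clients than usual on one PPSK, the same device name on several unfamiliar MACs, one MAC turning up under another user's key) can be run over an export of client sessions. This is an added example, not part of the original thread; the record format, user IDs, device names and vendor prefixes are constructed placeholders, and only the limit of 5 devices comes from the thread.

```python
from collections import defaultdict

# Constructed sample records in a hypothetical export format:
# (PPSK user ID, client MAC, reported device name).
SESSIONS = [
    ("student-a", "AA:BB:CC:00:00:01", "phone-a"),
    ("student-a", "AA:BB:CC:00:00:02", "laptop-a"),
    ("student-b", "AA:BB:DD:00:00:10", "phone-b"),
    ("student-c", "AA:BB:CC:00:00:20", "phone-c"),
    ("student-c", "EE:EE:EE:00:00:01", "kali"),
    ("student-c", "EE:EE:EE:00:00:02", "kali"),
    ("student-c", "aa:bb:dd:00:00:10", "phone-b"),  # student-b's MAC, student-c's key
]
EXPECTED_OUIS = {"AA:BB:CC", "AA:BB:DD"}  # placeholder vendor prefixes, not real OUIs
MAX_DEVICES = 5                           # per-PPSK device limit quoted in the thread

def review(sessions, expected_ouis=EXPECTED_OUIS, max_devices=MAX_DEVICES):
    """Return a list of (finding, subject, detail) tuples, grouped by PPSK user."""
    macs_by_user = defaultdict(set)
    users_by_mac = defaultdict(set)
    macs_by_name = defaultdict(set)      # keyed by (user, device name)
    for user, mac, name in sessions:
        mac = mac.upper().replace("-", ":")
        macs_by_user[user].add(mac)
        users_by_mac[mac].add(user)
        macs_by_name[(user, name)].add(mac)

    findings = []
    for user in sorted(macs_by_user):
        macs = sorted(macs_by_user[user])
        if len(macs) > max_devices:
            findings.append(("over_device_limit", user, len(macs)))
        for mac in macs:
            if mac[:8] not in expected_ouis:
                findings.append(("unexpected_vendor", user, mac))
    for (user, name), macs in sorted(macs_by_name.items()):
        if len(macs) > 1:
            findings.append(("same_name_multiple_macs", user, name))
    for mac, users in sorted(users_by_mac.items()):
        if len(users) > 1:
            # The key identifies the user, so every owner of this MAC is listed.
            findings.append(("mac_under_multiple_ppsks", mac, sorted(users)))
    return findings

if __name__ == "__main__":
    for finding in review(SESSIONS):
        print(finding)
```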