Comments on: Can I own your wireless network?

By: AlanRII

AlanRII — Wed, 27 Feb 2008 03:23:01 +0000

Self-signed certs not installed on the supplicant machine would necessitate not validating the cert. Bad mojo.

By: Rusty

Rusty — Sun, 24 Feb 2008 09:31:02 +0000

I’ve found that some admins uncheck “validate server certificate” because sometimes it prevents users from authenticating. If everything is properly configured, then of course validating the server certificate should not be a problem. But in the real world mistakes happen sometimes and unchecking that box can get users authenticated in a pinch.

By: brad

brad — Sat, 23 Feb 2008 17:45:09 +0000

The common response is “well…we couldn’t get the wireless working, so we were playing around with the configuration and we noticed that if we unchecked that box, everything worked!”

unfortunately i’ve heard that more then you can imagine. Nonetheless the validate server certificate box is somewhat misleading in itself. With that checkbox checked, WZC will prompt the user to either “continue” or “cancel”. When it prompts the user, WZC only displays the signing authority of the certificate, and not the certificate name (i.e verisign). An attacker with a couple dollars can buy any verisign certificate to mislead users.

Think about it, if you’re prompted in a similar situation and the first thing you see is “verisign” would you be more inclined to accept it?

Also, in general its never a good idea to put the security of the network in the client’s hands, which by prompting the user, WZC is doing.

By: RNP

RNP — Sat, 23 Feb 2008 03:52:54 +0000

On the WZC supplicant, “validate server certificate” is enabled by default, I am not sure why an organization would remove this configuration.

By: higB

higB — Thu, 21 Feb 2008 19:14:35 +0000

Good job. I’m glad to see a topic that is *not WEP related. What you’re doing here is actually valuable to real enterprise wireless configurations. This technique will certainly be useful on wireless pentests.