WPA-PSK - can it be copied?

 
 
Erik
      09-20-2006, 01:45 PM
Hi,

We have a classroom setup with a wireless AP and some school notebooks.
Both AP and notebooks are configured to use WPA-PSK encrypted
communication, so students cannot connect to the AP with their own
notebooks unless they know the key...

Now I was wondering...

- Would it be possible to "copy" the wpa settings from an authorized
school notebook to an unauthorized student notebook, so students can
connect to the AP without having to know the WPA key?

- How/where is the WPA key stored on the system (Windows XP Pro, SP2)?

Can anybody give me some more information on these questions?

Cheers,
E.T.
Jeff Liebermann
      09-20-2006, 02:51 PM
Erik <(E-Mail Removed)> hath wroth:

>We have a classroom setup with a wireless AP and some school notebooks.
>Both AP and notebooks are configured to use WPA-PSK encrypted
>communication, so students cannot connect to the AP with their own
>notebooks unless they know the key...
>
>Now I was wondering...
>
>- Would it be possible to "copy" the wpa settings from an authorized
>school notebook to an unauthorized student notebook, so students can
>connect to the AP without having to know the WPA key?
>
>- How/where is the WPA key stored on the system (Windows XP Pro, SP2)?
>
>Can anybody give me some more information on these questions?


Good question. The location varies a bit depending on OS:

WPA key in XP:
HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces
WEP key in XP:
HKLM\SYSTEM\ControlSet001\Control\Class\{Adapter_ID_Number}\xxxx
Windows 2000:
HKLM\SYSTEM\CurrentControlSet\Control\Class\{Adapter_ID_Number}\xxxx

Wireless WEP Key Password Spy:
http://www.alpinesnow.com/wepkeypassword.shtml

Password system recovery and brute force cracker which includes WPA
from Russia.
http://www.elcomsoft.com/pspr.html
Claims to include:
"Wireless (WEP and WPA-PSK) encryption keys (if stored with WZC)"

My favorite brute force cracker tool, Cain and Abel 2.9:
http://www.oxid.it/cain.html
will not successfully crack WPA-PSK keys.

I don't think that WPA-PSK keys are portable (with cut-n-paste)
between machines. However, that's a guess and I haven't tried it.
I'll have two laptops to play with in a few days and will see what
happens.

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
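Jeff's remark that his brute-force tool will not crack WPA-PSK keys comes down to how WPA-PSK turns the passphrase into the key a client actually stores and uses. The example below is added here and is not part of the thread; it derives that key with the parameters IEEE 802.11i specifies, using only the Python standard library, and the SSID names and candidate strings in it are constructed inputs.

```python
"""Derive the WPA-PSK pairwise master key (PMK) from passphrase and SSID.

Added example, not code from the thread. Uses only the Python standard
library; the derivation is the one IEEE 802.11i specifies for WPA-PSK:
PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes).
"""
import hashlib
import time

PBKDF2_ITERATIONS = 4096   # fixed by the standard
PMK_LEN = 32               # 256-bit key


def wpa_psk_pmk(passphrase: str, ssid: str) -> bytes:
    """Return the 32-byte PMK for this passphrase on this SSID."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 printable ASCII characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LEN)


def pmk_hex(passphrase: str, ssid: str) -> str:
    """The 64-hex form a client keeps once the passphrase has been entered."""
    return wpa_psk_pmk(passphrase, ssid).hex()


def pmk_bound_to_ssid(passphrase: str, ssid_a: str, ssid_b: str) -> bool:
    """Same passphrase on a different SSID gives a different PMK, so a
    stored PMK is only useful against the network it was derived for and
    precomputed tables have to be built per SSID."""
    return wpa_psk_pmk(passphrase, ssid_a) != wpa_psk_pmk(passphrase, ssid_b)


def guesses_per_second(ssid: str, sample: int = 50) -> float:
    """Rough single-core guess rate: each candidate costs 4096 HMAC-SHA1
    rounds, which is what makes offline dictionary attacks on WPA-PSK
    slow compared with WEP key recovery."""
    start = time.perf_counter()
    for i in range(sample):
        wpa_psk_pmk("candidate%06d" % i, ssid)   # constructed candidates
    return sample / (time.perf_counter() - start)


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: "password" on SSID "IEEE"
    print(pmk_hex("password", "IEEE"))
    print(pmk_bound_to_ssid("password", "IEEE", "IEEE2"))
    print("%.0f guesses/s on this machine" % guesses_per_second("IEEE"))
```

The practical lesson for the classroom setup is that a long random passphrase on a non-default SSID forces an attacker through 4096 rounds per guess against a table nobody has precomputed.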
Gus Ulton
      09-20-2006, 05:55 PM
> Good question. The location varies a bit depending on OS:
>
> WPA key in XP:
> HKLM\SOFTWARE\Microsoft\WZCSVC\Parameters\Interfaces
> WEP key in XP:
> HKLM\SYSTEM\ControlSet001\Control\Class\{Adapter_ID_Number}\xxxx
> Windows 2000:
> HKLM\SYSTEM\CurrentControlSet\Control\Class\{Adapter_ID_Number}\xxxx
>
> Wireless WEP Key Password Spy:
> http://www.alpinesnow.com/wepkeypassword.shtml
>
> Password system recovery and brute force cracker which includes WPA
> from Russia.
> http://www.elcomsoft.com/pspr.html
> Claims to include:
> "Wireless (WEP and WPA-PSK) encryption keys (if stored with WZC)"
>
> My favorite brute force cracker tool, Cain and Abel 2.9:
> http://www.oxid.it/cain.html
> will not successfully crack WPA-PSK keys.
>
> I don't think that WPA-PSK keys are portable (with cut-n-paste)
> between machines. However, that's a guess and I haven't tried it.
> I'll have two laptops to play with in a few days and will see what
> happens.
>
> --
> Jeff Liebermann (E-Mail Removed)
> 150 Felker St #D http://www.LearnByDestroying.com
> Santa Cruz CA 95060 http://802.11junk.com
> Skype: JeffLiebermann AE6KS 831-336-2558


Good response!

I'm sure that the IT department would have restricted access to enable
viewing the registry by changing the group security policy to avoid it being
accessed.


Mark McIntyre
      09-20-2006, 10:07 PM
On Wed, 20 Sep 2006 15:45:51 +0200, in alt.internet.wireless, Erik
<(E-Mail Removed)> wrote:

>- Would it be possible to "copy" the wpa settings from an authorized
>school notebook to an unauthorized student notebook, so students can
>connect to the AP without having to know the WPA key?


It's encrypted in the registry, and a straight binary copy of the bytes
won't work (I believe the encryption hashes with machine SID or
something). You'd have to decrypt it first, which is fairly hard.

--
Mark McIntyre
Jeff Liebermann
      09-20-2006, 10:38 PM
"Gus Ulton" <(E-Mail Removed)> hath wroth:

>I'm sure that the IT department would have restricted access to enable
>viewing the registry by changing the group security policy to avoid it being
>accessed.


A school with an IT department? None that I've ever seen. It's
mostly instructors doing IT jobs in their "spare" time. Perhaps a
college or trade skool, but not a grade or high skool. Well, the OP
is in Belgium so I don't know how they do things there.

It's all too easy to bypass Windoze Local Security Policies. All it
takes is an administrator password reset floppy or CD. Boot it.
Answer some questions that eventually point to the SAM. Reset the
administrator password. Reboot. Login as administrator and do
whatever seems interesting. Works on anything except EFS (encrypted
file system).

http://www.petri.co.il/forgot_admini...r_password.htm

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
robert evdo hsdpa kim
      09-21-2006, 04:48 PM
If you drop the wpa security for about an hour... that's all the time
you'd need to program the security code into all the computers...
heck.. why not just change the key while you're at it..

Robert Kim
2611 s highway 101 suite 203
cardiff ca 92007
http://evdo-coverage.com
http://wireless-internet-access-provider.com

Jeff Liebermann wrote:
> "Gus Ulton" <(E-Mail Removed)> hath wroth:
>
> >I'm sure that the IT department would have restricted access to enable
> >viewing the registry by changing the group security policy to avoid it being
> >accessed.

>
> A school with an IT department? None that I've ever seen. It's
> mostly instructors doing IT jobs in their "spare" time. Perhaps a
> college or trade skool, but not a grade or high skool. Well, the OP
> is in Belgium so I don't know how they do things there.
>
> It's all too easy to bypass Windoze Local Security Policies. All it
> takes is an administrator password reset floppy or CD. Boot it.
> Answer some questions that eventually point to the SAM. Reset the
> administrator password. Reboot. Login as administrator and do
> whatever seems interesting. Works on anything except EFS (encrypted
> file system).
>
> http://www.petri.co.il/forgot_admini...r_password.htm
>
> --
> Jeff Liebermann (E-Mail Removed)
> 150 Felker St #D http://www.LearnByDestroying.com
> Santa Cruz CA 95060 http://802.11junk.com
> Skype: JeffLiebermann AE6KS 831-336-2558


Jeff Liebermann
      09-21-2006, 08:22 PM
On 21 Sep 2006 09:48:30 -0700, "robert evdo hsdpa kim"
<(E-Mail Removed)> wrote:

>If you drop the wpa security for about an hour... that's all the time
>you'd need to program the security code into all the computers...
>heck.. why not just change the key while you're at it..


Dropping encryption on a wireless LAN does not automagically give the
attacker access to all the computers on the network. If the network
uses fairly common LAN based security (Windoze authentication, windoze
domains, password protected shares, etc), then changing the keys on
individual machines will be difficult. Dropping WPA also doesn't give
the attacker access to the wireless router which would be necessary to
change the WPA key.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558 (E-Mail Removed)
# http://802.11junk.com (E-Mail Removed)
# http://www.LearnByDestroying.com AE6KS
Mark McIntyre
      09-21-2006, 09:39 PM
On Wed, 20 Sep 2006 15:38:29 -0700, in alt.internet.wireless, Jeff
Liebermann <(E-Mail Removed)> wrote:

>It's all too easy to bypass Windoze Local Security Policies. All it
>takes is an administrator password reset floppy or CD. Boot it.


You say that like it was a specific flaw in Windows. Let's bear in mind
that any OS can be cracked if you have access to the right tools.

Any security can be bypassed by someone with physical access and
enough unsupervised time on their hands. I suspect that rebooting a
school computer with a Linux cd might possibly be noticed, and an
audit policy would trap the password change anyway.
--
Mark McIntyre
Jeff Liebermann
      09-22-2006, 04:35 AM
Mark McIntyre <(E-Mail Removed)> hath wroth:

>On Wed, 20 Sep 2006 15:38:29 -0700, in alt.internet.wireless, Jeff
>Liebermann <(E-Mail Removed)> wrote:
>
>>It's all too easy to bypass Windoze Local Security Policies. All it
>>takes is an administrator password reset floppy or CD. Boot it.


>You say that like it was a specific flaw in Windows.


Yeah, you might say that. I had to deal with C2 security on SCO Unix
so I have a clue how such things should work. In my never humble
opinion, methinks Windoze is designed for user convenience first and
foremost. Everything, including security, comes after convenience. If
there weren't back doors and methods of bypassing Windoze security,
the users would claim that Microsoft is holding their data for ransom
immediately after they had forgotten their password. I would call it
an intentional flaw.

>Let's bear in mind
>that any OS can be cracked if you have access to the right tools.


The C2 level of SCO Unix could not. There was no concept of root,
administrator, supervisor, supreme user, or system god with C2. No
single password gave anyone access to the entire system. If you boot
from a floppy or CD, you get nothing. If you want to reinstall, you
get to wipe that part of the system.
| http://www.windowsitpro.com/Article/...2293.html?Ad=1
| http://www.microsoft.com/technet/arc.../security.mspx
| http://aplawrence.com/Blog/B970.html

>Any security can be bypassed by someone with physical access and
>enough unsupervised time on their hands.


Not any, but most that allow this can be bypassed.

>I suspect that rebooting a
>school computer with a Linux cd might possibly be noticed, and an
>audit policy would trap the password change anyway.


True. If the mythical skool IT department ran the skool computers as
some kind of hostile environment, logging would certainly be part of
the protection scheme. In reality, nobody likes to read log files and
some other means (IDS system?) will probably be used. I don't think a
Linux boot will show up anywhere as it's not necessary to get a DHCP
IP address or connect to the network in order to hack the registry. It
can be done stand alone. From personal experience, the only time I
set off IDS alarms is when I'm generating unusual network traffic.

--
Jeff Liebermann (E-Mail Removed)
150 Felker St #D http://www.LearnByDestroying.com
Santa Cruz CA 95060 http://802.11junk.com
Skype: JeffLiebermann AE6KS 831-336-2558
Mark McIntyre
      09-22-2006, 07:56 PM
On Thu, 21 Sep 2006 21:35:35 -0700, in alt.internet.wireless, Jeff
Liebermann <(E-Mail Removed)> wrote:

>Mark McIntyre <(E-Mail Removed)> hath wroth:
>
>>You say that like it was a specific flaw in Windows.

>
>Yeah, you might say that. I had to deal with C2 security on SCO Unix
>so I have a clue how such things should work.


Apparently not, if you think that SCO Unix is capable of it, and
Windows is not - wander over to the NTSC webpile sometime and find
out.

It's also worth verifying buzzwords before using them as ammo in
debates. C2 is pretty simple to meet.

>In my never humble
>opinion, methinks Windoze is designed for user convenience first and
>foremost.


Then your opinion in this matter is junk. I don't intend to enter into
a flame war with you tho, so I'll just threadplink the topic.

>>Let's bear in mind
>>that any OS can be cracked if you have access to the right tools.

>
>The C2 level of SCO Unix could not. There was no concept of root,
>administrator, supervisor, supreme user, or system god with C2.


I disagree that this contradicts my previous statement, even if it
were relevant (which it's not). If you have obtained a suitably
privileged login to the system, you've cracked it. It need not be able
to wipe the f/s or read all files (heck, it's trivial to configure the
Administrator account in Windows the same way as you suggest).

>Not any, but most that allow this can be bypassed.


Any that don't have some hardware support for encryption of the
operating system.

--
Mark McIntyre