Security of mobile campus WLAN

 

I wrote an unposted article on the hard disk a long time ago. Because it uses RADIUS Authentication, the concept of how to hack the campus WLAN to be released next time is conceptual.

========================================================== ========================================================== =

Preface

The WLAN (Wireless LAN) Service launched by mobile covers many colleges and universities. It has been launched in our school for more than a year. It is more mature than before, and more people are using it, I am also one of the users who can basically meet daily needs. In colleges and universities, users only need to activate the mobile WLAN service just like activating the normal mobile phone service, and then use terminal devices with wireless functions (such as laptops) for wireless Internet access.

However, its disadvantages are obvious, because the wireless point access method is used to access the Internet. Compared with the wired access method, stability has become a significant problem, the signal will remain unstable due to the region and the surrounding environment. In order to solve this problem as much as possible, mobile has multiple aps in the dormitory and teaching building corridor, so as to ensure its stability as much as possible. Generally, we can see the white iron box with two antennas "ears" on the wall in the corridor. It is the Wireless Access Point of the mobile WLAN. 1:

Figure 1

The wireless SSID for a mobile WLAN is "CMCC-EDU ". The authentication is open authentication. Any terminal device with a wireless network card can connect to it. After the connection, any Internet access will go to an authentication page, then, perform identity authentication on the page. You need to use the mobile phone number and the password you set when activating the mobile WLAN service. 2 is the certification page of our school:

Figure 2

 

Figure 3 shows the successful authentication page. Once the authentication is successful, you can access the Internet normally, but you cannot close this webpage.

Figure 3

 

Security Analysis

Because the architecture and configuration of each region are different, the following three security risks exist:

 

First, because the AP Uses Open Authentication and allows any device with a wireless network card to connect, an IP address is assigned by default after the connection is successful. Therefore, you can perform security detection on the gateway. If the route does not have a MAC address filter, you can directly access the WEB management interface of the route, and then launch a guess attack on the WEB management account of the router, for example, the default account used to try the route. If the MAC address is filtered out, you can obtain the MAC address of the Administrator's computer and bypass it. However, this probability is not very high.

 

2. After the connection is successful, you must pass the authentication on the webpage. Now that you can access the authentication webpage, you can perform security attacks on the server where you are located. For example, Tomcat is the service software used on the server where our website authentication is located. Because the RADIUS Authentication is used, even if the web server is used, it cannot access the Internet for free, because account authentication occurs on a remote server, but you can modify the WEB login interface to mount Trojans and phishing.

 

 

 

Third, the data submitted during verification is not encrypted. Once the AP is connected, you can sniff other hosts and find other submitted accounts and passwords. The method is feasible, depending on whether you are willing to wait. Is the local verification data I captured with Wireshark:

 

From: Fresh blog