Indirect signs of PSK being changed
#3
No, I'm talking about unrevealed PSKs, some long-runners that might be out of date by the time Charlie finally reveals 'em. Same ESSIDs.

(04-04-2020, 08:18 AM)ZerBea Wrote: We must assume, that if the PSK changed by admin, authorized users will change their PSK, too.

I understand that. Still a legit technique tho in case you are able to capture air on a 24/7 basis (or close enough). As soon as Charlie sees a series of M12' from one or several known stations followed by a full M1-4, it's quite safe to say that Charlie should cut his losses, mark resources spent on the old PSK as wasted, capture a new EAPOL and start over (I assume he needs access and does not need the ability to decrypt old traffic).

It's been proven to work but has obvious flaws, so I'm fishing for new signs to raise red flags in my home-brew notification system. I mentioned the side-channel approach since I do believe there is nothing to score within the handshake per se (which I also might be wrong about). I dunno... some known implementation flaws, proprietary extensions, other behavioral patterns, anything even remotely related that could be recorded and utilized to raise a warning.

Messages In This Thread
RE: Indirect signs of PSK being changed - by fromdusktillpwn - 04-04-2020, 06:01 PM