View the failed wireless login password

Was wondering if can log the packet for a failed wifi login attempt and view the password they tried to use...

might make me realise it was that device of mine I forgot to password change, or positive id of a hack attempt and the different passwords they are trying....

and, can I log all packets for a mac address, how?

The authentication process doesn't reveal the password, only whether or not both sides have the same password.

You can set up a monitor mode interface and use kismet, airodump-ng, etc to log packets and filter them.

So is the password hash not available either? Where is that comparison done? device hardware?

So is mac address not available to iptables/whatever, been stripped out at layer N of the stack?

Thanks for reminding me of those wifi tools, probably safer to just set them up on another device and just sniff all packets via wireshark or similar rather than install on openwrt if it's being used as a critical device.

You could try the hostap source code, but what you're asking for is unlikely to be a "standard feature" for a large number of reasons.

Authentication is handled by the kernel packet driver and hostapd. Failed attempts will not make it out of those two processes. A monitor mode interface on the same radio will mirror every packet sent or received by that radio though.

The most common method of hacking WPA2-PSK is offline, testing dictionary passwords against a captured handshake of a legitimate user.

Doesn't "hostapd" log the MAC address from the devices that fail to authenticate?

Thanks! looks like need lot of time to get into detail of the source code when probably it makes sense to obfuscate the password of a failed wifi login attempt made, from the point of it maybe being a legit. mistake and they used the password of their network having clicked on the wrong AP to join.

I was looking for a quick recipe to view details, I see openwrt does log mac details to the system log for failed attempt, good enough, not much you can do about it anyway that is not an attack other than maintain reasonable security precautions.

I'm seeing a regular failed wifi attempt from a fixed mac address in non openwrt router logs, which does not have a regular frequency so seems to me probability of it being an attempt to login deliberately using dictionary or previous cracked password. (or perhaps one of my devices)

Guess the obvious thing to do is try to automate blocking the mac address after N failed attempts, sort of a wifi version of fail2ban or whatever, and keeping a long-term log of mac addresses failed to log in. (dont want to lock yourself out LOL) Also knowledge of what mac addresses your devices are.

Long term log of all unique mac addresses that have logged in or failed to log in on wifi and the last access time would be a very useful thing though... anyone got a recipe for that?

Android devices are configured to test nearby access points for open networks, you will likely see many failed attempts for anybody passing near your home.

1 Like

A Long term log of all unique mac addresses that have logged in or failed to log in on wifi and the last access time would be a very useful thing though... anyone got a recipe for that?

Ah! Of course do it the same way as fail2ban, check the syslog and extract the info to a file using python or whatever in a daemon or crontab script.

Any phone which has used a network anywhere with the same SSID as yours will attempt to log on to yours when brought into range, and then fail because (hopefully) the password is not the same. That is completely innocent. It would also happen from your own device if you changed the AP password keeping the same SSID and did not update the device to the new password.

To avoid this, add some random characters to the SSID so that it is more certainly unique. This also prevents "rainbow table" attacks based on pre-computed hashes of dictionary passwords with common SSIDs.

Looking up the OUI, the first three bytes of the MAC, is sometimes useful to determine the manufacturer of the device.

2 Likes

OK, Thanks that was interesting....

http://www.adminsub.net/mac-address-finder/

I already had set a new random-ish address for ssid on last password change in light of reading about the rainbow table thing.

mac id sounds not like normal mobile phone chip vendor,
00:0f:55 Datawire Communication Networks Inc.

but quite trivial to spoof a mac address isn't it?

Yes, trivial to use a MAC address of your own choosing, if you're trying to "hide" yourself.

Datawire Communications Network appears to be a vendor for credit-card transaction services. It may be as innocuous as someone having one of their payment-processing terminals somewhere nearby.

I don't "buy into" MAC filtering or hiding SSIDs as worth the effort, as someone with ill intent can easily get the information they need in a couple minutes of listening. I do, however, believe in strong passwords / pass phrases and in isolating guest networks, IoT devices, and the like with VLANs and strict firewall rules.

sure I read somewhere hiding your ssid makes it worse in adding extra stage to negotiation or something....

I know anyone with any good tools can soon see all hidden ssids anyway.

but there are reasons you might want to choose a "random" mac address for legitimate reasons.

and sounds possible local place has a payment terminal in range, maybe even petrol station few hundred metres down the road either way.

Yes you are right, best you can do is be vigilant eh! Trade off between convenience and security!

Yes, many mobile devices now randomize their wireless MAC address for privacy reasons, especially when sending out the "any APs in range, please let me know" broadcasts. Older devices could be tracked by MAC address from these "innocuous" broadcasts.

Turns out it was one of my devices all along, some cheap no name wifi dongle.