
I’d like to monitor if clients attempt to connect to a Wi-Fi network using an incorrect WPA key. Are there any access points that log such attempts? Is this something that could be observed with a separate Wi-Fi card set to monitor mode?

Giacomo1968

4 Answers


Thanks for the explanation of the handshake. I wasn't really interested in capturing the incorrect password, just the fact that an attempt had been made. After researching this a bit more, it looks like it's possible through Wireshark: Tutorial: WPA Packet Capture Explained.

This is a quick and dirty explanation of two sample WPA capture files. The first file (wpa.full.cap) is a capture of a successful wireless client WPA connection to an access point. The second file (wpa.bad.key.cap) is a capture of a wireless client attempting to use the wrong passphrase to connect to the AP.

Giacomo1968

No, it’s not possible to log the actual password from the login attempt because of the four-way handshake which makes sure the password is never sent over the air. Here is the Wikipedia explanation of the four-way handshake that explains the concept:

The four-way handshake is designed so that the access point (or authenticator) and wireless client (or supplicant) can independently prove to each other that they know the PSK/PMK, without ever disclosing the key. Instead of disclosing the key, the access point & client each encrypt messages to each other—that can only be decrypted by using the PMK that they already share—and if decryption of the messages was successful, this proves knowledge of the PMK. The four-way handshake is critical for protection of the PMK from malicious access points—for example, an attacker's SSID impersonating a real access point—so that the client never has to tell the access point its PMK.

Giacomo1968
Sara

Okay so I see that someone referenced you to Wireshark, which is a good starting point, and I didn't read the article so I don't know how in depth it goes (AND I realize this article is 7 years old) but I wanted to chime in on a few things just to help anyone in the future with this. Just some main key points that may save some time and/or energy and may help.

  1. Router log: most routers have a logging system, although not all log connection attempts and even if they do, sometimes these logs are hard to access.
  2. Monitor mode: A wifi chip has different modes it can go in. For example, a hot spot on a phone changes the mode from "Client" to "Access Point" to accommodate the incoming connections. There are several other modes, but to keep things pointed, one of them is called monitor mode. The basic difference is in Client mode the wifi chip hears, but ignores, any traffic not directed to it. In monitor mode it receives and processes all of it (although it won't do anything different unless you are running Wireshark or something).
  3. Wireshark: Wireshark logs "packets" from many different types of protocols. Technically, with some cheap equipment, you can log cellular GSM packets with Wireshark. In order to log 802.11 (wifi) packets with it, you must be in monitor/promiscuous mode (I forget the difference between the two but for all intents and purposes of this explanation, they are used synonymously). If you don't put the wifi chip in monitor mode, one of two things will happen. Either you will only see wifi packets to and from your device, or you will only see the TCP/IP activity on unencrypted traffic (i.e. a wifi AP that does not have a password).
  4. Windows with Monitor Mode: over the past 10 years or so I have messed with trying to get Windows to put a wifi chip in monitor mode, and I only found one program to do it. I forget the name of this program, and it wasn't exactly easy to find originally, but if you are using Windows, you cannot use Wireshark for this purpose. The other program is the ONLY way (insofar as I know) to put a wifi chip in monitor mode in Windows. (It may have been called SolarWinds.)
  5. Linux: On the other hand, Linux is pretty good with monitor mode. Plus, there are a few different programs you can use, and, if you are interested in this sort of thing, there is a specific Linux distribution that is for "pentesting" or penetration testing (testing the security of networks), for both 802.11 and TCP/IP (and Bluetooth and many others). It is called "Kali Linux". With Kali, you can use "airmon-ng" (part of the aircrack-ng package) to put your card in monitor mode and then either Wireshark, or airodump-ng, or Kismet to view the traffic.
  6. 4-way Handshake: This is for WPx encryption (there is also WEP but this encryption mechanism was broken from the start, and now, with Kali Linux and a laptop (or even with a watch from Wish), I can get into most WEP networks within 5 minutes (as long as I am close enough)). Basically, with WPx encryption there is a 4-way handshake that, sparing the technical details, creates a hash of the password and is only done when a device connects to the network, then, the hash is used in the encryption (I think) so that a device with monitor mode cannot simply steal the hash and masquerade as the device it stole the hash from. I forget exactly how WEP works but there are several hacks to get the password (although there have been times I hacked a wifi access point, with permission of course, and the password I got from it was not actually the password set, but worked to connect).
  7. MAC Address: So when you are looking at 802.11x traffic in Wireshark, nothing will have IP addresses because those do not get assigned until after the device successfully connects. To identify devices during this process, a unique identifier called a "MAC Address" is used. On some devices, the MAC address can be changed (I think newer iPhones do this randomly by default), and therefore, is not a 100% great way to identify devices (although to my knowledge, there is no other unique number that can be used), so even though the accuracy (my guess is that about 10% of devices randomize their MAC addresses) is not 100%, you get what you get. This ID is how you will identify devices that are using an incorrect password (I think the password exchange will be listed as EAPOL or something like that in Wireshark). Another note about MAC addresses:

00:00:00:11:11:11

That's an example of a MAC address. MAC addresses use 16-bit (hexadecimal) numbering (0-f) and the first three sets of numbers (0's in my example) are the manufacturer's ID code. You can search "MAC ADDRESS LOOKUP" in a search engine to enter a MAC and find the manufacturer, BUT, in my experience, only about 50% of devices (maybe a bit more) have a MAC that resolves to a manufacturer, AND, the manufacturer listed won't be the device manufacturer, but rather, will be the manufacturer of the wifi chip (in this way you may have a Roku TV, for example, coming up as "Samsung").

Anyway I just wanted to chime in with the research I have found over the years and share with anyone learning this sort of thing, and I hope I saved you a bit of research time.

Side note: Technically, with a Man-In-The-Middle attack (MITM) you could log the incorrect passwords, because you would have the missing part of the 4-way handshake.

Mark D
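The first answer's two captures (a successful handshake vs. wpa.bad.key.cap) and Mark D's point 7 both come down to reading the EAPOL-Key frames per client MAC. The following is an added example, not code from any of the answers: it tells a completed four-way handshake from one the AP keeps restarting (message 1 re-sent after every message 2, message 3 never seen), which is what a wrong passphrase looks like on the air. The frame bytes and MAC addresses are constructed, and it assumes the station sending message 1 is the AP.

```python
from collections import defaultdict

# EAPOL-Key "Key Information" flag bits that distinguish the four messages
KEY_ACK, KEY_MIC, SECURE = 1 << 7, 1 << 8, 1 << 9


def eapol_key_info(eapol: bytes) -> int:
    """Key Information field of an EAPOL-Key frame body
    (EAPOL version, type, length; then descriptor type, key info)."""
    if len(eapol) < 7 or eapol[1] != 3:      # EAPOL type 3 = EAPOL-Key
        raise ValueError("not an EAPOL-Key frame")
    return int.from_bytes(eapol[5:7], "big")


def handshake_message(key_info: int) -> int:
    """Map Key Information flags to handshake message number 1..4."""
    ack, mic, secure = key_info & KEY_ACK, key_info & KEY_MIC, key_info & SECURE
    if ack:
        return 3 if mic else 1            # AP -> client
    return 4 if secure else 2             # client -> AP


def classify_attempts(frames):
    """frames: (src_mac, dst_mac, eapol_bytes) tuples in capture order.
    A wrong passphrase shows as repeated M1 after each M2 (the client's
    MIC fails to verify) and no M3; a lost M2 looks the same, so 'suspected'."""
    seen = defaultdict(list)
    for src, dst, eapol in frames:
        msg = handshake_message(eapol_key_info(eapol))
        client = dst if msg in (1, 3) else src   # M1/M3 go to the client
        seen[client].append(msg)
    verdict = {}
    for client, msgs in seen.items():
        if 3 in msgs and 4 in msgs:
            verdict[client] = "success"
        elif msgs.count(1) >= 2 and 2 in msgs and 3 not in msgs:
            verdict[client] = "wrong passphrase (suspected)"
        else:
            verdict[client] = "incomplete"
    return verdict


def eapol_key(key_info: int) -> bytes:
    """Constructed minimal EAPOL-Key frame: version 2, type 3, length 3, RSN descriptor 2."""
    return bytes([2, 3, 0, 3, 2]) + key_info.to_bytes(2, "big")


# Constructed sample capture (made-up MACs): one good client, one using a bad key
AP, GOOD, BAD = "00:11:22:33:44:55", "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
M1, M2, M3, M4 = eapol_key(0x008A), eapol_key(0x010A), eapol_key(0x13CA), eapol_key(0x030A)
SAMPLE_FRAMES = [(AP, GOOD, M1), (GOOD, AP, M2), (AP, GOOD, M3), (GOOD, AP, M4)] + \
                [(AP, BAD, M1), (BAD, AP, M2)] * 3


def report():
    return classify_attempts(SAMPLE_FRAMES)
```

With a real capture, feed the EAPOL bodies and 802.11 addresses of the frames Wireshark shows under the `eapol` filter into `classify_attempts` in the same order.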

Maybe an IPS or IDS can do this. Palo Alto might have a packet capture appliance for this. But failed login attempts are usually only logged on the device where the authentication happens, so you need to collect those logs (for example application server or identity system).

Ace