Security Basics mailing list archives
Re: Wireless Security vs Performance
From: Archangel Amael <archangel.amael () gmail com>
Date: Tue, 14 Sep 2010 12:45:52 +0200
Cowpatty is not just for WPA2-PSK, "coWPAtty is designed to audit the pre-shared key (PSK) selection for WPA networks based on the TKIP protocol." - Joshua Wright. Versions of cowpatty 4.0 and above have the ability to take advantage of WPA2. (http://wirelessdefence.org/Contents/coWPAttyMain.htm)

Let us also not forget the newly released Hole 196 WPA2 Vulnerability, which affects all implementations of WPA and WPA2, regardless of authentication (PSK or 802.1x) or encryption (AES) used.
http://www.airtightnetworks.com/wpa2-hole196

There are also published side channel attacks against AES.
http://www.schneier.com/blog/archives/2005/05/aes_timing_atta_1.html

PEAP has also suffered from several vulnerabilities as well. MS09-071, CVE-2009-2505
http://www.codealias.info/technotes/security_vulnerabilities_in_tunneled_eap_methods

On Mon, Sep 13, 2010 at 11:38 AM, Paul Johnston <paul.johnston () pentest co uk> wrote:
> Hi,
>
> Just to clarify - cowpatty is only for WPA2-PSK. In enterprise mode, some of the EAPs (authentication schemes) are vulnerable to brute force, such as LEAP (http://www.willhackforsushi.com/Asleap.html), but others, such as PEAP, are not.
>
> Paul
>
> On 10/09/2010 20:57, Adam Mooz wrote:
>> Shailesh,
>>
>> WPA and WPA2 are both 100% vulnerable to brute force attacks, take a look at cowpatty. It's supposed to take a very long time. It's extremely possible to brute force WPA/2, google it.
>>
>> Adam Mooz
>
> --
> Pentest - When a tick in the box is not enough
> Paul Johnston - IT Security Consultant / Tiger SST
> Pentest Limited - ISO 9001 (cert 16055) / ISO 27001 (cert 558982)
> Office: +44 (0) 161 233 0100
> Mobile: +44 (0) 7817 219 072
> Email policy: http://www.pentest.co.uk/legal.shtml#emailpolicy
> Registered Number: 4217114 England & Wales
> Registered Office: 26a The Downs, Altrincham, Cheshire, WA14 2PU, UK

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------