Dailydave mailing list archives

Re: WPA attack improved to 1min, MITM


From: Mike Kershaw <dragorn () kismetwireless net>
Date: Thu, 27 Aug 2009 12:28:04 -0400

On Thu, Aug 27, 2009 at 10:21:00AM +0200, Cedric Blancher wrote:
On Wednesday, 26 August 2009 at 16:49 -0700, Joshua Wright wrote:
Simplified, this attack can break WPA in 1 minute if it was already
broken by the Beck/Tews technique (Hat tip: Beck, Tews).

Or their own "improvement", based on a MITM that is definitely not that
trivial to implement. And actually not that useful compared to DoSing
communication channel with a directional antenna.

I think MITM is actually quite trivial in this case (let's disregard the
other components).

If you assume MITM on the same channel, then you get all sorts of
problems - you can maybe isolate an edge user on a large multi-AP
network by replicating a far-away AP with a very strong signal to
override local APs that the user would use, but it might still be
tricky.

However, beacon frames are still unprotected.  As long as the BSSID and
WPA IE fields are the same, there's no reason you can't rewrite them to
advertise a different channel (or even a different band, jump from 2.4
up to 5).  With a dual-radio repeater it should be trivial.  If
rewriting the packet makes you nervous, filter beacons entirely and
generate your own with the same BSSID and WPA info.

Combine with some disassoc/deauth packets on the original AP channel and
you should be able to shuffle all the users over to your repeater
without much fuss, and have them far enough away from the original that
overlapping packet delivery is a non-issue.

So at the least, it would seem like they've removed QoS as a
restriction, so long as they can successfully maintain the repeater (and
so long as the client doesn't wander away when it stops getting data
packets for 10 minutes, of course).

-m

-- 
Mike Kershaw/Dragorn <dragorn () kismetwireless net>
GPG Fingerprint: 3546 89DF 3C9D ED80 3381  A661 D7B2 8822 738B BDB1

TRANSLATE(:SITE,'pLA','Place','.')
returns the value 'pivAviskA LAk. pLA..'.
     -- IBM Db2 Server SQL Reference SC09-2404-00 pp. 138
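The rewritten-beacon scenario above is exactly what a wireless IDS watches for: a BSSID that legitimately lives on one channel being heard on another channel (or another band) with the same security IE. The following is an added Python example, not code from this post or from Kismet; the beacon observations, BSSID values and RSN IE bytes are constructed.

```python
from collections import defaultdict
from typing import Dict, Iterable, NamedTuple, Optional

class Beacon(NamedTuple):
    bssid: str
    ssid: str
    channel: int
    rsn_ie: bytes  # RSN/WPA information element body as captured

def band(channel: int) -> str:
    # 802.11 channels 1-14 are 2.4 GHz; 36 and above are 5 GHz
    return "2.4GHz" if channel <= 14 else "5GHz"

def find_bssid_conflicts(beacons: Iterable[Beacon],
                         provisioned: Optional[Dict[str, int]] = None) -> Dict[str, dict]:
    """Group beacons by BSSID and report any BSSID advertised on more than one channel.

    A real AP beacons on exactly one channel, so the same BSSID on two channels (or
    two bands) means a second radio is re-advertising it.  `provisioned` maps a
    BSSID to the channel it is configured on, so a single stray beacon is flagged too.
    """
    seen: Dict[str, Dict[int, Beacon]] = defaultdict(dict)
    for b in beacons:
        seen[b.bssid][b.channel] = b
    findings = {}
    for bssid, by_chan in seen.items():
        channels = set(by_chan)
        if provisioned and bssid in provisioned:
            channels.add(provisioned[bssid])
        if len(channels) < 2:
            continue
        ies = {b.rsn_ie for b in by_chan.values()}
        findings[bssid] = {
            "channels": sorted(channels),
            "bands": sorted({band(c) for c in channels}),
            # an identical security IE is what lets clients follow the copy silently;
            # a differing IE would instead break their association
            "rsn_ie_identical": len(ies) == 1,
        }
    return findings

# Constructed observations (not a real capture): the "corp" AP is provisioned on
# channel 6; the same BSSID is also heard on channel 40 with a byte-identical RSN IE.
RSN_CCMP = bytes.fromhex("0100000fac040100000fac040100000fac020000")  # constructed CCMP/PSK IE
SAMPLE_BEACONS = [
    Beacon("00:11:22:33:44:55", "corp", 6, RSN_CCMP),
    Beacon("00:11:22:33:44:55", "corp", 40, RSN_CCMP),   # same BSSID, 5 GHz band
    Beacon("66:77:88:99:aa:bb", "guest", 11, RSN_CCMP),  # unrelated AP, single channel
]

if __name__ == "__main__":
    for bssid, info in find_bssid_conflicts(SAMPLE_BEACONS, {"00:11:22:33:44:55": 6}).items():
        print(f"{bssid}: channels {info['channels']} ({', '.join(info['bands'])}), "
              f"identical RSN IE: {info['rsn_ie_identical']}")
```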


_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
