Dailydave mailing list archives
Re: WPA attack improved to 1min, MITM
From: Mike Kershaw <dragorn () kismetwireless net>
Date: Thu, 27 Aug 2009 12:28:04 -0400
On Thu, Aug 27, 2009 at 10:21:00AM +0200, Cedric Blancher wrote:
> On Wednesday 26 August 2009 at 16:49 -0700, Joshua Wright wrote:
> > Simplified, this attack can break WPA in 1 minute if it was already broken by the Beck/Tews technique (Hat tip: Beck, Tews).
>
> Or their own "improvement", based on a MITM that is definitely not that trivial to implement. And actually not that useful compared to DoSing the communication channel with a directional antenna.
I think MITM is actually quite trivial in this case (let's disregard the other components).

If you assume MITM on the same channel, then you get all sorts of problems - you can maybe isolate an edge user on a large multi-AP network by replicating a far-away AP with a very strong signal to override local APs that the user would use, but it might still be tricky.

However, beacon frames are still unprotected. As long as the BSSID and WPA IE fields are the same, there's no reason you can't rewrite them to advertise a different channel (or even a different band, jump from 2.4 up to 5). With a dual-radio repeater it should be trivial. If rewriting the packet makes you nervous, filter beacons entirely and generate your own with the same BSSID and WPA info. Combine with some disassoc/deauth packets on the original AP channel and you should be able to shuffle all the users over to your repeater without much fuss, and have them far enough away from the original that overlapping packet delivery is a non-issue.

So at the least, it would seem like they've removed QoS as a restriction, so long as they can successfully maintain the repeater (and so long as the client doesn't wander away when it stops getting data packets for 10 minutes, of course).

-m

--
Mike Kershaw/Dragorn <dragorn () kismetwireless net>
GPG Fingerprint: 3546 89DF 3C9D ED80 3381 A661 D7B2 8822 738B BDB1
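From the monitoring side, the beacon-rewriting scenario above leaves a simple trace: one BSSID, with the same SSID and RSN/WPA IE, advertising more than one DS channel. The following is an added detection example, not code from the thread or from Kismet; it parses raw 802.11 beacon frames and flags that condition, with the frames, BSSIDs and RSN IE constructed inline for the demo.

```python
import struct
from collections import defaultdict

# Constructed WPA2-CCMP/PSK RSN IE body (version 1, group CCMP, pairwise CCMP, AKM PSK)
RSN_CCMP = bytes.fromhex("0100000fac040100000fac040100000fac020000")

def build_beacon(bssid, ssid, channel, rsn=RSN_CCMP):
    """Construct a minimal beacon: 24-byte MAC header (addr1 broadcast,
    addr2/addr3 = BSSID), 12 bytes of fixed fields, then tagged IEs."""
    hdr = b"\x80\x00\x00\x00" + b"\xff" * 6 + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)      # timestamp, interval, capab
    ies = (bytes([0, len(ssid)]) + ssid               # SSID (tag 0)
           + bytes([3, 1, channel])                   # DS Parameter Set (tag 3)
           + bytes([48, len(rsn)]) + rsn)             # RSN IE (tag 48)
    return hdr + fixed + ies

def parse_ies(body):
    """Walk the tag/length/value information elements into a dict."""
    ies, i = {}, 0
    while i + 2 <= len(body):
        tag, ln = body[i], body[i + 1]
        ies[tag] = body[i + 2:i + 2 + ln]
        i += 2 + ln
    return ies

def parse_beacon(frame):
    """Return (bssid, ssid, advertised channel, rsn ie) from a raw beacon."""
    ies = parse_ies(frame[36:])                       # IEs follow header + fixed fields
    chan = ies[3][0] if ies.get(3) else None
    return frame[16:22], ies.get(0, b""), chan, ies.get(48, b"")

def find_channel_conflicts(frames):
    """Group beacons by (BSSID, SSID, RSN IE). The same network identity
    advertising several channels is what a cloned, channel-rewritten beacon
    looks like to a passive monitor; a genuinely reconfigured AP would also
    trip this, so treat hits as something to correlate with deauth bursts."""
    channels = defaultdict(set)
    for f in frames:
        bssid, ssid, chan, rsn = parse_beacon(f)
        channels[(bssid.hex(":"), ssid, rsn)].add(chan)
    return {k[0]: sorted(v) for k, v in channels.items() if len(v) > 1}

if __name__ == "__main__":
    ap = bytes.fromhex("001122334455")               # constructed BSSID
    frames = [build_beacon(ap, b"corp", 6),
              build_beacon(ap, b"corp", 6),
              build_beacon(ap, b"corp", 36),          # cloned beacon, channel rewritten
              build_beacon(bytes.fromhex("66778899aabb"), b"guest", 1)]
    print(find_channel_conflicts(frames))             # → {'00:11:22:33:44:55': [6, 36]}
```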
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave