Dailydave mailing list archives
Re: WPA attack improved to 1min, MITM
From: Mike Kershaw <dragorn () kismetwireless net>
Date: Thu, 27 Aug 2009 16:35:28 -0400
On Thu, Aug 27, 2009 at 01:05:48PM -0700, George Ou wrote:
Not sure why we're spending time on this attack, when Moxie's SSL attack and Joshua Wright's FreeRadius-WPE would pretty much completely break you into most corporate wireless networks even if they were running WPA-AES. This would be even better than injecting a few arbitrary packets because you'd actually obtain user credentials.
Possibly - it's strongly dependent on how the supplicant validates the certs. *IF* the supplicant uses the CN exclusively, then it's at risk, but this also assumes that they use a global CA chain to start their radius certs (instead of doing an internal CA for their private network). If the supplicant is configured to trust the parent CA of your marlinspike'd cert, then sure - definitely time to be afraid - but this is an insecure setup anyhow, as mentioned in Josh's presentation (some versions of WZC validate the signing authority only, regardless of CN).

The moxie stuff is a big vuln in badly set up networks, but not necessarily any bigger of a vuln than the badly set up network was already. If you used a public CA and your users use a supplicant which doesn't check CN, you're just as owned. If I can spike a cert that matches your private CN, you're also... badly owned, without any of these games.

It's much more interesting to combine the marlinspike stuff with, say, airpwn or dns hijacking on open networks down the road from your target.

-m

--
Mike Kershaw/Dragorn <dragorn () kismetwireless net>
GPG Fingerprint: 3546 89DF 3C9D ED80 3381 A661 D7B2 8822 738B BDB1

Life is just Nature's way of keeping meat fresh -- The Doctor
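The two supplicant setups the reply contrasts (trusting a public CA bundle with no server-name check, versus pinning an internal CA and matching the RADIUS server identity) can be shown side by side as wpa_supplicant network blocks. This is an added example, not part of the thread or of any project mentioned in it; the SSID, identity, server name and file paths are assumed placeholders, and `domain_suffix_match` is a wpa_supplicant option that post-dates this 2009 discussion.

```conf
# Weak: any certificate issued by any CA in the public bundle, for any
# name, satisfies this supplicant. A rogue RADIUS server with a
# publicly issued certificate is accepted. (Assumed placeholder values.)
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    password="REPLACE_ME"
    ca_cert="/etc/ssl/certs/ca-certificates.crt"
    phase2="auth=MSCHAPV2"
}

# Hardened: trust only the internal CA that issues the corporate RADIUS
# certificate, and require the server identity to match the expected
# name, so a certificate from any other issuer or for any other name
# fails the TLS handshake before credentials are sent.
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="alice@example.com"
    password="REPLACE_ME"
    ca_cert="/etc/wpa_supplicant/corp-radius-ca.pem"
    domain_suffix_match="radius.example.com"
    phase2="auth=MSCHAPV2"
}
```

`altsubject_match="DNS:radius.example.com"` is the equivalent check against the subjectAltName rather than the CN suffix, for deployments whose RADIUS certificates carry SANs.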
_______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave