Re: Authenticated users can sniff WPA traffic?

[coderman <coderman () gmail com>]

On 12/31/06, /dev/null <exceed () email si> wrote:
> ...
> recently I came across this link:
> http://seclists.org/pen-test/2005/Nov/0073.html
>
> Basicaly, it states that authenticated users, in combination with ARP
> poisoning, can sniff WPA traffic. Can anybody confirm this is possible? If
> that's true, is there any way to prevent this?

of course it's true.  don't let ARP poisoning occur on your network.
most good wifi security tools / systems will check for this among the
other usual masquerading (rogue AP's, injection with invalid
timestamps, etc).

note that a mandatory part of this attack is having auth credentials
for WPA-PSK or WPA-Enterprise (EAP/TLS,etc) so you can talk on the
network to mount this ARP poisoning attack.


> I would really appreciate any info/link/paper regarding topic.

any good IP routing text would be useful, particularly the interplay
between ethernet (and other L2 protocols) and IP via ARP/RARP.

as one last side note, if you've got the WPA-PSK secret via dictionary
attack you can combine this with disassociate injection to force all
clients to re-authenticate while you are listening so you can recover
the client keys (TKIP or CCMP) used for communication and get better
results since you no longer need the ARP hack which will be slower and
more brittle (you must remain in the loop) comparatively.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/