Re: Sniffing on WPA

["Andy Meyers" <andy.meyers () hushmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

i dont understand. if you dont have to break the encrypted channel,
whats the point of sniffing packets if they are encrypted?

Andy

- ------------
from now on, everyday is September 10th in America... - Dan Verton



On Sat, 05 Nov 2005 10:47:08 -0800 Eduardo Espina
<eduardomx () gmail com> wrote:
> Hi,
>
> I don't know if this has been already discussed here (but i don't
> recall it).
> I was doing a pen-test on a wireless network with WPA (TKIP) i
> found that ARP
> Cache Poisoning works as well as on ethernet networks.
>
> In consecuence i can do MITM for HTTP, sniffing on all wireless
> clients, and
> all attacks you can imagine that works on ethernet networks.
>
> Unless you're infrastructure provides a way of isolate every
> wireless client
> on your network they could be in risk. (in some architectures
> isolation may
> not be desirable because of resources sharing, windows domains,
> etc.)
>
> In the case you can't isolate clients you should let the users
> know that WPA
> can't assure confidentiality as most people think. You don't need
> to break the
> encrypted channel, just sit there and fool every client with ARP
> cache poisoning
> and sniff'em all.
>
> We all know that WPA is good (better than WEP, at least), and this
> kind of
> attack is limited to local users, but it's a cool way to show
> people that no
> system is 100%, not even the WPA. Of course you need a valid
> account on the
> network, but, is that a problem?
>
> Tested on a variety of Linksys APs and 2wire.
>
> Greets,
> Eduardo.
>
> --
> Eduardo Espina Garcia <eespina () seguridad unam mx>
> Departamento de Seguridad en Computo - UNAM-CERT DGSCA, UNAM
> http://www.seguridad.unam.mx  Tel.: 5622-8169  Fax: 5622-8043
> GPG Key Fingerprint: "8E86 932F C364 03BE 39B8  3F9D D27E 438A
> 3C6A 750F"
> "No matter how hard you try to keep your secret, it's a universal
> law that sooner or later it will be discovered."
>
>
>
>
> -------------------------------------------------------------------
> -----------
> Audit your website security with Acunetix Web Vulnerability
> Scanner:
>
> Hackers are concentrating their efforts on attacking applications
> on your
> website. Up to 75% of cyber attacks are launched on shopping
> carts, forms,
> login pages, dynamic content etc. Firewalls, SSL and locked-down
> servers are
> futile against web application hacking. Check your website for
> vulnerabilities
> to SQL injection, Cross site scripting and other web attacks
> before hackers do!
> Download Trial at:
>
> http://www.securityfocus.com/sponsor/pen-test_050831
> -------------------------------------------------------------------
> ------------
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Version: Hush 2.4

wkYEARECAAYFAkNtfeYACgkQnZu7yPmLRpCOZACfWfB+EHPzfR/IpLNZiS/gano7iM8A
niq39f6dLg+TpyPOar/WO/KXN7fN
=S7K3
-----END PGP SIGNATURE-----



------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------