Penetration Testing mailing list archives
Re: Sniffing on WPA
From: "Andy Meyers" <andy.meyers () hushmail com>
Date: Sat, 5 Nov 2005 19:52:01 -0800
I don't understand. If you don't have to break the encrypted channel, what's the point of sniffing packets if they are encrypted?

Andy

------------
from now on, everyday is September 10th in America...
- Dan Verton

On Sat, 05 Nov 2005 10:47:08 -0800 Eduardo Espina <eduardomx () gmail com> wrote:
> Hi,
>
> I don't know if this has been already discussed here (but I don't recall it). I was doing a pen-test on a wireless network with WPA (TKIP) and I found that ARP Cache Poisoning works as well as on ethernet networks. In consequence I can do MITM for HTTP, sniffing on all wireless clients, and all attacks you can imagine that work on ethernet networks.
>
> Unless your infrastructure provides a way of isolating every wireless client on your network they could be at risk. (In some architectures isolation may not be desirable because of resources sharing, windows domains, etc.) In the case you can't isolate clients you should let the users know that WPA can't assure confidentiality as most people think.
>
> You don't need to break the encrypted channel, just sit there and fool every client with ARP cache poisoning and sniff'em all.
>
> We all know that WPA is good (better than WEP, at least), and this kind of attack is limited to local users, but it's a cool way to show people that no system is 100%, not even the WPA. Of course you need a valid account on the network, but, is that a problem?
>
> Tested on a variety of Linksys APs and 2wire.
>
> Greets,
> Eduardo.
>
> --
> Eduardo Espina Garcia <eespina () seguridad unam mx>
> Departamento de Seguridad en Computo - UNAM-CERT
> DGSCA, UNAM http://www.seguridad.unam.mx
> Tel.: 5622-8169 Fax: 5622-8043
> GPG Key Fingerprint: "8E86 932F C364 03BE 39B8 3F9D D27E 438A 3C6A 750F"
> "No matter how hard you try to keep your secret, it's a universal law that sooner or later it will be discovered."
>
> ------------------------------------------------------------------------------
> Audit your website security with Acunetix Web Vulnerability Scanner:
> Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do!
> Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831
> ------------------------------------------------------------------------------
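A detection-side sketch for the ARP cache poisoning discussed in this thread, added here as an example and not part of either post: it tracks IP-to-MAC bindings seen in ARP replies on the shared wireless segment and flags rebinding and a single MAC claiming several IPs. The function name, addresses and sample observations are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: (seconds, sender IP, sender MAC) from ARP replies
# observed on the wireless segment. All addresses are made up.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1", "00:11:22:aa:bb:01"),    # gateway
    (1.0, "192.168.1.20", "00:11:22:aa:bb:20"),   # client A
    (2.0, "192.168.1.30", "00:11:22:aa:bb:30"),   # client B
    (9.0, "192.168.1.1", "00:11:22:aa:bb:30"),    # B's MAC claims the gateway IP
    (9.5, "192.168.1.20", "00:11:22:aa:bb:30"),   # ... and client A's IP
    (12.0, "192.168.1.1", "00:11:22:aa:bb:01"),   # real gateway answers again
]


def detect_arp_poisoning(replies, gateway_ip=None):
    """Return (alerts, suspects) for a sequence of observed ARP replies.

    alerts   : (time, kind, ip, old_mac, new_mac) each time an IP changes MAC
    suspects : {mac: sorted IPs} for every MAC that claimed more than one IP
    """
    ip_to_mac = {}                  # most recent binding seen per IP
    mac_to_ips = defaultdict(set)   # every IP each MAC has claimed
    alerts = []
    for ts, ip, mac in replies:
        mac = mac.lower()
        previous = ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            # A DHCP lease change also rebinds an IP; a rebinding of the
            # gateway, or bindings that flip back and forth, deserve a look.
            kind = "gateway-rebind" if ip == gateway_ip else "rebind"
            alerts.append((ts, kind, ip, previous, mac))
        ip_to_mac[ip] = mac
        mac_to_ips[mac].add(ip)
    # Assumption: hosts on this segment normally own one IP each, so a MAC
    # answering for several IPs is treated as suspicious.
    suspects = {m: sorted(ips) for m, ips in mac_to_ips.items() if len(ips) > 1}
    return alerts, suspects


if __name__ == "__main__":
    found, macs = detect_arp_poisoning(SAMPLE_ARP_REPLIES, gateway_ip="192.168.1.1")
    for alert in found:
        print("ALERT", alert)
    for mac, ips in macs.items():
        print("SUSPECT", mac, "claims", ", ".join(ips))
```

Where client isolation is not an option, as the quoted message notes, this kind of monitoring on the segment is one way to see that the bindings are being tampered with.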