Penetration Testing mailing list archives
Sniffing on WPA
From: Eduardo Espina <eduardomx () gmail com>
Date: Sun, 6 Nov 2005 14:01:44 -0600
I'm not pointing out that it is a WPA flaw; I agree with you. But there is a popular belief that clients using WPA can't be sniffed at all.

WEP was criticized as being weak in confidentiality: you get the key and you can sniff all the clients within range. With this problem in mind (among others), WPA uses a unique key for every user, so no one can sniff another client within range. Well, with ARP cache poisoning you simply avoid this security feature.

And this problem is worse in WPA-PSK: we know of dictionary-based attacks; if the attacker successfully cracks the passphrase, it doesn't just get an IP on the network but access to all the network traffic, just like WEP. (I'm not talking about statistical attacks, replay attacks, etc.; WPA does well in that arena.)

The point is, it would be ALMOST the same thing to have a universal key for all the wireless clients (like in WEP) as the per-user key used in WPA when it comes to confidentiality. Obviously, as long as you can do ARP cache poisoning.

Greets,
Eduardo.

--
Eduardo Espina Garcia <eespina () seguridad unam mx>
Departamento de Seguridad en Computo - UNAM-CERT
DGSCA, UNAM
http://www.seguridad.unam.mx
Tel.: 5622-8169 Fax: 5622-8043
GPG Key Fingerprint: "8E86 932F C364 03BE 39B8 3F9D D27E 438A 3C6A 750F"
"No matter how hard you try to keep your secret, it's a universal law that sooner or later it will be discovered."

On 11/6/05, Cedric Blancher <blancher () cartel-securite fr> wrote:
> On Saturday 05 November 2005 at 12:47 -0600, Eduardo Espina wrote:
> > In consequence I can do MITM for HTTP, sniffing on all wireless clients, and
> > all attacks you can imagine that work on ethernet networks.
>
> So you've been granted access to the WPA network, right? So why state that WPA has anything to do with it? You can do exactly the same thing on any kind of ethernet-like network, should it be wired (copper, fibre) or wireless (WEP, WPA, WPA2).
>
> > We all know that WPA is good (better than WEP, at least), and this kind of
> > attack is limited to local users, but it's a cool way to show people that no
> > system is 100%, not even WPA.
>
> WPA's point is to protect the layer 2 communication link between client and AP. Period. The goal is to reach a comparable level of security to the one given by an ethernet cable between your station and a hub/switch. Such an ethernet network is vulnerable to ARP cache poisoning. So why would a WPA network not be as well? Remember what WEP means? Wired Equivalent Privacy... That's the only goal of WiFi security. No more.
>
> Thus, client isolation is another problem. On a wired network, you can deploy PVLAN stuff. On a wireless network, you can activate station isolation, a feature available on Linksys products as an example.
>
> --
> http://sid.rstack.org/
> PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>
> Hi! I'm your friendly neighbourhood signature virus.
> Copy me to your signature file and help me spread!
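Both posters agree that per-client WPA keys do nothing against ARP cache poisoning, and Cedric points at station isolation on the AP as the mitigation. A second defensive layer is to watch the ARP traffic itself for the two footprints a poisoning attack leaves: an IP whose MAC binding suddenly changes (the gateway's above all), and one MAC answering for several IPs at once. The detector below is an added example written for this editorial note; it is not code from either poster, the ARP replies it consumes are constructed, and the gateway address and the `ArpReply`/`ArpWatcher` names are assumptions for the demo.

```python
# Added example (not from the thread): a passive ARP-cache-poisoning detector
# that a defender could run on a monitoring host or the AP itself, as a
# complement to the station-isolation mitigation mentioned in the thread.
# The sample ARP replies below are constructed; the gateway address is an
# assumption for the demo.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    """The fields of an ARP reply that matter for spoof detection."""
    sender_ip: str
    sender_mac: str
    target_ip: str


@dataclass(frozen=True)
class Alert:
    severity: str   # "high" for the gateway or a multi-IP MAC, "medium" otherwise
    ip: str
    reason: str


class ArpWatcher:
    """Track IP->MAC bindings seen in ARP replies and flag poisoning patterns."""

    def __init__(self, gateway_ip: str):
        self.gateway_ip = gateway_ip
        self.bindings: dict[str, str] = {}        # ip -> MAC first seen for it
        self.ips_per_mac = defaultdict(set)       # mac -> set of IPs it claimed
        self.flagged_macs: set[str] = set()       # avoid repeating the same alert
        self.alerts: list[Alert] = []

    def observe(self, reply: ArpReply) -> list[Alert]:
        """Process one ARP reply; return the alerts it triggered (if any)."""
        new_alerts = []
        ip, mac = reply.sender_ip, reply.sender_mac.lower()

        # Pattern 1: an IP we already know now claims a different MAC.
        known = self.bindings.get(ip)
        if known is None:
            self.bindings[ip] = mac
        elif known != mac:
            sev = "high" if ip == self.gateway_ip else "medium"
            new_alerts.append(Alert(sev, ip, f"binding changed {known} -> {mac}"))

        # Pattern 2: one MAC claims to own several IPs (gateway + victims).
        self.ips_per_mac[mac].add(ip)
        if len(self.ips_per_mac[mac]) > 1 and mac not in self.flagged_macs:
            self.flagged_macs.add(mac)
            owned = ", ".join(sorted(self.ips_per_mac[mac]))
            new_alerts.append(Alert("high", ip, f"{mac} claims multiple IPs: {owned}"))

        self.alerts.extend(new_alerts)
        return new_alerts


def analyze(replies, gateway_ip: str) -> list[Alert]:
    """Run the watcher over a sequence of replies and return all alerts."""
    watcher = ArpWatcher(gateway_ip)
    for r in replies:
        watcher.observe(r)
    return watcher.alerts


# Constructed sample: legitimate gateway and client, then a third station
# answering for both of them (the footprint of a MITM on the wireless LAN).
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "00:11:22:33:44:01", "192.168.1.20"),   # real gateway
    ArpReply("192.168.1.20", "00:11:22:33:44:20", "192.168.1.1"),   # real client
    ArpReply("192.168.1.1", "00:11:22:33:44:99", "192.168.1.20"),   # spoofed gateway
    ArpReply("192.168.1.20", "00:11:22:33:44:99", "192.168.1.1"),   # spoofed client
]


if __name__ == "__main__":
    for a in analyze(SAMPLE_REPLIES, gateway_ip="192.168.1.1"):
        print(f"[{a.severity}] {a.ip}: {a.reason}")
```

On the constructed sample the third reply raises a high alert (gateway binding changed), the fourth a medium one (client binding changed) plus a high one for the MAC now answering for two addresses. A legitimate DHCP re-lease or a replaced NIC also changes a binding, so treat the medium alerts as something to cross-check against DHCP lease logs; the gateway-change and multi-IP patterns are the ones worth paging on. On a wireless LAN, station isolation on the AP removes the client-to-client ARP path altogether, which is why Cedric's suggestion comes first and this kind of monitoring second.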