Penetration Testing mailing list archives
Re: Sniffing on WPA
From: Cedric Blancher <blancher () cartel-securite fr>
Date: Mon, 07 Nov 2005 09:22:05 +0100
Le dimanche 06 novembre 2005 à 14:01 -0600, Eduardo Espina a écrit :
I'm not pointing that it is a WPA flaw, i agree with you. But there is a popular belief that clients using WPA can't be sniffed at all.
As it is a popular belief that you can't sniff traffic on a switched network...
With this problem in mind (among others) WPA uses unique key for every user, so no one can sniff another client within range, well, with ARP cache poisoning you simply avoid this security feature.
Yes, but it's out of WPA field.
And this problem is worst in WPA-PSK
WPA-PSK PTK calculation is definitly weak.
The point is, it would be ALMOST the same thing to have a universal key for all the wireless clients (like in WEP) than the per-user key used in WPA when it comes to confidentiality. Obviously, as long as you can do ARP cache poisoning.
I totally disagree. 802.11 is a physical/link layer protocol and WPA is there to secure it. You can use plenty of other protocols than IP over it, including ones that do not require ARP. My point is ARP cache poisoning being a specific upper layer protocol, it's out of layer 2 mecanisms to take care of it.
But it isn't limited to WPA-PSK, this attack works even with 802.1x authentication. I did this on EAP-TLS and got *plain text traffic* from all the poisoned users.
And it works as well for 802.11i or anything using any form of authentication and ciphering you can think of. To extend the point, it also works with OpenVPN in ethernet bridge mode... OpenVPN fault ? And by the way, this is not quite a news. A lot of people that gave talks about layer 2 attacks and ARP cache poisoning in particular mentionned the fact. Some of my talks that come in mind: http://sid.rstack.org/pres/0207_LSM02_ARP.pdf http://sid.rstack.org/pres/0305_ESIEA_LANAttacks.pdf -- http://sid.rstack.org/ PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus. Copy me to your signature file and help me spread!
------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
Current thread:
- Sniffing on WPA Eduardo Espina (Nov 05)
- Re: Sniffing on WPA Cedric Blancher (Nov 06)
- Sniffing on WPA Eduardo Espina (Nov 06)
- Re: Sniffing on WPA Cedric Blancher (Nov 07)
- Re: Sniffing on WPA Eduardo Espina (Nov 07)
- Sniffing on WPA Eduardo Espina (Nov 06)
- Re: Sniffing on WPA Cedric Blancher (Nov 06)
- <Possible follow-ups>
- Re: Sniffing on WPA Andy Meyers (Nov 06)
- Re: Sniffing on WPA Eduardo Espina (Nov 06)
- Re: Sniffing on WPA Paul Day (Nov 07)
- Re: Sniffing on WPA Eduardo Espina (Nov 06)