Penetration Testing mailing list archives
Re: Sniffing on WPA
From: Eduardo Espina <eduardomx () gmail com>
Date: Mon, 7 Nov 2005 11:56:01 -0600
> > The point is, it would be ALMOST the same thing to have a universal key for all the wireless clients (like in WEP) than the per-user key used in WPA when it comes to confidentiality. Obviously, as long as you can do ARP cache poisoning.
>
> I totally disagree. 802.11 is a physical/link layer protocol and WPA is there to secure it. You can use plenty of other protocols than IP over it, including ones that do not require ARP. My point is ARP cache poisoning being a specific upper layer protocol, it's out of layer 2 mechanisms to take care of it.

As I noted before, as long as you can do ARP cache poisoning, I'm not talking about other protocols. You just have to see what you get after a break-in. If you break WEP you get sniffing capabilities; if you break WPA you get sniffing capabilities (ARP cache poisoning required). Yes, it's out of WPA's scope, I don't blame WPA for that, but the problem is still there. Then, all wireless users should be aware that WPA with ARP-included protocols does not differ much from a hotspot (talking about confidentiality) and that users shouldn't feel so secure because they are on WPA.

> And by the way, this is not quite news. A lot of people that gave talks about layer 2 attacks and ARP cache poisoning in particular mentioned the fact. Some of my talks that come to mind:
> http://sid.rstack.org/pres/0207_LSM02_ARP.pdf
> http://sid.rstack.org/pres/0305_ESIEA_LANAttacks.pdf

As I wrote, I don't remember a discussion on this topic here. Yes, it's not "fresh news", but today it's a problem more than ever. It would be interesting to see how new generation switch-based networks handle this (aruba, cisco-airespace, etc.). In SOHO networks the impact is limited to users associated to the same AP. Would the attack on centralized switched networks (aruba, cisco, etc.) be limited to the same AP?

Greets,
Eduardo.

--
Eduardo Espina Garcia <eespina () seguridad unam mx>
Departamento de Seguridad en Computo - UNAM-CERT
DGSCA, UNAM
http://www.seguridad.unam.mx
Tel.: 5622-8169 Fax: 5622-8043
GPG Key Fingerprint: "8E86 932F C364 03BE 39B8 3F9D D27E 438A 3C6A 750F"
"No matter how hard you try to keep your secret, it's a universal law that sooner or later it will be discovered."
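The thread's point is that a WPA network still needs something watching ARP, since the per-user key does nothing against a station that answers ARP for the gateway. The following detector is an added example (not code from the list or from either poster) that builds an IP-to-MAC table from observed ARP replies and alerts on a rebinding or on one MAC answering for several IPs; the ArpReply records and addresses are constructed for illustration.

```python
"""Detect ARP cache poisoning from a stream of ARP replies.

Builds an IP -> MAC table from observed ARP "is-at" replies and alerts when an
IP already bound to one MAC is claimed by another, or when one MAC ends up
claiming several IPs (the shape of a man-in-the-middle between a client and
the gateway). Input records below are constructed, not real captures.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpReply:
    sender_ip: str   # IP the sender claims to own
    sender_mac: str  # MAC it wants the receiver to bind to that IP
    target_ip: str   # host whose ARP cache the reply updates


def detect_arp_poisoning(replies, known_bindings=None):
    """Return (alerts, table); each alert is a (kind, subject, detail) tuple."""
    table = dict(known_bindings or {})          # trusted seed, e.g. the gateway
    ips_per_mac = defaultdict(set)
    for ip, mac in table.items():
        ips_per_mac[mac].add(ip)
    alerts = []
    for r in replies:
        previous = table.get(r.sender_ip)
        if previous is not None and previous != r.sender_mac:
            alerts.append(("binding_changed", r.sender_ip,
                           f"{previous} -> {r.sender_mac}"))
        table[r.sender_ip] = r.sender_mac
        claimed = ips_per_mac[r.sender_mac]
        if r.sender_ip not in claimed:
            claimed.add(r.sender_ip)
            if len(claimed) > 1:            # one MAC now answers for several IPs
                alerts.append(("mac_claims_many_ips", r.sender_mac, sorted(claimed)))
    return alerts, table


# Constructed sample: gateway .1 and client .20 answer normally, then a third
# station answers for both of them (the two-sided poisoning pattern).
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "aa:aa:aa:aa:aa:01", "192.168.1.20"),
    ArpReply("192.168.1.20", "bb:bb:bb:bb:bb:20", "192.168.1.1"),
    ArpReply("192.168.1.1", "cc:cc:cc:cc:cc:99", "192.168.1.20"),
    ArpReply("192.168.1.20", "cc:cc:cc:cc:cc:99", "192.168.1.1"),
]

if __name__ == "__main__":
    for kind, subject, detail in detect_arp_poisoning(SAMPLE_REPLIES)[0]:
        print(f"ALERT {kind}: {subject} {detail}")
```

The many-IPs heuristic will also fire for a legitimately multi-homed host, so seed `known_bindings` with such hosts or allowlist them before acting on that alert.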