Dailydave mailing list archives

Re: WPA attack improved to 1min, MITM


From: Cedric Blancher <blancher () cartel-securite fr>
Date: Thu, 27 Aug 2009 19:08:23 +0200

On Thursday, 27 August 2009 at 12:28 -0400, Mike Kershaw wrote:
> However, beacon frames are still unprotected.  As long as the BSSID and
> WPA IE fields are the same, there's no reason you can't rewrite them to
> advertise a different channel.

That's a very good point.
When I said trivial, I meant there was no need to implement something
specific to handle that situation. But that is only generating beacons
and forwarding frames from one radio to another, no big deal indeed. And
it is way easier to do than playing with QoS, actually :)

> So at the least, it would seem like they've removed QoS as a
> restriction, so long as they can successfully maintain the repeater (and
> so long as the client doesn't wander away when it stops getting data
> packets for 10 minutes, of course).

That's where their "1min improvement" might become useful. Because they
don't use 802.11e, they can only inject 1 frame per keystream, against
multiple ones (one per usable channel) for the original Beck & Tews attack.
But their ability to retrieve new ARPs more often partly compensates for
that.


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus.
Copy me to your signature file and help me spread!
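The beacon rewriting discussed in this thread leaves the BSSID and the WPA/RSN IE untouched and only changes the advertised channel, so a monitor that just compares security IEs against an inventory will not see it. The following is an added detection example, not code from the thread or from the Beck & Tews paper: a minimal parser for the tagged parameters of an 802.11 beacon body, plus a check that flags a beacon whose DS Parameter Set channel differs from the channel the sniffer heard it on, or from the channel recorded for that BSSID in a known-AP inventory. The BSSID, the capture channel, the constructed beacon bodies and the inventory are all assumptions supplied for the demo; a real deployment would take the first two from the capture tool's radiotap/MAC layer.

```python
"""Flag beacons that advertise a channel other than the one they were heard on.

Constructed example for the Dailydave thread above. Only the management
frame body (after the 24-byte MAC header) is parsed; the BSSID and the
capture channel are assumed to come from the sniffer.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

IE_SSID = 0
IE_DS_PARAMS = 3          # DS Parameter Set: one byte, the current channel
IE_RSN = 48               # WPA2 / RSN information element
IE_VENDOR = 221           # vendor-specific; WPA1 IE lives here
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"  # Microsoft OUI + type 1 = WPA IE


@dataclass
class Beacon:
    bssid: str
    ssid: str
    advertised_channel: Optional[int]
    security_ies: Tuple[Tuple[int, bytes], ...]  # raw RSN/WPA IEs
    capture_channel: int                         # channel the sniffer was tuned to


def parse_ies(body: bytes) -> List[Tuple[int, bytes]]:
    """Walk the tagged parameters following the 12 fixed beacon bytes."""
    ies = []
    pos = 12  # timestamp(8) + beacon interval(2) + capability(2)
    while pos + 2 <= len(body):
        tag, length = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + length]
        if len(data) < length:
            break  # truncated frame: stop rather than misparse
        ies.append((tag, bytes(data)))
        pos += 2 + length
    return ies


def parse_beacon(bssid: str, body: bytes, capture_channel: int) -> Beacon:
    ssid, chan, sec = "", None, []
    for tag, data in parse_ies(body):
        if tag == IE_SSID:
            ssid = data.decode("utf-8", errors="replace")
        elif tag == IE_DS_PARAMS and len(data) == 1:
            chan = data[0]
        elif tag == IE_RSN or (tag == IE_VENDOR and data.startswith(WPA_OUI_TYPE)):
            sec.append((tag, data))
    return Beacon(bssid, ssid, chan, tuple(sec), capture_channel)


def check_beacon(b: Beacon, inventory: Dict[str, int]) -> List[str]:
    """Return alert strings; an empty list means nothing suspicious."""
    alerts = []
    if b.advertised_channel is not None and b.advertised_channel != b.capture_channel:
        alerts.append(f"{b.bssid}: DS channel {b.advertised_channel} "
                      f"heard on channel {b.capture_channel}")
    known = inventory.get(b.bssid)
    if known is not None and b.advertised_channel not in (None, known):
        alerts.append(f"{b.bssid}: advertises channel {b.advertised_channel}, "
                      f"inventory says {known}")
    return alerts


def build_beacon_body(ssid: bytes, channel: int, security_ie: bytes) -> bytes:
    """Constructed beacon body for the demo (timestamp zeroed, 100 TU interval)."""
    fixed = struct.pack("<QHH", 0, 100, 0x0431)   # ESS + privacy + short slot/preamble
    return (fixed
            + bytes([IE_SSID, len(ssid)]) + ssid
            + bytes([IE_DS_PARAMS, 1, channel])
            + security_ie)


# Constructed RSN IE: TKIP group/pairwise, PSK AKM, no capabilities.
RSN_IE = bytes([IE_RSN, 20]) + bytes.fromhex(
    "0100" "000fac02" "0100" "000fac02" "0100" "000fac02" "0000")

# Assumed inventory: the corporate AP is known to sit on channel 6.
INVENTORY = {"00:11:22:33:44:55": 6}


def demo() -> Dict[str, object]:
    legit = parse_beacon("00:11:22:33:44:55",
                         build_beacon_body(b"corp", 6, RSN_IE), capture_channel=6)
    # Same BSSID, same RSN IE, heard on channel 6, but the DS Parameter Set
    # now points clients at channel 11: the case Mike Kershaw describes.
    rewritten = parse_beacon("00:11:22:33:44:55",
                             build_beacon_body(b"corp", 11, RSN_IE), capture_channel=6)
    return {
        "legit": check_beacon(legit, INVENTORY),
        "rewritten": check_beacon(rewritten, INVENTORY),
        # An IE-only comparison sees nothing different between the two.
        "security_ies_identical": legit.security_ies == rewritten.security_ies,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

One caveat on the first check: 2.4 GHz channels overlap, so a legitimate AP on channel 7 is routinely heard by a sniffer tuned to channel 6 with a DS Parameter Set of 7. Treat that mismatch as an indicator and correlate it with the inventory check and with the BSSID's history rather than alerting on it alone; the inventory mismatch for a BSSID you own is the stronger signal.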
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave