Penetration Testing mailing list archives
Re: Sniffing on WPA
From: Eduardo Espina <eduardomx () gmail com>
Date: Sat, 5 Nov 2005 23:41:20 -0600
The point is, after you do ARP cache poisoning, what you get is *plain text traffic* from all other wireless clients, no WPA-encrypted packets at all. The AP just decrypts all the traffic from the *poisoned client*, then encrypts the traffic within your own encrypted channel (I mean, the evil guy's WPA channel) with your own key so you can sniff it. Remember, you have a valid account on the network. In other words, the AP does the dirty work of decryption and blindly passes the traffic to the evil guy.

Again, you need a valid account on the network and of course a valid IP, so the AP can forward all the traffic to you. As you can see, it doesn't matter that every client has a different TKIP key for encryption; you can sniff every user associated with the AP. At this point WPA looks like WEP, because if you have the WPA-PSK key you can sniff all users. But it isn't limited to WPA-PSK; this attack works even with 802.1x authentication. I did this on EAP-TLS and got *plain text traffic* from all the poisoned users.

I hope this clarifies my point.

Greets,
Eduardo.

> I don't understand. If you don't have to break the encrypted channel, what's the point of sniffing packets if they are encrypted?
>
> Andy
>
> ------------
> from now on, everyday is September 10th in America... - Dan Verton
>
> On Sat, 05 Nov 2005 10:47:08 -0800 Eduardo Espina <eduardomx () gmail com> wrote:
>
>> Hi,
>>
>> I don't know if this has been already discussed here (but I don't recall it). I was doing a pen-test on a wireless network with WPA (TKIP) and I found that ARP cache poisoning works as well as on ethernet networks. In consequence I can do MITM for HTTP, sniffing on all wireless clients, and all attacks you can imagine that work on ethernet networks.
>>
>> Unless your infrastructure provides a way of isolating every wireless client on your network, they could be at risk. (In some architectures isolation may not be desirable because of resource sharing, Windows domains, etc.) In the case you can't isolate clients you should let the users know that WPA can't assure confidentiality as most people think. You don't need to break the encrypted channel, just sit there and fool every client with ARP cache poisoning and sniff 'em all.
>>
>> We all know that WPA is good (better than WEP, at least), and this kind of attack is limited to local users, but it's a cool way to show people that no system is 100%, not even WPA. Of course you need a valid account on the network, but, is that a problem?
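From the defender's side, the poisoning described in this thread is visible on the wire as ARP replies that rebind an IP (typically the gateway) to a new MAC, and as one MAC answering for several IPs at once. The following is an added example, not code from the thread or its authors: a small detector run over a constructed list of ARP replies (timestamp, sender IP, sender MAC), with an optional pinned binding for the gateway; all addresses are made up.

```python
from collections import defaultdict

# Constructed sample capture standing in for ARP "is-at" replies seen on the
# wireless interface: (timestamp, sender IP, sender MAC). All values are made up.
SAMPLE_ARP_REPLIES = [
    (0.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),   # gateway, legitimate
    (0.5, "192.168.1.20", "aa:bb:cc:00:00:20"),   # an ordinary client
    (1.0, "192.168.1.1",  "aa:bb:cc:00:00:01"),
    (2.0, "192.168.1.1",  "de:ad:be:ef:00:99"),   # gateway IP rebound to a new MAC
    (2.1, "192.168.1.20", "de:ad:be:ef:00:99"),   # same MAC now also claims the client
    (2.2, "192.168.1.1",  "de:ad:be:ef:00:99"),
]

def detect_arp_poisoning(replies, trusted=None):
    """Return a list of alert dicts for replies that look like cache poisoning.

    trusted: optional {ip: mac} pins (e.g. the gateway) that are never
    overwritten by learning; a reply contradicting a pin is flagged at once.
    """
    bindings = dict(trusted or {})   # ip -> mac we currently believe
    claimed = defaultdict(set)       # mac -> set of ips it has answered for
    flagged_macs = set()
    alerts = []
    for ts, ip, mac in replies:
        known = bindings.get(ip)
        if known is None:
            bindings[ip] = mac       # first sighting: learn it, as a real stack would
        elif known != mac:
            alerts.append({"time": ts, "reason": "rebind", "ip": ip,
                           "expected": known, "seen": mac})
        claimed[mac].add(ip)
        # One MAC answering for several IPs (gateway plus clients) is the
        # man-in-the-middle signature; report it once per offending MAC.
        if len(claimed[mac]) > 1 and mac not in flagged_macs:
            flagged_macs.add(mac)
            alerts.append({"time": ts, "reason": "multi_ip", "mac": mac,
                           "ips": sorted(claimed[mac])})
    return alerts

if __name__ == "__main__":
    pins = {"192.168.1.1": "aa:bb:cc:00:00:01"}
    for alert in detect_arp_poisoning(SAMPLE_ARP_REPLIES, trusted=pins):
        print(alert)
```

A legitimate NIC replacement also produces a "rebind" alert, so in practice the pinned gateway binding and the "multi_ip" signal are the higher-confidence indicators; the real fix remains client isolation on the AP, as the original post notes.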