Penetration Testing mailing list archives

Re: Sniffing on WPA


From: Eduardo Espina <eduardomx () gmail com>
Date: Sat, 5 Nov 2005 23:41:20 -0600

The point is, after you do ARP Cache Poisoning, what you get is *plain
text traffic* from all other wireless clients, no WPA encrypted
packets at all.

The AP just decrypts all the traffic from the *poisoned client*, then
encrypts the traffic within your own encrypted channel (I mean, the
evil guy's WPA channel) with your own key so you can sniff it. Remember,
you have a valid account on the network.

In other words, the AP does the dirty work of decryption and blindly
passes the traffic to the evil guy. Again, you need a valid account on
the network and of course a valid IP, so the AP can forward all the
traffic to you.

As you can see, it doesn't matter that every client has a different
TKIP key for encryption; you can sniff every user associated to the AP.
At this point WPA looks like WEP, because if you have the WPA-PSK key
you can sniff all users.

But it isn't limited to WPA-PSK; this attack works even with 802.1x
authentication. I did this on EAP-TLS and got *plain text traffic*
from all the poisoned users.

I hope this clarifies my point.

Greets,
Eduardo.
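The thread's point is that the poisoned ARP table, not the WPA cipher, is what leaks the traffic, so the place to catch it on the wired or wireless segment is the ARP replies themselves. The following is an added example written for this archive page, not code from Eduardo or anyone in the thread: it decodes raw ARP payloads and flags the two symptoms such poisoning leaves on the wire, an IP (typically the gateway) suddenly claimed by a second MAC, and one MAC claiming several IPs at once. The addresses, the static gateway binding and the sample capture are all constructed for the demonstration; a real deployment would feed it frames from a capture interface.

```python
"""ARP cache poisoning detector (added example, not part of the original thread)."""
import struct
from collections import defaultdict

# ARP payload layout: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_LEN = struct.calcsize(ARP_FMT)  # 28 bytes
ARP_REPLY = 2


def parse_arp(payload):
    """Decode an Ethernet/IPv4 ARP payload; return None for anything else."""
    if len(payload) < ARP_LEN:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload[:ARP_LEN])
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    fmt_mac = lambda b: ":".join(f"{x:02x}" for x in b)
    fmt_ip = lambda b: ".".join(str(x) for x in b)
    return {
        "op": oper,
        "sender_mac": fmt_mac(sha), "sender_ip": fmt_ip(spa),
        "target_mac": fmt_mac(tha), "target_ip": fmt_ip(tpa),
    }


class ArpWatch:
    """Tracks IP->MAC bindings seen in ARP replies and raises alerts on conflicts.

    static_bindings: IP->MAC pairs the operator asserts (e.g. the gateway);
    these are never overwritten by what is observed on the wire.
    max_ips_per_mac: how many IPs one MAC may legitimately claim before
    it is reported (a host on a flat segment normally claims one).
    """

    def __init__(self, static_bindings=None, max_ips_per_mac=2):
        self.ip_to_mac = dict(static_bindings or {})
        self.static = set(self.ip_to_mac)
        self.mac_to_ips = defaultdict(set)
        self.max_ips_per_mac = max_ips_per_mac
        self.alerts = []

    def observe(self, payload):
        """Feed one ARP payload; returns the alert raised for it, if any."""
        arp = parse_arp(payload)
        if arp is None or arp["op"] != ARP_REPLY:
            return None
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        alert = None
        known = self.ip_to_mac.get(ip)
        if known is None:
            self.ip_to_mac[ip] = mac  # first sighting: learn the binding
        elif known != mac:
            kind = "static_binding_violation" if ip in self.static else "ip_mac_change"
            alert = (kind, ip, known, mac)  # keep the original binding, do not "learn" the new one
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > self.max_ips_per_mac:
            alert = alert or ("mac_claims_many_ips", mac, sorted(self.mac_to_ips[mac]))
        if alert is not None:
            self.alerts.append(alert)
        return alert


# ---- constructed sample data (not a real capture) ----
def _arp_reply(sender_mac, sender_ip, target_mac, target_ip):
    """Test fixture only: encode an ARP reply payload for the sample capture."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(o) for o in s.split("."))
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, ARP_REPLY,
                       mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))


GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "00:11:22:33:44:01"  # constructed
CLIENT_IP, CLIENT_MAC = "192.168.1.10", "00:11:22:33:44:02"   # constructed
ROGUE_MAC = "00:11:22:33:44:99"                               # constructed

SAMPLE_CAPTURE = [
    _arp_reply(GATEWAY_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),   # legitimate gateway reply
    _arp_reply(CLIENT_MAC, CLIENT_IP, GATEWAY_MAC, GATEWAY_IP),   # legitimate client reply
    _arp_reply(ROGUE_MAC, GATEWAY_IP, CLIENT_MAC, CLIENT_IP),     # second MAC claims the gateway IP
    _arp_reply(ROGUE_MAC, CLIENT_IP, GATEWAY_MAC, GATEWAY_IP),    # same MAC claims the client IP
    _arp_reply(ROGUE_MAC, "192.168.1.11", GATEWAY_MAC, GATEWAY_IP),  # and a third IP
]


def run_sample():
    """Replay the constructed capture with the gateway pinned; returns the alerts."""
    watch = ArpWatch(static_bindings={GATEWAY_IP: GATEWAY_MAC})
    for payload in SAMPLE_CAPTURE:
        watch.observe(payload)
    return watch.alerts


if __name__ == "__main__":
    for a in run_sample():
        print(a)
```

Pinning the gateway as a static binding matters: a learning-only watcher that simply trusts the first reply it sees can be primed by whoever answers first, whereas the static entry turns any later claim on that IP into an alert regardless of order. The third alert type is the per-MAC counter, which fires even when the watcher started late and never saw the legitimate bindings.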



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I don't understand. If you don't have to break the encrypted channel,
what's the point of sniffing packets if they are encrypted?

Andy

- ------------
from now on, everyday is September 10th in America... - Dan Verton



On Sat, 05 Nov 2005 10:47:08 -0800 Eduardo Espina
<eduardomx () gmail com> wrote:
Hi,

I don't know if this has been already discussed here (but I don't
recall it). I was doing a pen-test on a wireless network with WPA
(TKIP) and I found that ARP Cache Poisoning works as well as on
ethernet networks.

In consequence I can do MITM for HTTP, sniffing on all wireless
clients, and all attacks you can imagine that work on ethernet
networks.

Unless your infrastructure provides a way of isolating every wireless
client on your network, they could be at risk. (In some architectures
isolation may not be desirable because of resource sharing, Windows
domains, etc.)

In the case you can't isolate clients, you should let the users know
that WPA can't assure confidentiality as most people think. You don't
need to break the encrypted channel; just sit there and fool every
client with ARP cache poisoning and sniff 'em all.

We all know that WPA is good (better than WEP, at least), and this
kind of attack is limited to local users, but it's a cool way to show
people that no system is 100%, not even WPA. Of course you need a
valid account on the network, but is that a problem?
