Penetration Testing mailing list archives

Re: Sniffing on WPA

From: Cedric Blancher <blancher () cartel-securite fr>
Date: Mon, 07 Nov 2005 09:22:05 +0100

Le dimanche 06 novembre 2005 à 14:01 -0600, Eduardo Espina a écrit :

I'm not pointing that it is a WPA flaw, i agree with you.
But there is a popular belief that clients using WPA
can't be sniffed at all.


As it is a popular belief that you can't sniff traffic on a switched
network...

With this problem in mind (among others) WPA uses unique key for
every user, so no one can sniff another client within range,
well, with ARP cache poisoning you simply avoid this security
feature.


Yes, but it's out of WPA field.

And this problem is worst in WPA-PSK


WPA-PSK PTK calculation is definitly weak.

The point is, it would be ALMOST the same thing to have a universal
key for all the wireless clients (like in WEP) than the per-user
key used in WPA when it comes to confidentiality. Obviously, as long
as you can do ARP cache poisoning.


I totally disagree. 802.11 is a physical/link layer protocol and WPA is
there to secure it. You can use plenty of other protocols than IP over
it, including ones that do not require ARP.
My point is ARP cache poisoning being a specific upper layer protocol,
it's out of layer 2 mecanisms to take care of it.

But it isn't limited to WPA-PSK, this attack works even with 802.1x
authentication. I did this on EAP-TLS and got *plain text traffic*
from all the poisoned users.


And it works as well for 802.11i or anything using any form of
authentication and ciphering you can think of. To extend the point, it
also works with OpenVPN in ethernet bridge mode... OpenVPN fault ?

And by the way, this is not quite a news. A lot of people that gave
talks about layer 2 attacks and ARP cache poisoning in particular
mentionned the fact. Some of my talks that come in mind:

http://sid.rstack.org/pres/0207_LSM02_ARP.pdf
http://sid.rstack.org/pres/0305_ESIEA_LANAttacks.pdf


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE

Hi! I'm your friendly neighbourhood signature virus.
Copy me to your signature file and help me spread!


------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

Current thread:

Sniffing on WPA Eduardo Espina (Nov 05)
- Re: Sniffing on WPA Cedric Blancher (Nov 06)
  - Sniffing on WPA Eduardo Espina (Nov 06)
    - Re: Sniffing on WPA Cedric Blancher (Nov 07)
    - Re: Sniffing on WPA Eduardo Espina (Nov 07)
- <Possible follow-ups>
- Re: Sniffing on WPA Andy Meyers (Nov 06)
  - Re: Sniffing on WPA Eduardo Espina (Nov 06)
    - Re: Sniffing on WPA Paul Day (Nov 07)