Sniffing on WPA

From: Eduardo Espina (eduardomx@gmail.com)
Date: Sat Nov 05 2005 - 13:47:08 EST


Hi,

I don't know if this has been already discussed here (but I don't recall it).
I was doing a pen-test on a wireless network with WPA (TKIP) and I found that ARP
cache poisoning works as well as on Ethernet networks.

In consequence, I can do MITM for HTTP, sniffing on all wireless clients, and
all attacks you can imagine that work on Ethernet networks.

Unless your infrastructure provides a way of isolating every wireless client
on your network, they could be at risk. (In some architectures isolation may
not be desirable because of resource sharing, Windows domains, etc.)

In case you can't isolate clients, you should let the users know that WPA
can't assure confidentiality as most people think. You don't need to break the
encrypted channel, just sit there and fool every client with ARP cache poisoning
and sniff 'em all.

We all know that WPA is good (better than WEP, at least), and this kind of
attack is limited to local users, but it's a cool way to show people that no
system is 100%, not even WPA. Of course you need a valid account on the
network, but is that a problem?

Tested on a variety of Linksys APs and 2wire.

Greets,
Eduardo.

--
Eduardo Espina Garcia <eespina@seguridad.unam.mx>
Departamento de Seguridad en Computo - UNAM-CERT DGSCA, UNAM
http://www.seguridad.unam.mx  Tel.: 5622-8169  Fax: 5622-8043
GPG Key Fingerprint: "8E86 932F C364 03BE 39B8  3F9D D27E 438A 3C6A 750F"
"No matter how hard you try to keep your secret, it's a universal
law that sooner or later it will be discovered."
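Added example for this archive page (not code from Eduardo or from any tool he used): a small detector that replays constructed ARP replies, as a monitor on the wireless segment would see them after 802.11 decryption, and flags the gateway IP being answered for by a second MAC, which is what a client-side ARP cache poisoning looks like to a defender. The addresses and the static gateway binding are assumptions.

```python
from collections import defaultdict

# Constructed sample, not captured traffic: ARP replies as a monitor on the
# wireless segment would see them after 802.11 decryption (the AP relays
# client-to-client ARP inside the BSS, so WPA does not hide them from peers).
# Fields: seconds, sender IP, sender MAC, target IP.
TRUSTED_BINDINGS = {"192.168.1.1": "00:11:22:aa:bb:01"}   # assumed static gateway entry
SAMPLE_REPLIES = [
    (0.0, "192.168.1.1",  "00:11:22:aa:bb:01", "192.168.1.20"),  # real gateway answers
    (1.0, "192.168.1.20", "00:11:22:aa:bb:20", "192.168.1.1"),   # client answers
    (5.0, "192.168.1.1",  "00:11:22:aa:bb:99", "192.168.1.20"),  # third MAC claims gateway IP
    (5.1, "192.168.1.20", "00:11:22:aa:bb:99", "192.168.1.1"),   # same MAC claims client IP
    (7.0, "192.168.1.1",  "00:11:22:aa:bb:01", "192.168.1.20"),  # real gateway re-announces
    (9.0, "192.168.1.1",  "00:11:22:aa:bb:99", "192.168.1.20"),  # third MAC re-claims it
]

def detect_arp_poisoning(replies, trusted=None):
    """Scan ARP replies in order and return (seconds, kind, detail) alerts.

    kinds:
      trusted-violation  an IP with a static binding is claimed by another MAC
      binding-change     an IP previously answered by one MAC is now answered
                         by a different one (real gateway and spoofer fighting)
      multi-claim        one MAC answers for more than one IP, the two-sided
                         pattern of an ARP MITM between a client and the gateway
    """
    trusted = {ip: mac.lower() for ip, mac in (trusted or {}).items()}
    ip_to_mac = {}                    # last MAC seen answering for each IP
    mac_to_ips = defaultdict(set)     # every IP each MAC has answered for
    alerts = []
    for ts, ip, mac, _target in replies:
        mac = mac.lower()
        if ip in trusted and trusted[ip] != mac:
            alerts.append((ts, "trusted-violation", f"{ip} claimed by {mac}"))
        prev = ip_to_mac.get(ip)
        if prev is not None and prev != mac:
            alerts.append((ts, "binding-change", f"{ip}: {prev} -> {mac}"))
        ip_to_mac[ip] = mac
        if mac_to_ips[mac] and ip not in mac_to_ips[mac]:
            alerts.append((ts, "multi-claim", f"{mac} also answers for {ip}"))
        mac_to_ips[mac].add(ip)
    return alerts

if __name__ == "__main__":
    for ts, kind, detail in detect_arp_poisoning(SAMPLE_REPLIES, TRUSTED_BINDINGS):
        print(f"t={ts:5.1f}s  {kind:18s} {detail}")
```

On a real deployment the same three checks are what client isolation, DHCP snooping with dynamic ARP inspection, or a static gateway ARP entry on each client prevent or make visible; the detector only tells you it happened.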


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:08 EDT