Sniffing on WPA

From: Eduardo Espina (eduardomx_at_gmail.com)
Date: 11/06/05

    Date: Sun, 6 Nov 2005 14:01:44 -0600
    To: pen-test@securityfocus.com
    
    

    I'm not pointing out that it is a WPA flaw; I agree with you.
    But there is a popular belief that clients using WPA
    can't be sniffed at all.

    WEP was criticized as being weak in confidentiality:
    you get the key and you can sniff all the clients within range.

    With this problem in mind (among others) WPA uses a unique key for
    every user, so no one can sniff another client within range;
    well, with ARP cache poisoning you simply avoid this security
    feature.

    And this problem is worse in WPA-PSK: we know of
    dictionary-based attacks; if the attacker successfully cracks
    the passphrase, they don't just get an IP on the network but access
    to all the network traffic, just like WEP. (I'm not talking
    about statistical attacks, replay attacks, etc.; WPA does well
    in that arena.)

    The point is, it would be ALMOST the same thing to have a universal
    key for all the wireless clients (like in WEP) as to have the per-user
    key used in WPA when it comes to confidentiality. Obviously, as long
    as you can do ARP cache poisoning.

    Greets,
    Eduardo.

    --
    Eduardo Espina Garcia <eespina@seguridad.unam.mx>
    Departamento de Seguridad en Computo - UNAM-CERT DGSCA, UNAM
    http://www.seguridad.unam.mx  Tel.: 5622-8169  Fax: 5622-8043
    GPG Key Fingerprint: "8E86 932F C364 03BE 39B8  3F9D D27E 438A 3C6A 750F"
    "No matter how hard you try to keep your secret, it's a universal
    law that sooner or later it will be discovered."
    On 11/6/05, Cedric Blancher <blancher@cartel-securite.fr> wrote:
    > On Saturday, 05 November 2005 at 12:47 -0600, Eduardo Espina wrote:
    > > In consequence I can do MITM for HTTP, sniffing on all wireless clients, and
    > > all attacks you can imagine that work on ethernet networks.
    >
    > So you've been granted access to the WPA network, right? So why state
    > that WPA has anything to do with it? You can do exactly the same thing on
    > any kind of ethernet-like network, be it wired (copper, fibre) or
    > wireless (WEP, WPA, WPA2).
    >
    > > We all know that WPA is good (better than WEP, at least), and this kind of
    > > attack is limited to local users, but it's a cool way to show people that no
    > > system is 100%, not even WPA.
    >
    > WPA's point is to protect the layer 2 communication link between client
    > and AP. Period.
    > The goal is to reach a level of security comparable to the one given by an
    > ethernet cable between your station and a hub/switch. Such an ethernet
    > network is vulnerable to ARP cache poisoning. So why would a WPA network
    > not be as well?
    > Remember what WEP means? Wired Equivalent Privacy... That's the only
    > goal of WiFi security. No more.
    >
    >
    > Thus, client isolation is another problem. On a wired network, you can
    > deploy PVLAN stuff. On a wireless network, you can activate station
    > isolation, a feature available on Linksys products as an example.
    >
    >
    > --
    > http://sid.rstack.org/
    > PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
    > >> Hi! I'm your friendly neighbourhood signature virus.
    > >> Copy me to your signature file and help me spread!
    >
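An added example, not part of the thread and not code from either poster: the defender's view of the ARP cache poisoning both messages describe. It is an arpwatch-style monitor run over constructed ARP reply records (no live capture), flagging an IP whose announced MAC changes, which is how a poisoned WPA or wired segment shows up when station isolation is not in place. All addresses and function names are hypothetical.

```python
# Added example (not from the thread): arpwatch-style detector for the ARP
# cache poisoning discussed above. Runs over constructed ARP reply records,
# no live capture. All addresses and names are hypothetical.
from collections import namedtuple

ArpReply = namedtuple("ArpReply", "ts sender_ip sender_mac")

# Constructed sample: the gateway 192.168.1.1 is legitimately at ...:01; a
# station at ...:aa then starts answering for the gateway and for 192.168.1.20,
# which is what a MITM between a client and the AP's gateway looks like.
SAMPLE_REPLIES = [
    ArpReply(1, "192.168.1.1", "00:11:22:33:44:01"),
    ArpReply(2, "192.168.1.20", "00:11:22:33:44:20"),
    ArpReply(3, "192.168.1.30", "00:11:22:33:44:30"),
    ArpReply(4, "192.168.1.1", "00:11:22:33:44:AA"),   # gateway "moved"
    ArpReply(5, "192.168.1.20", "00:11:22:33:44:aa"),  # victim "moved" too
    ArpReply(6, "192.168.1.30", "00:11:22:33:44:30"),  # unchanged, benign
]


def detect_arp_flips(replies):
    """Return (ts, ip, old_mac, new_mac) events where an IP's MAC binding
    changed since it was first seen. MACs are normalised to lowercase so a
    case difference alone is not reported as a flip."""
    bindings = {}
    events = []
    for r in replies:
        mac = r.sender_mac.lower()
        old = bindings.get(r.sender_ip)
        if old is not None and old != mac:
            events.append((r.ts, r.sender_ip, old, mac))
        bindings[r.sender_ip] = mac
    return events


def suspect_macs(events):
    """MACs that became the new owner of more than one IP: one station
    claiming both the gateway and a client is the classic poisoning footprint."""
    counts = {}
    for _, _, _, new_mac in events:
        counts[new_mac] = counts.get(new_mac, 0) + 1
    return sorted(m for m, n in counts.items() if n > 1)


if __name__ == "__main__":
    flips = detect_arp_flips(SAMPLE_REPLIES)
    for ts, ip, old, new in flips:
        print(f"t={ts}: {ip} moved from {old} to {new}")
    print("suspect MACs:", suspect_macs(flips))
```

In practice the records would come from a passive capture on the wireless segment or from the AP's own ARP table; the same logic applies regardless of whether the link is WEP, WPA or wired, which is Cedric's point.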
    
