Re: Sniffing on WPA

From: Eduardo Espina (eduardomx_at_gmail.com)
Date: 11/07/05

  • Next message: Justin.Ross_at_signalsolutionsinc.com: "Re: Nessus - open or closed source?"
    Date: Mon, 7 Nov 2005 11:56:01 -0600
    To: Cedric Blancher <blancher@cartel-securite.fr>
    
    

    > > The point is, it would be ALMOST the same thing to have a universal
    > > key for all the wireless clients (like in WEP) as the per-user
    > > key used in WPA when it comes to confidentiality. Obviously, as long
    > > as you can do ARP cache poisoning.
    >
    > I totally disagree. 802.11 is a physical/link layer protocol and WPA is
    > there to secure it. You can use plenty of other protocols than IP over
    > it, including ones that do not require ARP.
    > My point is ARP cache poisoning being a specific upper layer protocol,
    > it's out of layer 2 mechanisms to take care of it.

    As I noted before, as long as you can do ARP cache poisoning, I'm not
    talking about other protocols.

    You just have to see what you get after a break-in. If you break WEP
    you get sniffing capabilities, if you break WPA you get sniffing
    capabilities (ARP cache poisoning required).

    Yes, it's out of WPA's scope, I don't blame WPA for that, but the
    problem is still there. Then, all wireless users should be aware
    that WPA with ARP-included protocols does not differ much from a
    hotspot (talking about confidentiality) and that users shouldn't feel
    so secure because they are on WPA.

    > And by the way, this is not quite news. A lot of people that gave
    > talks about layer 2 attacks and ARP cache poisoning in particular
    > mentioned the fact. Some of my talks that come to mind:
    >
    > http://sid.rstack.org/pres/0207_LSM02_ARP.pdf
    > http://sid.rstack.org/pres/0305_ESIEA_LANAttacks.pdf

    As I wrote, I don't remember a discussion on this topic here.
    Yes, it's not "fresh news", but today it's a problem more than ever.
    It would be interesting to see how new generation switch-based
    networks handle this. (aruba, cisco-airespace, etc.)
    In SOHO networks the impact is limited to users associated to the same
    AP. Would the attack on centralized switched networks (aruba, cisco, etc)
    be limited to the same AP?

    Greets,
    Eduardo.

    --
    Eduardo Espina Garcia <eespina@seguridad.unam.mx>
    Departamento de Seguridad en Computo - UNAM-CERT DGSCA, UNAM
    http://www.seguridad.unam.mx  Tel.: 5622-8169  Fax: 5622-8043
    GPG Key Fingerprint: "8E86 932F C364 03BE 39B8  3F9D D27E 438A 3C6A 750F"
    "No matter how hard you try to keep your secret, it's a universal
    law that sooner or later it will be discovered."
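The thread's point is that WPA's per-station keys protect frames in the air, but once a station is associated, the AP bridges its frames to the other clients on that AP, so ARP cache poisoning at layer 2 still redirects a neighbour's traffic. The defensive counterpart is to watch the ARP bindings on the segment (and, where the AP or controller supports client isolation, to switch off client-to-client forwarding altogether). The monitor below is an added example, not code from the thread or from any of the vendors mentioned; the log format, the sample records and the static gateway entry are all constructed. It flags the three traces a poisoning leaves: replies nobody asked for, an IP that changes MAC, and one MAC answering for several IPs.

```python
"""ARP cache poisoning detector over an ARP event log (added example, constructed data)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ArpEvent:
    ts: float
    op: str          # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


@dataclass(frozen=True)
class Alert:
    ts: float
    reason: str
    detail: str


# Constructed sample in an assumed format: ts op sender_mac sender_ip target_mac target_ip
SAMPLE_ARP_LOG = """
# client 192.168.1.20 asks for the gateway and the gateway answers (normal exchange)
1.0 request 00:aa:aa:aa:aa:01 192.168.1.20 ff:ff:ff:ff:ff:ff 192.168.1.1
1.1 reply   00:11:22:33:44:55 192.168.1.1  00:aa:aa:aa:aa:01 192.168.1.20
# later a third station answers for the gateway and for the client without being asked
5.0 reply   00:cc:cc:cc:cc:0c 192.168.1.1  00:aa:aa:aa:aa:01 192.168.1.20
5.1 reply   00:cc:cc:cc:cc:0c 192.168.1.20 00:11:22:33:44:55 192.168.1.1
"""

# Assumed static table: the gateway's MAC is configured by the operator, never learned
TRUSTED_BINDINGS = {"192.168.1.1": "00:11:22:33:44:55"}


def parse_arp_log(text: str) -> List[ArpEvent]:
    """Parse whitespace-separated records; '#' lines are comments."""
    events = []
    for raw in text.strip().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, op, smac, sip, tmac, tip = line.split()
        events.append(ArpEvent(float(ts), op.lower(), smac.lower(), sip, tmac.lower(), tip))
    return events


def detect_arp_poisoning(events: List[ArpEvent],
                         trusted: Optional[Dict[str, str]] = None,
                         window: float = 2.0) -> List[Alert]:
    """Return alerts for unsolicited replies, binding changes and multi-IP claims.

    Learned bindings are first-seen-wins, so a later claim for the same IP keeps
    alerting instead of silently becoming the new baseline. The multi-IP check is a
    heuristic: a router that legitimately owns several addresses also trips it.
    """
    bindings: Dict[str, str] = dict(trusted or {})       # ip -> mac
    ips_per_mac: Dict[str, Set[str]] = defaultdict(set)  # mac -> ips it answered for
    for ip, mac in bindings.items():
        ips_per_mac[mac].add(ip)
    pending: Dict[Tuple[str, str], float] = {}           # (requester_mac, asked_ip) -> ts
    alerts: List[Alert] = []
    for ev in events:
        if ev.op == "request":
            pending[(ev.sender_mac, ev.target_ip)] = ev.ts
            continue
        if ev.op != "reply":
            continue
        # 1. a reply is expected only shortly after a request from its target
        asked_at = pending.pop((ev.target_mac, ev.sender_ip), None)
        if asked_at is None or ev.ts - asked_at > window:
            alerts.append(Alert(ev.ts, "unsolicited_reply",
                                f"{ev.sender_mac} pushed '{ev.sender_ip} is at {ev.sender_mac}' "
                                f"to {ev.target_mac} without a matching request"))
        # 2. an IP we already know must keep its MAC
        known = bindings.get(ev.sender_ip)
        if known is not None and known != ev.sender_mac:
            alerts.append(Alert(ev.ts, "binding_change",
                                f"{ev.sender_ip} was {known}, now claimed by {ev.sender_mac}"))
        # 3. one MAC answering for two IPs is the shape of a man-in-the-middle
        ips_per_mac[ev.sender_mac].add(ev.sender_ip)
        if len(ips_per_mac[ev.sender_mac]) > 1:
            alerts.append(Alert(ev.ts, "multi_ip_claim",
                                f"{ev.sender_mac} now answers for {sorted(ips_per_mac[ev.sender_mac])}"))
        bindings.setdefault(ev.sender_ip, ev.sender_mac)
    return alerts


def run_example() -> List[Alert]:
    """Run the detector over the constructed sample; returns four alerts."""
    return detect_arp_poisoning(parse_arp_log(SAMPLE_ARP_LOG), trusted=TRUSTED_BINDINGS)


if __name__ == "__main__":
    for a in run_example():
        print(f"{a.ts:6.1f} {a.reason:18} {a.detail}")
```

On a WPA network this monitor has to see the ARP traffic, so it runs either on the AP or controller or on a station associated to the same AP, since that is the only place the bridged frames are visible; it tells you that a poisoning is happening on your segment, which is exactly what per-station encryption alone does not.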
    
