Re: Tricky question...

From: Alan Schwartz (alansz@tala.mede.uic.edu)
Date: 09/30/02


Gabriel <en_hemlig_person@hotmail.com> writes:
>The setup is as follows: Three access points (AP1, AP2 and AP3) are
>connected to a switch and to each of the access points one laptop is
>associated (Lap1, Lap2 and Lap3). Each of the three laptops uses a
>different WEP key (WEP1, WEP2 and WEP3) when they associate to their
>access point.
>
>Question: Is it possible for Lap1 (in this case the attacker and
>associated to AP1 using WEP1) to perform a Man-in-the-Middle attack
>using ARP cache poisoning (with e.g. Ettercap) against Lap2 and Lap3
>(i.e. sniffing the communication between Lap2 and Lap3)? Assuming
>that Lap2 is associated to AP2 using WEP2 and Lap3 is associated to
>AP3 using WEP3???
>
>I am thinking that WEP only encrypts the data that travels through the
>air between a laptop and the AP, which would mean that it travels in
>clear text between the AP and the switch?? If this is the case Lap1
>should be successful in carrying out a MITM attack against Lap2 and
>Lap3 since it "intercepts" the data through the switch. Am I right or
>am I wrong?
>
>If I am right this scenario would be possible: AP1 is NOT using WEP,
>which (basically) means that anyone can associate with it, but AP2 and
>AP3 are using WEP. Now Lap1 (the attacker) can perform a MITM attack
>against Lap2 (associated to AP2 using WEP2) and Lap3 (associated to
>Lap3 using WEP3) without any problems whatsoever since it didn't have
>to crack a WEP key…

I think this depends on whether your switch would allow this
attack to work, and the wireless aspect is fairly immaterial.

Note that cracking a WEP key, of course, is not so very hard either.
Anyone using an 802.11b network really should use ipsec, ssh tunnels
or some other vpn.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
         Alan Schwartz | Disclaimer: I represent no one
        <alansz@uic.edu> |
Asst. Prof. of Clinical Decision Making| Life is what happens to you while
University of Illinois at Chicago | you're busy making other plans
Department of Medical Education | - J. Lennon
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
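The thread turns on whether ARP cache poisoning can succeed on the wired segment behind the access points, where WEP no longer protects the frames. The following is an added defender-side example, not code from anyone in this thread: it scans ARP reply records (a constructed sample, assumed field layout) for the two classic poisoning symptoms, an IP whose MAC claim changes, and one MAC claiming several IPs, which is what a host sitting between Lap2 and Lap3 would have to do.

```python
from collections import defaultdict

# Constructed sample of ARP replies as a monitor on the switch segment might
# log them: (timestamp, sender_ip, sender_mac, target_ip, opcode), opcode 2 = reply.
# Hypothetical addresses: ...:02 is Lap2, ...:03 is Lap3, ...:01 is a third host.
SAMPLE_ARP = [
    (0.0, "10.0.0.2", "00:11:22:33:44:02", "10.0.0.3", 2),  # Lap2 answers Lap3
    (0.5, "10.0.0.3", "00:11:22:33:44:03", "10.0.0.2", 2),  # Lap3 answers Lap2
    (5.0, "10.0.0.2", "00:11:22:33:44:01", "10.0.0.3", 2),  # Lap2's IP now claimed by :01
    (5.1, "10.0.0.3", "00:11:22:33:44:01", "10.0.0.2", 2),  # Lap3's IP also claimed by :01
]


def detect_arp_conflicts(records, static_map=None):
    """Alert when an IP is announced from a MAC that differs from the MAC it was
    first seen with (or from a known static mapping, e.g. DHCP leases or an
    asset inventory). The first-seen owner is kept as the reference so that a
    later spoofed reply cannot silently become the new baseline."""
    owner = dict(static_map or {})
    alerts = []
    for ts, sender_ip, sender_mac, _target_ip, opcode in records:
        if opcode != 2:
            continue
        known = owner.get(sender_ip)
        if known is None:
            owner[sender_ip] = sender_mac
        elif known != sender_mac:
            alerts.append({"time": ts, "ip": sender_ip,
                           "expected_mac": known, "claimed_mac": sender_mac})
    return alerts


def macs_claiming_multiple_ips(records):
    """Return {mac: set_of_ips} for every MAC that replies on behalf of more than
    one IP. A full-duplex poisoning of two hosts shows up as one MAC claiming
    both of their addresses; a router or proxy-ARP gateway may legitimately do
    the same, so pair this with an allow list of known gateway MACs."""
    claims = defaultdict(set)
    for _ts, sender_ip, sender_mac, _target_ip, opcode in records:
        if opcode == 2:
            claims[sender_mac].add(sender_ip)
    return {mac: ips for mac, ips in claims.items() if len(ips) > 1}


if __name__ == "__main__":
    for alert in detect_arp_conflicts(SAMPLE_ARP):
        print("MAC change:", alert)
    for mac, ips in macs_claiming_multiple_ips(SAMPLE_ARP).items():
        print("multi-IP claimant:", mac, sorted(ips))
```

Run against the constructed sample, both checks flag the `...:01` host; in practice the records would come from a span port or an ARP-watching daemon on the switch side, which is exactly where the WEP-stripped traffic is visible.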
