Sniffing on WPA

From: Eduardo Espina (eduardomx@gmail.com)
Date: Sun Nov 06 2005 - 15:01:44 EST


I'm not saying that it is a WPA flaw; I agree with you.
But there is a popular belief that clients using WPA
can't be sniffed at all.

WEP was criticized as being weak in confidentiality:
you get the key and you can sniff all the clients within range.

With this problem in mind (among others) WPA uses a unique key for
every user, so no one can sniff another client within range;
well, with ARP cache poisoning you simply avoid this security
feature.

And this problem is worse in WPA-PSK: we know of
dictionary-based attacks; if the attacker successfully cracks
the passphrase, he doesn't just get an IP on the network but access
to all the network traffic, just like WEP. (I'm not talking
about statistical attacks, replay attacks, etc.; WPA does well
in that arena.)

The point is, it would be ALMOST the same thing to have a universal
key for all the wireless clients (like in WEP) as the per-user
key used in WPA when it comes to confidentiality. Obviously, as long
as you can do ARP cache poisoning.

Greets,
Eduardo.

--
Eduardo Espina Garcia <eespina@seguridad.unam.mx>
Departamento de Seguridad en Computo - UNAM-CERT DGSCA, UNAM
http://www.seguridad.unam.mx  Tel.: 5622-8169  Fax: 5622-8043
GPG Key Fingerprint: "8E86 932F C364 03BE 39B8  3F9D D27E 438A 3C6A 750F"
"No matter how hard you try to keep your secret, it's a universal
law that sooner or later it will be discovered."
On 11/6/05, Cedric Blancher <blancher@cartel-securite.fr> wrote:
> On Saturday, 05 November 2005 at 12:47 -0600, Eduardo Espina wrote:
> > In consequence I can do MITM for HTTP, sniffing on all wireless clients, and
> > all attacks you can imagine that work on ethernet networks.
>
> So you've been granted access to the WPA network, right? So why state that
> WPA has anything to do with it? You can do exactly the same thing on
> any kind of ethernet-like network, whether it is wired (copper, fibre) or
> wireless (WEP, WPA, WPA2).
>
> > We all know that WPA is good (better than WEP, at least), and this kind of
> > attack is limited to local users, but it's a cool way to show people that no
> > system is 100%, not even WPA.
>
> WPA's point is to protect the layer 2 communication link between client
> and AP. Period.
> The goal is to reach a level of security comparable to the one given by an
> ethernet cable between your station and a hub/switch. Such an ethernet
> network is vulnerable to ARP cache poisoning. So why would a WPA network
> not be as well?
> Remember what WEP means? Wired Equivalent Privacy... That's the only
> goal of WiFi security. No more.
>
>
> Thus, client isolation is another problem. On a wired network, you can
> deploy PVLAN stuff. On a wireless network, you can activate station
> isolation, a feature available on Linksys products, for example.
>
>
> --
> http://sid.rstack.org/
> PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
> >> Hi! I'm your friendly neighbourhood signature virus.
> >> Copy me to your signature file and help me spread!
>
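The poisoning step both posters take for granted, as an added example that is not part of the thread and not code from either author: a spoofed ARP reply that tells the victim the gateway's IP now lives at the attacker's MAC, next to the binding-change check a client (or the AP, which sees every associated station's frames decrypted) can run to notice it. Per-client WPA keys do not stop this because the attacker is an associated station and the AP re-encrypts its frames toward the victim like any other traffic. All MAC and IP addresses below are constructed for the walk-through.

```python
"""ARP cache poisoning on a WPA segment: the spoofed frame and a detector.

Added example, not from the original thread.  Addresses are made up.
"""
import struct
from typing import Dict, List, Optional

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Constructed addresses (assumptions for the walk-through).
GATEWAY_IP = "192.168.1.1"
GATEWAY_MAC = "00:11:22:33:44:01"      # the real AP/router
VICTIM_IP = "192.168.1.20"
VICTIM_MAC = "00:11:22:33:44:20"
ATTACKER_MAC = "00:11:22:33:44:ee"     # another associated WPA client


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def build_arp(op: int, sender_mac: str, sender_ip: str,
              target_mac: str, target_ip: str) -> bytes:
    """Ethernet II frame carrying an RFC 826 ARP packet (42 bytes total)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # Ethernet/IPv4, 6- and 4-byte addrs
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame: bytes) -> Optional[Dict[str, object]]:
    """ARP fields of an Ethernet frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {
        "op": op,
        "sender_mac": mac_str(frame[22:28]),
        "sender_ip": ip_str(frame[28:32]),
        "target_mac": mac_str(frame[32:38]),
        "target_ip": ip_str(frame[38:42]),
    }


class ArpWatch:
    """Track IP->MAC bindings seen on the segment and flag contradictions.

    `pinned` holds bindings the operator trusts (the gateway at minimum).
    Both replies and requests are inspected, since common stacks update
    their cache from either (gratuitous ARP is a request).
    """

    def __init__(self, pinned: Dict[str, str]):
        self.pinned = {ip: mac.lower() for ip, mac in pinned.items()}
        self.learned: Dict[str, str] = {}
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> Optional[str]:
        pkt = parse_arp(frame)
        if pkt is None or pkt["op"] not in (ARP_REQUEST, ARP_REPLY):
            return None
        ip, mac = str(pkt["sender_ip"]), str(pkt["sender_mac"])
        if ip in self.pinned and self.pinned[ip] != mac:
            alert = f"spoof: {ip} claimed by {mac}, pinned to {self.pinned[ip]}"
        elif ip in self.learned and self.learned[ip] != mac:
            alert = f"binding change: {ip} moved from {self.learned[ip]} to {mac}"
        else:
            self.learned.setdefault(ip, mac)
            return None
        self.alerts.append(alert)
        return alert


def demo() -> List[str]:
    """Legitimate gateway reply, the attacker's poisoned reply, a benign gratuitous ARP."""
    watch = ArpWatch(pinned={GATEWAY_IP: GATEWAY_MAC})
    frames = [
        build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),
        build_arp(ARP_REPLY, ATTACKER_MAC, GATEWAY_IP, VICTIM_MAC, VICTIM_IP),   # poison
        build_arp(ARP_REQUEST, VICTIM_MAC, VICTIM_IP, "ff:ff:ff:ff:ff:ff", VICTIM_IP),
    ]
    for frame in frames:
        watch.observe(frame)
    return watch.alerts


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Only the second frame trips the watcher; the gratuitous request from the victim is learned as a new binding and stays quiet. The check is only as good as the pin: on a real network the gateway binding should be configured, not learned from the first frame seen. On an access point running hostapd, the station-isolation knob Cedric mentions for Linksys gear corresponds to `ap_isolate=1` in hostapd.conf (my note, not from the thread), which stops the AP from forwarding frames between associated stations and so removes the path the poisoned reply travels.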


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:08 EDT