Re: Sniffing on WPA

From: Eduardo Espina (eduardomx@gmail.com)
Date: Sun Nov 06 2005 - 00:41:20 EST


The point is, after you do ARP Cache Poisoning, what you get is *plain
text traffic* from all other wireless clients, no WPA encrypted
packets at all.

The AP just decrypts all the traffic from the *poisoned client*, then
encrypts the traffic within your own encrypted channel (I mean, the
evil guy's WPA channel) with your own key so you can sniff it. Remember,
you have a valid account on the network.

In other words, the AP does the dirty work of decryption and blindly
passes the traffic to the evil guy. Again, you need a valid account on
the network and of course a valid IP, so the AP can forward all the
traffic to you.

As you can see, it doesn't matter that every client has a different
TKIP key for encryption; you can sniff every user associated to the AP.
At this point WPA looks like WEP, because if you have the WPA-PSK key
you can sniff all users.

But it isn't limited to WPA-PSK; this attack works even with 802.1x
authentication. I did this on EAP-TLS and got *plain text traffic*
from all the poisoned users.

I hope this clarifies my point.

Greets,
Eduardo.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I don't understand. If you don't have to break the encrypted channel,
what's the point of sniffing packets if they are encrypted?

Andy

- ------------
from now on, everyday is September 10th in America... - Dan Verton

On Sat, 05 Nov 2005 10:47:08 -0800 Eduardo Espina
<eduardomx@gmail.com> wrote:
>Hi,
>
>I don't know if this has been already discussed here (but I don't
>recall it).
>I was doing a pen-test on a wireless network with WPA (TKIP) and I
>found that ARP Cache Poisoning works as well as on ethernet networks.
>
>In consequence I can do MITM for HTTP, sniffing on all wireless
>clients, and all attacks you can imagine that work on ethernet
>networks.
>
>Unless your infrastructure provides a way of isolating every wireless
>client on your network, they could be at risk. (In some architectures
>isolation may not be desirable because of resource sharing, windows
>domains, etc.)
>
>In the case you can't isolate clients you should let the users know
>that WPA can't assure confidentiality as most people think. You don't
>need to break the encrypted channel, just sit there and fool every
>client with ARP cache poisoning and sniff'em all.
>
>We all know that WPA is good (better than WEP, at least), and this
>kind of attack is limited to local users, but it's a cool way to show
>people that no system is 100%, not even the WPA. Of course you need a
>valid account on the network, but, is that a problem?
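The thread above explains why the attack works: a client accepts an unsolicited ARP reply that rebinds the gateway's IP to another station's MAC, and the AP forwards (and re-encrypts) the redirected traffic without noticing. Where client isolation is not an option, the practical defence is to watch the ARP traffic itself. The following script is an added illustration, not code from any of the posts: it keeps its own view of IP-to-MAC bindings from observed ARP replies and raises an alert when a known binding changes or when one MAC starts claiming several IPs, which is what a host impersonating both endpoints looks like. The ARP records, addresses and the trusted gateway binding are constructed sample values.

```python
"""Detect ARP cache poisoning from a stream of observed ARP replies.

Added illustration for the thread above (not code from the original
posts). A monitor on the same WLAN, or an agent on each client, can keep
its own IP->MAC table and alert on changes instead of silently accepting
whatever the last ARP reply said.
"""
from collections import defaultdict

# Constructed sample: each tuple is (sender_ip, sender_mac, target_ip) as
# carried in an ARP *reply*. All values are invented for illustration.
SAMPLE_ARP_REPLIES = [
    ("192.168.1.1",  "00:11:22:33:44:01", "192.168.1.20"),  # gateway answers a client
    ("192.168.1.20", "00:11:22:33:44:20", "192.168.1.1"),   # client answers the gateway
    ("192.168.1.1",  "00:11:22:33:44:99", "192.168.1.20"),  # gateway IP, new MAC: suspicious
    ("192.168.1.20", "00:11:22:33:44:99", "192.168.1.1"),   # same MAC now claims the client too
    ("192.168.1.30", "00:11:22:33:44:30", "192.168.1.1"),   # unrelated, legitimate reply
]

# Static bindings the operator trusts in advance (assumed gateway address).
TRUSTED_BINDINGS = {"192.168.1.1": "00:11:22:33:44:01"}


def detect_arp_spoofing(replies, trusted=None):
    """Return a list of alert strings; an empty list means nothing suspicious.

    Two checks are applied to every reply:
    1. The sender IP already has a binding (learned earlier or trusted) and
       the reply carries a different MAC.  The first binding is kept, so a
       persistent spoofer keeps tripping the alert.
    2. The sender MAC is now claiming more than one IP, the footprint of a
       station impersonating both sides of a conversation.
    """
    bindings = dict(trusted or {})          # ip -> first MAC seen for it
    ips_per_mac = defaultdict(set)          # mac -> set of IPs it has claimed
    for ip, mac in bindings.items():
        ips_per_mac[mac].add(ip)

    alerts = []
    for sender_ip, sender_mac, _target_ip in replies:
        known_mac = bindings.get(sender_ip)
        if known_mac is None:
            bindings[sender_ip] = sender_mac
        elif known_mac != sender_mac:
            alerts.append(f"{sender_ip} rebound from {known_mac} to {sender_mac}")

        if sender_ip not in ips_per_mac[sender_mac]:
            ips_per_mac[sender_mac].add(sender_ip)
            if len(ips_per_mac[sender_mac]) > 1:
                claimed = sorted(ips_per_mac[sender_mac])
                alerts.append(f"{sender_mac} claims multiple IPs: {claimed}")
    return alerts


if __name__ == "__main__":
    for line in detect_arp_spoofing(SAMPLE_ARP_REPLIES, TRUSTED_BINDINGS):
        print("ALERT:", line)
```

On the constructed sample this produces three alerts: the gateway IP rebinding to the new MAC, the client IP rebinding to the same new MAC, and that MAC claiming both IPs. The rebind check also fires on legitimate events such as a replaced NIC or a DHCP lease handed to a different machine, so in practice the trusted table should be seeded from DHCP leases or switch/controller data and the alert reviewed rather than acted on automatically.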

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:08 EDT