From: Cedric Blancher (blancher@cartel-securite.fr)
Date: Mon Nov 07 2005 - 03:22:05 EST
Le dimanche 06 novembre 2005 à 14:01 -0600, Eduardo Espina a écrit :
> I'm not pointing that it is a WPA flaw, i agree with you.
> But there is a popular belief that clients using WPA
> can't be sniffed at all.
As it is a popular belief that you can't sniff traffic on a switched
network...
> With this problem in mind (among others) WPA uses unique key for
> every user, so no one can sniff another client within range,
> well, with ARP cache poisoning you simply avoid this security
> feature.
Yes, but it's out of WPA field.
> And this problem is worst in WPA-PSK
WPA-PSK PTK calculation is definitly weak.
> The point is, it would be ALMOST the same thing to have a universal
> key for all the wireless clients (like in WEP) than the per-user
> key used in WPA when it comes to confidentiality. Obviously, as long
> as you can do ARP cache poisoning.
I totally disagree. 802.11 is a physical/link layer protocol and WPA is
there to secure it. You can use plenty of other protocols than IP over
it, including ones that do not require ARP.
My point is ARP cache poisoning being a specific upper layer protocol,
it's out of layer 2 mecanisms to take care of it.
> But it isn't limited to WPA-PSK, this attack works even with 802.1x
> authentication. I did this on EAP-TLS and got *plain text traffic*
> from all the poisoned users.
And it works as well for 802.11i or anything using any form of
authentication and ciphering you can think of. To extend the point, it
also works with OpenVPN in ethernet bridge mode... OpenVPN fault ?
And by the way, this is not quite a news. A lot of people that gave
talks about layer 2 attacks and ARP cache poisoning in particular
mentionned the fact. Some of my talks that come in mind:
http://sid.rstack.org/pres/0207_LSM02_ARP.pdf
http://sid.rstack.org/pres/0305_ESIEA_LANAttacks.pdf
-- http://sid.rstack.org/ PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE >> Hi! I'm your friendly neighbourhood signature virus. >> Copy me to your signature file and help me spread! ------------------------------------------------------------------------------ Audit your website security with Acunetix Web Vulnerability Scanner: Hackers are concentrating their efforts on attacking applications on your website. Up to 75% of cyber attacks are launched on shopping carts, forms, login pages, dynamic content etc. Firewalls, SSL and locked-down servers are futile against web application hacking. Check your website for vulnerabilities to SQL injection, Cross site scripting and other web attacks before hackers do! Download Trial at: http://www.securityfocus.com/sponsor/pen-test_050831 -------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:08 EDT