Full Disclosure mailing list archives
Re: Authenticated users can sniff WPA traffic?
From: coderman <coderman () gmail com>
Date: Mon, 1 Jan 2007 14:29:38 -0800
On 12/31/06, /dev/null <exceed () email si> wrote:
... recently I came across this link: http://seclists.org/pen-test/2005/Nov/0073.html Basicaly, it states that authenticated users, in combination with ARP poisoning, can sniff WPA traffic. Can anybody confirm this is possible? If that's true, is there any way to prevent this?
of course it's true. don't let ARP poisoning occur on your network. most good wifi security tools / systems will check for this among the other usual masquerading (rogue AP's, injection with invalid timestamps, etc). note that a mandatory part of this attack is having auth credentials for WPA-PSK or WPA-Enterprise (EAP/TLS,etc) so you can talk on the network to mount this ARP poisoning attack.
I would really appreciate any info/link/paper regarding topic.
any good IP routing text would be useful, particularly the interplay between ethernet (and other L2 protocols) and IP via ARP/RARP. as one last side note, if you've got the WPA-PSK secret via dictionary attack you can combine this with disassociate injection to force all clients to re-authenticate while you are listening so you can recover the client keys (TKIP or CCMP) used for communication and get better results since you no longer need the ARP hack which will be slower and more brittle (you must remain in the loop) comparatively. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Authenticated users can sniff WPA traffic? coderman (Jan 01)