lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Mon, 1 Jan 2007 14:29:38 -0800
From: coderman <coderman@...il.com>
To: "/dev/null" <exceed@...il.si>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Authenticated users can sniff WPA traffic?

On 12/31/06, /dev/null <exceed@...il.si> wrote:
> ...
> recently I came across this link:
> http://seclists.org/pen-test/2005/Nov/0073.html
>
> Basicaly, it states that authenticated users, in combination with ARP
> poisoning, can sniff WPA traffic. Can anybody confirm this is possible? If
> that's true, is there any way to prevent this?

of course it's true.  don't let ARP poisoning occur on your network.
most good wifi security tools / systems will check for this among the
other usual masquerading (rogue AP's, injection with invalid
timestamps, etc).

note that a mandatory part of this attack is having auth credentials
for WPA-PSK or WPA-Enterprise (EAP/TLS,etc) so you can talk on the
network to mount this ARP poisoning attack.


> I would really appreciate any info/link/paper regarding topic.

any good IP routing text would be useful, particularly the interplay
between ethernet (and other L2 protocols) and IP via ARP/RARP.

as one last side note, if you've got the WPA-PSK secret via dictionary
attack you can combine this with disassociate injection to force all
clients to re-authenticate while you are listening so you can recover
the client keys (TKIP or CCMP) used for communication and get better
results since you no longer need the ARP hack which will be slower and
more brittle (you must remain in the loop) comparatively.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ