Penetration Testing mailing list archives

Sniffing on WPA
From: Eduardo Espina <eduardomx () gmail com>
Date: Sun, 6 Nov 2005 14:01:44 -0600

I'm not pointing out that it is a WPA flaw, I agree with you.
But there is a popular belief that clients using WPA
can't be sniffed at all.

WEP was criticized as being weak in confidentiality:
you get the key and you can sniff all the clients within range.

With this problem in mind (among others) WPA uses a unique key for
every user, so no one can sniff another client within range;
well, with ARP cache poisoning you simply avoid this security.

And this problem is worse in WPA-PSK; we know of
dictionary-based attacks: if the attacker successfully cracks
the passphrase, it doesn't just get an IP on the network but access
to all the network traffic, just like WEP. (I'm not talking
about statistical attacks, replay attacks, etc.; WPA does well
in that arena.)

The point is, it would be ALMOST the same thing to have a universal
key for all the wireless clients (like in WEP) as the per-user
key used in WPA when it comes to confidentiality. Obviously, as long
as you can do ARP cache poisoning.


Eduardo Espina Garcia <eespina () seguridad unam mx>
Departamento de Seguridad en Computo - UNAM-CERT DGSCA, UNAM
http://www.seguridad.unam.mx  Tel.: 5622-8169  Fax: 5622-8043
GPG Key Fingerprint: "8E86 932F C364 03BE 39B8  3F9D D27E 438A 3C6A 750F"
"No matter how hard you try to keep your secret, it's a universal
law that sooner or later it will be discovered."

On 11/6/05, Cedric Blancher <blancher () cartel-securite fr> wrote:
On Saturday 05 November 2005 at 12:47 -0600, Eduardo Espina wrote:
In consequence I can do MITM for HTTP, sniffing on all wireless clients,
all attacks you can imagine that work on ethernet networks.

So you've been granted access to the WPA network, right? So why state that
WPA has anything to do with it? You can do exactly the same thing on
any kind of ethernet-like network, whether it be wired (copper, fibre) or
wireless (WEP, WPA, WPA2).

We all know that WPA is good (better than WEP, at least), and this kind
of attack is limited to local users, but it's a cool way to show people that
system is 100%, not even the WPA.

WPA's point is to protect the layer 2 communication link between client
and AP. Period.
The goal is to reach a comparable level of security to the one given by an
ethernet cable between your station and a hub/switch. Such an ethernet
network is vulnerable to ARP cache poisoning. So why would a WPA network
not be as well?
Remember what WEP means? Wired Equivalent Privacy... That's the only
goal of WiFi security. No more.

Thus, client isolation is another problem. On a wired network, you can
deploy PVLAN stuff. On a wireless network, you can activate station
isolation, a feature available on Linksys products, as an example.

PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
Hi! I'm your friendly neighbourhood signature virus.
Copy me to your signature file and help me spread!
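Both posters agree that an authenticated WLAN client can poison ARP caches exactly as on a hub or switch, and that the fix is isolation (PVLAN, station isolation), not WPA. Until that is in place, the standard way to at least see it happening is arpwatch-style monitoring: remember which MAC first answered for each IP and alert when another MAC later claims it. The following is an added example (not code from either poster); the MACs, IPs and frames are constructed sample input, not captured traffic.

```python
import struct

ETH_TYPE_ARP = 0x0806

def parse_arp(frame: bytes):
    """Return (sender_ip, sender_mac, opcode) for an Ethernet/ARP frame, else None."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    hw, proto, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (hw, proto, hlen, plen) != (1, 0x0800, 6, 4):  # Ethernet/IPv4 ARP only
        return None
    sender_mac = frame[22:28].hex(":")
    sender_ip = ".".join(str(b) for b in frame[28:32])
    return sender_ip, sender_mac, opcode

class ArpWatch:
    """arpwatch-style monitor: remember the first MAC seen for each IP and
    alert when a later ARP message rebinds that IP to a different MAC."""
    def __init__(self):
        self.bindings = {}  # ip -> mac first learned for it

    def observe(self, frame: bytes):
        parsed = parse_arp(frame)
        if parsed is None:
            return None
        ip, mac, opcode = parsed
        known = self.bindings.setdefault(ip, mac)  # learn on first sight
        if known != mac:
            return f"{ip}: bound to {known}, now claimed by {mac} (opcode {opcode})"
        return None

def build_arp(sender_mac, sender_ip, target_mac, target_ip, opcode=2) -> bytes:
    """Construct a 42-byte Ethernet/ARP frame (sample input for the demo, not captured)."""
    smac, tmac = (bytes.fromhex(m.replace(":", "")) for m in (sender_mac, target_mac))
    sip, tip = (bytes(int(o) for o in ip.split(".")) for ip in (sender_ip, target_ip))
    dst = tmac if opcode == 2 else b"\xff" * 6  # replies are unicast, requests broadcast
    return (dst + smac + struct.pack("!H", ETH_TYPE_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + smac + sip + tmac + tip)

def run_demo():
    """A legitimate gateway reply, then a second host (constructed) claiming the gateway's IP."""
    watch = ArpWatch()
    client = ("aa:bb:cc:00:00:10", "192.168.1.10")
    gateway = ("aa:bb:cc:00:00:01", "192.168.1.1")
    rogue = ("de:ad:be:ef:00:01", "192.168.1.1")  # same IP, different MAC
    frames = [build_arp(*gateway, *client), build_arp(*rogue, *client), build_arp(*gateway, *client)]
    return [alert for alert in (watch.observe(f) for f in frames) if alert]

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

A monitor only tells you after the fact; the isolation features named above (or static ARP entries for the gateway on managed clients) are what actually stop the traffic from being redirected.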

