6

Correct me if I'm wrong but isn't it possible to sniff WiFi traffic in the air? If so, what exactly is the point of ARP poisoning? In this scenario, the attacker would already be authenticated on the WPA2-PSK network and can therefore decrypt traffic.

Hello
  • 163
  • 5

2 Answers2

6

You are assuming that once you are authenticated to the Access Point that you can automatically see all WiFi traffic from all nodes in the clear.

In WPA, each node is given their unique key with which to communicate with the Access Point.

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • Ah, I see. I'm assuming that ARP poisoning deceives the targeted machine into encrypting the to-be-intercepted traffic for the attacker, and that is why ARP poisoning works while sniffing in the air does not? – Hello Sep 16 '15 at 18:14
  • Correct. To sniff, you need to be "in the middle" and be in charge of the encryption back and forth. – schroeder Sep 16 '15 at 18:20
  • Well, you can also sniff if really weak crypto (WEP) is being used, even if you don't have the key initially (takes only a short time to obtain it). WEP is kind of a disaster that way. Don't use it. – CBHacking Sep 16 '15 at 19:23
2

Schroeder is right about the encryption it's uniq for every client but that doesnt mean you can't decrypt it. The problem with wireless is that the content is "in the air" so everybody can capture it. So when somebody connects to an AP and you capture the four-way-handshake including the sesseion specific information and you have the PSK also you can decrypt the traffic of this client.

You can for example do this unsing airdecap-ng from the aircrack suit.

If you have only connected clients you can deauth the one you want to sniff so the client has to reconnect and you can capture the four-way-handshake.

davidb
  • 4,285
  • 3
  • 19
  • 31