
ARP request replay attacks are based on the practice that wireless access points repeat ARP packets injected into the network, and since these ARP packets are encrypted, they also carry the IV with it.

Can someone explain:

  • Why do wireless access points encrypt ARP packets in the first place?
  • Why are wireless access points programmed to repeat ARP packets injected into the network?

  • All traffic sent over a wireless network configured for WEP or WPA will get encrypted. If you didn't encrypt ARP packets, they would be vulnerable to attack by someone without the wireless key. This means any attacker could perform a MITM, enumerate devices on the network, perform selective ARP poisoning, etc. – Daisetsu Oct 19 '18 at 06:32

1 Answer


Why do wireless access points encrypt ARP packets in the first place?

The data payload of all [non-802.11 management] frames from the client to the AP (and vice versa) is encrypted when encryption is in use. ARP is simply another frame that is handled exactly like every other frame.

The AP will not accept unencrypted frames from a client once encryption has been established. If it did, this would open the door for a wide number of attacks that were spoofed to imitate a valid client.

Why are wireless access points programmed to repeat ARP packets injected into the network?

Because ARP is broadcast (generally speaking - there are directed ARPs, but those are a limited case and not used in this case) throughout the L2 domain so that the device with the L3 address will receive it and respond.

If the AP did not do so, this would break ARP functionality for every device on the L2 domain. Clients connected to the device wouldn't even be able to find their own default gateway's MAC address via ARP.

– YLearn
  • Are ARP packets also encrypted before authentication? If they were, how would a client even attempt to establish a connection if it could not find the MAC address of the default gateway? I understand part 2 of the answer, but for part 1, why couldn't ARP packets be unencrypted while all other packets continue to be encrypted after a connection? After all, ARP serves a different purpose, doesn't it? Is it because it is difficult for the AP to decode L2 packets to determine its type? – Lincoln Cheng Oct 21 '18 at 06:24
  • There is no ARP before authentication. There can't be any sort of data traffic before authentication because the client isn't connected to the network at that time. Authentication is taken care of entirely between the AP and client at L2; IP is not needed or involved in any way. As for the second part of your comment, they couldn't because the AP won't accept unencrypted frames from the client after encryption is established. It doesn't matter what the data portion contains, whether that is an HTTP request or an ARP request. The AP simply doesn't care what is in the data portion of the frame. – YLearn Oct 21 '18 at 19:21
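One way a network defender can spot the replay pattern the question and answer describe (a station re-sending one captured encrypted ARP request over and over, which the AP then relays with fresh IVs) is to look for exact duplicates of the same IV and ciphertext from one station that are not ordinary 802.11 retransmissions. The Python below is an added example, not code from the question, the answer or any named tool; the frame record, the MAC addresses, the ciphertext bytes and the capture are all constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class WepFrame:
    """Constructed, minimal view of a captured WEP-protected 802.11 data frame."""
    ts: float     # capture timestamp in seconds
    src: str      # transmitting station MAC (Address 2)
    seq: int      # 802.11 sequence number
    retry: bool   # 802.11 Retry bit (link-layer retransmission)
    iv: bytes     # 3-byte WEP IV from the frame header
    body: bytes   # ciphertext payload (an encrypted ARP request is a fixed size)


def detect_replay(frames, window=1.0, threshold=10):
    """Count exact duplicates of (IV, ciphertext) per source inside a sliding window.

    A WEP client only resends an identical IV/ciphertext pair as an 802.11
    retransmission, which keeps the sequence number and sets the Retry bit.
    Duplicates carrying new sequence numbers are replayed injections.
    Returns {src: peak duplicates in any window} for sources over the threshold.
    """
    recent = defaultdict(deque)   # (src, iv, body) -> timestamps inside the window
    last_seq = {}
    peak = defaultdict(int)
    for f in sorted(frames, key=lambda f: f.ts):
        is_link_retry = f.retry and last_seq.get(f.src) == f.seq
        last_seq[f.src] = f.seq
        if is_link_retry:
            continue              # legitimate retransmission, not a replay
        q = recent[(f.src, f.iv, f.body)]
        q.append(f.ts)
        while q and f.ts - q[0] > window:
            q.popleft()
        peak[f.src] = max(peak[f.src], len(q))
    return {s: n for s, n in peak.items() if n > threshold}


ARP_CT = bytes.fromhex("aa" * 40)   # constructed 40-byte ciphertext of an ARP request


def sample_capture():
    """Constructed capture: one legitimate ARP (plus its 802.11 retry) and a data
    frame from station ...0a, then the same ARP replayed 30 times by station ...0b."""
    a, b = "02:00:00:00:00:0a", "02:00:00:00:00:0b"
    legit = [WepFrame(0.00, a, 100, False, b"\x00\x00\x01", ARP_CT),
             WepFrame(0.02, a, 100, True, b"\x00\x00\x01", ARP_CT),
             WepFrame(0.50, a, 101, False, b"\x00\x00\x02", bytes(120))]
    replay = [WepFrame(1.0 + i * 0.015, b, 500 + i, False, b"\x00\x00\x01", ARP_CT)
              for i in range(30)]
    return legit + replay
```

The AP-side symptom is the mirror image: a burst of broadcast data frames of the same length from the AP, each with a fresh IV, at the same rate as the injected duplicates.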