
I just finished a project in which I coded a man-in-the-middle attack on an unsecured network. I've tried to see how feasible it would be to extend this to a secured network. Some internet searching has left me a bit puzzled. I have a few questions:

What exactly does wireless encryption hide? I assume it is everything after the destination and source MACs. Is this true?

If the password of a network is known, how trivial/difficult is the implementation of an ARP poisoning attack?

If the password of a network is known, how trivial/difficult is it to do anything malicious? It seems like the data would be encrypted using other unknown and constantly changing elements such as initialization vectors. If ARP poisoning is feasible, is there a confidentiality concern?

Thanks ahead of time guys.

Rory Alsop
Chad
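The question asks how an ARP poisoning attack would play out on a network the attacker is already on. From the defender's side the observable symptoms are the same with or without link-layer encryption: an IP address whose advertised MAC changes, a trusted binding (the gateway) being claimed by a different MAC, or one MAC claiming several IPs at once. The following is an added example, not code from the original post or either answer, of a small detector that flags those symptoms over a constructed stream of ARP replies (the addresses, MACs and the "trusted gateway" binding are made up for the demonstration):

```python
"""ARP-poisoning symptom detector over ARP replies (added example, constructed data)."""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass(frozen=True)
class ArpReply:
    """The ARP reply fields that matter for poisoning detection."""
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str


@dataclass
class ArpMonitor:
    # Static IP -> MAC bindings the defender trusts (e.g. the default gateway).
    trusted: Dict[str, str]
    # First-seen IP -> MAC bindings learned passively from replies.
    seen: Dict[str, str] = field(default_factory=dict)
    # Reverse view: every IP each MAC has claimed so far.
    ips_by_mac: Dict[str, Set[str]] = field(default_factory=dict)

    def observe(self, reply: ArpReply) -> List[str]:
        """Record one reply and return any alerts it triggers."""
        alerts: List[str] = []
        mac = reply.sender_mac.lower()
        ip = reply.sender_ip

        # 1. A statically trusted binding (gateway) is being claimed by another MAC.
        expected = self.trusted.get(ip)
        if expected is not None and expected.lower() != mac:
            alerts.append(f"TRUSTED-MISMATCH {ip}: got {mac}, expected {expected.lower()}")

        # 2. An IP we already saw now advertises a different MAC (first binding wins).
        prev = self.seen.get(ip)
        if prev is None:
            self.seen[ip] = mac
        elif prev != mac:
            alerts.append(f"BINDING-CHANGE {ip}: {prev} -> {mac}")

        # 3. One MAC claiming several IPs: the classic gateway-plus-victim pattern.
        #    Heuristic only; multi-homed hosts can legitimately trigger it.
        claimed = self.ips_by_mac.setdefault(mac, set())
        claimed.add(ip)
        if len(claimed) > 1:
            alerts.append(f"MULTI-IP {mac}: claims {sorted(claimed)}")
        return alerts


# Constructed sample: two legitimate replies, then a third MAC claiming both
# the gateway's and the host's IP addresses.
SAMPLE_REPLIES = [
    ArpReply("192.168.1.1", "aa:bb:cc:00:00:01", "192.168.1.10", "aa:bb:cc:00:00:10"),
    ArpReply("192.168.1.10", "aa:bb:cc:00:00:10", "192.168.1.1", "aa:bb:cc:00:00:01"),
    ArpReply("192.168.1.1", "de:ad:be:ef:00:01", "192.168.1.10", "aa:bb:cc:00:00:10"),
    ArpReply("192.168.1.10", "de:ad:be:ef:00:01", "192.168.1.1", "aa:bb:cc:00:00:01"),
]


def run_sample() -> List[str]:
    """Feed the constructed replies through a monitor that trusts the gateway binding."""
    monitor = ArpMonitor(trusted={"192.168.1.1": "aa:bb:cc:00:00:01"})
    alerts: List[str] = []
    for reply in SAMPLE_REPLIES:
        alerts.extend(monitor.observe(reply))
    return alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The first two replies produce nothing; the third raises both a trusted-binding mismatch and a binding change for the gateway IP, and the fourth raises a binding change for the host plus a multi-IP alert for the impostor MAC. A static gateway entry (or 802.1X/dynamic ARP inspection on the switch, where available) is the mitigation that makes the first check authoritative rather than heuristic.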

2 Answers


WEP provides essentially no security whatsoever; it is at most a speed-bump. Man-in-the-middle attacks are totally possible.

WPA does not provide security against an authorized user who knows the password. In that situation, man-in-the-middle attacks are possible.

As far as the constantly changing elements go, it is no harder for an attacker to deal with them than for a legitimate user of the network to deal with them -- which is to say, not very hard at all. In other words, this is not a barrier to a serious attacker.

D.W.

  1. Wireless encryption happens within the 802.11 layer, which is at the 'physical' layer. You are mostly correct when you say encryption is "everything after the destination and source MACs"; I say mostly because there are various other 802.11 things that need to be unencrypted for the communication to work - as an obvious example, the bit that tells whether the payload is encrypted or not. See http://technet.microsoft.com/en-us/library/cc757419%28WS.10%29.aspx for some reasonably useful diagrams of how 802.11 packets are laid out.
  2. Because ARP poisoning happens outside the encryption layer, implementation of ARP poisoning is the same difficulty with and without encryption. However, your ability to leverage ARP poisoning to perform a MITM attack is impacted by the encryption. It's easy to pretend you're the AP if there's no encryption, but if there's encryption and you don't know the password, then you can't effectively pretend to be the AP, even though you can ARP poison to get the packets sent your way.
  3. I'm not competent to tell you what sort of protocol decryption can be done by an attacker with the password, but I don't believe it's that trivial, or else the wireless at Starbucks where the password is taped to the wall would be no more secure than an unsecured wireless. Of course, beware of answers based on what a reasonable person concludes would make sense!
gowenfawr
  • "_the wireless at Starbucks where the password is taped to the wall would be no more secure than an unsecured wireless_" and what makes you believe it is more secure than an unsecured Wifi? – curiousguy Nov 16 '11 at 04:33
  • "_if there's encryption and you don't know the password, then you can't effectively pretend to be the AP, even though you can ARP poison to get the packets sent your way._" How? – curiousguy Nov 16 '11 at 22:00
  • Two wireless clients using the same password to negotiate secure wireless connections cannot, just by dint of knowing that same password, decrypt the other's communications. The password isn't the key. This makes it more secure than unsecured Wifi, which is the equivalent of using a hub the attacker is plugged into. For the second question, not sure what "How?" applies to in that sentence. – gowenfawr Nov 17 '11 at 21:14
  • "_if there's encryption and you don't know the password, (...) you can ARP poison to get the packets sent your way._" How? – curiousguy Nov 18 '11 at 09:09
  • ARP poisoning happens outside the encryption layer, so you can trick a host into sending packets your way even if they don't belong to you. That's kind of the definition of ARP poisoning. If they're encrypted you can't read them, or effectively converse, but you can always sidetrack packets. – gowenfawr Nov 19 '11 at 14:50
  • The wireless at Starbucks where the password is taped to the wall IS no more secure than an unsecured wireless. With credentials you can decrypt/encrypt anything you want and that is super trivial. – chao-mu Jul 12 '12 at 20:31
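gowenfawr's first point is that 802.11 encryption covers the frame body but not the 802.11 header: the frame control field (including the Protected Frame bit), the addresses and the sequence control stay in the clear so that the link can function. The following added example, not part of the original answer, parses a constructed protected data frame and reports exactly which fields remain readable without any key. The sample frame and its "ciphertext" bytes are made up; the header layout and flag positions follow the 802.11 frame format for management and data frames (control frames use shorter headers and are rejected here):

```python
"""Show which 802.11 header fields stay cleartext on an encrypted frame (added example)."""
import struct
from typing import Dict, Optional

TYPE_NAMES = {0: "management", 1: "control", 2: "data", 3: "extension"}

# Meaning of Address 1..4 depends on the To DS / From DS flag pair.
ADDR_ROLES = {
    (False, False): ("destination", "source", "bssid", None),
    (True, False): ("bssid", "source", "destination", None),
    (False, True): ("destination", "bssid", "source", None),
    (True, True): ("receiver", "transmitter", "destination", "source"),
}


def _mac(frame: bytes, off: int) -> str:
    return ":".join(f"{b:02x}" for b in frame[off:off + 6])


def parse_80211_header(frame: bytes) -> Dict[str, object]:
    """Parse the unencrypted MAC header of a management or data frame."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a 24-byte MAC header")
    fc0, fc1, duration = struct.unpack_from("<BBH", frame, 0)
    ftype = (fc0 >> 2) & 0x3          # bits 2-3 of the first frame-control byte
    subtype = (fc0 >> 4) & 0xF        # bits 4-7
    if ftype == 1:
        raise ValueError("control frames have a different, shorter header")
    to_ds = bool(fc1 & 0x01)          # flag bits live in the second byte
    from_ds = bool(fc1 & 0x02)
    protected = bool(fc1 & 0x40)      # the "is the body encrypted?" bit
    roles = ADDR_ROLES[(to_ds, from_ds)]
    addrs = {roles[0]: _mac(frame, 4), roles[1]: _mac(frame, 10), roles[2]: _mac(frame, 16)}
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]
    header_len = 24
    if to_ds and from_ds:             # Address 4 is only present in WDS frames
        if len(frame) < 30:
            raise ValueError("4-address frame truncated")
        addrs[roles[3]] = _mac(frame, 24)
        header_len = 30
    return {
        "type": TYPE_NAMES[ftype],
        "subtype": subtype,
        "to_ds": to_ds,
        "from_ds": from_ds,
        "protected": protected,
        "duration": duration,
        "addresses": addrs,
        "sequence": seq_ctrl >> 4,
        "fragment": seq_ctrl & 0xF,
        "header_len": header_len,
        # Everything from here on is what the cipher hides; header fields above are not.
        "body": frame[header_len:],
    }


# Constructed frame: data frame, From DS = 1, Protected Frame = 1 (fc bytes 0x08 0x42),
# duration 0, station aa:bb:cc:00:00:10, BSSID aa:bb:cc:00:00:01, source 00:11:22:33:44:55,
# sequence number 1, followed by four stand-in bytes in place of real ciphertext.
SAMPLE_FRAME = (
    bytes([0x08, 0x42, 0x00, 0x00])
    + bytes.fromhex("aabbcc000010")
    + bytes.fromhex("aabbcc000001")
    + bytes.fromhex("001122334455")
    + bytes([0x10, 0x00])
    + bytes.fromhex("deadbeef")
)


def summarize_sample() -> Dict[str, object]:
    return parse_80211_header(SAMPLE_FRAME)


if __name__ == "__main__":
    info = summarize_sample()
    print(f"{info['type']} frame, protected={info['protected']}, cleartext addresses: {info['addresses']}")
```

Running it shows that, even on a protected frame, an observer without the key still learns the frame type, which direction it travels (To DS / From DS), the station, BSSID and source MACs, and the sequence number; only the body after the 24-byte header (and the per-packet key material that follows it in real WPA frames) is what the encryption withholds. That is the basis for the answer's "mostly correct": the asker's "everything after the MACs" intuition is right about the body but the header carries more cleartext than just two addresses.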