WPA vs. WEP when sniffing with a known key
Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: WPA vs. WEP when sniffing with a known key

  1. #1
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897

    WPA vs. WEP when sniffing with a known key

    I just wanted to make sure Iíve got this straight. Iíve been doing some tests and Iím not sure everything is set right so tell me if my results are wrong.

    No WPE or WPA all clients can sniff each other on the WAP.

    With WEP only others that are using the WEP key can sniff each other.

    With WPA no one sniffs can sniff each other, even if they are connecting to the same WAP and use the same PSK.

  2. #2
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Correct, because of the dynamic key exchange. I take it you have TKIP set on your WPA clients?
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  3. #3
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    As I understand it, yes.

  4. #4
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,884
    Good. This is what powers the key exchange. I'm not sure of the default but its something insane like once every 15 seconds new keys are negotiated.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  5. #5
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    Now if only I could get my old hermes card to work with WPA.

  6. #6
    Senior Member
    Join Date
    Dec 2004
    Posts
    320
    I believe that TKIP generates a new key for every packet. I have been reading up on this lately. Althought that does seem a little insane... Also, I believe that each packet is given a 48-bit 'serial number' (for lack of a better work) each 'serial number' is part of both the IV and key.
    Each time a new client connects, a new base key (Pairwise Transient Key or PTK) is generated, and the 'serial number' generation is different(this also depends on the client's MAC address). Wouldn't this essentially be a 48-bit one time pad for each packet ? (please correct me if I do not understand this all the way)

    this is how I understand it, anyways, so no. WPA cannot sniff each other due to the 'serial number' and the base key that is generated for each new client.
    The fool doth think he is wise, but the wiseman knows himself to be a fool - Good Ole Bill Shakespeare

  7. #7
    Senior Member
    Join Date
    Sep 2001
    Posts
    1,027
    Humm, interesting;
    On my linksys wrt55g, I have the option with WPA of either TKIP or AES.
    Now does the inability to cross-sniff only come from TKIP and the per association keying or does it also prevent it with AES?


    Ammo
    Credit travels up, blame travels down -- The Boss

  8. #8
    Having never really played with WPA, I am still a bit fuzzy on it's specifics. Obviously, it prevents a single machine from just going promiscuous... The network is still vulnerable to a more active sniffing attack, such as ARP poisoning, correct?

  9. #9
    Senior Member
    Join Date
    Dec 2004
    Posts
    320
    First off, let me correct some of myself. Any Wi-Fi card in promiscous mode can sniff radio waves (as long as said card supports the protocol). It is just a matter of decrypting the packets. As with TKIP, the MIC (message integrity check) is encrypted within the packet as opposed to appended to (as with WEP's Integrity Check value, or ICV). This, in combination with TKIP using a new key every packet, means that essentially, no. ARP poisoning is much, much harder to do. The only things that aren't encrypted are source IP and Destination IP (for most packets) including ARP replies. TKIP has protection against replay attacks, meaning each packet has a new key, so you can't use the key that the packet 1 second ago used (even if you could decrypt it in time)
    The only things that aren't encrypted are source IP and Destination IP (for most packets).

    AES has group key changing policy. Meaning that the key changes every so often for ( not sure if it's everyone in the group or a 1 by 1 basis. I'm assuming it is a 1 by 1 basis, need to read more RFCs on EAP and RADIUS and what not )

    Still reading on it though... interesting stuff.
    The fool doth think he is wise, but the wiseman knows himself to be a fool - Good Ole Bill Shakespeare

  10. #10
    King Tutorial-ankhamun
    Join Date
    Jul 2004
    Posts
    897
    I pretty sure promiscous mode does not look at the radio waves, you need RFMon for that. With promiscous you only get what's goin to anf from your WAP, with RFMon (Monitor mode) you see all the traffic to all the WAPs in the area. Correct me it I'm wrong.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •