On 2006/06/06 09:12, Spruell, Darren-Perot wrote:
> > WEP can be sniffed passively, but from what I understand with
> > WPA there are different keys per client (I don't have anything
> > running WPA here to check).
>
> My understanding is that the key shared by the WLAN nodes in WPA-PSK is used
> to generate session keys, which are then cycled on a frequent basis (by
> TKIP, if configured on WPA1) or another method that escapes me on WPA2
> (802.11i). You ARP spoof and you can have traffic directed to you, but it's
> encrypted using a symmetric session key which you don't have.
AP receives Ethernet frames, decrypts, looks at the destination MAC and decides whether to bridge to wired, or transmit to another wireless node. If they're going to another wireless node, the frames are re-encrypted with a key suitable for the receiving node and retransmitted. (N.B. client-to-client comms on a BSS are all repeated by the AP.)

> I would challenge that by intercepting WPA-protected traffic
> you can obtain cleartext so simply.

This is no WPA crack. A wireless LAN is still susceptible to normal attacks which can be mounted from one node on a LAN to another. In the situation described, the attacker has already been given the WPA key, so they are on the LAN.
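Since the thread's point is that a station holding the PSK is simply another node on the LAN, the practical control is the same as on a wired segment: watch ARP bindings and alert when an IP's advertised MAC changes or one MAC starts answering for several IPs. The detector below is an added example, not code from anyone in this thread; the tcpdump-style ARP lines are constructed for illustration and the static `trusted` table is an assumed input.

```python
import re
from collections import defaultdict

# Constructed sample in "tcpdump -n" ARP format (not real captures):
# the gateway 192.168.1.1 and host .20 are both later "re-announced" by a third MAC.
SAMPLE_ARP_LOG = """\
12:00:01.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:01, length 28
12:00:01.200 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:20, length 28
12:00:02.000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:66, length 28
12:00:02.100 ARP, Reply 192.168.1.20 is-at 00:11:22:33:44:66, length 28
12:00:03.000 ARP, Request who-has 192.168.1.30 tell 192.168.1.1, length 28
"""

ARP_REPLY = re.compile(
    r"^(?P<ts>\S+) ARP, Reply (?P<ip>\d+\.\d+\.\d+\.\d+) is-at "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})", re.IGNORECASE)


def detect_arp_conflicts(log_text, trusted=None):
    """Return (ts, ip, old_mac, new_mac, reason) alerts for suspicious ARP replies.

    trusted: optional {ip: mac} static table (e.g. the gateway, assumed input);
    a reply that disagrees with it is reported immediately.
    """
    trusted = {k: v.lower() for k, v in (trusted or {}).items()}
    seen = {}                  # ip -> first MAC observed for it
    claims = defaultdict(set)  # mac -> set of IPs it has answered for
    alerts = []
    for line in log_text.splitlines():
        m = ARP_REPLY.match(line)
        if not m:
            continue           # ARP requests and non-ARP lines are ignored
        ts, ip, mac = m["ts"], m["ip"], m["mac"].lower()
        claims[mac].add(ip)
        if ip in trusted and mac != trusted[ip]:
            alerts.append((ts, ip, trusted[ip], mac, "conflicts with static table"))
        elif ip in seen and seen[ip] != mac:
            alerts.append((ts, ip, seen[ip], mac, "binding changed"))
        seen.setdefault(ip, mac)
    # One MAC answering for several IPs is the classic poisoning footprint.
    for mac, ips in claims.items():
        if len(ips) > 1:
            alerts.append((None, None, None, mac, f"claims {len(ips)} IPs: {sorted(ips)}"))
    return alerts
```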