[nycbug-talk] wpa cracked

Isaac Levy ike at lesmuug.org
Thu Nov 13 21:40:23 EST 2008

On Nov 13, 2008, at 8:47 PM, Ray Lai wrote:
>>>>>>> http://isc.sans.org/diary.html?storyid=5315
>>>>>> Yeah. .  and don't use TKIP
>>>>> Or just use IPsec! =)
>>>>> -Ray-

ike asked,

>>>> For encrypted transport, sure- but what about for auth to the AP?

ray and dingo said something to the effect of:

> I think he meant authpf.

OK- very cool alternative to the ipsec setup, easier for sysadmins
(people who use ssh a great deal anyhow), so this is good to know-
but- it doesn't help with office or other deployments (where wireless
users may not ever use ssh).  I guess IPSEC behind the AP, (and
deploying certs/passwords/etc

Thanks dingo and ray- learned a new tool here :)

However, the crux of my question was answered by Miles, and I can add  
one thing:

On Nov 9, 2008, at 2:27 AM, Miles Nordin wrote:

> it's radio.  encryption won't help with DoS.

WiFi blocking wallpaper (ah-ha!):

> There is no such thing
> as admission control.  Anyone can broadcast garbage on the band
> period.  The only choice you can make is, what will you forward and
> what will you ignore?
>    il> Plenty of vendor-supplied 'user friendly' softwares on windows
>    il> machines try to auto-connect to AP's, based on signal strength
> [...]
>    il> cafes and apartment buildings, and voila- hosed- with perhaps
>    il> zero malicious or trespass intent.
> I've seen some AP's that seem like they don't have the CPU power or
> NAT table size to handle normal bittorrent, so I don't doubt that you
> might have seen a problem with too many associations.

In-f'ing-deed I have!

> but the answer
> is to get an AP that's not a piece of shit and doesn't crash.  auth
> isn't needed for that.

For this problem, true- but most AP's available simply don't cut it.

The only benefit of WPA, or WEP even- is perhaps a side-effect?:  Upon
'bad' auth for association to the AP, most AP's seem to simply quit
paying attention to the wireless client which is trying to connect-
for a period of time (in seconds).  With that, WPA can basically
tarpit clients which are trying to auto connect repeatedly.  It's all
pretty ghetto with most AP gear, but as opposed to having open AP's
(even with IPSEC or other behind them), it functionally stops AP
association overload.  A real WiFi DDOS is a whole other matter, but
I've dealt with this situation around town too many times to not say
it's fairly common...
