From: [EMAIL PROTECTED] 
> On 2006/06/06 10:40, Gaby vanhegan wrote:
> > Isn't there a pre-shared key used as an IV of some sort in WEP (and
> > therefore WPA)?  Yes, the traffic will be coming to you, but it's on
> > a wireless network, so you can sniff it passively if you want, you
> > don't need an IP address for that.
> 
> WEP can be sniffed passively, but from what I understand with
> WPA there are different keys per client (I don't have anything
> running WPA here to check).

My understanding is that the key shared by the WLAN nodes in WPA-PSK is used
to generate session keys, which are then cycled on a frequent basis (by
TKIP, if configured on WPA1) or another method that escapes me on WPA2
(802.11i). You arp spoof and you can have traffic directed to you, but it's
encrypted using a symmetric session key which you don't have. You can try to
break the key, but by the time you brute force it, the key has already been
cycled and a new key is being used to encrypt new frames. Unlike WEP, a
shared passphrase on the AP and each client doesn't mean common keying
material used by everyone because of the key rotation. The biggest weakness
pointed out thus far in WPA to my knowledge has been in response to weak
passphrases used for PSKs and dictionary attacks against them. I would
challenge that by intercepting WPA-protected traffic you can obtain
cleartext so simply.

DS
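As an added illustration of the point above (not code from anyone in this thread), the script below walks the WPA-PSK key hierarchy with Python's hashlib: the shared passphrase and SSID give one Pairwise Master Key, but each station's Pairwise Transient Key is derived from that PMK together with the two MAC addresses and two fresh nonces from the 4-way handshake, so two clients on the same passphrase end up with different session keys and a rekey produces a new one. The passphrase/SSID pair is the 802.11i reference test vector; the MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample inputs (not from the thread). "password"/"IEEE" is the
# PBKDF2 test vector from the 802.11i standard; MACs and nonces are made up.
PASSPHRASE = "password"
SSID = "IEEE"
AP_MAC = bytes.fromhex("001122334455")
STA1_MAC = bytes.fromhex("66778899aabb")
STA2_MAC = bytes.fromhex("ccddeeff0011")
ANONCE = bytes(range(32))                  # AP nonce for handshake 1
SNONCE1 = bytes(range(32, 64))             # station 1 nonce
SNONCE2 = bytes(range(64, 96))             # station 2 nonce
ANONCE_REKEY = bytes(range(96, 128))       # new AP nonce when station 1 rekeys


def pmk_from_psk(passphrase: str, ssid: str) -> bytes:
    """WPA-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf(key: bytes, label: bytes, data: bytes, nbytes: int) -> bytes:
    """802.11i PRF-n: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0.., truncated."""
    out = b""
    for i in range((nbytes + 19) // 20):
        out += hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:nbytes]


def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes,
                 nbytes: int = 64) -> bytes:
    """PTK from the 4-way handshake inputs; MACs and nonces are ordered, not fixed roles.
    64 bytes is the TKIP (PRF-512) size; CCMP uses 48."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    return prf(pmk, b"Pairwise key expansion", data, nbytes)


def demo() -> dict:
    """Derive the shared PMK and three PTKs: two stations, then station 1 after a rekey."""
    pmk = pmk_from_psk(PASSPHRASE, SSID)
    return {
        "pmk": pmk.hex(),
        "ptk_sta1": ptk_from_pmk(pmk, AP_MAC, STA1_MAC, ANONCE, SNONCE1).hex(),
        "ptk_sta2": ptk_from_pmk(pmk, AP_MAC, STA2_MAC, ANONCE, SNONCE2).hex(),
        "ptk_sta1_rekey": ptk_from_pmk(pmk, AP_MAC, STA1_MAC, ANONCE_REKEY, SNONCE1).hex(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The output shows one PMK for everyone but three distinct PTKs, which is why a sniffer holding the passphrase still needs each client's handshake to get at that client's traffic.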
