[22916] in bugtraq
Wireless Access Points and ARP Poisoning
daemon@ATHENA.MIT.EDU (aleph1@securityfocus.com)
Fri Oct 19 14:31:14 2001
Date: Fri, 19 Oct 2001 11:48:43 -0600
From: aleph1@securityfocus.com
To: secpapers@securityfocus.com
Cc: pen-test@securityfocus.com, bugtraq@securityfocus.com
Message-ID: <20011019114843.B16608@securityfocus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Wireless Access Points and ARP Poisoning:
Wireless vulnerabilities that expose the wired network
Bob Fleck <rfleck@cigital.com>, Jordan Dimov <jdimov@cigital.com>
Address resolution protocol (ARP) cache poisoning is a MAC layer attack that
can only be carried out when an attacker is connected to the same local
network as the target machines, limiting its effectiveness only to networks
connected with switches, hubs, and bridges; not routers. Most 802.11b access
points acts as transparent MAC layer bridges, which allow ARP packets to
pass back and forth between the wired and wireless networks. This
implementation choice for access points allows ARP cache poisoning attacks
to be executed against systems that are located behind the access point. In
unsafe deployments, wireless attackers can compromise traffic between
machines on the wired network behind the wireless network, and also
compromise traffic between other wireless machine including roaming clients
in other cells. Of particular note is the vulnerability of home combination
devices that offer a wireless access point, a switch, and a DSL/cable modem
router in one package. These popular consumer devices allow a wireless
attacker to compromise traffic between computes connected to the built-in
switch.
http://www.cigitallabs.com/resources/papers/download/arppoison.pdf
--
Elias Levy
SecurityFocus
http://www.securityfocus.com/
Si vis pacem, para bellum
