Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] comcast wifi question



> From: discuss-bounces+blu=nedharvey.com at blu.org [mailto:discuss-
> bounces+blu=nedharvey.com at blu.org] On Behalf Of Edward Ned Harvey
> (blu)
> 
> Additionally, if you get on the network and want to attack another client on
> the same wifi connection, there's an awful lot of broadcast traffic exposure
> which is not protected by the session keys, and you can target packets to
> their specific IP address, which will also not be protected by their session keys.  The
> only thing that's protected by their session keys is their non-broadcast
> traffic to *other* endpoints.
> 
> Based on what you wrote above, even that seems pretty easy to break.

It turns out, Wireshark has 802.11 decryption built-in.  You go to Edit/Preferences, Protocols, IEEE 802.11, and enter the SSID and password.  You have to make sure that you start sniffing before another client associates to the SSID, so it can capture the session keys (all 4 packets are required).  As long as you don't miss them, Wireshark sniffs the wifi just like a wired hub or anything else.

So that's a conclusive result.  As long as you have the password of a WPA2 connection, then yes, you can sniff all the traffic on that network.

If you don't have the password to some network, the key is derived using PBKDF2 with 4096 iterations.  This means a single CPU core can make around 36 guesses per second.  You should be able to go several hundred or several thousand times faster with a GPU or FPGA.
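As an added example, not part of the original thread: the derivation the post refers to is the WPA2-Personal PMK computation from IEEE 802.11i (PBKDF2-HMAC-SHA1, 4096 iterations, 256-bit output, SSID as salt), which Python's standard library implements directly. The block below derives the PMK, checks it against the spec's published test vector (passphrase "password", SSID "IEEE"), measures how many derivations one core of the local host completes per second, and turns a guess rate into the worst-case time to exhaust a passphrase space, which is the number a defender needs when choosing passphrase length. The 36 guesses/second figure used as a fallback comes from the post; the alphabet sizes are illustrative assumptions.

```python
import hashlib
import math
import time

# WPA2-Personal parameters fixed by IEEE 802.11i: PBKDF2-HMAC-SHA1,
# 4096 iterations, 32-byte (256-bit) output, SSID used as the salt.
WPA2_ITERATIONS = 4096
WPA2_PMK_BYTES = 32

# Guess rate quoted in the post for a single CPU core (used when no measurement is run).
POST_CPU_GUESSES_PER_SECOND = 36.0


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2 Pairwise Master Key from a passphrase and SSID."""
    return hashlib.pbkdf2_hmac(
        "sha1",
        passphrase.encode("utf-8"),
        ssid.encode("utf-8"),
        WPA2_ITERATIONS,
        WPA2_PMK_BYTES,
    )


def measure_guess_rate(ssid: str, seconds: float = 0.5) -> float:
    """Count PBKDF2 derivations per second on one core of this host (wall clock)."""
    n = 0
    start = time.perf_counter()
    deadline = start + seconds
    while time.perf_counter() < deadline:
        derive_pmk(f"candidate-{n}", ssid)  # constructed, throwaway passphrases
        n += 1
    return n / (time.perf_counter() - start)


def exhaustive_search_seconds(alphabet_size: int, length: int,
                              guesses_per_second: float) -> float:
    """Worst-case seconds to try every passphrase of a given alphabet and length."""
    return (alphabet_size ** length) / guesses_per_second


def passphrase_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random passphrase over the alphabet."""
    return length * math.log2(alphabet_size)


def human_duration(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


if __name__ == "__main__":
    # Known-answer test vector from IEEE 802.11i Annex H.
    assert derive_pmk("password", "IEEE").hex() == (
        "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"
    )

    rate = measure_guess_rate("ExampleSSID")  # constructed SSID
    print(f"this host, one core: ~{rate:,.0f} PBKDF2 derivations/second")
    print(f"post's figure:        {POST_CPU_GUESSES_PER_SECOND:.0f} guesses/second")

    # Illustrative passphrase policies (alphabet sizes are assumptions).
    for label, alphabet, length in (("8 digits", 10, 8),
                                    ("8 lowercase", 26, 8),
                                    ("12 mixed-case + digits", 62, 12),
                                    ("20 lowercase", 26, 20)):
        for src, r in (("post CPU", POST_CPU_GUESSES_PER_SECOND),
                       ("post CPU x1000 (GPU/FPGA)", POST_CPU_GUESSES_PER_SECOND * 1000)):
            t = exhaustive_search_seconds(alphabet, length, r)
            print(f"{label:24s} {passphrase_bits(alphabet, length):5.1f} bits  "
                  f"{src:26s} worst case {human_duration(t)}")
```

Running the script prints the host's measured derivation rate alongside the post's 36/s figure and a small table of how long an exhaustive search would take at each rate; the point for a defender is that the 4096-iteration cost only buys time in proportion to passphrase entropy, so an 8-digit WPA2 passphrase falls in hours at GPU rates while a 20-character random one is out of reach.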



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.
