As mentioned in the title, I have questions regarding ARP poisoning on WPA Personal and WPA Enterprise.
I'm going to walk through an example (please let me know if I'm wrong):
I need to send the ARP reply to the Victim (C), updating the record of the gateway (A) with the MAC of my machine (B).
Then I need to send the ARP reply to the Router (host A), updating the record of the victim (C) with the MAC of my machine (B).
After that I would simply enable IP forwarding on my machine.
So, we should have:
C->B->A
A->B->C
Because, if that is correct, I believe that in WPA Personal, in order to decrypt the traffic that you have received from the client (victim), you would need to generate the PTK used by the victim (which in this case I believe is possible, because you could generate the PMK from the PSK, then sniff the ANonce, SNonce, AP_MAC and CLIENT_MAC and generate the PTK).
Again, if what I've said is correct, how would it be possible to decrypt the traffic of WPA Enterprise, which has multiple passwords and therefore makes it impossible to generate the PMK?
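The two forged ARP replies described in the question (one telling C that A's IP now lives at B's MAC, one telling A that C's IP lives at B's MAC) are exactly what a network-side monitor can catch: an ARP reply whose sender MAC contradicts a binding the network already knows. The detector below is an added example written for this thread, not code from the original post. It assumes the monitor is seeded with an authoritative IP-to-MAC table (for instance from DHCP leases or an inventory) and feeds it a few constructed Ethernet/ARP frames: one legitimate reply from the gateway, then the two poisoned replies, then a non-ARP frame it should ignore. The addresses and frames are constructed sample data, not from the original page.

```python
"""ARP cache-poisoning detector over raw Ethernet/ARP frames (added example, not from the post)."""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

ETHERTYPE_ARP = 0x0806
ARP_OP_REPLY = 2


@dataclass
class ArpPacket:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def _ip(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame: bytes) -> Optional[ArpPacket]:
    """Decode an Ethernet II frame carrying ARP over IPv4; return None for anything else."""
    if len(frame) < 42:  # 14-byte Ethernet header + 28-byte ARP body
        return None
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return ArpPacket(op, _mac(body[0:6]), _ip(body[6:10]), _mac(body[10:16]), _ip(body[16:20]))


class ArpMonitor:
    """Flags ARP replies whose sender MAC contradicts a known IP -> MAC binding."""

    def __init__(self, trusted: Dict[str, str]):
        # Assumption: 'trusted' comes from an authoritative source (DHCP leases, inventory).
        # Bindings learned passively for other hosts are appended to the same table.
        self.bindings: Dict[str, str] = dict(trusted)
        self.alerts: List[str] = []

    def observe(self, frame: bytes) -> Optional[str]:
        pkt = parse_arp_frame(frame)
        if pkt is None or pkt.op != ARP_OP_REPLY:
            return None
        known = self.bindings.get(pkt.sender_ip)
        if known is None:
            # First sighting of this IP: learn it (arpwatch-style); a trusted table
            # for critical hosts is what prevents a forged first sighting from winning.
            self.bindings[pkt.sender_ip] = pkt.sender_mac
            return None
        if known != pkt.sender_mac:
            alert = (f"ARP reply claims {pkt.sender_ip} is at {pkt.sender_mac} "
                     f"(expected {known}), addressed to {pkt.target_ip}")
            self.alerts.append(alert)
            return alert
        return None


# Constructed sample hosts: gateway A, attacker B, victim C (not from the original page).
GATEWAY_IP, GATEWAY_MAC = "192.168.1.1", "aa:aa:aa:aa:aa:01"
VICTIM_IP, VICTIM_MAC = "192.168.1.20", "cc:cc:cc:cc:cc:20"

# Constructed frames as hex: dst MAC | src MAC | ethertype | ARP header | sha spa tha tpa
SAMPLE_FRAMES = [
    # 1. legitimate reply: A tells C that 192.168.1.1 is at A's MAC
    "cccccccccc20" "aaaaaaaaaa01" "0806" "0001" "0800" "06" "04" "0002"
    "aaaaaaaaaa01" "c0a80101" "cccccccccc20" "c0a80114",
    # 2. poisoned reply to C: 192.168.1.1 is (falsely) at B's MAC
    "cccccccccc20" "bbbbbbbbbb02" "0806" "0001" "0800" "06" "04" "0002"
    "bbbbbbbbbb02" "c0a80101" "cccccccccc20" "c0a80114",
    # 3. poisoned reply to A: 192.168.1.20 is (falsely) at B's MAC
    "aaaaaaaaaa01" "bbbbbbbbbb02" "0806" "0001" "0800" "06" "04" "0002"
    "bbbbbbbbbb02" "c0a80114" "aaaaaaaaaa01" "c0a80101",
    # 4. an IPv4 frame (ethertype 0x0800) padded to 42 bytes; must be ignored
    "cccccccccc20" "aaaaaaaaaa01" "0800" + "00" * 28,
]


def run_demo() -> List[str]:
    """Feed the constructed frames through a monitor seeded with the trusted table."""
    monitor = ArpMonitor({GATEWAY_IP: GATEWAY_MAC, VICTIM_IP: VICTIM_MAC})
    for hex_frame in SAMPLE_FRAMES:
        monitor.observe(bytes.fromhex(hex_frame))
    return monitor.alerts


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

Only frames 2 and 3 raise alerts: the first is the gateway's own reply and matches the trusted table, and the fourth is not ARP at all. Seeding the gateway and other critical hosts from an authoritative source matters because a purely learn-on-first-sight monitor would accept whichever reply it saw first.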