On 2006/06/05 18:47, Darrin Chandler wrote:
> On Tue, Jun 06, 2006 at 01:31:38AM +0100, Stuart Henderson wrote:
> > If it's some hotspot-like setup, you don't need to circumvent
> > anything since you already have access to the network.
>
> You'd be sniffing encrypted traffic at that point, right?
Not if you poison ARP, since the traffic will be directed to your MAC address and the AP will send it encrypted with your key. It's just an ethernet-type network, remember. (You can do the same thing with bridged VPNs, too). It's not as straightforward as just running `tcpdump' but it's not hugely difficult, and uses well-known tools. If you've been keeping an eye on what Reyk's been doing you might have noticed his description of scalable networks (http://www.openbsd.org/papers/bsdcan06-wlan/slide_12.html) with each client in its own /30 - this is not only useful for dynamic routing, it also ensures no free IP address for the ARP tricks involved.
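As an added illustration (not part of the thread, and not code from OpenBSD or Reyk's setup) of what a defender watches for on a shared hotspot segment and why the per-client /30 removes the room for the ARP tricks: an arpwatch-style monitor run over a constructed list of ARP replies, plus a check of how many unused host addresses a client's subnet leaves. The addresses, MACs and timestamps are all made up for the example.

```python
import ipaddress

# Constructed sample ARP replies on a shared hotspot segment, as
# (seconds, sender IP, sender MAC). 10.0.0.1 is the gateway; from t=30
# a second station starts answering for it (the poisoning pattern).
SAMPLE_ARP_REPLIES = [
    (0, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    (5, "10.0.0.7", "bb:bb:bb:bb:bb:07"),
    (30, "10.0.0.1", "bb:bb:bb:bb:bb:07"),
    (31, "10.0.0.1", "aa:aa:aa:aa:aa:01"),
    (32, "10.0.0.1", "bb:bb:bb:bb:bb:07"),
]


def find_arp_flipflops(replies):
    """arpwatch-style check: report every ARP reply that rebinds an IP
    the monitor has already seen to a different MAC."""
    binding = {}  # ip -> last MAC that claimed it
    alerts = []
    for t, ip, mac in replies:
        prev = binding.get(ip)
        if prev is not None and prev != mac:
            alerts.append((t, ip, prev, mac))
        binding[ip] = mac
    return alerts


def macs_claiming_several_ips(replies):
    """Return {mac: sorted IPs} for MACs that answered for more than one
    IP; a station answering for itself and for the gateway is the
    classic man-in-the-middle signature."""
    claims = {}
    for _, ip, mac in replies:
        claims.setdefault(mac, set()).add(ip)
    return {m: sorted(ips) for m, ips in claims.items() if len(ips) > 1}


def free_host_addresses(subnet, in_use):
    """Host addresses of `subnet` nobody is using. With one /30 per client
    (network, gateway, client, broadcast) this is empty, so no spare
    address exists on the client's segment for a third station to claim."""
    net = ipaddress.ip_network(subnet)
    return [str(h) for h in net.hosts() if str(h) not in set(in_use)]


if __name__ == "__main__":
    for alert in find_arp_flipflops(SAMPLE_ARP_REPLIES):
        print("flip-flop at t=%d: %s moved %s -> %s" % alert)
    print(macs_claiming_several_ips(SAMPLE_ARP_REPLIES))
    print(len(free_host_addresses("10.0.0.0/24", ["10.0.0.1", "10.0.0.7"])))
    print(free_host_addresses("10.0.0.4/30", ["10.0.0.5", "10.0.0.6"]))
```

On the shared /24 the same two stations leave 252 spare addresses; on the per-client /30 they leave none.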

