Description: Welcome to Part 17 of the WLAN Security Megaprimer! Please start this series by watching Part 1 http://www.securitytube.net/video/1756, if you have not done so already.
In this video, we will look at a demo of the infamous Caffe Latte attack. The basic idea is to use WEP's message modification vulnerability to our advantage. We will allow the client to associate with our fake access point. Once the client is connected, it will send out DHCP requests, which will eventually time out. Then the client will send out Gratuitous ARP packets for its auto-configuration IP address.
The Caffe Latte attack captures these Gratuitous ARP packets and modifies them using the Message Modification flaw to convert them into ARP request packets for the same host! Then we resend them back into the wireless network. The client receives them, believes that someone is requesting its MAC address via ARP, and hence replies. The attacker's fake access point generates a few thousand of these spurious ARP requests per minute and receives responses from the client. It is important to note that the attacker is able to do this without any knowledge of the WEP key. Once the attacker collects enough packets, he runs them through Aircrack-NG to get his prize :)
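The telltale sign of the attack from the client's side is the storm described above: hundreds to thousands of ARP requests per minute for one host, aimed at an auto-configured (169.254.0.0/16) address. The following is an added example, not code from the video or from SecurityTube, showing how a monitor could flag that pattern. The event format, the MAC addresses, the 50-requests-per-minute threshold and the sample capture are all assumptions constructed for the example.

```python
"""Flag the spurious ARP-request storm a WEP client sees under Caffe Latte.

Added example. The event layout, thresholds and sample data are assumptions,
not output of any real tool.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address

ARP_REQUEST = 1   # ARP opcode values as defined in RFC 826
ARP_REPLY = 2


@dataclass(frozen=True)
class ArpEvent:
    ts: float          # seconds since the start of the capture
    sender_mac: str
    sender_ip: str
    target_ip: str
    opcode: int


def is_gratuitous(ev: ArpEvent) -> bool:
    # A gratuitous ARP announces the sender's own address: sender IP == target IP.
    return ev.opcode == ARP_REQUEST and ev.sender_ip == ev.target_ip


def is_link_local(ip: str) -> bool:
    # 169.254.0.0/16 is the range a client auto-configures when DHCP times out.
    return ip_address(ip).is_link_local


def detect_arp_floods(events, window_s: float = 60.0, threshold: int = 50):
    """Flag any (sender MAC, target IP) pair issuing >= threshold ARP requests
    within a sliding window of window_s seconds.

    Ordinary address resolution retries a handful of times; a sustained stream of
    requests for one host is the signature described in the text. One alert is
    emitted per offending pair, carrying the count at the moment it tripped.
    """
    recent = defaultdict(deque)   # (sender_mac, target_ip) -> timestamps in window
    alerted = set()
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.opcode != ARP_REQUEST or is_gratuitous(ev):
            continue   # replies and self-announcements are not part of the storm
        key = (ev.sender_mac, ev.target_ip)
        q = recent[key]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window_s:
            q.popleft()   # drop requests that fell out of the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "sender_mac": ev.sender_mac,
                "target_ip": ev.target_ip,
                "requests_in_window": len(q),
                "first_ts": q[0],
                # a link-local victim address raises confidence: it matches the
                # DHCP-timeout state the text describes
                "link_local_target": is_link_local(ev.target_ip),
            })
    return alerts


def build_sample_events():
    """Constructed capture: a client announces a link-local address, normal ARP
    traffic goes on elsewhere, then one station hammers the client with requests."""
    client = "aa:bb:cc:00:11:22"        # constructed MAC
    station = "de:ad:be:ef:00:01"       # constructed MAC, the suspect sender
    events = [
        # client self-announces its auto-configured address (gratuitous ARP)
        ArpEvent(0.0, client, "169.254.10.20", "169.254.10.20", ARP_REQUEST),
        # benign resolution on a routed segment: two retries and a reply
        ArpEvent(1.0, "00:11:22:33:44:55", "192.168.1.5", "192.168.1.1", ARP_REQUEST),
        ArpEvent(2.0, "00:11:22:33:44:55", "192.168.1.5", "192.168.1.1", ARP_REQUEST),
        ArpEvent(2.1, "00:11:22:33:44:66", "192.168.1.1", "192.168.1.5", ARP_REPLY),
    ]
    # 600 requests for the client's address in 30 seconds (20 per second)
    for i in range(600):
        events.append(ArpEvent(5.0 + i * 0.05, station, "169.254.77.1",
                               "169.254.10.20", ARP_REQUEST))
    return events


if __name__ == "__main__":
    for alert in detect_arp_floods(build_sample_events()):
        print(alert)
```

The threshold is deliberately generous: a healthy stack sends a few requests per target and then caches the answer, so 50 requests for one address inside a minute is far outside normal behaviour while still well under the rate the text quotes. Keying on the sender/target pair rather than on the target alone keeps a busy gateway resolving many hosts from tripping the rule.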
Here is a nifty lil video on Caffe Latte created by my friend Zero_Chaos a while back: http://www.securitytube.net/video/122