The WLAN Security Megaprimer from

WLAN Security Megaprimer Part 17: Caffe Latte Attack Demo

In this video, we will look at a demo of the infamous Caffe Latte attack. The basic idea is to utilize WEP's message modification vulnerability to our advantage. We will allow the client to associate with our fake access point. Once the client is connected, it will send out DHCP requests which will eventually timeout. Then the client will send our Gratuitous ARP packets for the auto-configuration IP address.

The Caffe Latte attack captures these Gratuitous ARP packets and modifies them using the Message Modification flaw to convert them into ARP request packets for the same host! Then we resend it back into the wireless network. The Client receives them and feels that someone is requesting for its MAC address using ARP and hence replies back. The attacker's fake access point generates a few thousand of these spurious ARP requests per minute and receives responses from the Client. It is important to note that the attacker is able to do this without any knowledge of the WEP key. Once the attacker collects enough packets, he runs it though Aircrack-NG to get his prize :)

Here is a nifty lil video on Caffe Latte created by my friend Zero_Chaos a while back:

Video Player should be visible here. If not, install / upgrade flash

Have any Questions? or would like to add a point?

Visit the video page on SecurityTube to post your questions and comments :