Re: Cracking WEP and WPA keys

From: Matthias.Vallentin (vallentin@net.in.tum.de)
Date: Fri Dec 16 2005 - 12:54:42 EST

• Next message: suntzu123@gmail.com: "SQL Injection - SQL query comments"
• Previous message: DMORROW5@satx.rr.com: "Re: network printers"
• In reply to: Demetrio Carrión: "Re: Cracking WEP and WPA keys"
• Next in thread: Robert Baldi: "Re: Cracking WEP and WPA keys"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

On Fri, 2005-12-16 at 09:50 -0200, Demetrio Carrión wrote:
> The key is not sent to the AP in the clear. The WEP authentication is
> a challenge-response protocol.

Actually, two authentication mechanisms are provided by WEP. You
described the shared-key authentication wich almost extinct today. Open
System authentication on the other hand is widely used, but the term
'authentication' is very far streched since the AP grants everyone
access who asks.

To reveal the keystream, one can xor ciphertext with the plaintext (both
have been observed) and reinject packets with that new keystream. you
already said that though ;). WEPWedgie [1] implements this attack quite
well, but since most APs out there don't use shared authentication,
other means must be found to obtain a valid keystream.

An approach for open-system authentication networks is the so called
'Fragmentation Attack' which is based on layer 2 fragmentation of WEP
frames. Since the first 8 encrypted bytes are predictable (LLC/SNAP),
already 8 bytes of the keystream are known. The ICV needs 4 bytes, so 4
bytes can be send in a fragment. the fragment field is 2^16 bytes which
leads to 4 * 2^16 = 64 bytes data! assume you have 28 bytes header
infomation (LLC/SNAP + IP) you have 36 bytes to go... A. Bittau also
provides a proof-of-concept tool called wesside [3] implemnting this
attack.

Regards,

Matthias Vallentin

[1] http://sourceforge.net/projects/wepwedgie/
[2] http://www.toorcon.org/2005/slides/abittau/slides.pdf
[3]
http://www.toorcon.org/2005/slides/abittau/abittau-fragattackinpractice.tgz

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

• Next message: suntzu123@gmail.com: "SQL Injection - SQL query comments"
• Previous message: DMORROW5@satx.rr.com: "Re: network printers"
• In reply to: Demetrio Carrión: "Re: Cracking WEP and WPA keys"
• Next in thread: Robert Baldi: "Re: Cracking WEP and WPA keys"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:16 EDT