Penetration Testing mailing list archives
Re: WEP attacks based on IV Collisions
From: Joshua Wright <jwright () hasborg com>
Date: Fri, 30 Apr 2004 13:31:00 -0400
Jason, Jason Ostrom wrote:
First, correct me if I am wrong, but it seems like a non-trivial task to actually determine the WEP key if you have zero knowledge about the target network, i.e. IP addressing, AND can't readily inject 802.11b frames into the target network just because you have a usable keystream? Has anyone found differently?
It is non-trivial in that there are not any public tools to do this in an automated fashion. ;)
This paper [1] provides pretty good examples of the attacks. In the "Passive Attack to Decrypt Traffic", if you have a known keystream with one known plaintext, then it looks like you could determine the plaintext WEP key after you XOR the ciphertext and run the resultsback through RC4 -
This is correct, and one of the <i>other</i> fundamental flaws in the implementation of WEP. I don't need the pre-shared key (or the dynamic key for that matter) to transmit traffic onto the network, I only need PRGA. I can calculate PRGA by XOR'ing Cipher text with Plain text. This is trivial in the WEP authentication process (see WEPWedgie/Anton Rager for code that implements this attack), but can also be reproduced by guessing the contents of plain-text based on predictable packet sizes. The Nachi 92-byte ICMP Echo request packets are a good example of this. If I see packets that match the size of Nachi packets, I can XOR the encrypted packet contents with the known-plaintext Nachi contents, and try to use the resulting PRGA to inject traffic.
I don't understand why the paper says "Once it is possible to recover the entire plaintext for one of the messages, the plaintext for all other messages with the same IV follows directly, since all the pairwise XORs are known." But that's just my confusion - if you have the keystream (IV + Secret key run through RC4) and you have the original plaintext, then why can't you determine the secret key as well?
You can't determine the secret key as a feature of RC4. You can't get the secret key, but you can get the PRGA, which is just as effective for decrypting traffic that uses the same IV, or for injecting packets.
Last, what types of traffic or methods are used to determine a plaintext? I've seen one method mentioned: inject an ARP packet tothe AP encrypted with the known keystream. But this seems to be based on having information such as IP addressing on the target network, which isn't known in this case.
One IP address always exists on every IP network - 255.255.255.255. I've been successful at accelerating weak IV collection by injecting ICMP Echo requests to the broadcast address on some networks, I'm sure there are plenty of other opportunities without know the network number.
Fun stuff. -Josh -- -Joshua Wright jwright () hasborg com http://home.jwu.edu/jwright/ pgpkey: http://home.jwu.edu/jwright/pgpkey.htm fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73 ------------------------------------------------------------------------------ Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html -------------------------------------------------------------------------------
Current thread:
- WEP attacks based on IV Collisions Jason Ostrom (Apr 30)
- Re: WEP attacks based on IV Collisions Joshua Wright (Apr 30)
- <Possible follow-ups>
- WEP attacks based on IV Collisions Jason Ostrom (Apr 30)