Re: WEP attacks based on IV Collisions

[Joshua Wright <jwright () hasborg com>]

Jason,

Jason Ostrom wrote:
> First, correct me if I am wrong, but it seems like a non-trivial task
>  to actually determine the WEP key if you have zero knowledge about
> the target network, i.e. IP addressing, AND can't readily inject
> 802.11b frames into the target network just because you have a usable
>  keystream?  Has anyone found differently?

It is non-trivial in that there are not any public tools to do this in
an automated fashion. ;)

> This paper [1] provides pretty good examples of the attacks.  In the
> "Passive Attack to Decrypt Traffic", if you have a known keystream
> with one known plaintext, then it looks like you could determine the
> plaintext WEP key after you XOR the ciphertext and run the results
> back through RC4 - 

This is correct, and one of the <i>other</i> fundamental flaws in the 
implementation of WEP.  I don't need the pre-shared key (or the dynamic 
key for that matter) to transmit traffic onto the network, I only need 
PRGA.  I can calculate PRGA by XOR'ing Cipher text with Plain text. 
This is trivial in the WEP authentication process (see WEPWedgie/Anton 
Rager for code that implements this attack), but can also be reproduced 
by guessing the contents of plain-text based on predictable packet 
sizes.  The Nachi 92-byte ICMP Echo request packets are a good example 
of this.  If I see packets that match the size of Nachi packets, I can 
XOR the encrypted packet contents with the known-plaintext Nachi 
contents, and try to use the resulting PRGA to inject traffic.

> I don't understand why the paper says "Once it is
> possible to recover the entire plaintext for one of the messages, the
> plaintext for all other messages with the same IV follows directly,
> since all the pairwise XORs are known."  But that's just my confusion
> - if you have the keystream (IV + Secret key run through RC4) and you
> have the original plaintext, then why can't you determine the secret
> key as well?

You can't determine the secret key as a feature of RC4.  You can't get 
the secret key, but you can get the PRGA, which is just as effective for 
decrypting traffic that uses the same IV, or for injecting packets.

> Last, what types of traffic or methods are used to determine a 
> plaintext?  I've seen one method mentioned:  inject an ARP packet to
> the AP encrypted with the known keystream.  But this seems to be
> based on having information such as IP addressing on the target
> network, which isn't known in this case.

One IP address always exists on every IP network - 255.255.255.255. 
I've been successful at accelerating weak IV collection by injecting 
ICMP Echo requests to the broadcast address on some networks, I'm sure 
there are plenty of other opportunities without know the network number.

Fun stuff.

-Josh
--
-Joshua Wright
jwright () hasborg com
http://home.jwu.edu/jwright/

pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------