Penetration Testing mailing list archives
RE: WEP attacks based on IV Collisions
From: "Jeremy Junginger" <jj () act com>
Date: Wed, 2 Jun 2004 08:09:17 -0700
Good Morning! I hope this thread isn't dead yet...I could use a little help digesting this whole inductive WEP attack thing...allow me to regurgitate the WEP encryption process just to make sure I'm understanding that part correctly: 1) The original packet consists of [802.11 header] + [host (L3) data] 2) CRC-32 is computed for [host (L3) data] and is appended as the [ICV (4 bytes)] 3) The [host data] + [ICV] are fed into the RC4 stream cipher, using the [(IV 3 bytes) + (Secret 5/13 bytes)] as the key. 4) The original [802.11 header] + [IV] + [Ciphertext] output from step 3 constitutes the new WEP encrypted packet. Assuming that is basically correct, the mechanics of how one recovers the key stream from intercepted WEP traffic are giving me some trouble. The root of the problem for me is recognizing encrypted packets as known packet types (ARP, DHCP DISCOVER/REQUEST, etc). The article makes it seem trivial to recover the an initial pseudorandom string: "Generally, the attacker can accomplish this (stream recovery) using network protocol structure and external information such as media access control address and message size to guess the plaintext." (Sounds like ARP to me, and that makes sense. We all know what an ARP broadcast should look like) and "Perhaps the simplest example is network traffic for dynamic host configuration protocol session...particularly DISCOVER and REQUEST, are easy to identify even when encrypted and have highly predictable fields including all of the IP header and most of the UDP header." (No brainer here, DHCP is predictable) The theory makes sense. We all know what a DHCP DISCOVER and REQUEST look like (LLC, IP Header, UDP Header), and that the known fields can be used as known plaintext to mount an attack on the RC4 stream cipher, but is that what we're doing to get the key stream? If that is the case, it appears that we can get our n bytes of key stream just by having a single packet, right? Just convert both the plaintext and ciphertext to binary, and figure out what you need to XOR the plaintext with to get the ciphertext, one bit at a time to recover the key sequence of n bytes, right? But before I can even think about the key, I need to figure out how to identify these encrypted DHCP? Anyone know? Okay, let's say I figure out how to identify these packets, and that I've recovered hmmm...let's say 11 bytes of the key stream (from 8 bytes from LLC and SNAP plus 3 bytes from IP header). From here, I should be able to inject a 7 byte (n-4) message into the network, using the part of the key stream I know, right? Okay, if that's right, let's move on to the next section, extending the key stream. Here goes...(expecting a lot of red ink in the replies) 1) Generate an 8 byte (n-3) message that generates a predictable response (8 byte ICMP packet? What shall we use here?) 2) Compute the ICV for the new message (just CRC32 the message), and append the first 3 bytes (Now we have an 11 byte message) 3) Combine the 11 byte message from step 2 with the known key stream 4) Transmit a 12 byte message, using the 11 bytes from step 2 and a guess at the final byte. Repeat until response is received. 5) XOR the 12th byte with the last byte of the correct ICV computed in step 2. That's the next key stream byte. As you can see, I'm a little confused about some of this stuff. If you guys can shed any light on it, that would be very helpful. If you are feeling really generous, perhaps we can work through an example of a WEP encrypted DHCP DISCOVER or REQUEST packet as an example, in order to recover some key stream bits. Anyone care to whip up an encrypted DHCP packet for the list so we can work through an example? Thanks for your time and patience, and I look forward to your response(s). -Jeremy -----Original Message----- From: Ivan Arce [mailto:ivan.arce () coresecurity com] Sent: Monday, May 10, 2004 10:49 PM To: pen-test () securityfocus com Subject: Re: WEP attacks based on IV Collisions Nick Petroni and Bill Arbaugh have outlined an active attack that would give you full access to a WEP encrypted wireless LAN without knowledge of the secret key. It relies on the lack of integrity checks for the wireless packets which lets an attacker inject arbitrary packets into the LAN without being detected. The attack does not require you to crack any WEP key and uses the fact that WEP wrongly uses CRC for integrity checks, this lets an attacker mount an inductive attack to gradually recover additional bits of a pseudorandom stream provided that N bytes are initially recovered with a known plaintext attack. They cite ARP and DHCP requests as effective for this inital recovery. BTW, you dont really need to *inject* packets for the inital recovery. Full description of the attack appeared on: "The Dangers of Mitigating Security Design Flaws: A Wireless Case Study" Nick L. Petroni Jr. and William Arbaugh IEEE Security & Privacy magazine vol1. num 1., January/February 2003 A powerpoint presentation is available at: http://www.cs.umd.edu/~waa/wepwep2-attack.html I am unaware of publicly available tools that implement the attack. This might be old news but I am quite surprised that it is not mentioned as popular and widely used as passive attacks focused on cracking keys. -ivan Joshua Wright wrote:
One IP address always exists on every IP network - 255.255.255.255. I've been successful at accelerating weak IV collection by injecting ICMP Echo requests to the broadcast address on some networks, I'm sure there are plenty of other opportunities without know the network number. Fun stuff. -Josh
-- --- To strive, to seek, to find, and not to yield. - Alfred, Lord Tennyson Ulysses,1842 Ivan Arce CTO CORE SECURITY TECHNOLOGIES 46 Farnsworth Street Boston, MA 02210 Ph: 617-399-6980 Fax: 617-399-6987 ivan.arce () coresecurity com www.coresecurity.com PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A ----------------------------------------------------------------------------- - Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off any course! All of our class sizes are guaranteed to be 10 students or less to facilitate one-on-one interaction with one of our expert instructors. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization. Visit us at: http://www.infosecinstitute.com/courses/ethical_hacking_training.html ----------------------------------------------------------------------------- --
Current thread:
- RE: WEP attacks based on IV Collisions Jeremy Junginger (Jun 02)
- Re: WEP attacks based on IV Collisions leonardo (Jun 02)
- <Possible follow-ups>
- RE: WEP attacks based on IV Collisions pen-test (Jun 04)
- RE: WEP attacks based on IV Collisions pen-test (Jun 04)
- Re: WEP attacks based on IV Collisions leonardo (Jun 07)
- Re: WEP attacks based on IV Collisions Andrew A. Vladimirov (Jun 11)
- Re: WEP attacks based on IV Collisions leonardo (Jun 07)