Vivek RamachandranMD Sohail Ahmad.ppt

WEP Attacks – exposure area Observation #1 Can we somehow have an isolated Client generate WEP encrypted data packets using the authorized network’s key? Observation #2 Caffé Latte – Attack timelines Every spoofed Association gives us encrypted data packets (either DHCP or ARP) Send a De-auth, process repeats, keep collecting the trace Timelines for cracking the WEP key for various network configurations assuming 500k packets is as follows: Can we speed it up? Problem Formulation A solution is complete Only if: Solve for all network configurations Key cracking should be done by the time a user finishes sipping a cup of coffee Caffé latte – Shared + DHCP Caffé latte – Shared + DHCP (2) We now have: 128 bytes of keystream Client IP is somewhere between – 55 Can we find the Client IP? Caffé latte – Shared + DHCP (3) Brute force the Client IP – 55is ~65,000 space ARP Request on wireless is 40 bytes (LLC + ARP +ICV) We have a 128 byte key stream from the previous step Caffé latte – Shared + DHCP (4) Once the Client IP is known Send a flood of ARP Requests Client will reply back with ARP Responses Start trace collection and run the PTW attack ? Caffé latte – Shared + DHCP (5) Once we have around 80,000 ARP Response packets: ? ? ? Caffé Latte for Shared Auth + DHCP - Analysis Client IP Discovery phase: 3-4 minutes(send 2 packets for each IP) ARP Request/Response Flood: 4-5 minutes(to get around 80,000 packets) Key cracking with Aircrack-ng: ~1 minute Can this technique be used for the other configurations as well? Caffé latte – Open + Static IP Using flaws in WEP – Message Modification and Message Replay First mention in “Intercepting Mobile Communication: The Insecurity of 802.11” – Nikita, Ian and David, UC Berkley It’s possible to flip bits in a WEP encrypted packet and adjust the ICV to make the packet valid This packet can now be replayed back into the air and will be accepted by WEP devices Using this technique we can convert a Gratuitou