Presentation is loading. Please wait.

Presentation is loading. Please wait.

Vivek Ramachandran MD Sohail Ahmad www.airtightnetworks.net Caffé Latte with a Free Topping of Cracked WEP Retrieving WEP Keys From Road-Warriors.

Published byGracie Hum Modified over 9 years ago

Similar presentations

Presentation on theme: "Vivek Ramachandran MD Sohail Ahmad www.airtightnetworks.net Caffé Latte with a Free Topping of Cracked WEP Retrieving WEP Keys From Road-Warriors."— Presentation transcript:

1 Vivek Ramachandran MD Sohail Ahmad www.airtightnetworks.net Caffé Latte with a Free Topping of Cracked WEP Retrieving WEP Keys From Road-Warriors

2 © AirTight 2007 Cracks in WEP -- Historic Evolution 2001 - The insecurity of 802.11, Mobicom, July 2001 N. Borisov, I. Goldberg and D. Wagner. 2001 - Weaknesses in the key scheduling algorithm of RC4. S. Fluhrer, I. Mantin, A. Shamir. Aug 2001. 2002 - Using the Fluhrer, Mantin, and Shamir Attack to Break WEP A. Stubblefield, J. Ioannidis, A. Rubin. 2004 – KoreK, improves on the above technique and reduces the complexity of WEP cracking. We now require only around 500,000 packets to break the WEP key. 2005 – Adreas Klein introduces more correlations between the RC4 key stream and the key. 2007 – PTW extend Andreas technique to further simplify WEP Cracking. Now with just around 60,000 – 90,000 packets it is possible to break the WEP key. IEEE WG admitted that WEP cannot hold any water. Recommended users to upgrade to WPA, WPA2

3 © AirTight 2007 WEP Attacks – exposure area WEP Attacks Distance from Authorized Network (Miles) 1101001000On the Moon FMS, Korek PTW No Mutual Authentication Message Modification Message Injection Using known methods, exposure is limited to RF range of WEP enabled network Can your keys be cracked when roaming clients are miles away from the operational network?

4 © AirTight 2007 Observation #1 uCan we somehow have an isolated Client generate WEP encrypted data packets using the authorized network’s key? Default uWindows caches the WEP key of networks in its PNL uTo crack WEP all we need is encrypted data packets u80K for PTW attack u500K for KoreK attack uIt does not matter if these packets come from the AP or the Client

5 © AirTight 2007 Observation #2 Probe Request “Default” Probe Response Authentication Request Authentication Success Association Request Association Response Data Can you force a WEP client connect to a honey pot without having knowledge of the key?

6 © AirTight 2007 Caffé Latte – Attack timelines uEvery spoofed Association gives us encrypted data packets (either DHCP or ARP) uSend a De-auth, process repeats, keep collecting the trace uTimelines for cracking the WEP key for various network configurations assuming 500k packets is as follows: Network Configuration Approximate Cracking time Shared + DHCP3 days Shared + Static IP 1.5 days Open + DHCP6 days Open + Static IP2 days

7 © AirTight 2007 Can we speed it up? DAYS HOURS MINUTES

8 © AirTight 2007 Problem Formulation A solution is complete Only if: uSolve for all network configurations uKey cracking should be done by the time a user finishes sipping a cup of coffee Network Configuration Approximate Cracking time Shared + DHCP3 days Shared + Static IP 1.5 days Open + DHCP6 days Open + Static IP2 days

9 © AirTight 2007 Caffé latte – Shared + DHCP Challenge Enc. Challenge + 128 bytes Keystream Probe Request “Default” Probe Response Authentication Request Challenge Encrypted Challenge Authentication Success

10 © AirTight 2007 Caffé latte – Shared + DHCP (2) We now have: u128 bytes of keystream uClient IP is somewhere between 169.254.0.0 – 169.254.255.255 uCan we find the Client IP? 169.254.x.y Connection Established Assoc Request Assoc Response DHCP Gratuitous ARP

11 © AirTight 2007 Caffé latte – Shared + DHCP (3) 169.254.246.161 Connection Established Brute force the Client IP u169.254.0.0 – 169.254.255.255 is ~65,000 space uARP Request on wireless is 40 bytes (LLC + ARP +ICV) uWe have a 128 byte key stream from the previous step ARP Request for 169.254.0.1ARP Request for 169.254.0.2ARP Request for 169.254.0.3 ARP Request for 169.254.246.161 ARP Response from 169.254.246.161

12 © AirTight 2007

13 Caffé latte – Shared + DHCP (4) 169.254.246.161 Connection Established Once the Client IP is known uSend a flood of ARP Requests uClient will reply back with ARP Responses uStart trace collection and run the PTW attack ARP Request for 169.254.246.161 ARP Response from 169.254.246.161 ARP Request for 169.254.246.161 ARP Response from 169.254.246.161

14 © AirTight 2007

15 Caffé latte – Shared + DHCP (5) uOnce we have around 80,000 ARP Response packets:

16 © AirTight 2007 Caffé Latte for Shared Auth + DHCP - Analysis uClient IP Discovery phase: 3-4 minutes (send 2 packets for each IP) uARP Request/Response Flood: 4-5 minutes (to get around 80,000 packets) uKey cracking with Aircrack-ng: ~1 minute Can this technique be used for the other configurations as well? Network Configuration Approximate Cracking time Shared + DHCP~ 10 mins Shared + Static IP 1.5 days Open + DHCP6 days Open + Static IP2 days Is there a more general solution to the problem ? Lets look at the Open + Static IP case

17 © AirTight 2007 Caffé latte – Open + Static IP Probe Request “Default” Probe Response Authentication Request Authentication Success Assoc Request Assoc Response Gratuitous ARP from 5.5.5.5 5.5.5.5 Gratuitous ARP from 5.5.5.5 Lets say Client IP is 5.5.5.5 uAfter Association, the Client sends Gratuitous ARP for 5.5.5.5 uCan we use this ARP packet somehow?

18 © AirTight 2007 Using flaws in WEP – Message Modification and Message Replay uFirst mention in “Intercepting Mobile Communication: The Insecurity of 802.11” – Nikita, Ian and David, UC Berkley uIt’s possible to flip bits in a WEP encrypted packet and adjust the ICV to make the packet valid uThis packet can now be replayed back into the air and will be accepted by WEP devices uUsing this technique we can convert a Gratuitous ARP request into an ARP request destined for the Client coming from a different IP address

19 © AirTight 2007 Applying Bit Flipping to an Encrypted ARP packet MAC Header WEP Params LLC Header ARP Header WEP ICV Hardware Type Protocol Type Hardware Size Protocol Size OpcodeSender MAC Sender IP Target MAC Target IP AA 05 00 FF00 FF 00 +++ AA 5505 FA05 5.5.5.250

20 © AirTight 2007 Caffé latte – Open + Static IP (2) 5.5.5.5 Connection Established We send this bit flipped ARP packet to the Client uWe don’t really care what the bit flipped IP was uCollect the ARP responses and fire up Aircrack-ng ARP Request for 5.5.5.5 from 5.5.5.250 ARP Response from 5.5.5.5 to 5.5.5.250 ARP Request for 5.5.5.5 from 5.5.5.250 ARP Response from 5.5.5.5 to 5.5.5.250

21 © AirTight 2007

22 Caffé latte – Open + Static IP (3) uOnce we have around 60,000 ARP Response packets:

23 © AirTight 2007 Caffé Latte for Open + Static IP - Analysis uCapturing an ARP packet and bit flipping it: ~1 msec uARP Request/Response Flood: 4-5 minutes (to get around 80,000 packets) uKey cracking with Aircrack-ng: ~1 minute Bit Flipping works for all the cases Network Configuration Approximate Cracking time Shared + DHCP~ 6 minutes Shared + Static IP ~ 6 minutes Open + DHCP~ 6 minutes Open + Static IP~ 6 minutes

24 © AirTight 2007 Implications of Caffé Latte Risk is higher than previously perceived: uWEP keys can now be cracked remotely, putting your enterprise at risk uWEP Honey-pots are now possible Few hours before our talk we came to know that a tool WEPOff had taken a stab at attacking isolated clients using a different technique (fragmentation) and only for a limited set of network configurations (DHCP). Also due to the nature of the fragmentation attack, it has to send 9 times the number of packets. http://www.darknet.org.uk/2007/01/wep0ff-wireless-wep-key-cracker-tool/

25 © AirTight 2007 Advisory uYet another reason to upgrade to WPA/WPA2 uRoad warriors need to be careful even more now: uExercise caution when using public hotspots uUpgrade your wireless drivers regularly uSwitch off wireless when not in use u… Too many best practices to remember! Use a freely available wireless security agent on your laptop uIf you are using legacy WEP, do not build your enterprise defenses assuming the WEP key cannot be broken

26 Questions? Vivek.Ramachandran@airtightnetworks.net Md.Ahmad@airtightnetworks.net Airtight Networks www.AirTightNetworks.net Acknowledgements: Amit Vartak (amit.vartak@airtightnetworks.net)

Download ppt "Vivek Ramachandran MD Sohail Ahmad www.airtightnetworks.net Caffé Latte with a Free Topping of Cracked WEP Retrieving WEP Keys From Road-Warriors."

Similar presentations

Wireless Security By Robert Peterson M.S. C.E. Cryptographic Protocols University of Florida College of Information Sciences & Engineering.

Wireless Security By Robert Peterson M.S. C.E. Cryptographic Protocols University of Florida College of Information Sciences & Engineering.
Your 802.11 Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.

Your Wireless Network has No Clothes CS 395T William A. Arbaugh, Narendar Shankar, Y.C. Justin Wan.
Hacking WLAN // BRUTE FORCE CRACKER // TCP/IP. WLAN HACK Wired Equivalent Privacy (WEP) encryption was designed to protect against casual snooping, but.

Hacking WLAN // BRUTE FORCE CRACKER // TCP/IP. WLAN HACK Wired Equivalent Privacy (WEP) encryption was designed to protect against casual snooping, but.
Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.

Attack and Defense in Wireless Networks Presented by Aleksandr Doronin.
Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.

Wireless Security Ryan Hayles Jonathan Hawes. Introduction  WEP –Protocol Basics –Vulnerability –Attacks –Video  WPA –Overview –Key Hierarchy –Encryption/Decryption.
1 MD5 Cracking One way hash. Used in online passwords and file verification.

1 MD5 Cracking One way hash. Used in online passwords and file verification.
Security flaws of the WEP-Protocol by Bastian Sopora, Seminar Computer Security 2006.

Security flaws of the WEP-Protocol by Bastian Sopora, Seminar Computer Security 2006.
Wireless Security David Wagner University of California, Berkeley.

Wireless Security David Wagner University of California, Berkeley.
Final Presentation Presented By: Gal Leibovich Liran Manor Supervisor: Hai Vortman.

Final Presentation Presented By: Gal Leibovich Liran Manor Supervisor: Hai Vortman.
Chalmers University of Technology Wireless security Breaking WEP and WPA.

Chalmers University of Technology Wireless security Breaking WEP and WPA.
WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.

WiFi Security. What is WiFi ? Originally, Wi-Fi was a marketing term. The Wi-Fi certified logo means that the product has passed interoperability tests.
WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.

WEP Weaknesses Or “What on Earth does this Protect” Roy Werber.
1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID 001790660.

1 Enhancing Wireless Security with WPA CS-265 Project Section: 2 (11:30 – 12:20) Shefali Jariwala Student ID
Intercepting Mobiles Communications: The Insecurity of 802.11 Danny Bickson ACNS Course, IDC Spring 2007.

Intercepting Mobiles Communications: The Insecurity of Danny Bickson ACNS Course, IDC Spring 2007.
How To Not Make a Secure Protocol 802.11 WEP Dan Petro.

How To Not Make a Secure Protocol WEP Dan Petro.
Wireless Network Security: WEP And Beyond Heidi Parsaye Jason DeVries Roxanne Ilse Heidi Parsaye - Jason DeVries - Roxanne Ilse.

Wireless Network Security: WEP And Beyond Heidi Parsaye Jason DeVries Roxanne Ilse Heidi Parsaye - Jason DeVries - Roxanne Ilse.
Security in Wireless LAN 802.11 Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.

Security in Wireless LAN Layla Pezeshkmehr CS 265 Fall 2003-SJSU Dr.Mark Stamp.
Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.

Vulnerability In Wi-Fi By Angus U CS 265 Section 2 Instructor: Mark Stamp.
Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture.

Kemal AkkayaWireless & Network Security 1 Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture.
E-mail: kemal@cs.siu.edu Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE 802.11.

Department of Computer Science Southern Illinois University Carbondale Wireless and Network Security Lecture 9: IEEE

Similar presentations

Ads by Google