3.3 Caffe-Latte attack against WEP

- The Caffe-Latte attack takes advantage of WEP's Message Modification flaw. Its most interesting characteristic is that no AP is needed to perform it: the attacker takes the information used to crack the WEP key from packets sent by the victim while trying to authenticate with an AP that is not actually present. The attacker "kali" monitors the air looking for clients sending probe messages. Then a fake AP is set up using airbase-ng. When the client connects to the fake AP, authentication messages are exchanged, and after association the DHCP request phase starts. Just at this point, the Caffe-Latte attack is launched by the attacker.
- To perform this attack, let's set up the legitimate AP with SSID=prueba and WEP with Shared Key Authentication:
- The WEP key generated by the AP is A8925DC44A5432DE814CE109F9:
- The victim "roch" is connected to the wireless network, so that it has cached and stored the WEP key:
- This attack is based on the fact that clients, just after being started, are usually configured to send probe messages for SSIDs they have previously connected to. For instance, Windows clients cache and store the WEP keys of previously connected networks. This feature is known as the Preferred Network List (PNL), a list of previously used networks. A very similar configuration exists on Linux; for instance, on Debian the previously used networks are stored under the Network Connections option.
- Every time a client connects to the same AP, the Windows wireless manager automatically uses that stored key. This is done to help users, so that they do not need to enter the key every time the computer is turned on.
- However, from the security perspective, it can be considered a flaw. As the next screenshot shows, the option "Connect automatically when this network is in range" is ticked:
- As said before, the WEP key is cached and stored by Windows clients:
- Because this attack does not require the client to be close to the legitimate AP, the WEP key can be cracked using the isolated client alone. To verify it, the AP is going to be unplugged during the whole practice, simulating that the AP is far away from the client.
- Now, given this scenario, let's start the attack from "kali". Using the airbase-ng tool, a fake AP is created with the same SSID=prueba and an arbitrary MAC address like AA:AA:AA:AA:AA:AA. Of course, in a real attack a less suspicious MAC address would be used:
- It is important to notice the options used with the airbase-ng command:
  -L = Caffe-Latte attack
  -W 1 = WEP encryption
- Then the client "roch" is started in a scenario where there is no legitimate AP turned on (remember that it has been unplugged). Wireshark detects the victim "roch" (Netgear wireless card interface with MAC 28:C6:8E:63:15:6B) desperately sending broadcast messages looking for the legitimate "prueba" AP, which is actually unplugged:
- The victim "roch" will not find the legitimate "prueba" AP, but the fake "prueba" AP created by the attacker "kali".
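The sequence above (a client probing by name for a saved SSID, a second AP answering for that SSID from an unknown MAC, and the client associating to it) is exactly what a monitor-mode sensor can flag. The following is an added example, not code from the original write-up: a small set of wireless IDS rules run over a constructed list of frame summaries. The SSID "prueba", the fake AP MAC AA:AA:AA:AA:AA:AA and the client MAC 28:C6:8E:63:15:6B are taken from the page; the legitimate AP's BSSID (00:11:22:33:44:55) is a placeholder, since the page never shows it.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed inventory. The SSID and the two MACs below come from the page's lab;
# the legitimate AP's BSSID is a placeholder because the page never shows it.
AUTHORIZED_BSSIDS = {"prueba": {"00:11:22:33:44:55"}}   # SSID -> known-good AP MACs
MANAGED_CLIENTS = {"28:c6:8e:63:15:6b"}                   # the victim "roch"


@dataclass
class Frame:
    """Minimal summary of an 802.11 management frame, as a monitor-mode sensor would record it."""
    ts: float
    kind: str              # beacon | probe_req | probe_resp | assoc_req
    src: str               # transmitter address
    dst: str               # receiver address ("ff:ff:ff:ff:ff:ff" for broadcast)
    ssid: Optional[str]    # SSID element, None for a wildcard probe


Alert = Tuple[str, str, str]


def _bssid_known(ssid: str, bssid: str) -> bool:
    return bssid in AUTHORIZED_BSSIDS.get(ssid, set())


def detect(frames: List[Frame]) -> List[Alert]:
    """Three rules, each reported once per (subject, object) pair, so that thousands
    of beacons from one rogue AP produce a single alert."""
    alerts: List[Alert] = []
    seen = set()

    def emit(alert: Alert) -> None:
        if alert not in seen:
            seen.add(alert)
            alerts.append(alert)

    all_known = {b for bssids in AUTHORIZED_BSSIDS.values() for b in bssids}
    for f in frames:
        src, dst = f.src.lower(), f.dst.lower()
        # Rule 1: a managed client announces a saved SSID in a directed probe
        # (the behaviour the fake AP waits for).
        if f.kind == "probe_req" and src in MANAGED_CLIENTS and f.ssid in AUTHORIZED_BSSIDS:
            emit(("SAVED_SSID_PROBED", src, f.ssid))
        # Rule 2: one of our SSIDs advertised from a BSSID that is not in inventory.
        if f.kind in ("beacon", "probe_resp") and f.ssid in AUTHORIZED_BSSIDS \
                and not _bssid_known(f.ssid, src):
            emit(("ROGUE_AP", f.ssid, src))
        # Rule 3: a managed client associates to an AP we do not own.
        if f.kind == "assoc_req" and src in MANAGED_CLIENTS and dst not in all_known:
            emit(("MANAGED_CLIENT_ON_UNKNOWN_BSSID", src, dst))
    return alerts


# Constructed capture mirroring the page's sequence: the real AP goes quiet, the client
# probes for "prueba", the fake AP at AA:AA:AA:AA:AA:AA answers and the client joins it.
SAMPLE_FRAMES = [
    Frame(0.0, "beacon", "00:11:22:33:44:55", "ff:ff:ff:ff:ff:ff", "prueba"),
    Frame(120.0, "probe_req", "28:C6:8E:63:15:6B", "ff:ff:ff:ff:ff:ff", "prueba"),
    Frame(120.1, "beacon", "AA:AA:AA:AA:AA:AA", "ff:ff:ff:ff:ff:ff", "prueba"),
    Frame(120.2, "probe_resp", "AA:AA:AA:AA:AA:AA", "28:C6:8E:63:15:6B", "prueba"),
    Frame(120.3, "beacon", "AA:AA:AA:AA:AA:AA", "ff:ff:ff:ff:ff:ff", "prueba"),
    Frame(121.0, "assoc_req", "28:C6:8E:63:15:6B", "AA:AA:AA:AA:AA:AA", "prueba"),
    Frame(122.0, "beacon", "66:77:88:99:aa:bb", "ff:ff:ff:ff:ff:ff", "cafe-guest"),  # unrelated
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_FRAMES):
        print(alert)
```

Rule 1 fires before the rogue AP even appears, which is the useful property here: a client that probes by name for a saved network is advertising its PNL, and that is observable regardless of whether an attacker is listening. Feeding real frames in means mapping whatever the capture tool emits (e.g. tshark fields) onto the Frame summary; the rules themselves do not change.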
- Because there is no mutual authentication between client and AP, just the client authenticating to the AP, there will be no problem for the association process to succeed. In other words, the fake AP (the attacker) has the role of deciding or approving whether the association of the client is achieved. It is quite interesting that WEP allows any fake AP to carry out an association process without knowing the key in use.
- Once the client is connected to the fake AP, it will send out DHCP requests, which will eventually time out because the fake AP is not a DHCP server. Then, not having received any dynamic IP, the client will start the so-called Automatic Private IP Addressing (APIPA), assigning itself an IP like 169.254.x.x. After this auto-configuration process, the client will send Gratuitous ARP broadcast packets to announce itself to the rest of the network.
- The attacker "kali" captures these Gratuitous ARP packets and modifies them using the Message Modification WEP flaw, converting them into ARP request packets for the client. The Message Modification WEP flaw allows bits to be flipped in a WEP-encrypted packet, adjusting the ICV so that the packet remains valid.
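The reason the ICV can be adjusted without the key is that CRC-32 is affine: crc(m XOR d) = crc(m) XOR crc(d) XOR crc(0...0), so the change the modification makes to the checksum depends only on the delta, never on the message or on the RC4 keystream. The following is an added example, not code from the page: a toy WEP-style framing (payload || tag, XORed with RC4(IV || key)) with the same receiver check run against two candidate integrity tags, the CRC-32 ICV and a keyed HMAC. It is the kind of check a protocol reviewer runs to tell a checksum from a MAC. The RC4 routine, the ARP-like payload and the IV are constructed for the example; the 104-bit key is the lab key quoted on the page.

```python
import hashlib
import hmac
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA). WEP keys RC4 with the 3-byte IV prepended to the shared key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Two candidate integrity tags. WEP's ICV is the first one.
def crc_tag(_key: bytes, payload: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(payload))                # CRC-32, no key involved


def hmac_tag(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()[:8]  # keyed MAC, truncated


def seal(key: bytes, iv: bytes, payload: bytes, tag_fn) -> bytes:
    """WEP-style framing: (payload || tag) XOR RC4(IV || key)."""
    plain = payload + tag_fn(key, payload)
    return xor_bytes(plain, rc4_keystream(iv + key, len(plain)))


def unseal(key: bytes, iv: bytes, body: bytes, tag_fn, tag_len: int):
    """Receiver side: returns the payload if the tag verifies, else None."""
    plain = xor_bytes(body, rc4_keystream(iv + key, len(body)))
    payload, tag = plain[:-tag_len], plain[-tag_len:]
    return payload if hmac.compare_digest(tag_fn(key, payload), tag) else None


def crc32_is_affine(n: int = 64) -> bool:
    """crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0^n): the property the ICV flaw rests on."""
    a = bytes(range(n))
    b = bytes((i * 7) % 256 for i in range(n))
    return zlib.crc32(xor_bytes(a, b)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(bytes(n))


def keyless_modification_accepted(tag_fn, tag_len: int) -> bool:
    """Reviewer's check: XOR a chosen delta into a sealed body and compensate the last
    four tag bytes as if the tag were CRC-32, all without the key. Does the receiver
    accept the result? True means the tag gives no integrity against a bit-flipper."""
    key = bytes.fromhex("A8925DC44A5432DE814CE109F9")          # lab key quoted on the page
    iv = b"\x01\x02\x03"                                         # constructed IV
    payload = b"who-has 169.254.10.20 tell 169.254.10.1"       # constructed ARP-like payload
    body = seal(key, iv, payload, tag_fn)

    delta = bytearray(len(payload))
    delta[8:11] = b"\x01\x01\x01"            # flip a few bits of the address bytes
    delta = bytes(delta)
    tag_delta = struct.pack("<I", zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta))))
    mask = delta + bytes(tag_len - 4) + tag_delta   # nothing here depends on the key
    forged = xor_bytes(body, mask)

    got = unseal(key, iv, forged, tag_fn, tag_len)
    return got is not None and got == xor_bytes(payload, delta)


if __name__ == "__main__":
    print("CRC-32 affine:", crc32_is_affine())
    print("CRC-32 ICV accepts keyless change:", keyless_modification_accepted(crc_tag, 4))
    print("HMAC tag accepts keyless change:", keyless_modification_accepted(hmac_tag, 8))
```

The same receiver code, the same cipher and the same bit-flip give opposite answers for the two tags: the CRC-based ICV validates the modified frame, the keyed MAC rejects it. That contrast is why WPA2's CCMP carries a keyed MIC rather than a checksum, and it is the property to look for when reviewing any protocol that claims "integrity" from a CRC under a stream cipher.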
- Then the fake AP resends a few thousand of these spurious ARP request packets back into the wireless network. The client receives them and believes that someone is asking for its MAC address using ARP, so it replies.
- When the victim "roch" replies, the packets include the WEP key, and they are captured by the attacker "kali". Once the attacker collects enough packets, aircrack-ng will be able to crack the WEP key.
- It is important to note that the attacker is able to run the attack without any knowledge of the WEP key.
- Two minutes after the attacker "kali" created the fake AP, the victim "roch" is associated, and immediately afterwards the Caffe-Latte attack is launched (see the last line) at 10:52:51:
- In order to collect the packets sent between the victim "roch" and the fake AP, airodump-ng writes to the file CaffeLatteWEP:
- The CaffeLatteWEP-01 file and its derivatives are created:
- After some minutes of gathering a large number of exchanged packets, aircrack-ng is used to obtain the WEP key A8925DC44A5432DE814CE109F9:
- Again, it is important to remember the most remarkable feature of this attack, which distinguishes it from other WEP attacks and gives it its great new value: no legitimate AP has been used to perform the whole attack, and no legitimate AP has been present in the vicinity. Just the isolated client, maybe roaming thousands of miles away from the attacked network, looking for a wireless connection and sending into the air in clear text a copy of the cached and stored WEP key. So, unlike other attacks against WEP encryption, the attacker does not need to be in the vicinity of any AP, which makes Caffe-Latte a very powerful attack.
- Needless to say, to prevent this attack the solution would consist of removing all networks from the Preferred Network List (PNL) whenever the client is roaming. However, almost nobody does it, because of the inconvenience created every time the user wants to join a network: he would need to enter the WEP key manually, usually a very long hexadecimal key that is difficult to remember.
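Since users will not prune the PNL by hand, the practical mitigation is to audit saved profiles centrally and remove the WEP ones. The following is an added example, not code from the page: a Python script that parses the `Key : Value` lines of `netsh wlan show profile name=<X>` output, flags profiles that use WEP, auto-connect, or probe for a non-broadcast SSID, and emits the `netsh wlan delete profile` commands for the WEP ones. The two profile dumps embedded below are constructed approximations of that output written for this example (not captured from a real host); `dumps_from_host()` collects real dumps on Windows and is not exercised offline.

```python
import re
import subprocess
import sys
from typing import Dict, List

# Constructed samples in the shape of `netsh wlan show profile name=<X>` output. They are
# approximations written for this example, not captured from a real host.
SAMPLE_PROFILE_DUMPS = {
    "prueba": """Profile prueba on interface Wi-Fi:
=======================================================================

Applied: All User Profile

Profile information
-------------------
    Version                : 1
    Type                   : Wireless LAN
    Name                   : prueba
    Control options        :
        Connection mode    : Connect automatically
        Network broadcast  : Connect even if this network is not broadcasting
        AutoSwitch         : Do not switch to other networks

Security settings
-----------------
    Authentication         : Shared
    Cipher                 : WEP
    Security key           : Present
""",
    "corp-wpa2": """Profile corp-wpa2 on interface Wi-Fi:
=======================================================================

Profile information
-------------------
    Name                   : corp-wpa2
    Control options        :
        Connection mode    : Connect automatically
        Network broadcast  : Connect only if this network is broadcasting

Security settings
-----------------
    Authentication         : WPA2-Enterprise
    Cipher                 : CCMP
""",
}

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")


def parse_profile(text: str) -> Dict[str, str]:
    """Turn the indented 'Key : Value' lines into a dict, keeping the first value of a repeated key."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        m = FIELD.match(line)
        if m and m.group(2):
            fields.setdefault(m.group(1).strip(), m.group(2))
    return fields


def assess(fields: Dict[str, str]) -> List[str]:
    """Findings for one profile, worded for the administrator reading the report."""
    findings: List[str] = []
    cipher = fields.get("Cipher", "").upper()
    mode = fields.get("Connection mode", "").lower()
    broadcast = fields.get("Network broadcast", "").lower()
    if cipher == "WEP":
        findings.append("WEP profile: the cached key can be recovered from this client alone; delete it")
        if "automatically" in mode:
            findings.append("auto-connect: the client will associate to any AP advertising this SSID")
    if "not broadcasting" in broadcast:
        findings.append("probes for this SSID by name wherever the client is, exposing it in the clear")
    return findings


def audit_profiles(dumps: Dict[str, str]) -> Dict[str, dict]:
    report: Dict[str, dict] = {}
    for name, text in dumps.items():
        findings = assess(parse_profile(text))
        severity = "high" if any(f.startswith("WEP") for f in findings) else ("low" if findings else "none")
        report[name] = {"findings": findings, "severity": severity}
    return report


def remediation_commands(report: Dict[str, dict]) -> List[str]:
    """netsh commands a Windows administrator would run for the high-severity profiles."""
    return [f'netsh wlan delete profile name="{n}"' for n, r in report.items() if r["severity"] == "high"]


def dumps_from_host() -> Dict[str, str]:
    """Collect real profile dumps on Windows (the 'All User Profile : <name>' lines of
    `netsh wlan show profiles`). Not exercised offline."""
    listing = subprocess.run(["netsh", "wlan", "show", "profiles"], capture_output=True, text=True).stdout
    names = [n.strip() for n in re.findall(r"All User Profile\s*:\s*(.+)", listing)]
    return {n: subprocess.run(["netsh", "wlan", "show", "profile", f"name={n}"],
                              capture_output=True, text=True).stdout for n in names}


if __name__ == "__main__":
    dumps = dumps_from_host() if sys.platform == "win32" else SAMPLE_PROFILE_DUMPS
    report = audit_profiles(dumps)
    for name, r in report.items():
        print(name, r["severity"], *r["findings"], sep="\n  ")
    print(*remediation_commands(report), sep="\n")
```

Run on a fleet through whatever management channel already executes scripts on the endpoints, the output is a per-host list of WEP profiles to delete and of profiles that make the client announce its saved SSIDs; the first category is what makes Caffe-Latte possible, the second is what makes the client findable. On Linux the equivalent inventory lives in NetworkManager's connection profiles, and the same assessment applies to any profile whose key management is WEP.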