3.1
- Attack against WEP encryption
3.1.1
- WEP encryption
- Wired
Equivalent Privacy (WEP) is a security algorithm introduced by the
University of California Berkeley, accepted as part of the IEEE
802.11 standards for wireless networks. Because of the great number
of flaws inherent to WEP, it is nowadays considered obsolote.
However, due to the fact that almost all Wi-Fi routers offer WEP as
an option, and because there are a lot of available wireless networks
using WEP, it is neccesary and interesting to study this standard.
From the criptographic point of view, WEP uses the stream cipher RC4
for confidentiality, and CRC-32 checksum for integrity. There are two
main versions of WEP, although working in a similar manner. All of
them use a so called initialization vector (IV), what is a fixed
size input generated randomly, that is eventually XOR operated with
the keystream.
-
WEP-40 uses a 40 bits key which is concatenated with a 24 bits IV to
form the 64 bits RC4 key. The 40 bits key is formed by a string of 10
hexadecimal characters (4 bits for 1 char).
-
WEP-104 uses a 104 bit key which is concatenated with a 24 bits IV to
form the 128 bits RC4 key. The 104 bits key is formed by a string of
26 hexadecimal characters (4 bits for 1 char).
There
are also two main authentication systems for WEP: Open and Shared
Key.
-
Open System authentication: the client does not need to provide any
credentials to authenticate with the AP; actually, no authentication
occurs, and WEP keys are used just for encrypting data frames.
-
Shared Key authentication: a four step challenge-response handshake
is used:
a)
the client sends a request message to the AP.
b)
the AP replies with a clear text challenge.
c)
the client encrypts the text challenge with the WEP key, sending back
to the AP.
d)
the AP decrypts the response, if matches the AP sends back a positive
reply.
- After
the authentication, the WEP key is used to encrypt the data with RC4.
Although it may seem that Shared Key method is safer than Open
System, because the last one lacks of authentication, the truth is
just the contrary. Due to the fact that challenge frames can be
captured during the handshake in Shared Key, the keystream could be
obtained.
- RC4
is a stream cipher, so same key must not be used twice. The
initialization vector, transmitted unencrypted, tries to prevent any
repetition. But a lenght of 24 bits is not enough to ensure this, so
it could happen that two identical IVs were generated if busy
traffic. A passive attack would consist on simulating replay packets
and sniffing the responses for subsequent analysis. For the WEP-104
just 40.000 packets would be enough to obtain the WEP key with a 50%
of probability, and around 85.000 data packets would ensure the 95%
of probability of success. Using ARP packets reinjection, around
40.000 packets can be captured in less than 1 minute. So, cracking
WEP is just a matter or time, just using software tools like
aircrack-ng.
3.1.2
- Attack against WEP encryption
- First
of all, the AP is set to use WEP encryption of 128 bits whith Shared
Key Authentication.
- Introducing
the passphrase AbCdEf12345$ a Network Key is generated:
1792424e9b00a0d2a4a8bc180a
- From
the client "roch"s side, properties of the network are
arranged:
- Then,
"roch" is connected to the network:
- This
process of connection for the client "roch" has been
captured by the attacker "kali" with airodump-ng.
The option - - write means that captures are stored at the
.cap file called "archivoWEP":
- At
previous screenshot it can be noticed that the number of data packets
is very small, #Data = 61. For WEP cracking a larger number of
packets is needed, so the network is forced to create more data
packets.
- The
tool aireplay-ng captures packets from the wireless network
and reinjects them back simulating ARP responses. In this way a lot
of traffic is generated for the network. Aireplay-ng
identifies ARP packets by looking at their size. ARP protocol uses a
fixed header that can be easily identified. It is essential that the
victim client is already authenticated and associated to the AP.
- Option
-3 means ARP replay, -b is for the BSSID, and -h for the
victim's,"roch", whose MAC address is being spoofed:
- Due
to the replay attack, the number of captured packets by airdump-ng
is dramatically increased, from #Data = 61 to now #Data = 44376:
- In
the meanwhile, "archivoWEP-01.cap" and some other derived
files are storing the created packets by aireplay-ng:
- At
this point of the attack, aircrack-ng is ready to be launched,
using packets stored at "archivoWEP-01.cap":
- Due
to the great amount of stored packets, it takes just an instant to
find the key:
- Using
the airdacp-ng command, captured packets at
"archivoWEP-01.cap" can be decrypted:
3.1.3
- Connecting to the AP
- Once
the attacker "kali" has been able to crack the WEP key, it
is time for it to connect to the network. At the present moment of
the practice "kali" is in "Not-Associated" mode:
- Using
the iwconfig command, the SSID and the key, the attacker
"kali" can connect to the network:
- The
success of the connection is verified:
- Also,
airodump-ng captures the fact that now there are 2 clients
connected to the AP: the legitimate one ("roch"), and the
attacker one ("kali"):
- In
the same way, the AP detects both connected clients:
- Because
DHCP is enabled by default, the AP assigns a dynamic IP to "kali":
- Now,
the attack is a complete success because "kali" is
authenticated and associated to the network, pinging any of the
internal hosts, for instance the default gateway:
- Also,
"kali" has got connection to the Internet, being able to
ping Google's public DNS server: