Re: V/Scan for Wireless LANs
From: Ivan Arce (ivan.arce_at_corest.com)
Date: 07/19/03
- Previous message: El C0chin0: "Looking for Telnet like war dialer"
- In reply to: R. DuFresne: "RE: V/Scan for Wireless LANs"
- Next in thread: Chris Harrington: "Re: V/Scan for Wireless LANs"
Date: Fri, 18 Jul 2003 20:09:56 -0300
To: pen-test@securityfocus.com

In the first issue (Jan-Feb 2003) of the IEEE Security & Privacy magazine
http://csdl.computer.org/comp/mags/sp/2003/01/j1toc.htm
Nick Petroni and Will Arbaugh provide a quite detailed description of
an active attack against WEP that provides full network access to the
wireless LAN (both encryption and decryption) without knowledge of
the secret key within a few hours. The attack takes advantage of the
use of CRC-32 for packet integrity checks and the availability of
known or easily predictable plaintext in common network protocols like
DHCP and ICMP.
"The Dangers of Mitigating Security Design Flaws: A Wireless Case Study"
Nick L. Petroni Jr. and William A. Arbaugh
IEEE Security & Privacy magazine, Jan-Feb 2003, pp 28-36
I don't know of any publicly available implementation of this attack but
it is certainly a good starting point for those willing to code it :)
-ivan
---
Perscriptio in manibus tabellariorum est
Noli me vocare, ego te vocabo

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES

46 Farnsworth Street
Boston, MA 02210
Ph: 617-399-6980
Fax: 617-399-6987
ivan.arce@coresecurity.com
www.coresecurity.com

PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A

R. DuFresne wrote:
> It's been done. But, I think someone erred earlier in the amount of
> traffic one needs to capture to accomplish this. I recall it being
> someplace between only 5 and 6 megs of traffic, perhaps 10 if one wished
> to make sure, but, I will enjoy any corrections to my recollections.
>
> Thanks,
>
> Ron DuFresne
>
> On Fri, 18 Jul 2003, Calderone, Denis wrote:
>
>>A side question for the group on this topic,
>>
>>Has anybody successfully used WEPcrack or Airsnort to crack a 128bit key? I've never tried.
>>
>>thanks
>>
>>Denis Calderone
>>
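As an added illustration of the design flaw the message above points to (CRC-32 used as the packet integrity check), the following example is not part of the original post and is not code from the cited paper. It shows that a CRC-32 value encrypted under an XOR keystream does not detect a changed payload, while a keyed MAC over the ciphertext does; the random keystream standing in for RC4 output, the function names, and the sample payload are all assumptions made for the example.

```python
import hashlib, hmac, os, zlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")

def seal_crc(ks: bytes, payload: bytes) -> bytes:
    # WEP-style frame body: keystream XOR (payload || CRC-32(payload)).
    return xor(payload + crc(payload), ks)

def open_crc(ks: bytes, frame: bytes):
    plain = xor(frame, ks)
    payload, icv = plain[:-4], plain[-4:]
    return payload if crc(payload) == icv else None

def icv_delta(delta: bytes) -> bytes:
    # CRC-32 is affine over XOR: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(00..00),
    # so the ICV change depends only on d, never on the key or the payload.
    return xor(crc(delta), crc(bytes(len(delta))))

def seal_mac(ks: bytes, mac_key: bytes, payload: bytes) -> bytes:
    # Corrected design: keyed MAC over the ciphertext (encrypt-then-MAC).
    ct = xor(payload, ks)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_mac(ks: bytes, mac_key: bytes, frame: bytes):
    ct, tag = frame[:-32], frame[-32:]
    good = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return xor(ct, ks) if hmac.compare_digest(tag, good) else None

def demo():
    payload = b"constructed sample payload"          # constructed input
    ks = os.urandom(len(payload) + 4)                # stand-in for the RC4 keystream
    mac_key = os.urandom(32)
    delta = bytes([0x01]) + bytes(len(payload) - 1)  # change one bit of the payload
    # The same change is applied to both frames without using ks or mac_key.
    crc_frame = xor(seal_crc(ks, payload), delta + icv_delta(delta))
    mac_frame = seal_mac(ks, mac_key, payload)
    mac_frame = xor(mac_frame[:len(delta)], delta) + mac_frame[len(delta):]
    return payload, open_crc(ks, crc_frame), open_mac(ks, mac_key, mac_frame)

if __name__ == "__main__":
    original, via_crc, via_mac = demo()
    print("CRC-32 frame accepted as:", via_crc)
    print("HMAC frame accepted as:  ", via_mac)
```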