Re: WEP attacks based on IV Collisions

From: Joshua Wright (jwright_at_hasborg.com)
Date: 04/30/04

  • Next message: Bénoni MARTIN: "RE: Questions: nmap, nessus unreliability, setting up a packet capture box, using Impacket"
    Date: Fri, 30 Apr 2004 13:31:00 -0400
    To: Jason Ostrom <jpo@pobox.com>
    
    

    Jason,

    Jason Ostrom wrote:
    > First, correct me if I am wrong, but it seems like a non-trivial task
    > to actually determine the WEP key if you have zero knowledge about
    > the target network, i.e. IP addressing, AND can't readily inject
    > 802.11b frames into the target network just because you have a usable
    > keystream? Has anyone found differently?

    It is non-trivial in that there are not any public tools to do this in
    an automated fashion. ;)

    > This paper [1] provides pretty good examples of the attacks. In the
    > "Passive Attack to Decrypt Traffic", if you have a known keystream
    > with one known plaintext, then it looks like you could determine the
    > plaintext WEP key after you XOR the ciphertext and run the results
    > back through RC4 -

    This is correct, and one of the <i>other</i> fundamental flaws in the
    implementation of WEP. I don't need the pre-shared key (or the dynamic
    key for that matter) to transmit traffic onto the network, I only need
    PRGA. I can calculate PRGA by XOR'ing Cipher text with Plain text.
    This is trivial in the WEP authentication process (see WEPWedgie/Anton
    Rager for code that implements this attack), but can also be reproduced
    by guessing the contents of plain-text based on predictable packet
    sizes. The Nachi 92-byte ICMP Echo request packets are a good example
    of this. If I see packets that match the size of Nachi packets, I can
    XOR the encrypted packet contents with the known-plaintext Nachi
    contents, and try to use the resulting PRGA to inject traffic.

    > I don't understand why the paper says "Once it is
    > possible to recover the entire plaintext for one of the messages, the
    > plaintext for all other messages with the same IV follows directly,
    > since all the pairwise XORs are known." But that's just my confusion
    > - if you have the keystream (IV + Secret key run through RC4) and you
    > have the original plaintext, then why can't you determine the secret
    > key as well?

    You can't determine the secret key as a feature of RC4. You can't get
    the secret key, but you can get the PRGA, which is just as effective for
    decrypting traffic that uses the same IV, or for injecting packets.

    > Last, what types of traffic or methods are used to determine a
    > plaintext? I've seen one method mentioned: inject an ARP packet to
    > the AP encrypted with the known keystream. But this seems to be
    > based on having information such as IP addressing on the target
    > network, which isn't known in this case.

    One IP address always exists on every IP network - 255.255.255.255.
    I've been successful at accelerating weak IV collection by injecting
    ICMP Echo requests to the broadcast address on some networks, I'm sure
    there are plenty of other opportunities without know the network number.

    Fun stuff.

    -Josh

    -- 
    -Joshua Wright
    jwright@hasborg.com
    http://home.jwu.edu/jwright/
    pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
    fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
    ------------------------------------------------------------------------------
    Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
    any course! All of our class sizes are guaranteed to be 10 students or less
    to facilitate one-on-one interaction with one of our expert instructors.
    Attend a course taught by an expert instructor with years of in-the-field
    pen testing experience in our state of the art hacking lab. Master the skills
    of an Ethical Hacker to better assess the security of your organization.
    Visit us at:
    http://www.infosecinstitute.com/courses/ethical_hacking_training.html
    -------------------------------------------------------------------------------
    

  • Next message: Bénoni MARTIN: "RE: Questions: nmap, nessus unreliability, setting up a packet capture box, using Impacket"