CEH.V6.-.Module.20.Hacking.Wireless.Networks


vial

Disassociation and deauthentication frames:
• A station receiving one of those frames must redo the authentication and association processes
• With a single short frame, an attacker can delay the transmission of data and require the station and real access point to redo these processes:
  • This takes several frames to perform

EC-Council Copyright © by EC-Council All Rights Reserved. Reproduction is Strictly Prohibited

WEP Attack

WEP attack takes at least 10,000 packets to discover the key
• A large amount of known data is the fastest way of determining as many key streams as possible
Wep Weggie (part of BSD-Airtools) can be used to generate a large number of small packets:
• The information may be as innocuous as the fields in the protocol header or the DNS name query
• Monitoring is passive and therefore undetectable
• Simple tools and instructions are readily available to recover the key

Cracking WEP

Passive attacks:
• The presence of the attacker does not change traffic until WEP has been cracked
Active attacks:
• Active attacks increase the risk of being detected, but are more capable
• If an active attack is reasonable (i.e., the risk of detection is disregarded), the goal is to stimulate traffic:
  • Collects more pads and uses of weak IVs
  • Some attacks require only one pad

Weak Keys (a.k.a. Weak IVs)

Some IVs can reveal information about the secret key depending upon how RC4 is used in WEP:
• Mathematical details out of the scope of this material
Attack
• FMS (Fluhrer et al. 2001) cryptographic attack on WEP
• Practicality demonstrated by Stubblefield et al. (2001)
• Collection of the first encrypted octet of several million packets
• Exploits:
  • WEPcrack (Rager 2001)
  • Airsnort (Bruestle et al. 2001)
• Key can be recovered within a second (after collecting the data)

Problems with WEP’s Key Stream and Reuse

Secret key never changes, only the initialization vectors
Initialization vectors are sent unencrypted
If two messages with the same initialization vector are intercepted it is possible to obtain the plaintext
Initialization vectors are commonly reused
Initialization vectors can be used up in less than 1 hour
Attackers can inject a known plaintext and re-capture the ciphertext
It leaves WEP susceptible to replay attacks

Automated WEP Crackers

AiroPeek (Commercial)
• Easy-to-use, flexible, and sophisticated analyzer
WEPCrack, AirSnort
• Implementations of the FMS attack
NetStumbler
• This is a popular network discovery tool, with GPS support. It does not perform any cracking. A Mac OS equivalent is named "iStumbler"
KisMAC
• This is a Mac OS X tool for network discovery and cracking WEP with several different methods
Kismet
• Swiss-army knife