1 / 18

The Trouble with WEP

Or, cracking WiFi networks for fun & profit (not really) Jim Owens. The Trouble with WEP. Overview. Background and a little history How WEP works WEP’s major weaknesses A short course in wardriving Using kismet to scout out the wireless landscape Zeroing in with the aircrack-ng suite

Download Presentation

The Trouble with WEP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Or, cracking WiFi networksfor fun & profit (not really) Jim Owens The Trouble with WEP

  2. Overview Background and a little history How WEP works WEP’s major weaknesses A short course in wardriving Using kismet to scout out the wireless landscape Zeroing in with the aircrack-ng suite airodump, to capture traffic aireplay, to replay weakly encrypted packets aircrack, to find the key using statistical methods

  3. Background & history… Wireless Equivalent Privacy Adopted in 1999 as part of 802.11 standard Later swallowed whole by 802.11b standard Initially, used only 40-bit encryption keys, due to technology export restrictions Later, expanded to 104-bit keys when export restrictions were eased Used 6 times as often as WPA/WPA2 despite known fatal weakness* (85% / 14% / 1%) *Based on a 2006 survey in Seattle area

  4. How WEP works Plain text gets CRC-32 checksum appended 24-bit initialization vector pre-pended to key as a seed for RC4 key scheduling algorithm RC4’s pseudo-random generation algorithm outputs keystream Keystream XORed with plain text IV in plain text pre-pended to message On receipt, keystream regenerated and XORed with cipher text to produce plain text

  5. WEP’s major weaknesses IV space too small (224) On a busy network, IVs must repeat in <= 5 hours 50% probability that IV repeats in 5,000 packets RC4 algorithm produces “weak” IVs that can be correctly guessed 5% or 13% of the time No key management; typically just one key IP traffic contains much known plaintext data Open to injected traffic that is rebroadcast

  6. Wardriving: Kismet Network detector, sniffer, IDS Works on 802.11b, 802.11a, 802.11g networks Uses passive monitoring, so hard to detect Logs sniffed packets in formats compatible with Wireshark/Tcpdump, Airsnort Channel surfs automatically Optionally, supports GPS for network location

  7. Kismet: Install & configure Binary packages available for most systems Requires WiFi adaptor that supports monitor mode as “capture source” Logs traffic in popular formats* Specify source in /etc/kismet/kismet.conf, as driver,device,source_name source=ipw2200,eth1,Stella *Wireshark, Airsnort, etc.

  8. Stella, the WiFi attack animal!

  9. Wardriving: Recon phase Use Kismet to survey WiFi landscape and to choose a target network Record necessary data for Aircrack attack: Channel number? SSID? Access point MAC address?

  10. Wardriving: Kismet

  11. Wardriving: Attack phase Aircrack-ng: Software for network detection, sniffing, WEP cracking, and analysis Works on 802.11b, 802.11a, 802.11g Uses passive monitoring & packet injection Main tools aircrack-ng: Cracking airdecap: Packet decryption airmon: Monitor mode switching aireplay: Packet injection (Linux only) airodump: Exports traffic to .cap files

  12. Wardriving: Aircrack procedure Bring up adapter on target’s channel in monitor mode: # ifconfig wlan0 up# iwconfig wlan0 mode Monitor channel 9 Capture packets to file on channel, IVs only# airodump wlan0 ./berlin_dump 9 1

  13. Wardriving: Airodump

  14. Wardriving: Aircrack procedure Find weakly-encrypted packets to replay in interactive mode # aireplay -2 -b 00:14:6C:40:BA:A6 \ -x 512 wlan0 Finally, crack WEP key with captured IVs# aircrack -n 64 berlin-dump.ivs

  15. Wardriving: Aireplay

  16. Wardriving: Aircrack

  17. Summary WEP has numerous serious flaws WEP's flaws are thoroughly documented WEP is readily exploitable in a short time, by unskilled attackers, using readily available tools Strong protection is readily available Bottom line: Don't use WEP, period!

  18. Questions? That's all, folks!!!

More Related