Académique Documents
Professionnel Documents
Culture Documents
networks
MARCIN TUNIA
Agenda
1. Wireless standards
2. Hidden network and MAC filtering protection
bypassing
3. Encryption independent attacks
4. Attacks on WEP
5. Attacks on WPA/WPA2
6. Legal issues
7. Summary
Attacks on WEP
Using keystream
Correctly encrypted packet forging
Fake authentication
Key cracking
FMS
KoreK
PTW
Interactive packet replay
ARP request
Caffe Latte
Caffe Latte
FMS attack
Probability of key cracking ~ number of
intercepted packets
Statistical attack
Attack on RC4 cipher
Takes advantage of weak IVs
Attacker can crack next byte of the key with ~50%
probability
Repeats calculataions for many IVs
Reveals seccessively more bytes of the key
Verifies if password is valid by calculating CRC32
FMS attack
1st round:
Byte
0 (A)
1 (B)
15 (P)
...
254
255
points
23
55
...
33
2nd round:
Byte
0 (A)
1 (B)
2 (C)
3 (D)
254
255
points
44
15
3rd round:
Byte
0 (A)
1 (B)
18 (S)
254
255
points
21
17
51
4th round:
Byte
18 (S)
254
255
points
57
11
Attack
FMS
KoreK
PTW
Packets count
4 000 000
6 000 000
500 000
2 000 000
40 000 (50%)
85 000 (95%)
Encryption
(0.0.0.0)
WEP (830478 IVs)
No data - WEP or
WPA
Capture packets
# airodump-ng -c 9 -w packets wlan0
Attacks on WPA/WPA2
WPA - TKIP
4-Way handshake
aircrack-ng package
airbase-ng
aircrack-ng
airdecap-ng
airdecloak-ng
airdriver-ng
airdrop-ng
aireplay-ng
airgraph-ng
airmon-ng
airodump-ng
airolib-ng
airserv-ng
airtun-ng
besside-ng
easside-ng
packetforge-ng
tkiptun-ng
wesside-ng
Summary
WEP is deprecated standard
Can be cracked within couple of minutes