April 05, 2007

Breaking 40-bit WEP in less than 30 seconds?

Being the inquisitive person I am, the first question that came to mind after my last post (applying some very basic maths) was: does this mean "breaking 40-bit WEP in less than 30 seconds"? I had to research it!

Perhaps you are wondering why to worry about 40-bit WEP at all, but unfortunately I still see 40-bit WEP networks deployed in legacy corporate infrastructures and SOHO environments. In the previous post I pointed at the vendors, but we cannot forget the Telecom and Internet Service Providers. Believe it or not, still today (again, in 2007!) they ship xDSL/wireless end-user equipment configured with WEP (40 or 104 bits) by default. Please, switch to WPA/WPA2-PSK! All the xDSL/wireless devices they provide support it, most end-user wireless cards can at least be upgraded to WPA, and, yes, users (even non-technical ones) know how to type a very long passphrase once (or even twice ;))!

So, let's go for the practical numbers. Take them with a grain of salt: like all WEP attacks, the results depend on statistics and mathematical models and, in this case, on error-correction methods. I used the same setup as in my previous post, this time with a 40-bit WEP key.

After running a few tests, I was able to obtain the 40-bit WEP key several times with around 15,000 frames (anything between 12,000 and 20,000 frames seems to always work), and even with as few as 9,761 frames:
stats for bssid 00:18:39:86:F2:5A  keyindex=0 packets=9761
Found key with len 05: CA FE CA FE CA
Can you break a 40-bit WEP key in less than 30 seconds? Yes, in 17 seconds!

However, when I started to run aircrack-ptw against 40-bit keys, each attempt took around 20-25 seconds (instead of the 3 seconds for 104-bit keys). As the authors state in the paper, "Initially we assume that a 104 bit WEP key was used." So I went through the source code and found why: aircrack-ptw has no option to set the key length (unlike the "-n" option in aircrack-ng), so it first tries 104-bit keys and, only if that fails, 40-bit keys. You can change this behaviour by going to the end of the aircrack-ptw.c file and swapping the following two blocks:
    /* The 104-bit (13-byte) key is tried first, with the full key limit... */
    if (PTW_computeKey(networktable[k].state, key, 13, KEYLIMIT) == 1) {
        printKey(key, 13);
    }
    /* ...and the 40-bit (5-byte) key only afterwards, with a tenth of the limit. */
    if (PTW_computeKey(networktable[k].state, key, 5, KEYLIMIT/10) == 1) {
        printKey(key, 5);
    }
Put the 5-byte (40-bit) key "if" statement first, and the 13-byte (104-bit) key statement second. This is all about speed and a few seconds! ;) You could even build three versions of the tool (40, 104, or 104&40 as the default), or modify the code to accept a "-n" option (exercise for the reader). Every time you run the tool with the right key length, if enough frames were collected to derive the WEP key (40 or 104 bits), the key is displayed immediately, in less than 3 seconds.

Finally, to wrap up the WEP discussion, some issues to consider:
  • This new WEP auditing method is ideal for devices with limited power, such as PDAs. The CPU cycles required and the memory footprint (approx. 3 MB) are affordable for almost all devices. A capture of 40,000 frames only needs a PCAP file of about 6 MB.
  • As with every other WEP cracking method that speeds things up by injecting traffic, the duplicate IVs of the replayed ARP frame are easy to detect. You have deployed a wireless IDS, haven't you?
  • The current tool implementation requires ARP frames (but it can be modified to support other frames, such as IP packets, somewhat increasing its stealthiness). A patient attacker could even wait to collect all 40,000 ARP frames without injecting a single packet.
  • The speed of my setup can be increased by using two different cards, one for capturing traffic and another for injecting it (as the authors did), instead of a single card for both functions.
  • If you're using 104-bit Dynamic WEP you need to renew your keys every 30 seconds (or less)... Forget about WEP and any WEP derivative; deploy WPA/WPA2!!
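The duplicate-IV check from the second bullet, as an added example that is not part of the original post or of any real wireless IDS: it walks raw 802.11 frames, extracts the WEP IV of each protected data frame, and flags a BSSID once the very same (IV, ciphertext) pair shows up more often than a threshold. A legitimate 24-bit IV wrap repeats the IV with different ciphertext; a replayed ARP frame is byte-identical every time. The frame layout, the sample traffic and the threshold are constructed assumptions.

```python
import struct
from collections import Counter, defaultdict

# Assumed frame layout (no QoS/HT fields):
# frame control (2) | duration (2) | addr1 (6) | addr2 (6) | addr3 (6) |
# seq ctrl (2) | WEP IV (3) | key index (1) | ciphertext ... | ICV (4)
HDR_LEN = 24

def parse_wep_frame(frame):
    """Return (bssid, iv_hex, ciphertext) for a protected 802.11 data frame, else None."""
    if len(frame) < HDR_LEN + 4:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if ((fc >> 2) & 0x3) != 2 or not (fc & 0x4000):   # not data, or Protected bit clear
        return None
    to_ds, from_ds = fc & 0x0100, fc & 0x0200
    if to_ds and from_ds:                              # 4-address WDS frame, ignored here
        return None
    bssid = frame[4:10] if to_ds else frame[10:16] if from_ds else frame[16:22]
    iv = frame[HDR_LEN:HDR_LEN + 3]
    return bssid.hex(":"), iv.hex(), bytes(frame[HDR_LEN + 4:])

def detect_iv_replay(frames, threshold=5):
    """Map BSSID -> [(iv_hex, count)] for (IV, ciphertext) pairs seen more than threshold times."""
    seen = defaultdict(Counter)
    for frame in frames:
        parsed = parse_wep_frame(frame)
        if parsed:
            bssid, iv, ct = parsed
            seen[bssid][(iv, ct)] += 1
    return {bssid: sorted((iv, n) for (iv, _ct), n in c.items() if n > threshold)
            for bssid, c in seen.items() if any(n > threshold for n in c.values())}

def make_frame(bssid, src, dst, iv, ciphertext):
    """Constructed sample frame: data, ToDS=1, Protected=1 (addr1=BSSID, addr2=SA, addr3=DA)."""
    fc = struct.pack("<H", 0x0008 | 0x0100 | 0x4000)
    return fc + b"\x00\x00" + bssid + src + dst + b"\x00\x00" + iv + b"\x00" + ciphertext

# Constructed traffic: the BSSID from the post, one client, and a stand-in for the
# 36-byte encrypted ARP body. 50 distinct IVs, then one frame replayed 20 times.
BSSID = bytes.fromhex("00183986F25A")
CLIENT = bytes.fromhex("0011223344AA")
BCAST = b"\xff" * 6
ARP_CT = bytes(range(36))
normal = [make_frame(BSSID, CLIENT, BCAST, i.to_bytes(3, "big"), ARP_CT) for i in range(50)]
replayed = [make_frame(BSSID, CLIENT, BCAST, b"\x00\x00\x07", ARP_CT)] * 20
ALERTS = detect_iv_replay(normal + replayed)   # {'00:18:39:86:f2:5a': [('000007', 21)]}
```

A real sensor would read frames from a monitor-mode capture and time-window the counters, but the trigger condition is the same.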

2 Comments:

Blogger Unknown said...

Hi, if you want some more speedup on 40 bit keys, you may replace the KEYLIMIT/10 by KEYLIMIT or so.

8:24 PM  
Blogger Raul Siles said...

The numbers provided in the post are based on using KEYLIMIT for 40-bit keys, as Erik wisely suggested.

2:40 PM  