On Thursday, 16 February 2006 at 20:40 -0600, Larry Finger wrote:
> I don't understand how injecting packets will help crack the wireless.
> If your AP uses encryption, as your inquiry suggests, anything sent
> that is not using that encryption scheme will be rejected. The most
> you will get is a NAK sent in the clear.
Then I think you missed the most interesting part of WEP cracking
techniques, and WiFi security as a more general matter... Just continuing
below.
> If you are using WEP, it can be cracked - there is no question. All it
> takes is to capture enough packets from a valid connection by just
> listening. It makes little difference if it is 64-, or 128-bit
> encryption.
"All it takes" can often take days depending on network usage. So the
idea is to boost traffic generation by precisely injecting traffic. And
you can do it, despite the WEP encryption, because WEP just sucks. Here
are some known working tricks:
. 802.11 payload starts with an LLC/SNAP header which can be easily guessed
for ARP and IP traffic. This basically gives you 8 bytes of RC4 output
you can use to cipher arbitrary data. So, yes, you can only send 4
bytes because of CRC32, but thanks to 802.11 fragmentation, you can split
up to 64 bytes of data payload into multiple smaller packets and thus
inject ARP traffic. As the AP will defragment the frame and send it as a
whole, you'll get longer RC4 output (36 bytes) you can now use to
fragment a longer payload into 32-byte fragments. Just do it again
until you get 1504 bytes of RC4 output to be able to inject anything
you want. So you can start achieving discovery, attack and stuff.
. WEP authentication has a known cleartext vulnerability, as the challenge
is first sent in cleartext and then ciphered. This means you can grab around
140 bytes of RC4 output for a given IV and can use it back to
first authenticate yourself and then cipher any arbitrary frame using
that very IV. This allows one to inject ARP traffic, basic network
discovery stuff, HTTP requests, etc. Answers are not very difficult to
spot as they're destined to your MAC address. You can as well use
fragmentation as described before to push it further.
. WEP is vulnerable to arbitrary frame modification because both XOR and
CRC32 are linear. That means that applying an arbitrary modification to
a ciphered frame can lead to another frame that will be consistent
from an 802.11 point of view. This vulnerability is used by chopchop to
decrypt a frame. The idea is to rip off a payload byte, make a guess
on the byte value, compensate the frame and send it back. As the AP is
(well, it should be) checking the frame before bouncing it to the network,
you can check if your guess is OK just by observing the network. So all you
have to do is make guesses until you reach the right value. You get
one byte. Then you do it again ripping off 2 bytes, etc. Chopchop can
just decrypt an ARP request in 5 seconds.
. WEP uses RC4 which does not affect the payload length. Considering MAC
addresses are sent in plaintext, it is very easy to spot ARP traffic. So
if you can see an ARP request and an answer to this very ARP request,
then you can try to inject the request again and again to stimulate
traffic. That's what aireplay basically does, allowing one to crack a
WEP key within a short timeframe, say between 10 min (if you're lucky)
and 45 min.
You can just have a look at my recent SecureCon talk on that very
subject (attacking WiFi with traffic injection) for more details:
http://sid.rstack.org/pres/0602_Securecon_WirelessInjection.pdf
BTW, I still agree on your WPA statement. Traffic injection is not
likely to work on WPA/WPA2 environments because they include
anti-replay/anti-injection countermeasures based on extended IV usage as
a sequence counter.
But it's not limited to ciphered networks. Open networks are all the
more prone to traffic injection in mostly (imho) two ways.
. The first one has been demonstrated live at Defcon 2004 by the airpwn
guys. The idea is to sniff the network and inject spoofed answers to
legitimate requests. That way, they were injecting picture
replacements into requested webpages. It's fun, but when you think of
JPEG, PNG or WMF exploits, you can achieve really nasty things this
way, not to speak of injecting malicious JavaScript, ActiveX and so
on.
. The second one is just pushing that concept further to establish a
full IP communication link using traffic injection. That's what my
Wifitap[1] PoC does. Sniffing traffic and injecting requests/answers,
one can just communicate with any wireless station, just spoofing the
BSSID or IBSSID. This way you can, among other things, bypass any AP
security feature (MAC filtering, station isolation) or just
communicate around without being associated or without AP or WIDS
reach.
This part on open networks is fun, but in the end not very difficult, and
all of that was known in the Ethernet world, but tends to get forgotten
because people don't use hubs anymore.
So, in the end, yes, traffic injection can be achieved on WEP networks
and it helps a lot cracking them.
[1] http://sid.rstack.org/index.php/Wifitap_EN
--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
_______________________________________________
Bcm43xx-dev mailing list
[email protected]
http://lists.berlios.de/mailman/listinfo/bcm43xx-dev
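The third point above (XOR and CRC32 are both linear, so a ciphered frame can be modified and still pass the ICV check) is the one worth seeing in code. The following is an added example, not code from the original post or from Wifitap: a toy WEP-style "plaintext || CRC32 ICV, XORed with a keystream" construction, a blind modification that keeps the ICV valid, and the hardened variant with a keyed HMAC that rejects the same modification. The plaintext, keystream, HMAC key and the "index" to "admin" difference are all constructed here; a random byte string stands in for the RC4 output.

```python
import hashlib
import hmac
import os
import zlib
# Constructed sample input (not from the original post): a plaintext and a
# random byte string standing in for the RC4 keystream.
PLAINTEXT = b"GET /index.html HTTP/1.0\r\n\r\n"
KEYSTREAM = os.urandom(64)
MAC_KEY = os.urandom(16)  # hypothetical key for the hardened variant

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR b into a; bytes of a beyond len(b) are left unchanged."""
    return bytes(x ^ y for x, y in zip(a, b)) + a[len(b):]

def crc_icv(data: bytes) -> bytes:
    """WEP-style integrity check value: unkeyed CRC32, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")

def wep_style_encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    """WEP-style: plaintext || ICV, XORed with the keystream."""
    return xor_bytes(plaintext + crc_icv(plaintext), keystream)

def wep_style_verify(ciphertext: bytes, keystream: bytes) -> tuple[bool, bytes]:
    """Receiver: strip the keystream, recompute the ICV, return (ok, data)."""
    body = xor_bytes(ciphertext, keystream)
    return crc_icv(body[:-4]) == body[-4:], body[:-4]

def apply_delta_blind(ciphertext: bytes, delta: bytes) -> bytes:
    """XOR a plaintext difference (same length as the data field) into the
    ciphertext without knowing the keystream, keeping the ICV valid: CRC32
    is affine, so crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros of len(p))."""
    icv_delta = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return xor_bytes(ciphertext, delta + icv_delta.to_bytes(4, "little"))

def mac_encrypt(plaintext: bytes, keystream: bytes, key: bytes) -> bytes:
    """Hardened variant: keyed HMAC-SHA256 tag in place of the CRC."""
    tag = hmac.new(key, plaintext, hashlib.sha256).digest()
    return xor_bytes(plaintext + tag, keystream)

def mac_verify(ciphertext: bytes, keystream: bytes, key: bytes) -> bool:
    body = xor_bytes(ciphertext, keystream)
    expected = hmac.new(key, body[:-32], hashlib.sha256).digest()
    return hmac.compare_digest(expected, body[-32:])

def demo() -> tuple[bool, bytes, bool]:
    """Returns (crc_icv_accepted, decrypted_tampered_text, hmac_accepted)."""
    delta = bytearray(len(PLAINTEXT))            # constructed difference:
    delta[5:10] = xor_bytes(b"index", b"admin")  # turn "index" into "admin"
    tampered = apply_delta_blind(wep_style_encrypt(PLAINTEXT, KEYSTREAM), bytes(delta))
    ok_crc, text = wep_style_verify(tampered, KEYSTREAM)
    tampered_mac = xor_bytes(mac_encrypt(PLAINTEXT, KEYSTREAM, MAC_KEY), bytes(delta))
    return ok_crc, text, mac_verify(tampered_mac, KEYSTREAM, MAC_KEY)
```

`demo()` returns `(True, b"GET /admin.html HTTP/1.0\r\n\r\n", False)`: the CRC-based receiver accepts the modified frame as consistent, the HMAC-based one does not, which is why a stream cipher needs a keyed MAC rather than a linear checksum for integrity.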