Penetration Testing mailing list archives
Re: WEP attacks based on IV Collisions
From: "Andrew A. Vladimirov" <mlists () arhont com>
Date: Thu, 10 Jun 2004 01:18:01 +0100
leonardo wrote:
> * Thursday 03 June 2004, at 13:43, pen-test () nym hush com wrote:
>> This is only true if Shared Key Authentication is in use. Vendors saw this as moronic years ago. I'm not sure how many APs (if any) use Shared Key Authentication as the default, but every AP I've seen has had Open System Authentication as an option (which essentially just skips that step).
>
> That's good, but is it the same for clients? If we're still talking about plain 802.11 with WEP then you can always deauthenticate a client and behave like an AP, asking the client to authenticate with Shared Key. Then you just have to send as a challenge text the bytes you want that client to crypt for you.
>
> ciao,
> leonardo.

Now this sounds like a good idea. Your rogue AP will send a nonce, receive the ciphertext and then the authentication will fail since you don't know the actual WEP key. However, you will get your ciphertext/plaintext pair and can get a piece of the keystream for a given IV by XORing. Then you feed it to WEPWedgie :) A more boring option would be feeding it to the Wnet's reinj.

The main technical problem here would be forcing the client to associate with your rogue AP and not the legitimate one. Thus, you'll have to DoS the legitimate AP when you can, for example by overfilling its authentication buffer using Void11.

Cheers,
Andrew

--
Dr. Andrew A. Vladimirov
CISSP #34081, CWNA, CCNP/CCDP, TIA Linux+
CSO
Arhont Ltd - Information Security.

Web: http://www.arhont.com http://www.wi-foo.com
Tel: +44 (0)870 44 31337
Fax: +44 (0)117 969 0141
GPG: Key ID - 0x1D312310
GPG: Server - gpg.arhont.com
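
The keystream exposure discussed in this message, as an added example that is not part of the original post or of any tool named in it: a self-contained simulation of the encrypted Shared Key Authentication response, showing that the cleartext challenge XORed with the response yields the RC4 keystream for that IV. The key, IV and function names are constructed for illustration.

```python
import os
import struct
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for the given per-frame key."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def auth_body(challenge: bytes) -> bytes:
    # Body of authentication frame 3: algorithm=1 (Shared Key), sequence=3,
    # status=0, then the challenge text element (element ID 16).
    return struct.pack("<HHH", 1, 3, 0) + bytes([16, len(challenge)]) + challenge

def with_icv(body: bytes) -> bytes:
    return body + struct.pack("<I", zlib.crc32(body))   # WEP ICV is CRC-32

def wep_encrypt(wep_key: bytes, iv: bytes, body: bytes) -> bytes:
    data = with_icv(body)
    return xor(data, rc4(iv + wep_key, len(data)))      # RC4 key is IV || WEP key

def recover_keystream(challenge: bytes, ciphertext: bytes) -> bytes:
    """Computed only from the cleartext challenge and the response; no key used."""
    return xor(with_icv(auth_body(challenge)), ciphertext)

def demo():
    wep_key = bytes.fromhex("0102030405")      # constructed 40-bit WEP key
    iv = bytes.fromhex("a1b2c3")               # constructed IV, sent in clear
    challenge = os.urandom(128)                # challenge text, sent in clear
    response = wep_encrypt(wep_key, iv, auth_body(challenge))
    keystream = recover_keystream(challenge, response)
    return keystream == rc4(iv + wep_key, len(keystream)), len(keystream)
```

The recovered bytes are keystream for that one IV, not the WEP key itself; with Open System Authentication this exchange never takes place.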