Re: WEP attacks based on IV Collisions

[Aaron Drew <ripper () internode on net>]

> First, correct me if I am wrong, but it seems like a non-trivial task
> to actually determine the WEP key if you have zero knowledge about the
> target network, i.e. IP addressing, AND can't readily inject 802.11b
> frames into the target network just because you have a usable
> keystream?  Has anyone found differently?

Well in this case you essentially have:

        Random WEP bitstream XOR Random data

Good luck. Statistical methods might work if you have LOTS of data for each 
possible IV (of which there are 16 million). I don't know of anyone that has 
bothered to look into this seriously.

> follows directly, since all the pairwise XORs are known."  But that's just
> my confusion - if you have the
> keystream (IV + Secret key run through RC4) and you have the original
> plaintext, then why can't you determine the secret key as well?

The (40 or 104 bit) WEP key is merged with the IV (stored in plaintext int he 
packet) to give a 64 or 128bit number. This is used to seed a pseudo-random 
number generator built around RC4. All you get when you know the plaintext is 
a section of the pseudo-random number sequence. Going from that sequence back 
to the secret key is non-trivial. That said, the CRC at the end of the wep 
packet can be used to verify decryption (check out the wep_tools.tgz package) 
and/or to do an offline brute-force crack.

> Last, what types of traffic or methods are used to determine a
> plaintext?  I've seen one method mentioned:  inject an ARP packet to the
> AP encrypted with the known keystream.  But this seems to be based on
> having information such as IP addressing on the target network, which
> isn't known in this case.

I've used ping packets of known length to a known IP (WEP doesn't pad packets 
so its easy to determine your traffic). Its fairly trivial to pick out your 
traffic if you know a valid IP address on the network. 

For something off-the-wall that I have always wanted to try - There are 
various fields in IP/ethernet traffic that are always constant or can be 
calculated easily (Protocol IDs, length fields, etc). It should therefore be 
trivial to find the WEP PRN sequence for these parts of the packets - even if 
their content is unknown. It might be possible to use that information to 
launch an offline brute-force attack that is faster than using the CRC attack 
(less processing).


> [1] "Security of the WEP algorithm"
> http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
>
>
>
>
> ---------------------------------------------------------------------------
> --- Ethical Hacking at the InfoSec Institute. Mention this ad and get $545
> off any course! All of our class sizes are guaranteed to be 10 students or
> less to facilitate one-on-one interaction with one of our expert
> instructors. Attend a course taught by an expert instructor with years of
> in-the-field pen testing experience in our state of the art hacking lab.
> Master the skills of an Ethical Hacker to better assess the security of
> your organization. Visit us at:
> http://www.infosecinstitute.com/courses/ethical_hacking_training.html
> ---------------------------------------------------------------------------
> ----


------------------------------------------------------------------------------
Ethical Hacking at the InfoSec Institute. Mention this ad and get $545 off
any course! All of our class sizes are guaranteed to be 10 students or less
to facilitate one-on-one interaction with one of our expert instructors.
Attend a course taught by an expert instructor with years of in-the-field
pen testing experience in our state of the art hacking lab. Master the skills
of an Ethical Hacker to better assess the security of your organization.
Visit us at:
http://www.infosecinstitute.com/courses/ethical_hacking_training.html
-------------------------------------------------------------------------------