Penetration Testing mailing list archives
Re: WEP attacks based on IV Collisions
From: Ivan Arce <ivan.arce () coresecurity com>
Date: Tue, 11 May 2004 02:49:16 -0300
Nick Petroni and Bill Arbaugh have outlined an active attack that would give you full access to a WEP encrypted wireless LAN without knowledge of the secret key. It relies on the lack of integrity checks for the wireless packets, which lets an attacker inject arbitrary packets into the LAN without being detected.

The attack does not require you to crack any WEP key and uses the fact that WEP wrongly uses CRC for integrity checks; this lets an attacker mount an inductive attack to gradually recover additional bits of a pseudorandom stream, provided that N bytes are initially recovered with a known plaintext attack. They cite ARP and DHCP requests as effective for this initial recovery. BTW, you don't really need to *inject* packets for the initial recovery.

Full description of the attack appeared in:

"The Dangers of Mitigating Security Design Flaws: A Wireless Case Study"
Nick L. Petroni Jr. and William Arbaugh
IEEE Security & Privacy magazine, vol. 1, no. 1, January/February 2003

A PowerPoint presentation is available at:
http://www.cs.umd.edu/~waa/wepwep2-attack.html

I am unaware of publicly available tools that implement the attack. This might be old news, but I am quite surprised that it is not mentioned as popular and widely used as passive attacks focused on cracking keys.

-ivan

Joshua Wright wrote:
> One IP address always exists on every IP network - 255.255.255.255. I've been successful at accelerating weak IV collection by injecting ICMP Echo requests to the broadcast address on some networks, I'm sure there are plenty of other opportunities without knowing the network number.
>
> Fun stuff.
>
> -Josh
--
---
To strive, to seek, to find, and not to yield.
- Alfred, Lord Tennyson, Ulysses, 1842

Ivan Arce
CTO
CORE SECURITY TECHNOLOGIES
46 Farnsworth Street
Boston, MA 02210
Ph: 617-399-6980
Fax: 617-399-6987
ivan.arce () coresecurity com
www.coresecurity.com
PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836 B25D 207B E78E 2AD1 F65A
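The message above hinges on one property: CRC is a linear (affine) function, so it cannot serve as an integrity check once it is encrypted with a stream cipher. The following script is an added illustration of that property and of what a keyed MAC changes; it is not code from this thread, from Petroni/Arbaugh, or from any WEP tool. The sample frame, the toggle mask and the demo key are constructed here, and HMAC-SHA256 is used only as the contrast to CRC (it is not what WEP or its successors use).

```python
import hashlib
import hmac
import zlib

# Constructed sample payload and a constructed toggle mask of the same length
# (not captured traffic). The mask flips two bytes in the middle of the frame.
FRAME_A = b"GET /index.html HTTP/1.0\r\n\r\n"
_delta = bytearray(len(FRAME_A))
_delta[4] = 0x20
_delta[5] = 0x20
DELTA = bytes(_delta)

# Constructed demo key for the HMAC contrast; any secret key would do.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length strings."""
    if len(a) != len(b):
        raise ValueError("inputs must be equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_is_affine(a: bytes, d: bytes) -> bool:
    """Check the identity crc(a ^ d) == crc(a) ^ crc(d) ^ crc(0^n) for
    fixed-length input. It holds for CRC32, which means the checksum of a
    modified message is a predictable function of the original checksum and of
    the modification alone. That is why CRC catches line noise but is useless
    as an integrity check against a deliberate change, and why an XOR stream
    cipher on top of it does not help: the XOR difference passes straight
    through the keystream to both the payload and its checksum."""
    zeros = bytes(len(a))
    lhs = zlib.crc32(xor_bytes(a, d))
    rhs = zlib.crc32(a) ^ zlib.crc32(d) ^ zlib.crc32(zeros)
    return lhs == rhs


def _tag(key: bytes, msg: bytes) -> bytes:
    """Keyed integrity tag (HMAC-SHA256) over the message."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def hmac_is_affine(key: bytes, a: bytes, d: bytes) -> bool:
    """The same identity tested against a keyed MAC. For a sound MAC it fails
    (except with negligible probability): the tag of a modified message cannot
    be derived from the tags of its parts without the key."""
    zeros = bytes(len(a))
    lhs = _tag(key, xor_bytes(a, d))
    rhs = xor_bytes(xor_bytes(_tag(key, a), _tag(key, d)), _tag(key, zeros))
    return lhs == rhs


def make_tagged(key: bytes, msg: bytes) -> bytes:
    """Append a keyed tag to the message, as a stream cipher should carry
    alongside (or instead of) a CRC."""
    return msg + _tag(key, msg)


def verify_tagged(key: bytes, blob: bytes) -> bool:
    """Split message and tag and verify in constant time. Any flipped bit in
    the message part is rejected, unlike a CRC under a stream cipher."""
    tag_len = hashlib.sha256().digest_size
    if len(blob) < tag_len:
        return False
    msg, tag = blob[:-tag_len], blob[-tag_len:]
    return hmac.compare_digest(_tag(key, msg), tag)


if __name__ == "__main__":
    print("CRC32 affine identity holds:", crc32_is_affine(FRAME_A, DELTA))
    print("HMAC affine identity holds: ", hmac_is_affine(DEMO_KEY, FRAME_A, DELTA))
    blob = make_tagged(DEMO_KEY, FRAME_A)
    tampered = xor_bytes(blob[:len(FRAME_A)], DELTA) + blob[len(FRAME_A):]
    print("untampered verifies:", verify_tagged(DEMO_KEY, blob))
    print("tampered verifies:  ", verify_tagged(DEMO_KEY, tampered))
```

Running it shows the identity holding for CRC32 on every equal-length pair you try, failing for the keyed tag, and the tampered frame being rejected by `verify_tagged`. The practical takeaway for anyone still running WEP-era gear is the one the thread makes: a CRC under a stream cipher provides no message integrity at all, and only a keyed MAC (as in the 802.11i replacements) closes that gap.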