Penetration Testing mailing list archives
WEP attacks based on IV Collisions
From: Jason Ostrom <jpo () pobox com>
Date: Wed, 28 Apr 2004 06:10:40 -0500
Hello,

In trying to determine the degree of sophistication it takes to decipher a WEP key based on IV Collisions, I have a Pcap dump with kismet sniffer and steadily increasing IV Collisions. A couple of questions.

First, correct me if I am wrong, but it seems like a non-trivial task to actually determine the WEP key if you have zero knowledge about the target network, i.e. IP addressing, AND can't readily inject 802.11b frames into the target network just because you have a usable keystream? Has anyone found differently?

This paper [1] provides pretty good examples of the attacks. In the "Passive Attack to Decrypt Traffic", if you have a known keystream with one known plaintext, then it looks like you could determine the plaintext WEP key after you XOR the ciphertext and run the results back through RC4 - I don't understand why the paper says "Once it is possible to recover the entire plaintext for one of the messages, the plaintext for all other messages with the same IV follows directly, since all the pairwise XORs are known." But that's just my confusion - if you have the keystream (IV + Secret key run through RC4) and you have the original plaintext, then why can't you determine the secret key as well?

Last, what types of traffic or methods are used to determine a plaintext? I've seen one method mentioned: inject an ARP packet to the AP encrypted with the known keystream. But this seems to be based on having information such as IP addressing on the target network, which isn't known in this case.

[1] "Security of the WEP algorithm" http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html
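The keystream-reuse property the post asks about, worked through as an added example (this is not code from the original thread or from the cited paper). The secret key, IV and frame contents are constructed sample values; the code shows why two frames under one IV yield their pairwise XOR, and why one known plaintext then decrypts the other frame without the secret key itself ever being recovered.

```python
# Added example (not from the original post): toy WEP-style RC4 encryption
# illustrating why reusing an IV under the same secret key leaks plaintext.
# Secret key, IV and messages are constructed sample values.


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key scheduling (KSA) followed by the PRGA; returns `length` bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):  # KSA: permute the state with the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):  # PRGA: emit one keystream byte per step
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP seeds RC4 with IV || secret key; the 3-byte IV travels in the clear."""
    return xor(plaintext, rc4_keystream(iv + secret, len(plaintext)))


def iv_collision_demo(secret: bytes, iv: bytes, known: bytes, other: bytes) -> dict:
    """Two frames encrypted under the same IV share one keystream.

    XORing the two ciphertexts cancels that keystream, leaving p1 XOR p2.
    With p1 known, the keystream for this IV is c1 XOR p1, and p2 follows.
    Note what is recovered: keystream bytes (PRGA output), not the secret
    key bytes that seeded the KSA, which is the distinction the post asks about.
    """
    c1 = wep_encrypt(secret, iv, known)
    c2 = wep_encrypt(secret, iv, other)
    n = min(len(c1), len(c2))
    pairwise_xor = xor(c1[:n], c2[:n])      # equals known XOR other
    keystream = xor(c1, known)              # keystream for this IV only
    recovered = xor(c2[:n], keystream[:n])  # decrypts the second frame
    return {"pairwise_xor": pairwise_xor, "keystream": keystream, "recovered": recovered}
```

Defensively, the demo is the reason to treat every repeated IV seen in a capture as a confidentiality loss for those frames, which is why IV-tracking alerts in wireless IDS tooling matter.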
Current thread:
- WEP attacks based on IV Collisions Jason Ostrom (Apr 30)
- Re: WEP attacks based on IV Collisions Joshua Wright (Apr 30)
- <Possible follow-ups>
- WEP attacks based on IV Collisions Jason Ostrom (Apr 30)