The Trouble with WEP - PowerPoint PPT Presentation

1 / 18
About This Presentation
Title:

The Trouble with WEP

Description:

... sniffing, WEP cracking, and analysis Works on 802 ... 802.11g Uses passive monitoring & packet injection Main tools ... Kismet Network detector, sniffer, ... – PowerPoint PPT presentation

Number of Views:108
Avg rating:3.0/5.0
Slides: 19
Provided by: JimO97
Category:

less

Transcript and Presenter's Notes

Title: The Trouble with WEP


1
The Trouble with WEP
  • Or, cracking WiFi networksfor fun profit (not
    really)
  • Jim Owens

2
Overview
  • Background and a little history
  • How WEP works
  • WEPs major weaknesses
  • A short course in wardriving
  • Using kismet to scout out the wireless landscape
  • Zeroing in with the aircrack-ng suite
  • airodump, to capture traffic
  • aireplay, to replay weakly encrypted packets
  • aircrack, to find the key using statistical
    methods

3
Background history
  • Wireless Equivalent Privacy
  • Adopted in 1999 as part of 802.11 standard
  • Later swallowed whole by 802.11b standard
  • Initially, used only 40-bit encryption keys, due
    to technology export restrictions
  • Later, expanded to 104-bit keys when export
    restrictions were eased
  • Used 6 times as often as WPA/WPA2 despite known
    fatal weakness (85 / 14 / 1)
  • Based on a 2006 survey in Seattle area

4
How WEP works
  1. Plain text gets CRC-32 checksum appended
  2. 24-bit initialization vector pre-pended to key as
    a seed for RC4 key scheduling algorithm
  3. RC4s pseudo-random generation algorithm outputs
    keystream
  4. Keystream XORed with plain text
  5. IV in plain text pre-pended to message
  6. On receipt, keystream regenerated and XORed with
    cipher text to produce plain text

5
WEPs major weaknesses
  • IV space too small (224)
  • On a busy network, IVs must repeat in lt 5 hours
  • 50 probability that IV repeats in 5,000 packets
  • RC4 algorithm produces weak IVs that can be
    correctly guessed 5 or 13 of the time
  • No key management typically just one key
  • IP traffic contains much known plaintext data
  • Open to injected traffic that is rebroadcast

6
Wardriving Kismet
  • Network detector, sniffer, IDS
  • Works on 802.11b, 802.11a, 802.11g networks
  • Uses passive monitoring, so hard to detect
  • Logs sniffed packets in formats compatible with
    Wireshark/Tcpdump, Airsnort
  • Channel surfs automatically
  • Optionally, supports GPS for network location

7
Kismet Install configure
  • Binary packages available for most systems
  • Requires WiFi adaptor that supports monitor mode
    as capture source
  • Logs traffic in popular formats
  • Specify source in /etc/kismet/kismet.conf, as
    driver,device,source_name
  • sourceipw2200,eth1,Stella
  • Wireshark, Airsnort, etc.

8
Stella, the WiFi attack animal!
9
Wardriving Recon phase
  • Use Kismet to survey WiFi landscape and to choose
    a target network
  • Record necessary data for Aircrack attack
  • Channel number?
  • SSID?
  • Access point MAC address?

10
Wardriving Kismet
11
Wardriving Attack phase
  • Aircrack-ng Software for network detection,
    sniffing, WEP cracking, and analysis
  • Works on 802.11b, 802.11a, 802.11g
  • Uses passive monitoring packet injection
  • Main tools
  • aircrack-ng Cracking
  • airdecap Packet decryption
  • airmon Monitor mode switching
  • aireplay Packet injection (Linux only)
  • airodump Exports traffic to .cap files

12
Wardriving Aircrack procedure
  • Bring up adapter on targets channel in monitor
    mode
  • ifconfig wlan0 up iwconfig wlan0 mode
    Monitor channel 9
  • Capture packets to file on channel, IVs only
    airodump wlan0 ./berlin_dump 9 1

13
Wardriving Airodump
14
Wardriving Aircrack procedure
  • Find weakly-encrypted packets to replay in
    interactive mode
  • aireplay -2 -b 00146C40BAA6 \
  • -x 512 wlan0
  • Finally, crack WEP key with captured IVs
    aircrack -n 64 berlin-dump.ivs

15
Wardriving Aireplay
16
Wardriving Aircrack
17
Summary
  • WEP has numerous serious flaws
  • WEP's flaws are thoroughly documented
  • WEP is readily exploitable in a short time, by
    unskilled attackers, using readily available
    tools
  • Strong protection is readily available
  • Bottom line
  • Don't use WEP, period!

18
Questions?
That's all, folks!!!
Write a Comment
User Comments (0)
About PowerShow.com