
STUDY REPORT FOR THE COURSE: NETWORK SECURITY

THE WEP SECURITY PROTOCOL

Prepared by:
0912529 Phan Thy Vn
0912174 ng Th Thu Huyn
0912597 Trnh Th Ngc Trang
0912515 Nguyn Trc Anh Tun
0912451 Nguyn Ngc Thnh

I. SUMMARY OF THE STUDY:
SECURITY IN WIRELESS
Why use wireless? The benefits of using a wireless system:
1. No physical connection limits: A wireless network provides all the features of LAN technologies such as Ethernet and Token Ring without the limits of a physical connection (cable limits) => bye bye cable. The first advantage of a wireless network is mobility. A WLAN makes it easy to transfer data between supported devices without the distance and space constraints of an ordinary wired network. Wireless users can connect to the network while moving anywhere within the coverage of the central device (Access Point).
2. Cost savings: clearly, with the cables gone, the cost drops considerably.
3. Easy to expand and shrink: with a wireless system, to connect you only need to be within coverage to pick up the signal and become part of the system.
4. Easy installation.

Because of these many advantages, wireless devices are taking over more and more of the market. The most typical representative of wireless devices is the mobile phone. The mobile phone market keeps growing.

By 2012 the number is predicted to reach the 50 billion mark, and there are more wireless devices than people. When choosing a device to buy, users today all care about its wireless connectivity. Because this growth cannot be stopped, studying wireless technology is well worth doing.

Why wireless needs security:
Apart from drawbacks such as:
Range: A standard 802.11g network with standard devices only works well within a few tens of metres. That suits a single house, but does not meet the needs of a large building. Meeting them requires buying additional repeaters or access points, which increases cost.
Reliability: Because radio waves are used for communication, interference and signal loss caused by other devices (microwave ovens, ...) are unavoidable, and they noticeably reduce the network's performance.
Speed: The speed of a wireless network (1-125 Mbps) is very slow compared with a cabled network (100 Mbps up to several Gbps).

security is the issue of greatest concern in wireless networks. So why is security a problem? Wireless LAN devices send and receive data over the wireless medium using electromagnetic waves. This lets users share a connection and move around easily, but data sent over the wireless medium can be captured easily. Because there is no spatial limit, an attack can happen anywhere: at an airport, in neighbouring offices, or anywhere wireless can be used. Appropriate measures are therefore needed when wireless is used to carry important data.

Security in a Wireless LAN provides users with the following services:
Confidentiality: protects data on the channel against passive attacks that aim to obtain the information being sent; it is achieved through encryption.
Access control: ensures that only authorized machines are allowed access.
Authentication: ensures that packets are sent from authorized machines, that is, that the parties in a session are not impersonated.
Integrity: ensures the integrity of the data, so that messages are not altered or duplicated.

Next we look at a protocol created to provide these properties to users: WEP

WEP:
Introduction to WEP:
WEP (Wired Equivalent Privacy) means security equivalent to a wired network (wired LAN). The concept is part of the IEEE 802.11 standard. By definition, WEP is designed to give a wireless network the same level of security as a traditional cabled network. For a LAN (as defined by the IEEE 802.3 standard), the security of data on the line against outside attacks is ensured by physical restriction: a hacker cannot directly access the cabling. The 802.3 standard therefore does not address encrypting data against unauthorized access. For the 802.11 standard, because access to the wireless medium is not physically restricted, anyone within coverage can access the data if it is not protected, so data encryption becomes the top priority.

Encryption in WEP:
WEP uses a stream cipher based on RC4. Encryption works as follows:
Step 1: WEP creates a 32-bit CRC (Cyclic Redundancy Check) checksum over the whole message. WEP calls this the integrity check value (integrity check bit), and this value is joined to the beginning of the plaintext.
Step 2: The secret key is joined to the beginning of the IV (initialization vector), and the result is fed to the RC4 pseudo-random number generator to produce the keystream. The keystream is a binary string whose length equals the length of the plaintext plus the length of the CRC.
Step 3: The plaintext with its CRC is XORed with the keystream to obtain the encrypted data (ciphertext), and then the IV (unencrypted) is added to the end of the ciphertext. The encryption process is complete.

RC4:
RC4 is a symmetric encryption algorithm designed by Ron Rivest (one of the inventors of the asymmetric encryption algorithm RSA) in 1987. RC4 is a stream cipher with a simple structure, used in Web security (SSL/TLS) and in wireless networks (WEP). The algorithm is based on a random permutation. The key is completely independent of the plaintext. A key of 1 to 256 bytes (8 to 2048 bits) is used to initialize the state table, the vector S, whose elements are S[0], S[1], S[2], ... The state table is used to generate a pseudo-random permutation and a random key stream. To encrypt data, each randomly generated key byte is XORed with a plaintext byte to produce a ciphertext byte. After 256 bytes, the key repeats. The process continues, each plaintext byte being XORed with one randomly generated key byte to form ciphertext, until the plaintext is exhausted, producing a ciphertext stream for transmission.

Steps in RC4 encryption:
Initialize the state vector table S.
Build the key vector table from the chosen key.
Permute S.
Generate the key stream.
XOR to encrypt or decrypt.

IV:
The initialization vector (IV) is a number added to the key in order to vary the encrypted output. The IV is joined on before the keystream is generated, so the key used for encryption consists of the IV and the key shared by the machines. Stream cipher using an initialization vector.

The IV is a 24-bit binary number. One shortcoming of the RC4 cipher is that it does not clearly specify how the IV is generated. The 802.11 standard recommends that the IV be changed for every frame sent. By adding the IV and changing it after each frame, choosing a random number from 1 to 16777215, the encrypted output differs for each frame even if the same data frame is sent twice. A repeated IV is called an IV collision. By monitoring all transmitted packets, a hacker can detect when an IV collision occurs. From identical IVs, the hacker can analyse and find the keystream using the principle that XORing two ciphertexts together gives the same result as XORing the two plaintexts together.

ICV:
Besides encryption, the 802.11 standard also defines 32 bits that ensure the integrity of the frame. These 32 bits let the receiver know that the frame it received is intact and unaltered. They are called the integrity check value (ICV). The ICV is computed over all fields of the frame using CRC-32. The sender computes this value and places the result in the ICV field; to keep a third machine from seeing it, the ICV is also encrypted with WEP. At the receiver, the frame is decrypted, the ICV is computed and compared with the ICV value in the received frame. If the two values match, the frame is considered intact; if they do not match, the frame is discarded.

Authentication:
Open authentication:
In the Open model no authentication is performed, and the Access Point allows all connection requests. Access control relies on the WEP key preconfigured on the end station and the Access Point. The end station and the Access Point must have the same WEP key in order to exchange information. If neither the end station nor the Access Point uses WEP, the Wireless LAN is unsecured: any device can join the network and data is sent in unencrypted frames. After Open authentication, the end station can start sending and receiving data. If the end station and the Access Point are configured with different WEP keys, the end station cannot encrypt or decrypt frames correctly and the frames are dropped at both the Access Point and the end station.

Weakness of Open authentication:
Open authentication gives the Access Point no way to determine whether a client is legitimate. This omission is a security weakness when WEP encryption is not used. Even when WEP is used, Open authentication does not help determine who is using the network. A legitimate device in the hands of an illegitimate user is as dangerous as having no security.

Shared Key authentication:
Unlike Open authentication, Shared Key authentication requires the end station and the Access Point to be configured with the same WEP key. Shared Key authentication proceeds as follows:
1. The client sends a Shared Key authentication request to the Access Point.
2. The Access Point replies with a challenge frame in unencrypted form.
3. The client receives the challenge frame, encrypts it and sends it back to the Access Point.
4. If the Access Point can decrypt the client's encrypted frame correctly and recovers the original frame, it sends the client a message announcing that authentication succeeded.
The basis of Shared Key authentication is similar to that of Open authentication, with the WEP key as the access control mechanism.

Weakness of Shared Key authentication:
Shared Key authentication requires the client to use the WEP key to encrypt the challenge frame from the Access Point. The Access Point authenticates the client by decrypting the client's encrypted packet and checking whether the decrypted packet matches the challenge.

The challenge exchange takes place over the wireless channel and opens a hole for plaintext attacks. The hole comes from the computation done during encryption. The encrypted string is obtained by XORing the data with the keystream. If the encrypted data is XORed with the data, the result is the keystream generated from the WEP key and the IV. An attacking machine listening to frames on the network captures the unencrypted challenge and the encrypted response. By XORing these two pieces of information, the attacking machine obtains the keystream. That keystream can then be used to decrypt packets with the same IV, as well as to send valid encrypted packets built with it to attack other machines on the network.

Weaknesses of WEP:
WEP uses RC4, a stream cipher, which requires a mechanism ensuring that two identical pieces of data do not give the same result after two separate encryptions. The IV is added to the key in order to produce a different key for each encryption. The way the IV is used is the source of most of the problems in WEP, because the IV is transmitted unencrypted in the header of the data packet. Anyone who captures a data packet on the network can see it. With a length of 24 bits, the IV ranges over about 16 777 216 values. When a collision occurs, a hacker can capture the data packets and find the WEP key.

The most convincing and most dangerous hole is that the WEP key can be reconstructed by collecting a certain number of frames on the network. This hole is due to the way WEP generates the keystream. The AirSnort program exploits this hole and demonstrated that a 40-bit or 104-bit WEP key can be found by analysing 4 million frames. In high-density Wireless LANs, the WEP key can be found after about 1 hour. Today, however, networks using WEP can be broken very quickly. After less than a minute spent intercepting data (nearly 100 000 packets), WEP can be broken in just three seconds.
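How quickly a 24-bit IV space produces repeats, and how a capture summary can be audited for them, as an added Python example that is not part of the original report. It assumes randomly chosen IVs and uses the standard birthday approximation; the capture list and station addresses are constructed.

```python
import math
from collections import defaultdict

IV_SPACE = 2 ** 24   # 16,777,216 values for a 24-bit IV

def collision_probability(frames: int) -> float:
    """Birthday approximation: chance that `frames` random IVs contain a repeat."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2 * IV_SPACE))

def frames_for_probability(p: float) -> int:
    """Smallest number of frames whose collision probability reaches p."""
    n = max(2, math.ceil(math.sqrt(2 * IV_SPACE * math.log(1 / (1 - p)))))
    while collision_probability(n) < p:
        n += 1
    while n > 2 and collision_probability(n - 1) >= p:
        n -= 1
    return n

def find_iv_reuse(frames):
    """Return {iv: [(frame index, station), ...]} for every IV seen more than once.
    All stations share one static key, so a repeat between two different
    stations reuses the keystream just like a repeat from a single station."""
    seen = defaultdict(list)
    for index, (station, iv) in enumerate(frames):
        seen[iv].append((index, station))
    return {iv: hits for iv, hits in seen.items() if len(hits) > 1}

# Constructed capture summary: (transmitter address, IV as hex); not real traffic.
CAPTURE = [
    ("02:00:00:00:00:01", "000001"),
    ("02:00:00:00:00:02", "000001"),   # second station, same IV
    ("02:00:00:00:00:01", "000002"),
    ("02:00:00:00:00:03", "7a31c4"),
    ("02:00:00:00:00:01", "7a31c4"),
]

if __name__ == "__main__":
    print(frames_for_probability(0.5), collision_probability(100_000))
    for iv, hits in find_iv_reuse(CAPTURE).items():
        print(iv, hits)
```

With random IVs a repeat becomes more likely than not after a few thousand frames, far below the 16 777 216 possible values.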

In addition, these attacks are all passive: the attackers only need to collect data packets on the channel without communicating with the Access Point. This makes attacks that recover the WEP key difficult to detect.

Another weakness of WEP lies in the authentication process: a known piece of data and its known encrypted form can be used to extract the keystream. As mentioned in the previous section, this keystream is only useful for decrypting frames encrypted with the same IV. Ideally, a hacker could collect all keystreams to build a keystream database able to decrypt all data on the network and also to break into the network. Calculations have shown that about 21 GB of storage is needed to build such a database. In a WLAN that does not use Shared Key authentication, a hacker can collect a large number of keystreams in a short time by means of a bit-flipping attack.

Although not exactly a weakness, WEP supports only pre-shared static keys. Authentication in 802.11 authenticates the device, not the user of the device, so a lost wireless card becomes a security problem for the WLAN. The network administrator has to spend a great deal of effort and time reassigning the WEP key on all wireless devices in the network. Reassigning keys is acceptable in a small network, but in medium and large networks, where the number of wireless devices can reach the thousands, a key distribution method is needed, or the administrator must keep tight control over all wireless devices in the network.

WEP attack methods:
Using the holes in WEP encryption and in the 802.11 standard, a hacker can easily attack to obtain the WEP key and the data. We look more closely at the stages, from eavesdropping and disruption to deeper attacks on the network.

Plaintext attack:
An eavesdropper can capture both the unencrypted challenge string from the AP and the corresponding encrypted string from the client. With these two values the eavesdropper can perform an XOR to obtain a valid keystream. The eavesdropper can then use this keystream to decrypt frames whose size matches the keystream, provided the IV is the one used to generate that keystream.

Bit-flipping attack on frames:
This relies on the weakness of the integrity check value (ICV). The ICV is based on the CRC-32 polynomial function. CRC-32 is not an effective means of checking data integrity. The mathematical properties of CRC-32 allow a frame to be forged and its ICV modified without the original content of the frame being known. Although the size of the data portion can vary from frame to frame, the other parts of the frame do not change and the bit positions stay the same. A hacker can take advantage of this and forge the data portion to modify the higher-layer packet. The bit-flipping attack on a frame proceeds as follows:
The hacker captures a frame from the WLAN.
The hacker changes random bits in the data portion of the frame.
The hacker changes the ICV.
The hacker transmits the modified frame.
The receiving station (client or AP) receives the frame and computes the ICV from the frame's content.
The receiving station compares the computed ICV with the frame's ICV field.
The receiving station accepts the modified frame (the comparison succeeds).
The receiving station passes the frame up to the upper-layer device (router or PC).
Because bits in the layer 3 packet have been changed, the layer 3 check fails.
The IP protocol stack of the receiving station generates a predictable error.
Meanwhile the hacker listens on the WLAN to collect the encrypted error messages. From them the hacker can derive the keystream.
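Why the receiver's CRC-32 comparison succeeds on a modified frame, shown next to a keyed MAC that rejects the same change, as an added Python example that is not part of the original report. The fixed keystream stands in for the RC4 output of one frame; the payloads, the integrity key and all function names are constructed for illustration.

```python
import hashlib
import hmac
import zlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    return zlib.crc32(data).to_bytes(4, "little")

# Constructed stand-in for one frame's RC4 keystream; only sender and receiver know it.
KEYSTREAM = hashlib.sha256(b"constructed keystream").digest()
MAC_KEY = b"constructed integrity key"

def wep_seal(data: bytes) -> bytes:
    """WEP style: keystream XOR (data || CRC-32 ICV)."""
    return xor(data + icv(data), KEYSTREAM)

def wep_open(ct: bytes):
    """Receiver check from the text: decrypt, recompute the ICV, compare."""
    body = xor(ct, KEYSTREAM)
    data, tag = body[:-4], body[-4:]
    return data if icv(data) == tag else None

def icv_patch(delta: bytes) -> bytes:
    """ICV change caused by XORing delta into any message of the same length.
    CRC-32 is affine over XOR: crc(m ^ d) = crc(m) ^ crc(d) ^ crc(00..0)."""
    return xor(icv(delta), icv(bytes(len(delta))))

def modify_without_key(ct: bytes, delta: bytes) -> bytes:
    """Change data bits and fix the encrypted ICV using neither key nor keystream."""
    return xor(ct, delta + icv_patch(delta))

def mac_seal(data: bytes) -> bytes:
    """Hardened form: HMAC-SHA256 over the ciphertext under a separate key."""
    ct = xor(data, KEYSTREAM)
    return ct + hmac.new(MAC_KEY, ct, hashlib.sha256).digest()

def mac_open(frame: bytes):
    ct, tag = frame[:-32], frame[-32:]
    good = hmac.new(MAC_KEY, ct, hashlib.sha256).digest()
    return xor(ct, KEYSTREAM) if hmac.compare_digest(tag, good) else None

ORIGINAL = b"seq=0001;len=16"           # constructed payloads of equal length
CHANGED = b"seq=0009;len=16"
DELTA = xor(ORIGINAL, CHANGED)

if __name__ == "__main__":
    print("CRC-32 ICV:", wep_open(modify_without_key(wep_seal(ORIGINAL), DELTA)))
    sealed = mac_seal(ORIGINAL)
    tampered = xor(sealed[:len(DELTA)], DELTA) + sealed[len(DELTA):]
    print("HMAC      :", mac_open(tampered))
```

The CRC-32 check passes because the checksum has no secret input, while the HMAC comparison fails because the tag cannot be recomputed without the integrity key.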

Aircrack:
In 2008 the WEP security system of Wi-Fi deteriorated severely. Many attacks showed that it is really easy to obtain these keys and gain access to a Wi-Fi network or steal user data. Ralf-Philipp Weinmann, a security researcher and author of the aircrack-ptw tool, which can crack WEP in just a few minutes, gave this assessment at the time: "WEP security technology has been completely paralysed - even a child can easily do this. WEP can no longer guarantee the safety of Wi-Fi users". Mr. Weinmann and his colleagues revealed aircrack in early 2007, but before that three other research groups, in 2001, 2004 and 2005, had also shown ways to break into WEP. On 1/10/2007 the first release, Aircrack-ng 1.0 beta1, was published, with Thomas d'Otreppe as developer.

The bytes obtained from the packet capture are arranged in rows. Since this is 128-bit WEP encryption, subtracting the 24 bits used for the initialization vector IV leaves 104 bits, so there are 13 characters, that is, 13 rows (104/8 = 13). In each row, the bytes with the highest vote counts are placed first, on the left, decreasing towards the right. The higher the vote count, the more "trustworthy" the byte. Usually the first column, the bytes with the highest vote count in each row, is the WEP key being sought. This is especially so when the depth column shows 0/1, meaning aircrack found the key in the first iteration with the first byte. That is the usual case, but it is not rare for the first byte not to be the key and for several iterations of computation to be needed; the depth column then shows a value > 0/1. Cracking the key of a WiFi network mainly uses the brute-force method, that is, choosing keys until one is right.

WEP is easy to break because the key stays unchanged during authentication, so you can attack actively by choosing keys until one is right, or passively collect packets from other clients to the access point and then filter out the key (the key is probably filtered out by comparing the matching parts of the packets the clients send when they send authentication requests to the AP). WPA/WPA2 is hard to break because the key is encrypted once more using the SSID (service set identifier) of the AP itself, so the number of cases becomes too large and in principle it cannot be broken.

WEP uses a fixed key shared between an Access Point and many users, together with a random 24-bit IV; the two common key lengths are 40/64 bits and 104/128 bits. Because WEP uses RC4, a stream cipher, a mechanism is needed to ensure that two identical pieces of data do not give the same result when encrypted at two different times. This is an important factor in data encryption, meant to limit a hacker's ability to guess the key. To achieve this, a value called the Initialization Vector (IV) is added to the key in order to produce a different key for each encryption. The IV is a 24-bit value, and the IEEE 802.11 standard recommends (but does not require) that it change with every data packet. Because the sending machine generates the IV according to no rule or standard, the IV must be sent to the receiving machine in unencrypted form. The receiving machine uses the IV and the key to decrypt the data packet.

The way the IV is used is the source of most of the problems with WEP. Because the IV is transmitted unencrypted in the header of the 802.11 data packet, anyone who "captures" data on the network can see it. With a length of 24 bits, the IV ranges over about 16,777,216 values. Security experts at the University of California, Berkeley discovered that when the same IV is used with the same key on an encrypted data packet (a concept loosely called an IV collision), a hacker can capture the data packets and find the WEP key. In addition, three cryptanalysts, Fluhrer, Mantin and Shamir (FMS), discovered further weaknesses in the IV generation algorithm for RC4. FMS outlined a method for detecting and using faulty IVs to find the WEP key.

In addition, one of the greatest dangers is that the attacks above are all passive. That is, the attacker only needs to receive data packets on the channel without communicating with the Access Point. This makes detecting attacks that recover the WEP key very difficult, almost impossible.

Because Aircrack-ng only listens to and analyses packets going to the AP, if no user is communicating with the AP it is almost impossible to capture packets. This is where aireplay-ng comes in. This program is used to generate traffic to capture, using various frame injection techniques. We will use the ARP Request Replay attack to generate injected packets (packet injection). Without packet injection, it could take many days to collect the required number of IVs!

II. REFERENCES:

For the WEP study, the document the group relied on most is:

Aircrack part: referenced from:

These two documents are attached with the submission. Demo part: see the walkthrough at: http://www.youtube.com/watch?v=pkXEa5TKlCo, along with many images and definitions from Wikipedia and other websites.

III. ATTACHED FILES:

1. Presentation slides on WEP
2. Report file
3. RC4 simulation software and source code
4. Demo video on how to crack WEP in Windows
5. The reference documents.

END
