Wireless - WEP CRACK CLASSICS Disclaimer And 'encouraged the reproduction, modification, duplication, copying, distributi on of these contents

for personal and collective. Unauthorized use of material i s a violation of applicable laws on intellectual property. You agree not to comp ly with all the information on trademarks and copyright material contained on th e downloaded or copied. The use of copy and reproduction in any other media and 'desirable. Good reading. Our machines are also yours. Our ideas are yours. Our desire for knowledge are yours. Our dreams are yours. Our intelligence and 'even yours. Information wants to be free. Intro The following lines are the translation (slightly revised) of Chapter 17 ("Wirel ess Security") of the book "Security Warrior by Cyrus and Anton Chuvakin Peikari O'Reilly, (first edition in January 2004). This is a fast but non-trivial illus tration of the classical approach that is now taken to crack the WEP attack FMS (which takes its name from the initials of the three mathematicians, Fluhrer, Ma ntin and Shamir, authors of the now famous " Weaknesses in the Key Scheduling Al gorithm of RC4 "). We report on the project website WEPCrack: http://wepcrack.sourceforge.net/ PDF original Fluhrer, Mantin and Shamir: http://www.drizzle.com/ ~ aboba/IEEE/rc4_ks aproc.pdf's website Wi-Fi Alliance: http://www.wi-fi.org/OpenSection/index.asp T he reference website for the community 'wireless Rome http://www.romawireless.ne t/ our website: By http://www.auroemarco.org FRNK Rome, April 2005 Wireless Security The certification of wireless Ethernets and 'classified and controlled by the IE EE 802.11 standard. 802.11 is divided in turn into additional certifications, su ch as 802.11a, and 802.11g 80211b. Each standard defines a different method for providing access to wireless networks. Despite the rapid expansion of 802 .11 g standard more 'spread globally and' still 802 .11 b. An 802.11b device works by sending a signal via the DSSS (direct sequence spread spectrum) on the 2.4-GHz f requencies. Problems with WEP Wireless transmissions are inherently insecure, because (for example) allow anyo ne to access data on your home network wirelss, even from a car tens of meters a way from your home. As many know, the IEEE 802.11 standard includes a basic secu rity protocol known as WEP (Wired Equivalent Protocol). It is a protocol that de fines a set of instructions and rules by which wireless data can be transmitted via radio with a minimum of security. WEP is the de facto standard for the produ ction of hardware and software 802.11. To make the data secure, WEP uses the RC4 algorithm to encrypt packets, as soon as they emerge from the access point or a wireless network card. RC4 and 'a secure algorithm, and will be' so for many ye ars to come. In the case of WEP, and 'the specific implementation of the RC4 alg orithm, not the algorithm itself, to represent the problem. In a fairly busy net work (eg a company), and 'can capture enough data to crack WEP encryption in a t ime ranging from 2 to 6 hours. Break the encryption of a home network usually re quires more 'time, since the flow of data and' very small compared to a corporat e network. In any case, 'recommended to use the same WEP, not only because it' s a minimum form of security, but also because 'serves as a gentle warning that i t is a private network, shared with the community'. Some products (like Windows XP) are mapped automatically, and by default, with the signal more 'strong dispn ibile nearby. Cracking WEP WEP defines the methods by which wireless data should be made safe. Unfortunatel y, it can 'be easily cracked. Although the proposed standards (such as Wi-Fi Pro

tected Access, also known as WPA) improve significantly the security flaws found in WEP, the reality 'is that WPA has compatibility problems' down with most har dware 802.11 b. It follows that WEP is still the most prevalent and encryption s cheme 'widespread (and broken). WEP uses the RC4 algorithm to encrypt the data. RC4 and 'one of encryption methods most' popular, and it 'used in several applic ations, including SSL (Secure Sockets Layer), which is 'built into almost all' operation s related to electronic commerce. RC4 uses a number of issue that creates a uniq ue key (called packet key) for each packet of data encrypted. Do this by combini ng various features of a shared password,€a status value and a value known as t he initialization vector (IV) to obfuscate the data. This part dell'RC4 and 'als o known as key scheduling algorithm (KSA). The resulting array is used to seed a pseudo-random generation algorithm (PRGA), which in turn produces a flow of dat a put in XOR with the message (plaintext) to produce the ciphertext that travels on radio waves. The data transmitted consists of something more 'than the origi nal message, it also contains a value known as checksums. The checksum and 'a un ique value computed from the data contained in the package, is used to maintain the integrity' of the data during transmission. When the package is received and decrypted, the checksum is recalculated and compared with the original checksum . If the two checksums match, the packet is accepted, if not match, the packet i s discarded. The scheme not only protects the normal data corruption, but also w arns the user attempts to intrude upon communication. Once the data is decrypted , the IV is prepended to the data, along with a bit that marks the packet as enc rypted. All this is transmitted into the atmosphere, from where it is captured a nd decoded by the intended recipient. The process of decryption and 'the exact o pposite of the encryption process. First, the IV is removed from the package, an d related with the shared password. This value is used to recreate the KSA, whic h is in turn used to recreate the key-stream. The flow and the encrypted data pa cket are then placed in XOR, and the resultant and 'the plaintext. Eventually, t he CRC is removed from the plaintext and compared with the recalculated CRC: At this point, the packet is accepted or rejected. Most experts consider strong RC4 algorithm. In any case, due to some mistakes in the implementation dell'IV, cra ck the WEP and 'simple. Data Analysis When data is transferred over the air, can be easily caught using programs freel y available on the Internet. This type of monitoring was already 'been anticipat ed, and this' why the security of WEP and' was added to the 802.11 standard. Usi ng WEP, all data can be dimmed to become non-understandable. Although WEP can no t 'in any way prevent the interception of data, can' but 'to protect the interpr etation once captured. In any case there are flaws in the implementation dell'RC 4. If and 'can determine which data is sent before being encrypted, the cipherte xt and captured a known plaintext XOR can be put in to produce the keystream gen erated by the PRGA. The reason for this and 'that WEP produces ciphertext by com bining only two variables and acting on XOR. Equation 1 represents the final fun ction of the RC4 algorithm, which encrypts data: ciphertext = plaintext XOR keys tream How can 'see, the only value that mask the plaintext and' the keystream. If we reverse the process, we will see that the only value that form the keystre am and 'clear text, as described by equation 2: = Keystrem ciphertext XOR plaint ext is' simple remove the keystream from the encrypted data, if we have both the ciphertext to the original plaintext. The ciphertext and 'easy to catch, all yo u need is' a wireless sniffer, and we can collect gigabytes of encrypted data fr om any wireless network. Wireless Siniffing The quality 'of a sniffer and' directly proportional to information that can 'gi ve the user. For example, many people consider the best sniffer dsniff available - not because 'dsniff to capture the data better than Ethereal, and instead' to

ps the list of preferences of many professionals, but because 'dsniff incorporat es extra features, such as a password sniffer integrated, the ability 'to do ARP spoofing, and more. These little extras make it focused on certain activities'. On the other hand, some troubleshooting need sniffer hardware \ software extrem ely expensive. These devices can collect gigabytes of data and never miss even a package. The introduction of wireless networks has led to the creation of a new niche sniffer. Because of technical prescriptions natural and unique techniques of WLANs, quality 'and features' of a wireless sniffers are linked to how well they can' be integrated into an existing wireless network. Some sniffers merely capturing packets on the WLAN to which they are associated, while others can cap ture data from all active networks nearby. For an 802.11b network can be used 14 channels. As a result,€and 'possible to have more' than 4 different WLAN and s eparated in the same area (if any network uses more 'channels). To collect data from all wireless networks, the wireless device is running on the sniffer must o perate in 'passive. This mode 'allows you to capture all data in transit, but th e device will be able to' connect to any wireless network. In other words, will do 'anything but jump continuously between the different channels. To make thing s even more 'complicated, sniffing a wireless network mode' passive requires spe cial drivers, or at least a patch to drivers who already 'in use. When a network card is produced, is assigned a unique identifier known as the Media Access Con trol (MAC Address). Since it is assumed that this is a unique address, and 'key to transmit data over a network. There are several protocols that rely on MAC ad dress to work. It 'important to understand the meaning of the MAC address, becau se' indirect impact on data that can 'access the sniffer. When a network card op erates normally scans each packet traversing the network to see if the packets d estined for its MAC Address. If so, the data is passed to the next level of prot ocol stack, and finally comes to the program that was intended. If the package i s not 'addressed to the MAC address of network card, for practical reasons is si mply ignored. As a sniffer operates just above the hardware level of the stack o f network protocols, only receives data for the computer that is running. In oth er words, the sniffer sees only the local data. If this level of access can 'be helpful in some situations, the restricted access rooms makes almost all the efforts of any trou bleshooting. It 'at this point that sets the mode' promiscuous. When a network c ard is put into mode 'promiscuous accepts all data flowing on the cable to which and' connected, completely ignoring the MAC Address. There are many examples of wireless sniffer, an excellent example and 'Kismet (http://www.kismetwireless.n et). For PocketPC, you can 'also use Airscanner Mobile Sniffer (http://www.airsc anner.com). Airscanner can: - packet sniffing mode wireless' promiscuous - decod e UDP, TCP, Ethernet, DNS and NetBIOS - to conduct network analysis on an entire WLAN segment - customize filters catch (source IP, destination IP, UDP, TCP por t or MAC Address) - see the statistics on captured packets in real time - save t he results of a session is sniffing - libcap export data format (eg Ethereal) fo r further analysis Remove the keystream Now that we got a wireless sniffer to capture the encrypted data from a WLAN, we can extract a keystream, where we have both the ciphertext to the plaintext. Ho w do we know the original value? The most 'common way to predetermine a valid pl aintext and' convince someone to send or receive a message preached. For example , a chat session or sending an email could provide all the plaintext we need. Ho wever, this method can 'be difficult or extraneous data are mixed with predictab le data. For example, TCP \ IP and other IP headers contain information that cou ld distract us. Checksums, proprietary data added by the mail server, and much m ore data could obscure the predictable. So if you want to go ahead with this met hod, and 'send a message that increases the possibility' of obtaining data predi ctable. Could be done by simply sending an email full of empty spaces (for examp le), or a long string composed of the same (eg "AAAAAAAAAAAAAAAA"). Another meth od used to predetermine the plaintext and 'look for known headers. The TCP \ IP

headers contain IP are required to ensure proper delivery. If we can predetermin e the IP address of the access point or wireless client and guess the rest of th e data basing on user behavior that network, we can deduce the plaintext. Almost all packages include SNAP header as the first byte. Assuming that 'can determin e the plaintext of a message and use it to glean the keystream, what can we do w ith this information? The answer should be clear. It must be stressed that a key stream, or even a pair of keystream, itself 'are practically useless. And' when combining the knowledge gained in this type of attack by other means of wireless hacking the power of knowledge to a keystream becomes manifest. Collision IV WEP uses a value called the initialization vector, better known as IV. The RC4 a lgorithm uses this value to encrypt each packet with its key, adding or concaten ating the shared secret with the IV to create a new private key packet for each packet of information sent over the WLAN. However, if the sender uses an IV to e ncrypt the packet, the receiver must also know this bit of information to decryp t the data. Because of the way in which the WEP and 'was implemented this requir ement and' transformed from weakness to strength apparent reality. WEP uses an I V of 3 bytes for each packet sent over WLAN. When data is sent, the IV is prepen ded to the encrypted packet. This ensures the necessary information to the recip ient to decrypt the data. If we look more 'closely the statistical nature of thi s process, we shall soon see a potential problem. A byte is 8 bits. Thus, the to tal size and dell'IV 'of 24 bits (8 bits x 3 bytes). If we calculate all possibl e IV, we will have a list of 2 ^ 24 possible keys. This number 'derived from the fact that one bit can' be set to 0 or 1 (2), and there 's a total number of 24 bits. It might seem a huge number (16,777,216), but it is a small number if the associated communication. The reason lies in the probability 'of repetitions. Th e IV and 'a random number. When most people relate the word "incidental" to a nu mber like 16,777,216, the first thing that comes into their mind and 'that we mu st' wait for the transfer of 16 million packets before a repetition occurs. This is' completely false. In fact, based on probability ', we can reasonably expect to start seeing repeats (also known as collision) after about 5000 packets tran smitted, if not less. Whereas on average a wireless device transmits packets of 1,500 bytes, we expect a collision to occur already 'during a transfer a file fr om 7-10 MB (5000 x 1500 bytes = 7000000 packets btyes, or 7 MB). The keystream i s produced by various properties' password and dell'IV. In case of collision, th e IV and 'known as a value of three characters "1:2:3". Although we do not know the password and 'irrelevant, because' never changes. We can now deduct keystrea ms generated by the corresponding IV values. This flaw is not 'in itself the mai n problem of WEP, because the small size dell'IV. If the IV was much more 'big, the time required for a refund that would be much greater, and would create a sc enario much more' difficult to send data over the network predictable. Whereas a package and 'generally large 1500 bytes and IV only 3 bytes, we would have many more' feature '. However, in the name of speed 'and to maximize the flow of dat a, the protocol designers have reduced the size dell'IV. Practical WEP Cracking Now that we have seen the theory, we examine the practical steps to attack WEP. The resource most 'important signal for cracking encrypted with WEP and' time. M ore 'long-capture data, more' we get closer to a collision that will reveal 'a k ey bytes. Based on empirical data, there 'a possibility' of 5% that happen. On average, we need to get about 5 million frames to be able to crack a signal encrypted with WEP. In addition to wireless sniffers, we will need a set of Perl scripts availa ble on http://sourceforge.net/projects/wepcrack called (rightly) WEPCrack. Once collected the necessary tools, we must 'perform the following steps: 1) capture the signal encrypted with WEP using our favorite wireless sniffer (about 5 milli on frames) 2) command line, run the script prism-getIV.pl in this way: prism-get IV.pl capturefile_name capturefile_name and where 'filename capture of step 1. W

hen you find a weak IV, the program creates a file IVfile.log 3) WEPcrack.pl run , looking inside the IVs recorded IVfile.log and try to guess a WEP key. The out put of WEPcrack.pl and 'decimal. We will need a conversion tool decimal-to-Hex 4 ) Consider the version of the Hex key and ... we did!