From: Aaron Drew (ripper@internode.on.net)
Date: Fri May 21 2004 - 12:37:49 EDT
I would love to be enlightened, but I fail to see how this is 'full access' given that it only provides the PRN sequence of a single IV/Key pair. Since APs use different IVs for each packet transmitted, how is it possible to use their PRN discovery technique to gain access to packets encrypted with all other IVs?
-----Original Message-----
From: R. DuFresne [mailto:dufresne@sysinfo.com]
Sent: Thursday, May 20, 2004 1:55 PM
To: securityfocus@arkam.it
Cc: pen-test@securityfocus.com
Subject: Re: Wireless wep crackin on windows
From: Ivan Arce <ivan.arce@coresecurity.com>
Subject: Re: WEP attacks based on IV Collisions
Organization: CORE SECURITY TECHNOLOGIES
Date: Tue, 11 May 2004 02:49:16 -0300
To: pen-test@securityfocus.com
Nick Petroni and Bill Arbaugh have outlined an active attack that
would give you full access to a WEP encrypted wireless LAN
without knowledge of the secret key.
It relies on the lack of integrity checks for the wireless packets
which lets an attacker inject arbitrary packets into the LAN
without being detected.
The attack does not require you to crack any WEP key and uses
the fact that WEP wrongly uses CRC for integrity checks. This lets
an attacker mount an inductive attack to gradually recover additional
bits of a pseudorandom stream, provided that N bytes are initially
recovered with a known plaintext attack. They cite ARP and DHCP requests
as effective for this initial recovery. BTW, you don't really need to
*inject* packets for the initial recovery.
Full description of the attack appeared in:
"The Dangers of Mitigating Security Design Flaws: A Wireless Case Study"
Nick L. Petroni Jr. and William Arbaugh
IEEE Security & Privacy magazine, vol. 1, no. 1, January/February 2003
A powerpoint presentation is available at:
http://www.cs.umd.edu/~waa/wepwep2-attack.html
I am unaware of publicly available tools that implement the attack.
This might be old news but I am quite surprised that it is not mentioned
as popular and widely used as passive attacks focused on cracking keys.
-ivan
On Thu, 20 May 2004 securityfocus@arkam.it wrote:
> Hi all,
>
> one of my clients wants to see how secure his wireless network is, so he
> has asked me to try to enter his wlan.
> I've never done wireless pentesting before, so I'm here to ask ^_______^
>
> I'm basically using a windows machine, and I've already used netstumbler
> with my centrino wireless card to enumerate wlan networks, and with a gps
> receiver I can locate them on a map. I know there are many tools on linux
> for wep cracking, just like airsnort and others, but since I have little
> experience with linux OS, and I have to do this work in a few days, I'm
> searching for a wep cracker that can run on windows xp. Is there any one?
> Google did not help me ^_______^
>
> Thanks in advance,
>
> --
>
> Luca Dell'Oca
> CISSP Certified
> OPSA certified Analyst
> BS7799 Lead Auditor
> Arkam snc
> Via al Lago 68
> 21026 Gavirate (VA)
>
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart
testing, only testing, and damn good at it too!
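An added illustration of the point in Ivan Arce's forwarded message, that WEP's use of CRC-32 as its integrity value is the root of the problem. This is example code written for this archive page, not code from the thread or from Petroni and Arbaugh. It assumes a constructed toy frame format (plaintext followed by a little-endian CRC-32, the whole thing XORed with a keystream), uses random bytes in place of the RC4 keystream that WEP would derive from IV and key, and contrasts it with an HMAC-SHA256 tag under a separate key. The names `xor_bytes`, `tamper`, `wep_like_*`, `mac_*` and `demo` are all invented here.

```python
import hashlib
import hmac
import os
import zlib


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR of two equal-length byte strings."""
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_is_affine(msg: bytes, delta: bytes) -> bool:
    """CRC-32 is affine under XOR for equal-length inputs:
    crc(m ^ d) == crc(m) ^ crc(d) ^ crc(0...0).
    A keyed MAC has no such identity; this is why CRC cannot serve as one."""
    zeros = bytes(len(msg))
    lhs = zlib.crc32(xor_bytes(msg, delta))
    rhs = zlib.crc32(msg) ^ zlib.crc32(delta) ^ zlib.crc32(zeros)
    return lhs == rhs


# --- constructed WEP-like framing: CRC-32 ICV, then XOR with a keystream ---

def wep_like_protect(plain: bytes, keystream: bytes) -> bytes:
    icv = zlib.crc32(plain).to_bytes(4, "little")  # little-endian is a toy choice
    return xor_bytes(plain + icv, keystream[: len(plain) + 4])


def wep_like_verify(frame: bytes, keystream: bytes):
    """Receiver side: decrypt and accept only if the CRC matches. Returns the
    plaintext on success, None on an integrity failure."""
    body = xor_bytes(frame, keystream[: len(frame)])
    plain, icv = body[:-4], body[-4:]
    if zlib.crc32(plain).to_bytes(4, "little") != icv:
        return None
    return plain


def tamper(frame: bytes, delta: bytes) -> bytes:
    """Apply a plaintext XOR delta to a CRC-protected frame. Because XOR
    commutes through the stream cipher and CRC-32 is affine, the matching
    ICV correction is computable with no knowledge of the keystream."""
    crc_delta = (zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))).to_bytes(4, "little")
    return xor_bytes(frame, delta + crc_delta)


# --- the same framing with a keyed MAC (HMAC-SHA256) in place of the CRC ---

def mac_protect(plain: bytes, keystream: bytes, mac_key: bytes) -> bytes:
    tag = hmac.new(mac_key, plain, hashlib.sha256).digest()
    return xor_bytes(plain + tag, keystream[: len(plain) + 32])


def mac_verify(frame: bytes, keystream: bytes, mac_key: bytes):
    body = xor_bytes(frame, keystream[: len(frame)])
    plain, tag = body[:-32], body[-32:]
    expected = hmac.new(mac_key, plain, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return plain


def demo() -> dict:
    """Run both receivers against the same modification and report what each accepts."""
    plain = b"ARP who-has 10.0.0.1 tell 10.0.0.2"   # constructed sample payload
    delta = bytearray(len(plain))
    delta[-1] = ord("2") ^ ord("3")                 # flips the last digit: .2 -> .3
    delta = bytes(delta)
    keystream = os.urandom(len(plain) + 32)         # stand-in for RC4(IV || key)
    mac_key = os.urandom(32)

    crc_frame = wep_like_protect(plain, keystream)
    mac_frame = mac_protect(plain, keystream, mac_key)

    return {
        "crc_accepts_original": wep_like_verify(crc_frame, keystream),
        "crc_accepts_modified": wep_like_verify(tamper(crc_frame, delta), keystream),
        "hmac_accepts_original": mac_verify(mac_frame, keystream, mac_key),
        "hmac_accepts_modified": mac_verify(
            xor_bytes(mac_frame, delta + bytes(32)), keystream, mac_key),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The CRC receiver accepts the altered frame as valid, while the HMAC receiver rejects it; the difference is entirely in the integrity primitive, not in the cipher. That is the sense in which the thread's "lack of integrity checks" is a design flaw rather than a key-strength issue, and it is why later 802.11 designs moved to a keyed MIC.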