Monday, October 17, 2016

WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.2 - Bypassing WEP Shared Key Authentication

3.2 - Bypassing WEP Shared Key Authentication

- Unlike the previous practice's attack, the goal of this attack is to bypass WEP authentication directly, without obtaining the Shared Key, while still allowing the attacker to connect to the AP, even with a fake MAC address.

- This is a more efficient attack against WEP encryption because the steps and processing involved are fewer than in the previous practice.

- In this case, let's set up the AP with WEP (64-bit) encryption:

- From the attacker "kali"'s command shell, the legitimate client "roch"'s connection is detected:

- Either from a deauthentication or a reconnection of the legitimate client "roch", packets between the AP and "roch" are captured and stored in the sharedkeyWEP file:

The file sharedkeyWEP and its derivatives are created, but the one of interest for this practice is sharedkeyWEP-01-00-25-F2-9B-91-23.xor:

- Now, the aireplay-ng command is used in a quite different way from before:

a) first, the injected packet contains the keystream (the .xor file captured above) that WEP used to authenticate "roch" with the AP.

b) second, "kali" uses a fake MAC address such as AA:AA:AA:AA:AA:AA to cover any track of the attack.

Now, it can be verified that "kali" has successfully joined the network "spaniard":

It even receives an IP address through DHCP:

"kali" is now part of the network "spaniard", and is able to ping the default gateway:

Also, "kali" has access to the Internet through the AP's external interface, as shown by pinging Google's public DNS:

Airodump-ng detects both clients, the legitimate "roch" and the attacker "kali", connected to the "spaniard" network:

- Also, the AP detects both clients connected, which is amusing because "kali" shows the obviously fake MAC address AA:AA:AA:AA:AA:AA.

Of course, in a real attack, "kali" would have chosen a less suspicious MAC than AA:AA:AA:AA:AA:AA.

As a conclusion of this practice, the attacker "kali" has been able to connect to a network directly, bypassing WEP Shared Key authentication, without needing to perform the steps of obtaining the encryption key, and faking its own MAC address to cover its tracks.
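As an added example (not part of the original post), a small WIDS-style check in Python that covers steps a) and b) above from the defender's side: replaying the keystream only works if the attacker also reuses the IV that the legitimate client used in its encrypted challenge response, so the same IV appearing in sequence-3 authentication frames from two different MACs is the signal to flag, and the locally-administered bit of the first octet marks software-set addresses such as AA:AA:AA:AA:AA:AA. The sample frames and the client MAC 00:1b:2c:3d:4e:5f are constructed, not taken from the practice's capture.

```python
# WIDS-style check for WEP Shared Key authentication replay (added example).
# Shared Key auth is a 4-frame exchange: seq 1 request, seq 2 clear-text
# challenge, seq 3 challenge encrypted under IV||key, seq 4 result.
# RC4 keystream depends on the IV, so a station that reuses another
# station's keystream must also send that station's IV in its seq-3 frame.

# Constructed sample records, not a real capture: (sta_mac, auth_seq, iv_hex).
# "iv" is None for the unencrypted frames (seq 1, 2 and 4).
SAMPLE_AUTH_FRAMES = [
    ("00:1b:2c:3d:4e:5f", 1, None),
    ("00:1b:2c:3d:4e:5f", 3, "7f3a10"),   # legitimate client answers the challenge
    ("aa:aa:aa:aa:aa:aa", 1, None),
    ("aa:aa:aa:aa:aa:aa", 3, "7f3a10"),   # same IV: replayed keystream
    ("08:11:96:55:01:02", 3, "1c0d44"),   # unrelated client, fresh IV
    ("00:1b:2c:3d:4e:5f", 3, "7f3a10"),   # retransmission by the same STA, not an alert
]


def is_locally_administered(mac):
    """True when the U/L bit (0x02) of the first octet is set, i.e. a software-assigned MAC."""
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def find_keystream_reuse(frames):
    """Return one alert per seq-3 auth frame whose IV was first used by a different STA."""
    iv_owner = {}   # iv -> first station seen answering a challenge with it
    alerts = []
    for sta, seq, iv in frames:
        if seq != 3 or iv is None:
            continue
        owner = iv_owner.setdefault(iv, sta)   # records the first user of this IV
        if owner != sta:
            alerts.append({
                "iv": iv,
                "first_sta": owner,
                "replaying_sta": sta,
                "locally_administered": is_locally_administered(sta),
            })
    return alerts


if __name__ == "__main__":
    for alert in find_keystream_reuse(SAMPLE_AUTH_FRAMES):
        print("keystream replay suspected:", alert)
```

On a live network the records would come from captured authentication frames (airodump-ng or a monitor-mode sniffer); the IV is the first three bytes of the WEP-encrypted frame body.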