3.1 - Attack against WEP encryption
3.1.1 - WEP encryption
- Wired Equivalent Privacy (WEP) is a security algorithm introduced by the University of California Berkeley, accepted as part of the IEEE 802.11 standards for wireless networks. Because of the great number of flaws inherent to WEP, it is nowadays considered obsolote. However, due to the fact that almost all Wi-Fi routers offer WEP as an option, and because there are a lot of available wireless networks using WEP, it is neccesary and interesting to study this standard. From the criptographic point of view, WEP uses the stream cipher RC4 for confidentiality, and CRC-32 checksum for integrity. There are two main versions of WEP, although working in a similar manner. All of them use a so called initialization vector (IV), what is a fixed size input generated randomly, that is eventually XOR operated with the keystream.
- WEP-40 uses a 40 bits key which is concatenated with a 24 bits IV to form the 64 bits RC4 key. The 40 bits key is formed by a string of 10 hexadecimal characters (4 bits for 1 char).
- WEP-104 uses a 104 bit key which is concatenated with a 24 bits IV to form the 128 bits RC4 key. The 104 bits key is formed by a string of 26 hexadecimal characters (4 bits for 1 char).
There are also two main authentication systems for WEP: Open and Shared Key.
- Open System authentication: the client does not need to provide any credentials to authenticate with the AP; actually, no authentication occurs, and WEP keys are used just for encrypting data frames.
- Shared Key authentication: a four step challenge-response handshake is used:
a) the client sends a request message to the AP.
b) the AP replies with a clear text challenge.
c) the client encrypts the text challenge with the WEP key, sending back to the AP.
d) the AP decrypts the response, if matches the AP sends back a positive reply.
- After the authentication, the WEP key is used to encrypt the data with RC4. Although it may seem that Shared Key method is safer than Open System, because the last one lacks of authentication, the truth is just the contrary. Due to the fact that challenge frames can be captured during the handshake in Shared Key, the keystream could be obtained.
- RC4 is a stream cipher, so same key must not be used twice. The initialization vector, transmitted unencrypted, tries to prevent any repetition. But a lenght of 24 bits is not enough to ensure this, so it could happen that two identical IVs were generated if busy traffic. A passive attack would consist on simulating replay packets and sniffing the responses for subsequent analysis. For the WEP-104 just 40.000 packets would be enough to obtain the WEP key with a 50% of probability, and around 85.000 data packets would ensure the 95% of probability of success. Using ARP packets reinjection, around 40.000 packets can be captured in less than 1 minute. So, cracking WEP is just a matter or time, just using software tools like aircrack-ng.
3.1.2 - Attack against WEP encryption
- First of all, the AP is set to use WEP encryption of 128 bits whith Shared Key Authentication.
- Introducing the passphrase AbCdEf12345$ a Network Key is generated: 1792424e9b00a0d2a4a8bc180a
- From the client "roch"s side, properties of the network are arranged:
- Then, "roch" is connected to the network:
- This process of connection for the client "roch" has been captured by the attacker "kali" with airodump-ng. The option - - write means that captures are stored at the .cap file called "archivoWEP":
- At previous screenshot it can be noticed that the number of data packets is very small, #Data = 61. For WEP cracking a larger number of packets is needed, so the network is forced to create more data packets.
- The tool aireplay-ng captures packets from the wireless network and reinjects them back simulating ARP responses. In this way a lot of traffic is generated for the network. Aireplay-ng identifies ARP packets by looking at their size. ARP protocol uses a fixed header that can be easily identified. It is essential that the victim client is already authenticated and associated to the AP.
- Option -3 means ARP replay, -b is for the BSSID, and -h for the victim's,"roch", whose MAC address is being spoofed:
- Due to the replay attack, the number of captured packets by airdump-ng is dramatically increased, from #Data = 61 to now #Data = 44376:
- In the meanwhile, "archivoWEP-01.cap" and some other derived files are storing the created packets by aireplay-ng:
- At this point of the attack, aircrack-ng is ready to be launched, using packets stored at "archivoWEP-01.cap":
- Due to the great amount of stored packets, it takes just an instant to find the key:
- Using the airdacp-ng command, captured packets at "archivoWEP-01.cap" can be decrypted:
3.1.3 - Connecting to the AP
- Once the attacker "kali" has been able to crack the WEP key, it is time for it to connect to the network. At the present moment of the practice "kali" is in "Not-Associated" mode:
- Using the iwconfig command, the SSID and the key, the attacker "kali" can connect to the network:
- The success of the connection is verified:
- Also, airodump-ng captures the fact that now there are 2 clients connected to the AP: the legitimate one ("roch"), and the attacker one ("kali"):
- In the same way, the AP detects both connected clients:
- Because DHCP is enabled by default, the AP assigns a dynamic IP to "kali":
- Now, the attack is a complete success because "kali" is authenticated and associated to the network, pinging any of the internal hosts, for instance the default gateway:
- Also, "kali" has got connection to the Internet, being able to ping Google's public DNS server: