
Monday, October 17, 2016

WI-FI PT / 3 - ATTACKS AGAINST AUTHENTICATION AND ENCRYPTION / 3.5 - Korek Chopchop attack against WEP


3.5 - Korek Chopchop attack against WEP

- Unlike the previous attacks against WEP, the goal of the KoreK chopchop attack is not to recover the WEP key but to decrypt one specific packet captured on the attacked network, and it does so without knowing the key: its output is the plaintext of that packet and, as a by-product, the RC4 keystream for that packet's IV. Once aireplay-ng has written the replay_dec-X.cap file, Wireshark can be used to inspect the decrypted packet. The attack rests on the algebra of the Cyclic Redundancy Check (CRC-32) that WEP uses as its integrity check value (ICV): because CRC-32 is linear, the attacker can chop the last byte off an encrypted frame, guess the value of that plaintext byte, and patch the last four bytes of the truncated frame so that it carries a valid ICV exactly when the guess is right. The access point accepts (and relays) the frame only in that case, which turns it into an oracle that leaks one plaintext byte per round, at most 256 guesses per byte.
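To make the CRC argument concrete, here is an added example (written for this page, not code from the original post or from aircrack-ng) that models the attack end to end in Python: a toy WEP encryptor, an ICV-validity oracle standing in for the access point, and a chopchop loop that recovers the packet's plaintext and keystream without ever reading the key. The key, IV and message are constructed values, not taken from any real capture.

```python
# Added example, not from the original post or aircrack-ng: a toy model of
# KoreK's chopchop attack. KEY, IV and MSG below are constructed values.
# The attacker never reads KEY; it only asks an ICV-validity oracle (the role
# the access point plays in the real attack) whether a modified frame is valid.

POLY = 0xEDB88320                       # reflected CRC-32 polynomial (WEP ICV)
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ POLY if c & 1 else c >> 1
    CRC_TABLE.append(c)

# The high byte of the CRC-32 table entries is a permutation of 0..255; this is
# what lets the chopped byte identify the table index used in the last CRC step.
HIGH_TO_INDEX = {t >> 24: i for i, t in enumerate(CRC_TABLE)}
assert len(HIGH_TO_INDEX) == 256

def crc32(data: bytes) -> int:
    c = 0xFFFFFFFF
    for b in data:
        c = (c >> 8) ^ CRC_TABLE[(c ^ b) & 0xFF]
    return c ^ 0xFFFFFFFF

def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream (KSA + PRGA); WEP uses key = IV || secret key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, msg: bytes) -> bytes:
    """WEP body: RC4(IV||key) XOR (msg || little-endian CRC-32 of msg)."""
    plain = msg + crc32(msg).to_bytes(4, "little")
    return xor(plain, rc4(iv + key, len(plain)))

def wep_icv_ok(iv: bytes, key: bytes, body: bytes) -> bool:
    """What the AP does on receipt: decrypt and verify the ICV. The attacker
    learns only this one bit (the AP relays the frame or drops it)."""
    plain = xor(body, rc4(iv + key, len(body)))
    return len(plain) >= 4 and plain[-4:] == crc32(plain[:-4]).to_bytes(4, "little")

def chop_correction(guess: int) -> bytes:
    """KoreK's observation: if the chopped (last) plaintext byte was `guess`,
    XORing this 4-byte patch into the last four bytes of the truncated frame
    turns plaintext M||ICV(M) into M'||ICV(M'), M' being M without its last
    byte. The patch depends only on `guess` and the CRC table, so it can be
    applied to ciphertext without the key or any other plaintext byte."""
    i = HIGH_TO_INDEX[guess ^ 0xFF]          # table index of the last CRC step
    t = CRC_TABLE[i]
    return bytes([i ^ 0xFF, t & 0xFF, (t >> 8) & 0xFF, (t >> 16) & 0xFF])

def chopchop(iv: bytes, body: bytes, oracle):
    """Recover keystream and plaintext of an encrypted WEP body from the end,
    one byte per round, with at most 256 oracle queries per byte."""
    keystream = bytearray(len(body))
    cur = bytes(body)
    while len(cur) > 4:
        pos = len(cur) - 1                   # index of the byte being chopped
        chopped = cur[:-1]
        for guess in range(256):
            cand = chopped[:-4] + xor(chopped[-4:], chop_correction(guess))
            if oracle(iv, cand):             # AP accepted it: the guess was right
                keystream[pos] = cur[pos] ^ guess
                cur = cand
                break
        else:
            raise RuntimeError("no guess accepted: not a valid WEP frame?")
    # cur now encrypts the empty message plus its ICV, and CRC-32("") == 0, so
    # the four remaining ciphertext bytes are the first four keystream bytes.
    keystream[:4] = cur
    return xor(body, keystream), bytes(keystream)

# Constructed sample: 40-bit key, 24-bit IV, LLC/SNAP header plus a short payload.
KEY = bytes.fromhex("0123456789")
IV = bytes([0x11, 0x22, 0x33])
MSG = bytes.fromhex("aaaa030000000800") + b"hello"

def run_demo():
    body = wep_encrypt(IV, KEY, MSG)
    oracle = lambda iv, frame: wep_icv_ok(iv, KEY, frame)   # only place KEY is used
    return chopchop(IV, body, oracle)

if __name__ == "__main__":
    plain, ks = run_demo()
    print("plaintext:", plain.hex())
    print("keystream:", ks.hex())
    print("recovered message matches:", plain[:-4] == MSG)
```

In the real attack the oracle is the access point itself: aireplay-ng injects each patched frame and watches whether the AP relays it, which is why the source MAC must be one the AP accepts (hence the fake authentication of the earlier practices). The keystream the loop returns is what aireplay-ng writes to its .xor file; the plaintext is what ends up in replay_dec-X.cap. Real payloads start with a known LLC/SNAP header, so the tool does not need to chop all the way down to four bytes as the toy does.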

- The initial lab setup is the same as in the previous practices. To launch the attack, aireplay-ng is run with the -4 option, which selects the chopchop attack (as with the other aireplay-ng attacks, the target BSSID is passed with -b and the source MAC with -h):



- After reading some packets (55 in this case), aireplay-ng shows the selected packet and asks whether to use it. Answering yes starts the attack immediately: the chosen packet, still encrypted, is saved as replay_src-0918-224820.cap and the decryption proceeds byte by byte:



The attack is finished:



- aireplay-ng indicates where the results are saved: the recovered plaintext goes to a replay_dec-*.cap file and the recovered keystream to a replay_dec-*.xor file next to it:




- The replay_src-0918-224820.cap file and the files derived from it (the replay_dec plaintext and keystream files) have been created:



- Using Wireshark, the file replay_src-0918-224820.cap can be opened and decrypted. This file holds the original encrypted packet, so Wireshark needs the WEP key (configured in the IEEE 802.11 protocol preferences) to show its plaintext:



It can be verified that this is the same packet that aireplay-ng selected (its bytes start 8842 2C00 28C6 ...): the frame control field 0x8842 marks it as a QoS Data frame with the From DS and Protected Frame flags set, i.e. a data frame sent by the AP, the Motorola device 00:25:F2:9B:91:23, to the client "roch", whose Netgear wireless card has MAC 28:C6:8E:63:15:6B:



- The file replay_dec-0918-224925.cap already holds the plaintext that chopchop recovered, so Wireshark dissects it directly, without needing any key:



- In this case the packet was sent by 173.194.46.69 (a Google address) to the client "roch" (192.168.0.15) as part of an HTTPS connection: