|
|
This section covers two attacks in detail: an attack known as the inductive chosen plaintext attack, discovered by Bill Arbaugh, and Sorbo's fragmentation attack. These tools use similar techniques to crack WEP in inventive ways. Both of them make heavy use of the fact that there is no replay protection in WEP. They also take advantage of the flawed shared key authentication outlined in the previous section. In order to understand these attacks, it's important to know how the RC4 stream cipher is used in WEP.
RC4 encryption works by generating a stream of random bytes. The random bytes generated are then XOR'd with the plaintext packet, and the result is called ciphertext. Before the random bytes are generated, RC4 must be initialized with a secret key. If two users both use the same secret key, they will generate the same random bytes. The user who receives the message can XOR the random bytes out of the encrypted message and re-create the original.
The problem with WEP is that it is possible to gather the random bytes RC4 generates without knowing the secret key. The most glaring example of this is the shared key authentication exchange. The attacker gets to see more than 128 bytes of plaintext and then gets to see it encrypted. By XORing these together, the attacker knows the output bytes generated by RC4 for the IV used.
Let's consider what this gives the attacker before turning it into a more advanced attack. The attacker can read the first 128 bytes of every packet that happens to be encrypted with the IV used in the authentication step. There are 2 24 possible IVs in WEP, however, so the odds of this being useful are pretty slim. More interestingly, the attacker can inject encrypted traffic using that IV. All he has to do is keep the packet smaller than the number of random bytes he already knows.
|
Popularity: |
1 |
|
Simplicity: |
2 |
|
Impact: |
6 |
|
Risk Rating: |
3 |
At the heart of the inductive chosen plaintext attack is a very simple observation. If an attacker knows X bytes of the RC4 keystream generated by the secret WEP key, she can get X + 1 bytes by guessing. Consider that an attacker watches a shared key authentication exchange and, therefore, knows 128 bytes of RC4 output for the given IV.
If she wants to send a packet that is 129 bytes long, all she has to do is guess the next byte of the keystream. There are only 256 possibilities, so it won't take long to find the correct one. Once an attacker has 129 bytes, she can use the same technique to get 130. Eventually, the attacker can recover as many bytes as she wants for a given IV.
A likely number to attempt to recover is 1500. Most 802.11 packets aren't larger than this because they will be put onto Ethernet-based networks where the MTU is 1500. Once an attacker knows 1500 bytes of keystream for a specific IV, she can read all of the data in any packet transmitted with this IV.
Of course, all of this applies to only one IV. There are 2 24 IVs available under WEP. If someone had a 1 out of 16 million chance of reading your traffic, you might not be too concerned. The real trick is in the next phase of attack.
Once an attacker has reached the 1500 byte mark, she can send broadcast ping packets using the IV she attacked. At this point, all the stations on the same subnet will respond with 1500 byte ping replies. Every reply will immediately give the attacker 1500 bytes of output for a randomly chosen IV. The attacker can use this to create an IV keystream dictionary, with exponential speed at this point. Given a few hours and around 24 gigs of space to store the keystream IV pairs, the attacker can read and write packets of any size on the network.
There are two unique aspects to this attack. One is that the attacker never recovers the WEP key. Instead, she builds a dictionary of IV keystream pairs. Every time she wants to read or write a packet, she must look up the keystream associated with an IV. An immediate consequence of this is that the size of the secret key used doesn't affect the efficiency of the attack.
In 2005 Sorbo (Andrea Bittau) released a paper describing an attack he called the fragmentation attack. In the paper, he described several optimizations (one related to fragmentation) that can be used to turn the inductive chosen plaintext attack into something much more practical. The attack allows for recovery of the WEP key using the statistical attacks mentioned previously but much more quickly. The basis for this attack is several optimizations related to creating traffic on the local network.
The creator of the fragmentation attack realized a number of things. One is that even without shared authentication, the first 8 bytes of RC4 output can be recovered from any data packet because the SNAP header of all 802.11 packets is 8 bytes and is well known. Using this, you can launch an attack similar to the inductive chosen plaintext attack described in the previous section, only you start out with a smaller number of bytes. By doing this, you can start injecting packets into an encrypted network even if it doesn't use shared authentication.
Once you can inject encrypted packets, you can do significantly better than just replaying ARP packets (which is what aireplay does). Instead, you can inject broadcast ping requests into the local subnet. Broadcast pings generate significantly more traffic than ARP packets alone.
The next optimization is where the attack gets its name. Sorbo realized that you can use 802.11's support for link layer fragmentation to inject packets that are larger than the size of the keystream you have recovered. This helps make up for starting out with only 8 bytes (instead of the 128 or so that a shared key authentication would give you). Instead of recovering 1500 bytes of keystream to encrypt a packet, you send a number of smaller fragments, each using the same IV. For example, to send a 1000-byte packet, you could send it in two 500-byte fragments, using the same IV and keystream on both. The biggest speedup Sorbo implemented was not fragmentation, however; it was using a host already on the Internet to help you create traffic.
The basic idea is that once you can inject packets, you send one destined for a machine you control on the Internet. That machine is then configured to start sending packets back to you. Doing this allows you to create local traffic much easier, as the traffic originates on the wired side of the AP and is summarily encrypted by the AP.
The net result of all these optimizations is that you can create traffic on the local network much more efficiently than previously possible. This can speed up statistical attacks against WEP tremendously. Sorbo demoed this attack at toorcon 2005 and broke a 40-bit WEP key in about five minutes.
WEPWedgie was actually the first tool that let you inject packets into an encrypted network without knowing the key. It worked by using the poorly designed shared authentication exchange. WEPWedgie was also was the first program to inject broadcast pings and take advantage of a host on the Internet to create traffic. ChopChop is an experimental feature in aircrack.
ChopChop works by systematically modifying an encrypted packet one byte at a time and replaying it to the AP. By monitoring if the AP accepts the modified packet, ChopChop can slowly decrypt any packet protected by WEP, regardless of key or key size. One good idea is to decrypt an ARP packet using this technique. This will reveal useful information about the local network layout.
Currently, there is no publicly available implementation of the inductive chosen plaintext attack. Most people would rather skip this one anyway and move right on to the hybrid statistical attack described by Sorbo.
Sorbo has released the code he demoed at Toorcon. While the attack certainly does work, it is very hardware and software dependent. In particular, it expects to be run on a FreeBSD box. It is also pretty picky about the hardware it uses to inject traffic. If you intend to get this attack running, you are going to have to get your hands dirty. If a cleaned-up version of this (perhaps using LORCON to inject packets) is ever created, it could bring statistical WEP cracking to new levels of speed.
The best technique to defeat these attacks is to use WPA or 802.11i. WPA employs many countermeasures that render all of these attacks impossible. If you can't use WPA for some reason, dynamically generated WEP keys will help against the statistical attacks. They will also discourage an attacker from building a IV keystream dictionary, since it will (hopefully) take longer to build than the life of the key.
|
|