Collecting the Frames for Cracking WEP
The goal of an attacker is to discover the WEP shared-secret key. Often, the shared key can be discovered by guesswork based on a certain amount of social engineering regarding the administrator who configures the wireless LAN and all its users. Some client software stores the WEP keys in the operating system registry or in initialization scripts. In the following, we assume that the attacker was unsuccessful in obtaining the key in this manner and instead employs systematic procedures to crack WEP. For this purpose, a large number (millions) of frames need to be collected, because of the way WEP works.
The wireless device generates a 24-bit Initialization Vector (IV) on the fly. Because these bits are added to a shared-secret key of either 40 or 104 bits, one often speaks of 64- or 128-bit encryption. WEP generates a pseudo-random key stream from the shared secret key and the IV. The CRC-32 checksum of the plain text, known as the Integrity Check (IC) field, is appended to the data to be sent. The result is then exclusive-ORed with the pseudo-random key stream to produce the cipher text. The IV is attached in the clear to the cipher text and transmitted. The receiver extracts the IV, uses the secret key to regenerate the key stream, and exclusive-ORs the received cipher text with it to yield the original plain text.
Certain cards are so simplistic that they start their IV at 0 and increment it by 1 for each frame, resetting it on certain events. Even the better cards generate weak IVs from which the first few bytes of the shared key can be computed by statistical analysis. Some implementations generate fewer mathematically weak vectors than others.
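To make the mechanics above concrete, here is an added example (not code from the original article) that encapsulates a frame the way WEP does, IV || key-id byte || RC4(plain text || CRC-32 ICV), and then shows why the 24-bit IV is the weak point: when two frames are encrypted under the same IV and key, XORing their cipher texts cancels the key stream and leaves the XOR of the two plain texts, without any knowledge of the secret. Function names and the sample key and messages are this example's own.

```python
"""WEP encapsulation and the keystream-reuse weakness.

Added example; not code from the original article. The frame layout
(IV || key-id byte || RC4(plaintext || ICV)) follows the WEP design
described above; function names are this example's own.
"""
import zlib

IV_LEN = 3  # 24-bit IV, transmitted in the clear


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key-scheduling (KSA) followed by the pseudo-random generator (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """Integrity Check Value: CRC-32 of the plain text, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Build IV || key-id || RC4_{IV||secret}(plaintext || ICV)."""
    if len(secret) not in (5, 13):  # 40- or 104-bit shared secret
        raise ValueError("WEP secret must be 5 or 13 bytes")
    if len(iv) != IV_LEN:
        raise ValueError("IV must be 3 bytes")
    payload = plaintext + icv(plaintext)
    keystream = rc4_keystream(iv + secret, len(payload))
    key_id_byte = bytes([(key_id & 0x03) << 6])  # key index lives in bits 6-7
    return iv + key_id_byte + xor(payload, keystream)


def wep_decrypt(secret: bytes, frame: bytes) -> bytes:
    """Recover the plain text, or raise ValueError if the ICV does not match."""
    iv, body = frame[:IV_LEN], frame[IV_LEN + 1:]
    payload = xor(body, rc4_keystream(iv + secret, len(body)))
    data, tag = payload[:-4], payload[-4:]
    if icv(data) != tag:
        raise ValueError("ICV mismatch: frame corrupted or wrong key")
    return data


def iv_reuse_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """XOR of two cipher-text bodies. When both frames carry the same IV (and
    key) the RC4 key stream cancels, so the result equals plaintext_a XOR
    plaintext_b with no knowledge of the secret. Raises if the IVs differ."""
    if frame_a[:IV_LEN] != frame_b[:IV_LEN]:
        raise ValueError("IVs differ; key streams do not cancel")
    return xor(frame_a[IV_LEN + 1:], frame_b[IV_LEN + 1:])


def iv_collisions(frames) -> int:
    """Count frames whose IV already appeared earlier in the capture: with only
    2**24 IVs available, a busy BSS is bound to repeat them."""
    seen, repeats = set(), 0
    for f in frames:
        iv = f[:IV_LEN]
        if iv in seen:
            repeats += 1
        seen.add(iv)
    return repeats


if __name__ == "__main__":
    secret = bytes.fromhex("0102030405")  # constructed 40-bit key
    iv = bytes.fromhex("000001")
    f1 = wep_encrypt(secret, iv, b"station A, frame 1")
    f2 = wep_encrypt(secret, iv, b"station A, frame 2")
    print(wep_decrypt(secret, f1))
    print(iv_reuse_leak(f1, f2).hex())
```

The IV is readable from the first three bytes of every frame, which is what lets a passive observer sort a capture by IV and count repeats (`iv_collisions`); the ICV check in `wep_decrypt` catches accidental corruption but, being a plain CRC, is not a cryptographic authenticator.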
The attacker sniffs a large number of frames from a single
BSS. These frames all use the same key. The mathematics behind the
systematic computation of the secret shared key from a collection of cipher
text extracted from these frames is described elsewhere in this volume.
What is needed however is a collection of frames that were encrypted using
“mathematically-weak” IVs. The number of encrypted frames that were
mathematically weak is a small percentage of all frames. In a collection
of a million frames, there may only be a hundred mathematically weak
frames. It is conceivable that the collection may take a few hours to
several days depending on how busy the WLAN is.
Given a sufficient number of mathematically weak frames, the systematic computation that exposes the bytes of the secret key is intensive. However, an attacker can employ powerful computers; on an average PC, it may take a few seconds to hours. Storing the large number of frames requires several hundred megabytes to a few gigabytes.
Detecting the presence of a wireless sniffer that remains radio-silent through network security measures is virtually impossible. Once the attacker begins probing (i.e., by injecting packets), the presence and the coordinates of the wireless device can be detected.
There are well-known attack techniques, known as spoofing, in both wired and wireless networks. The attacker constructs frames by filling selected fields that contain addresses or identifiers with legitimate-looking but non-existent values, or with values that belong to others. The attacker would have collected these legitimate values through sniffing.
The attacker generally desires to be hidden. But the probing
activity injects frames that are observable by system administrators. The
attacker fills the Sender MAC Address field of the injected frames with a
spoofed value so that his equipment is not identified.
Typical APs control access by permitting only those stations with known MAC addresses. Either the attacker has to compromise a computer system that has a station, or he spoofs legitimate MAC addresses in frames that he manufactures. MAC addresses are assigned at the time of manufacture, but setting the MAC address of a wireless card or AP to an arbitrarily chosen value is a simple matter of invoking an appropriate software tool that engages in a dialog with the user and accepts values. Such tools are routinely included when a station or AP is purchased. The attacker, however, changes the MAC address programmatically, sends several frames with that address, and repeats this with another MAC address. In a period of a second, this can happen several thousand times.
When an AP is not filtering MAC addresses, there is no need for the attacker to use legitimate MAC addresses. However, in certain attacks the attacker needs a larger number of MAC addresses than he could collect by sniffing, so random MAC addresses are generated. Not every random sequence of six bytes is a valid MAC address, however: the IEEE assigns the first three bytes globally, and the manufacturer chooses the last three. The officially assigned numbers are publicly available. The attacker therefore generates a random MAC address by selecting an IEEE-assigned three-byte prefix and appending three random bytes.
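From the administrator's side, the spoofing behaviour described in the last few paragraphs leaves two observable traces: sender addresses that cannot be real (multicast bit set, locally administered bit set, or an OUI that no card on site carries), and a rate of distinct sender addresses per second that no real population of stations would produce. The following added example (not code from the original article) checks both over a capture. KNOWN_OUIS, SAMPLE_FRAMES and the per-second threshold are constructed values for illustration; the I/G and U/L bit positions in the first octet are the IEEE-defined ones.

```python
"""Detecting source-MAC spoofing and rotation in a frame capture.

Added example for the spoofing discussion above; not code from the original
article. KNOWN_OUIS, SAMPLE_FRAMES and the rotation threshold are constructed
values for illustration, not a real inventory or a standard limit.
"""
from collections import defaultdict

# Constructed inventory: OUIs (first three bytes) of the site's own station cards.
KNOWN_OUIS = {"00aa11", "00cc33"}


def parse_mac(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' into six bytes, rejecting malformed input."""
    parts = mac.lower().split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def mac_flags(mac: str) -> dict:
    """Decode the IEEE-defined bits of the first octet.
    bit 0 (I/G): 1 = group/multicast address, never valid as a sender.
    bit 1 (U/L): 1 = locally administered, i.e. not an IEEE-assigned OUI."""
    raw = parse_mac(mac)
    return {
        "oui": raw[:3].hex(),
        "multicast": bool(raw[0] & 0x01),
        "locally_administered": bool(raw[0] & 0x02),
    }


def suspicious_sources(frames, known_ouis, max_distinct_per_sec=20):
    """frames: iterable of (timestamp_seconds, sender_mac) from a capture.

    Returns (flagged_seconds, odd_addresses):
      flagged_seconds - one-second windows with more distinct senders than a
                        real population of stations would produce (rotation)
      odd_addresses   - senders that are multicast, locally administered, or
                        carry an OUI outside the known inventory
    """
    per_second = defaultdict(set)
    odd = set()
    for ts, src in frames:
        flags = mac_flags(src)
        if (flags["multicast"] or flags["locally_administered"]
                or flags["oui"] not in known_ouis):
            odd.add(src.lower())
        per_second[int(ts)].add(src.lower())
    flagged = sorted(s for s, macs in per_second.items()
                     if len(macs) > max_distinct_per_sec)
    return flagged, sorted(odd)


# Constructed capture: three legitimate stations, a few oddities, then a burst
# of 50 frames in second 2 that rotate the sender through addresses built from
# a legitimate OUI plus varying low bytes, as the text describes.
SAMPLE_FRAMES = [
    (0.10, "00:aa:11:00:00:01"),
    (0.20, "00:aa:11:00:00:02"),
    (0.30, "00:cc:33:00:00:03"),
    (0.50, "01:00:5e:00:00:01"),  # multicast bit set: impossible sender
    (1.20, "02:aa:11:22:33:44"),  # locally administered bit set
    (1.40, "00:bb:22:00:00:09"),  # OUI not in the inventory
    (1.60, "00:aa:11:00:00:01"),
] + [(2.0 + i / 1000, f"00:aa:11:{i:02x}:00:01") for i in range(50)]


if __name__ == "__main__":
    flagged, odd = suspicious_sources(SAMPLE_FRAMES, KNOWN_OUIS)
    print("rotation in seconds:", flagged)
    print("odd senders:", odd)
```

Note that the rotating burst passes the address-format check entirely, since it uses an inventory OUI with valid global bits; only the per-second distinct-sender count exposes it, which is why both tests are needed together.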