__ __ __ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |_____ THE | | | | | | CREW '''' '''' '''''''''' [ 802.11b and WEP problems ] by: h4z4rd [-----------------------------------------------] {001}. [==Intro==] {010}. [==Wep==] {011}. [==Attacks against WEP==] {100}. [==Final word==] ================= {001} [==Intro==] ================= Wireless networks are today very popular among company's, because they simplify connecting. Employers, clients and other people who need to connect to that netword don't need phisical access to cables what makes very easy to connect and so useful. Todays most popular wireless network protocol is 802.11b. Wireless network consists of Access Points and client's WLAN cards. 802.11b protocol equipment first became avilable in 1999 an quickly gained popularity. 802.11b operates in the 2.4000GHz to 2.4835GHz frequency range and can operate at up to 11megabits per second, althought it can also reduce speed to 5.5Mbps, 2Mbps or 1Mbps. Speed reducing hapends while increasing our distance from AP (Access Point). The reliable coverage range depends on several factors: physical area and characteristics, antenna power, interfearing devices. Theoretical ranges are from 29 meters (for 11Mbps) in closed office area, to 485 meters (for 1Mbps) in a open area. But with carefully organised and placed antennas (with amplyfiers optionally) range can be numerously times grater. Often in networks exists interfearing devices. Very big number of 2.4GHz mobile phones, microwave ovens, and other 2.4GHz operating devices are interfearing with 802.11b because they work on 2.4GHz too, so if you notice something is decreasing signal you should check for such devices in your company. Wireless networks vulnerable to the listed attacks offer attackers ability to passivly obtain confidential network data and leave no trace, could be used for attacking other networks, could be used for free internet access... When setting WLAN we have to configure the channel and service set identifier (SSID). The channel is a number between 1-13 in Europe (1-11 in US) and designates the frequency on which the network will operate. Channel Frequency(GHz) 1 2.412 2 2.417 3 2.422 4 2.427 5 2.432 6 2.437 7 2.442 8 2.447 9 2.452 10 2.457 11 2.462 12 2.467 13 2.472 The SSID is an alphanumeric string that differentiates networks operating on the same channel. It is essentially a configurable name that identifies an individual network. =============== {010} [==Wep==] =============== Because in wireless networks data is flying and waiting someone to pick it up, that's why there is need for some kind of protection. Wired Equivalent Privacy (WEP) algorithm is used to protect wireless comunication and data from sniffing. A secondary function of WEP is to prevent unauthorized access to a wireless network, but this function is not an explicit goal in the 802.11b standard but is frequently considered to be a feature. WEP relies on a secret key that is shared between a client (computer with WLAN card) and base station (access point). The secret key is used to encrypt packets before they are transmited, and an integrity check is used to ensure that packets are not modified in transport. This standard does not discuss how that key will be shared between clients. While most installations use a single key that is shared between all clients nad APs, but there are more sophisticated key managment techniques that are being used to help to defend from listed attacks. Usually networks use one or only few keys among access points and change keys infrequently, because most vendor implementations of WEP require that keys be changed manually. Wep uses RC4 encryption algorithm, whitch is known as stream cipher. A stream cipher expands a fixed-length key into an infinite pseudo-random key stream for purpose of encrypting text. In WEP, plain text data is exclusive or'd (XOR) with the key stream to produce cipher text. Exclusive or (XOR) is a Boolean operator that compares two numbers and determines if they are the same or different. If the numbers are the same, a value "0" is returned; if they are different the value "1" is returned. *Example of XORing letter a with letter d (in binary): ========================= 1100001 -- the letter a 1100100 -- the letter d ------- -- XORing 0000101 -- XOR'd value ========================= INITIALIZATION VECTOR --------------------- The key stream produced by the WEP algorithm depends upon both the secret key and initialization vector (IV). The IV is used to ensure that subsequent data packets are encrypted with different key streams, despite using the same secret key. IV is a 24-bit field that is unencrypted within the header of the data packet. *Example of the headet of data packet: V = Initialization Vector K = Secret Key CRC = Cycical redundancy check (discussed below in the text) *---------------------*-------* | Plaintext Message | CRC | *---------------------*-------* | Keystream = RC4(V,K) | XOR *-----------------------------* *-----*-----------------------------* | V | Ciphertext | *-----*-----------------------------* According to the Berkley report, the use of a 24-bit IV is inadequate because the same IV, and therefore the same key stream, must be reused within a relatively short period of time. A 24-bit field can contain 2^24 or 16,777,216 possible values. In a network running at 11Mbps constantly transmitting 1,500 byte packets, an IV would be repeated about every 5 hours by the following calculation: 11Mbps + (1,500 bytes per packet x 8 bits per byte) = 916.67 packets transmitted each second 16,777,216 IVs % 916.67 packets per second = 18,302.41745 seconds to use all IVs 18,302.41745 seconds x 60 seconds per minute x 60 minutes per hour = 5.0840048 hours to use all IVs This time could be reduced under various circumstances. In mentioned scenario we assume only one device on the network is transmitting data and incrementing IVs by "1" for each packet transmitted. Each additional device using the same secret key would reduce this time. Devices that use random IVs would also reduce time required for an (1)IV collision occurs and an attacker has two different plain-text messages by XORing the two cipher text messages. The XOR that results can then be used to decrypt traffic. (1) = when same IV is used again in network it is called IV collision *Example of how XORing two ciphertexts cancels out the key stream: C1 = Ciphertext 1 C2 = Ciphertext 2 P1 = Plaintext 1 P2 = Plaintext 2 V = Initialization vector K = Secret key If C1 = P1 XOR RC4(V,K) And C2 = P2 XOR RC4(V,K) Then C1 XOR C2 = (P1 XOR RC4(V,K)) XOR (P2 XOR RC4(V,K)) = P1 XOR P2 *Example of teory showed above: *----------* | DATA | *-------------------------*----------* | Letter "a" plain-text | 01100001 | *-------------------------*----------* | Letter "n" - secret key | 01101110 | *-------------------------*----------* | XOR - "a" | 00001111 | *-------------------------*----------* *----------* | DATA | *-------------------------*----------* | Letter "b" plain-text | 01100010 | *-------------------------*----------* | Letter "n" - secret key | 01101110 | *-------------------------*----------* | XOR - "b" | 00001100 | *-------------------------*----------* *----------* | DATA | *-------------------------*----------* | XOR - "a" | 00001111 | *-------------------------*----------* | XOR - "b" | 00001100 | *-------------------------*----------* | XOR - "a" & "b" |*00000011*|----------* *-------------------------*----------* | | *----------* | | DATA | = *-------------------------*----------* = | Letter "a" plain-text | 01100001 | | *-------------------------*----------* | | Letter "a" plain-text | 01100010 | | *-------------------------*----------* | | XOR - "a" & "b" |*00000011*|----------* *-------------------------*----------* As showed when using the same secret key, the XORed value of the plain-text messages ("a" and "b") is equivalent to the XORed value of the encrypted messages. If attacker has knowledge of contents of the other plain-text messages when IV collision occurs, he could then decipher the contents of the other plain-text messages without any knowledge of the key stream used for encryption. CYCLIAL REDUNDANCY CHECK ------------------------ Cyclial redundancy check (CRC) is part of WEP which calculates a checksum that is included with each packet. When we send packet from place A we calculate CRC checksum that is included in packet. When is packet received in place B it first calculates checksum of packet and checks if checksums are same, if not that packet is rejected and if checksums are same the packet is valid. As seen CRC is used to ensure that packets haven't been changed in transmission. Transmitted messages are divided into predetermined lengths, and are divided by fixed divisor. The reminder is one bit smaller than the divisor and serves as the checksum. In the case of CRC-32, the reminder is a 32-bit number and this checksum is then appended when message is sent. According to the Berkley report, CRC-32 is not an appropriate integrity check for WEP as it is a linear checksum, and because of that modifications could be made to ciphertext, and the bit difference between the original and modified checksum could be calculated. An attacker may adjust the cecksum appropriately, and a recipient wouldn't be aware the data has been modified. *Example: The letter "b" is being encrypted using a secret key "n". To ensure data integrity CRC-8 checksum is used and encrypted in the data packet (*CRC-8 bit checksum is used because CRC-32 is too long and because letters are 8 bit too, so it is easyer to understand but princip is same!). An attacker wants to modify message by flipping bits in the encrypted data packet. If he simply flip the appropriate bits in the ciphertext, the decripted checksum would no longer match and WEP would reveal that the data was modifyed, so he must also determine the appropriate bits to flip in the encrypted checksum. The encrypted data packet is calculated as followed: *----------*----------* | DATA | CRC-8 | *-------------------------*----------*----------* | Letter "b" plain-text | 01100010 | 00101001 | *-------------------------*----------*----------* | Letter "n" - secret key | 01101110 | 01101110 | *-------------------------*----------*----------* | XOR encryption | 00001100 | 01000111 | *-------------------------*----------*----------* The attacker could determine the bits that need to be flipped in the checksum by XORing the change to the data and its corresponding CRC-8 cecksum against the original data and its checksum as followed: *----------*----------* | DATA | CRC-8 | *-------------------------*----------*----------* | XOR encryption | 00001100 | 01000111 | *-------------------------*----------*----------* | Change | 00000011 | 00001001 | *-------------------------*----------*----------* | Changed XOR encryption | 00001111 | 00100000 | *-------------------------*----------*----------* To see if changed checksum was calculated correctly, first decrypt the data and its checksum. *----------*----------* | DATA | CRC-8 | *-------------------------*----------*----------* | Changed XOR encryption | 00001111 | 01001110 | *-------------------------*----------*----------* | Letter "n" - secret key | 01101110 | 01101110 | *-------------------------*----------*----------* |Decrypted data-letter "a"| 01100001 | 00100000 | *-------------------------*----------*----------* The decrypted data (01100001) turns out to be the letter "a". Next, I will calculate CRC-8 checksum for the letter "a". (I will not paste output but if you are interested to calculate this yourself download CRC Polynomial division). The checksum was calculated correctly (00100000), therefore the changed packet would appear as valid. (Note: Attacker does not need to have complete knowledge of the original plain-text message, but only requires knowledge of the bits to be changed. =============================== {011} [==Attacks against WEP==] =============================== PASSIVE ATTACK TO DECRYPT TRAFFIC --------------------------------- A passive sniffer can intercept all wireless traffic until IV collision occurs. By XORing two packets that use the same IV, the attacker obtains the XOR of the two plaintext messages, and resulting XOR can be used to infer data about the contents of the two messages. An more complex attack would be to use a host on the internet and send traffic from that host to a host inside that wireless network. The contents of traffic will be known to the attacker. When attacker intercepts the encrypted version of his message sent over 802.11b, he will be able to decrypt all packets that use the same IV. ACTIVE ATTACK TO INJECT TRAFFIC ------------------------------- Suppose that attacker knows the exact plaintext for one encrypted message. He could use this knowledge to construct correct encrypted packets. The procedure involves constructing a new message, calculating the CRC-32, and performing bit flips on the original encrypted message to change the plaintext to new message, and then packet can be sent to the access point or client, and it will be accepted as a valid packet. As explained previously it is also possible to intercept and inject without complete knowledge of the content of packet. ACTIVE ATTACK FROM BOTH ENDS ---------------------------- In this case attacker makes a guess about the headers of packets rather than contents. This information is usually quite easy to obtain or guess, all that is neccessary to guess is the destination IP address. With this knowledge, the attacker can flip appropriate bits to transform the destination IP address to send the packet to machine he controls on the internet. Most wireless networks have internet connectivity, therefore packet will be successfully decrypted by the access point and forwarded unencrypted to attacker's machine, revealing the plaintext. If a guess can be made about the TCP headers of the packet, it is possible to change the destination port on the packet to be port 80, which will be forwarded through most firewalls. TABLE-BASED ATTACK ------------------ Small number of possible IVs allows attacker to build a decryption table (or dictionary). Once he learns the plaintext for some packet, he can compute RC4 key stream generated by the IV used. This key stream can be used to decrypt all other packets that use same IV. Over time attacker can build up table of IVs and corresponding key streams. This table tequires a fairly small number of storage (~15GB), and once it is built attacker can decrypt EVERY packet that is sent over the wireless network. ======================= {100}. [==Final word==] ======================= It is finaly over ;)))) I really hope you learned something and liked it, and if you don't like it don't read it. I am really sorry on my bad english ;) If you have some questions about this you can send it to hazard@trava.ffk.hr GREETZ ------ II-Labs Crew (BoyScout, DownBload, Fr1c, StYx), and all on #hr.hackers (i will not write names cause I don't want to forget anyone ;)) ==================== The carriers' ability to see into encrypted data is a conspiracy theorists' dream, provoking fears that our secrets could be passed to spammers, competitors, or government agents. ====================