How to Avoid the WPA Attack Entirely

don

Administrator

Posts: 4226

Joined: Sun Aug 28, 2005 10:47 pm

Location: Chicago

Post Tue Jan 20, 2009 1:07 am

How to Avoid the WPA Attack Entirely

Good write-up found at SearchNetworking.com by Lisa Phifer:


The latest crack in wireless Internet security, specifically, the Wi-Fi Protected Access (WPA) security standard, can threaten the safety of enterprise networks and business-sensitive information or data. Last week we explained how to cope with WPA cracks. Today we explain how to avoid them altogether, and what the difference is between WEP, WPA and WPA2.

It's been seven years since 802.11's Wired Equivalent Privacy (WEP) was cracked. WEP's first replacement, Wi-Fi Protected Access (WPA), has been required of all new Wi-Fi certified products since late 2003. But last month, reports surfaced about a crack in WPA -- specifically, a new attack against the Message Integrity Check (MIC) used by the Temporal Key Integrity Protocol (TKIP). While this new attack is not a death knell for wireless local area networks (WLANs) using WPA, it is a noteworthy chip in their armor that you can avoid.

How we got here

To get a handle on this latest attack, you need to appreciate the differences between WEP, WPA, and WPA2, and how WEP cracking caused 802.11 standards to evolve.

WEP uses RC4 to scramble (encrypt) data exchanged between wireless access points (APs) and clients, applying a Cyclic Redundancy Check (CRC) checksum to spot errors. Anyone can record WEP-encrypted packets, but they cannot interpret them without the WEP key to decrypt them. Unfortunately, attackers quickly learned how to analyze WEP-encrypted packets to guess (crack) that key. Because the same WEP key is used by every client to encrypt every packet sent to a given AP, a cracked key can decrypt all future packets, no matter who sent them. As a result, WEP cannot really stop 802.11 data eavesdropping.

TKIP was created as a quick fix for older APs and clients that were crippled by WEP. Instead of using the same key to encrypt every packet, TKIP uses RC4 with a different key for each packet. These per-packet keys neutralise WEP encryption crackers. In addition, TKIP uses a keyed Message Integrity Check (MIC) to detect packets that are replayed or forged. Anyone can send (that is, inject) a TKIP-encrypted packet that has been captured and modified, but those packets are dropped because the MIC and checksum do not match the data carried by the packet. APs using TKIP usually transmit an error report when the first bad MIC is received. If a second bad packet arrives within 60 seconds, the AP stops listening for another minute and then "rekeys" the WLAN, requiring all clients to start using a new "pairwise master key" to generate both the MIC key and those per-packet encryption keys.

This plugged the gaping holes left by WEP. All WPA-certified products can use TKIP and its MIC to resist 802.11 data eavesdropping, forgery, and replay attacks. But even back in 2003, the IEEE knew there were more efficient and robust ways to provide this security. This is why 802.11i also defines a Cipher Block Chaining Message Authentication Code Protocol (CCMP) which uses the Advanced Encryption Standard (AES) to replace TKIP and its MIC. All Wi-Fi certified products must now support Wi-Fi Protected Access Version 2 (WPA2), letting customers choose the right security for their WLAN. WPA2-certified APs that talk to older clients may permit either TKIP or AES-CCMP, while those with new clients only can insist on AES-CCMP.

For the full article:
http://searchnetworking.techtarget.com. ... k-entirely

Don
CISSP, MCSE, CSTA, Security+ SME
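The Michael MIC and the two-failures-in-60-seconds countermeasure the quoted article describes, as an added example that is not part of the original post or of Lisa Phifer's article: a pure-Python Michael implementation (checked against the 802.11i test vector for an all-zero key and empty message), a receiver-side tag check, and a small countermeasure tracker whose 60 s window and rekey behaviour follow the article's description rather than any vendor's code. In real TKIP the MIC input is DA, SA, priority and padding followed by the MSDU; this example treats the input as opaque bytes.

```python
import hmac
import struct

M32 = 0xFFFFFFFF

def _rol(x, n):
    return ((x << n) | (x >> (32 - n))) & M32

def _xswap(x):
    # Swap the two bytes inside each 16-bit half (Michael's XSWAP step).
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)

def _block(l, r):
    # Michael's block function b(L, R); ROR by 2 is written as ROL by 30.
    r ^= _rol(l, 17); l = (l + r) & M32
    r ^= _xswap(l);   l = (l + r) & M32
    r ^= _rol(l, 3);  l = (l + r) & M32
    r ^= _rol(l, 30); l = (l + r) & M32
    return l, r

def michael(key: bytes, msg: bytes) -> bytes:
    """Michael MIC from IEEE 802.11i TKIP: 64-bit key in, 64-bit tag out."""
    l, r = struct.unpack("<II", key)
    # Pad with 0x5a and then 4..7 zero bytes so the length is a multiple of 4.
    padded = msg + b"\x5a" + b"\x00" * (4 + (-(len(msg) + 1) % 4))
    for (word,) in struct.iter_unpack("<I", padded):
        l ^= word
        l, r = _block(l, r)
    return struct.pack("<II", l, r)

def mic_ok(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Receiver-side check: recompute and compare the 8-byte tag."""
    return hmac.compare_digest(michael(key, msg), tag)

class TkipCountermeasures:
    """Failure handling as the article describes it: a second bad MIC within
    60 s takes the link down for 60 s and forces a rekey (assumed model)."""
    def __init__(self):
        self.last_failure = None  # time of the most recent MIC failure
        self.blocked_until = 0.0  # link is down until this time
        self.rekeys = 0

    def report_failure(self, now: float) -> str:
        if self.last_failure is not None and now - self.last_failure < 60:
            self.blocked_until, self.last_failure = now + 60, None
            self.rekeys += 1
            return "countermeasures: link down 60 s, rekey required"
        self.last_failure = now
        return "first MIC failure: error report sent"
```

The tag is only 64 bits and Michael is deliberately cheap, which is why the countermeasure logic, not the MIC alone, is what limits forgery attempts on a TKIP network.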

Vertigo

Newbie

Posts: 13

Joined: Thu Oct 16, 2008 10:34 am

Post Wed Feb 04, 2009 5:36 am

Re: How to Avoid the WPA Attack Entirely

Has anybody performed a successful attack against WPA TKIP Michael with the tkiptun-ng tool from the aircrack-ng-1.0-rc2 suite?
The previous tkiptun-ng revision 1208 from http://dl.aircrack-ng.org/aircrack-ng-s ... ent.tar.gz didn't work properly.

Vertigo
------------------
GCIH, Security+
Last edited by Vertigo on Fri Feb 20, 2009 7:26 am, edited 1 time in total.

Ne0

Jr. Member

Posts: 62

Joined: Thu Sep 04, 2008 5:28 pm

Post Tue Feb 17, 2009 5:17 am

Re: How to Avoid the WPA Attack Entirely

Hey Vertigo,
Yeah, I have done a successful WPA hack. It took time, but I was successful in it. I have my own video of cracking it; you can get it on my website.
I was successful at both WPA & WPA2.
The main points in getting a successful WPA & WPA2 crack are:
1) You must capture the full 4-way handshake.
2) Your passphrase must be in the dictionary you choose in order to successfully brute-force it.

The video is here: http://thewifihack.com/blog/?p=16

Vertigo

Newbie

Posts: 13

Joined: Thu Oct 16, 2008 10:34 am

Post Fri Feb 20, 2009 8:02 am

Re: How to Avoid the WPA Attack Entirely

Ne0 wrote:
Hey Vertigo,
Yeah, I have done a successful WPA hack. It took time, but I was successful in it. I have my own video of cracking it; you can get it on my website.
I was successful at both WPA & WPA2.
The main points in getting a successful WPA & WPA2 crack are:
1) You must capture the full 4-way handshake.
2) Your passphrase must be in the dictionary you choose in order to successfully brute-force it.

Hey Ne0,
You have misunderstood me completely. My question wasn't how to crack the pre-shared secret from a WPA-PSK or WPA2-PSK 4-way EAPoL handshake with the aircrack-ng or coWPAtty tools...
My question was quite different: how to get the RC4 keystream and MIC key from a victim's ARP request packet with WPA TKIP encryption (this assumes the client may use 802.1X EAP-TLS/PEAP or TTLS authentication) using the tkiptun-ng tool from the aircrack-ng-1.0-rc2 suite? It requires ~14 min = 8-byte MIC + 4-byte ICV checksum + 2 bytes from the source and destination addresses. There are several stages: WPA handshake capture, ARP request capture, and the attack itself, based on a modified version of KoreK's chopchop attack. The attack requires QoS WMM support on both sides (AP and STA) and a rekeying interval of more than 1200 sec.
More: http://dl.aircrack-ng.org/breakingwepandwpa.pdf

Vertigo
------------------------
GCIH, Security+
Last edited by Vertigo on Fri Feb 20, 2009 8:43 am, edited 1 time in total.