Once the wireless target has been identified, the attacker can proceed to gather information about the network using tools like Kismet or airodump. The captured frames can be saved in pcap format for later offline analysis.
If the traffic is not encrypted, the attacker can read it directly and pull the network parameters (MAC addresses, IP address range, default gateway and so on) straight out of the capture.
If the traffic is WEP encrypted, WEP crackers are available to do the rest. airodump is used to capture the encrypted packets, and aircrack (shown below) is then run against the capture to recover the WEP key once enough unique WEP IVs have been collected.
Where there is not enough traffic on the network, a packet injection tool such as WEPWedgie can be used to inject arbitrary frames into the WEP-protected network. These solicit responses from the network, which are then captured and sent to the WEP key cracker. This works because of how WEP uses RC4: the keystream depends only on the IV and the key, and nothing in WEP stops an attacker from reusing an IV. Once the attacker has the keystream that belongs to one IV, he can XOR it with any plaintext of his choosing (up to the keystream length) and transmit the result under that same IV, and the access point will accept it. To obtain the keystream for a particular IV, the attacker needs a packet whose plaintext he knows together with its ciphertext; XORing the two yields the keystream that encrypted it. One place where a known plaintext and its ciphertext appear side by side is shared key authentication: the access point sends the client a challenge in the clear, and the client returns the same challenge WEP-encrypted.
Even when no shared key authentication exchange can be captured, the chopchop attack uses the access point itself to decrypt one WEP packet at a time without knowing the WEP key: it removes the last byte of the packet, guesses the value of the byte it removed, repairs the ICV (the CRC-32 checksum) to match that guess, and lets the access point's accept-or-reject behaviour confirm which guess was right.
References:
- Christopher Low, "Understanding Wireless Attacks and Detection", SANS Institute InfoSec Reading Room, 13 April 2005
- Quequero, "How to Attack a WEP/WPA Protected Wireless Network"