TC7 day 1 – The fragmentation attack in practice

UPDATE: Slides, paper and code

Andrea Bittau (not blurry in real life) gave a demo of the WEP fragmentation attack. The attack only requires one sniffed packet from the WEPed network, unlike replay attacks, which usually require you to get an ARP packet. He built a simple tool to sniff a packet and then build packets to create a legitimate connection to the access point. At this point a server on the internet is contacted to flood the network with packets at up to 1400 packets per second. This generates a ton of unique IVs, and aircrack is called every 100000 packets until the WEP key is cracked. In the demo it took under 5 minutes for the automated process to complete.
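From the defender's side, both traffic patterns the post mentions (a single captured frame replayed over and over to provoke ARP replies, and an Internet-originated flood at ~1400 packets per second) are visible in a monitor-mode capture as an abrupt jump in WEP data frames and distinct IVs per second on one BSSID, and the replay variant additionally repeats one IV far more often than any honest station would. The following script is an added example, not code from the post or from Bittau's tool: it runs that check over a small synthetic list of frame records (timestamp, BSSID, IV, length), with the BSSID, IVs and alert thresholds all constructed for the example.

```python
"""Flag the traffic signatures of WEP IV harvesting (constructed example).

The frame records below are synthetic, not a real capture.  Two signatures are
checked per (BSSID, second) bucket: an abnormal number of WEP frames / distinct
IVs in one second (any flood), and one IV repeated many times (a frame being
replayed, as in the ARP replay variant).
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class WepFrame:
    ts: float       # capture timestamp in seconds
    bssid: str      # AP address the frame belongs to
    iv: int         # 24-bit WEP IV from the frame header
    length: int     # frame length in bytes


def bucket_by_second(frames):
    """Group frames into (bssid, whole second) buckets."""
    buckets = defaultdict(list)
    for f in frames:
        buckets[(f.bssid, int(f.ts))].append(f)
    return buckets


def analyse_window(frames, rate_threshold=200, max_iv_repeat=10):
    """Return (kind, detail) alerts for one (bssid, second) bucket.

    The thresholds are assumptions for this example; tune them to the
    baseline of the network being monitored.
    """
    alerts = []
    n = len(frames)
    ivs = Counter(f.iv for f in frames)
    if n > rate_threshold:
        alerts.append(("flood", f"{n} WEP frames in one second"))
    if len(ivs) > rate_threshold:
        # aircrack wants tens of thousands of distinct IVs; harvesting them
        # means the distinct-IV rate climbs together with the frame rate
        alerts.append(("iv-harvest", f"{len(ivs)} distinct IVs in one second"))
    iv, count = ivs.most_common(1)[0]
    if count > max_iv_repeat:
        # a station legitimately retransmitting does not reuse one IV this often
        alerts.append(("replay", f"IV {iv:06x} seen {count} times"))
    return alerts


def detect(frames, **thresholds):
    """Map each (bssid, second) that raised alerts to its alert list."""
    results = {}
    for key, bucket in sorted(bucket_by_second(frames).items()):
        alerts = analyse_window(bucket, **thresholds)
        if alerts:
            results[key] = alerts
    return results


def alert_kinds(frames, **thresholds):
    """Same as detect(), but only the set of alert kinds per bucket."""
    return {k: {kind for kind, _ in v} for k, v in detect(frames, **thresholds).items()}


BSSID = "00:11:22:33:44:55"  # constructed AP address


def constructed_capture():
    """Synthetic capture: 2 s of normal traffic, 1 s of frame replay, 1 s of flood."""
    rng = random.Random(1)
    frames = []
    for sec in range(2):                            # seconds 0-1: ~20 frames/s
        for i in range(20):
            frames.append(WepFrame(sec + i / 20, BSSID, rng.randrange(1 << 24),
                                   rng.choice([90, 120, 300, 1500])))
    replayed_iv = 0x0A0B0C                          # second 2: one frame replayed
    for i in range(700):
        frames.append(WepFrame(2 + i / 700, BSSID, replayed_iv, 68))                 # injected copy
        frames.append(WepFrame(2 + i / 700, BSSID, rng.randrange(1 << 24), 68))      # host's reply, fresh IV
    for i in range(1400):                           # second 3: ~1400 pps flood, fresh IVs
        frames.append(WepFrame(3 + i / 1400, BSSID, rng.randrange(1 << 24),
                               rng.choice([90, 120, 300, 1500])))
    return frames


if __name__ == "__main__":
    for (bssid, sec), alerts in detect(constructed_capture()).items():
        for kind, detail in alerts:
            print(f"{bssid} t={sec}s {kind}: {detail}")
```

On the constructed capture, seconds 0 and 1 stay quiet, second 2 raises flood, iv-harvest and replay alerts, and second 3 raises flood and iv-harvest only, which is the distinction between the two methods the post describes. A real deployment would feed the same buckets from a monitor-mode capture and set the rate threshold from the network's own baseline rather than the fixed value used here.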

Comments

  1. CDE says:

    Is this the ARP spoofing linked on the security section of the site? Any way to get a real translation, i.e. non-Babelfish?

  2. Brandon says:

    This is some crazy biznatch! Automated WEP cracking under 5 mins…wow. It's not really cracking anymore. It takes 5 minutes to get connected sometimes…

  3. k00zk0 says:

    Well…where can we get this automated WEP cracking app?

  4. Gouki says:

    I was searching on his site, but didn't find it.

    How do we get it? *nux only right?

    cya guys!

  6. Brandon says:

    yeah…where is it?

  7. gbag says:

    I used to be really interested in this stuff but this is over-sensationalised…

    There are still only a few ways to crack WEP and all require lots (at least 10000 packets) of data to work reasonably.

    Weak keys (airsnort) are old-hat and all modern 802.11 devices avoid them. Aircrack and the new breed use roughly 17 statistical anomalies to improve on the brute force chance of guessing a key. Their technique isn't perfect but it does work surprisingly well.

    The ARP attack involved waiting for a packet that was the same length as an ARP packet and replaying it to the network. If it was an ARP packet, it would cause the remote host to send an ARP response packet with a unique IV. This can be done repeatedly to get the required 10000-100000 packets for WEP cracking, at which time you run aircrack.

    His is just another variation where he injects traffic from the internet to get enough packets to break WEP.

    It won't work if the AP is behind a firewall or NAT router. It won't work if he can't determine the network's IP range.

    I think he’s combining another attack where you decode the contents of a single packet by sending increasingly longer dummy packets into the network and decode the packet contents one byte at a time. After that you have an IP for the internal network and you can use that to launch an Internet-initiated flood.

    I’m pretty sure it would still be better to use the ARP attack over this method, if only because this method requires a host on the Internet which is going to have to flood something, setting off all sorts of alarm bells and big flashing lights.

    Who the hell uses WEP anyway these days?

  8. Amber says:

    You have given me a very interesting insight. Now I am looking forward to trying it out. Thanks buddy!

  9. sorbo says:

    http://darkircop.org/frag-0.1.tgz

    if you launch it without args it will send arps [no internet host required]. I personally prefer inet flood. If you’re paranoid, you can spoof the inet ip while flooding…

  10. coreUK says:

    Lots of people still use WEP (dunno why, ignorance I guess). The worrying thing is… well known high st banks in the heart of London are still using WEP.
    Oh, and BTW 5 mins doesn't impress me, my record stands at 3min 28secs for 104 bit WEP.
    I love those crappy bthomehubs!! ;-)

  11. aw says:

    @coreUK
    Sometimes it's for backwards compatibility. If there were a way to put my 802.11B only devices (2 pocket PCs, print server and a few other things) on an isolated part of my network for internet only, I would, because I wouldn't mind going N or WPA-PSK and all that.
