TC7 Day 1 – The Fragmentation Attack In Practice

UPDATE: Slides, paper and code

Andrea Bittau (not blurry in real life) gave a demo of the WEP fragmentation attack. The attack needs only one sniffed packet from the WEP network, unlike replay attacks, which usually require you to capture an ARP packet. He built a simple tool that sniffs a packet and then builds packets to create a legitimate connection to the access point. At that point a server on the internet is contacted to flood the network with packets at up to 1400 packets per second. This generates a ton of unique IVs, and aircrack is run every 100000 packets until the WEP key is cracked. In the demo the automated process completed in under 5 minutes.
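The defender-side signature of the demo above is the IV churn: a flood at 1400 packets per second produces far more distinct WEP IVs per second on one BSSID than any normal client. The following is an added example (not Bittau's tool or code from the post) that parses raw 802.11 data frames, counts distinct IVs per BSSID per one-second window, and flags BSSIDs above a threshold; it assumes frames with the radiotap header already stripped, no QoS/addr4 fields, and a demo threshold of 500 IVs/s that is an assumption, not a tuned value.

```python
"""Flag WEP networks whose IV churn looks like an injected flood (constructed demo)."""
from collections import defaultdict

HDR_LEN = 24          # 802.11 data header: FC(2) dur(2) addr1-3(18) seq(2); no addr4/QoS
PROTECTED = 0x40      # "protected frame" bit in frame-control byte 1
DEMO_THRESHOLD = 500  # distinct IVs per second; assumed value for this demo only


def parse_wep_frame(frame: bytes):
    """Return (bssid, iv) for a protected 802.11 data frame, or None otherwise."""
    if len(frame) < HDR_LEN + 4:           # need the 4-byte IV+keyid field too
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 & 0x0C) != 0x08 or not (fc1 & PROTECTED):
        return None                        # not a data frame, or not encrypted
    to_ds, from_ds = fc1 & 0x01, fc1 & 0x02
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    bssid = a1 if to_ds else (a2 if from_ds else a3)   # BSSID position per DS bits
    return bssid.hex(":"), frame[HDR_LEN:HDR_LEN + 3].hex()   # 3-byte WEP IV


def flag_iv_floods(captures, window=1.0, threshold=DEMO_THRESHOLD):
    """captures: iterable of (timestamp_seconds, raw_frame). Returns {bssid: peak
    distinct IVs seen in one window} for every BSSID that exceeds the threshold."""
    ivs = defaultdict(lambda: defaultdict(set))   # bssid -> window index -> {iv}
    for ts, frame in captures:
        parsed = parse_wep_frame(frame)
        if parsed:
            bssid, iv = parsed
            ivs[bssid][int(ts // window)].add(iv)
    peaks = {b: max(len(s) for s in w.values()) for b, w in ivs.items()}
    return {b: n for b, n in peaks.items() if n > threshold}


def make_frame(bssid: bytes, iv: int) -> bytes:
    """Constructed WEP data frame (To-DS=1, protected) with a chosen IV; body is filler."""
    hdr = bytes([0x08, 0x41, 0, 0]) + bssid + b"\x02" * 6 + b"\x03" * 6 + b"\x00\x00"
    return hdr + iv.to_bytes(3, "little") + b"\x00" + b"\xaa" * 36


def demo_capture():
    """Constructed sample: a quiet AP at 20 frames/s and one being flooded at 1400/s."""
    quiet, flooded = b"\x00\x11\x22\x33\x44\x55", b"\x66\x77\x88\x99\xaa\xbb"
    caps = [(i / 20, make_frame(quiet, i)) for i in range(20)]
    caps += [(i / 1400, make_frame(flooded, 0x100000 + i)) for i in range(1400)]
    return caps


if __name__ == "__main__":
    print(flag_iv_floods(demo_capture()))   # {'66:77:88:99:aa:bb': 1400}
```

On a real capture the same counter can be fed from a monitor-mode interface; the quiet AP stays well under the threshold while the flooded one is flagged within its first second.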

10 thoughts on “TC7 Day 1 – The Fragmentation Attack In Practice”

  1. I used to be really interested in this stuff but this is over sensationalised…

    There are still only a few ways to crack WEP and all require lots (at least 10000 packets) of data to work reasonably.

    Weak keys (airsnort) are old-hat and all modern 802.11 devices avoid them. Aircrack and the new breed use roughly 17 statistical anomalies to improve on the brute force chance of guessing a key. Their technique isn’t perfect but it does work surprisingly well.

    The ARP attack involved waiting for a packet that was the same length as an ARP packet and replaying it to the network. If it was an ARP packet, it would cause the remote host to send an ARP response packet with a unique IV. This can be done repeatedly to get the required 10000-100000 packets for WEP cracking, at which time you run aircrack.

    His is just another variation where he injects traffic from the internet to get enough packets to break WEP.

    It won’t work if the AP is behind a firewall or NAT router. It won’t work if he can’t determine the network’s IP range.

    I think he’s combining another attack where you decode the contents of a single packet by sending increasingly longer dummy packets into the network and decode the packet contents one byte at a time. After that you have an IP for the internal network and you can use that to launch an Internet-initiated flood.

    I’m pretty sure it would still be better to use the ARP attack over this method, if only because this method requires a host on the Internet which is going to have to flood something, setting off all sorts of alarm bells and big flashing lights.

    Who the hell uses WEP anyway these days?

  2. Lots of people still use WEP. (dunno why, ignorance I guess) The worrying thing is... well-known high st banks in the heart of London are still using WEP.
    Oh, and BTW 5 mins doesn’t impress me, my record stands at 3min 28secs for 104-bit WEP.
    I love those crappy BT Home Hubs!! ;-)

  3. @coreUK
    Sometimes it’s for backwards compatibility. If there were a way to put my 802.11b-only devices (2 Pocket PCs, a print server and a few other things) on an isolated part of my network for internet only, I would, because I wouldn’t mind going N or WPA-PSK and all that.
