New WPA TKIP Attack

wifibox

[Martin Beck] and [Erik Tews] have just released a paper covering an improved attack against WEP and a brand new attack against WPA(PDF). For the WEP half, they offer a nice overview of attacks up to this point and the optimizations they made to reduce the number of packets needed to approximately 25K. The only serious threat to WPA so far has been the coWPAtty dictionary attack. This new attack lets you decrypt the last 12 bytes of a WPA packet’s plaintext and then generate arbitrary packets to send to the client. While it doesn’t recover the WPA key, the attacker is still able to send packets directly to the machine they’re attacking and could potentially read back the response via an outbound connection to the internet.

[photo: niallkennedy]

[via SANS]

Defcon 15: WiCrawl From Midnight Research Labs


[Aaron] gave the latest on WiCrawl. The focus has been on the UI and usefulness for penetration testing. It’s got support for [David]s coWPAtty FPGA WPA cracking accelerator and some UI improvements. Even better, you can grab the WiCrawl module to put on a BackTrack Slax livecd from the project page. [Aaron] passed out some CD’s at the talk – I’ll update if the ISO gets posted.

And yes, I think I finally recovered from playing Hacker Jeopardy on team MRL. We held our own, but lost on the (LAME) final jeopardy question.