The document summarizes new attacks against the WPA-TKIP protocol. It describes a denial of service attack that can disable a network by replaying two manipulated packets. It also outlines a fragmentation attack that uses predicted keystream bytes to inject packets onto the network, such as for port scanning. Finally, it proposes a MIC reset attack to decrypt packets by crafting a prefix that resets the MIC state. Proofs of concept are provided for the denial of service and fragmentation attacks.
Presentation given at the Brucon security conference in Ghent, Belgium. Two new attacks are described. The first is a Denial of Service attack capable of halting all traffic for one minute by injecting only two frames. The second attack allows the injection of arbitrary many packets towards a client. It is shown that this can be used to perform a portscan on any TKIP-secured client.
Advanced WiFi Attacks Using Commodity Hardwarevanhoefm
Presentation given at BruCON 2015 on low-level (physical layer) attacks against WiFi network. Includes selfish behavior, constant jammer, reactive and selective jamming. Additionally we show to to reliably manipulate encrypted WPA and WPA2 traffic, allowing us to attack WPA-TKIP.
Advanced WiFi Attacks Using Commodity Hardwarevanhoefm
Presentation given at ACSAC 2014 on the paper "Advanced WiFi Attacks Using Commodity Hardware". The gist is that we were able to implement several low-layer attacks using cheap hardware, the most surprising being a selective jammer. We then show how these low-layer attacks faciliate attacks against TKIP (though a man-in-the-middle attack).
The TCP/IP protocol suite has a number of vulnerability and security flaws inherent in the protocols. Those vulnerabilities are often used by crackers for Denial of Service (DOS) attacks, connection hijacking and other attacks. The following are the major TCP/IP security problems:
TCP SYN attacks (or SYN Flooding) ¡§CThe TCP uses sequence numbers to ensure data is given to the user in the correct order. The sequence numbers are initially established during the opening phase of a TCP connection in the three-way handshake. TCP SYN attacks take advantage of a flaw in how most hosts implement TCP three-way handshake. When Host B receives the SYN request from A, it must keep track of the partially opened connection in a "listen queue" for at least 75 seconds and a host can only keep track of a very limited number of connections. A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the SYN&ACK the other host sends back. By doing so, the other host's listen queue is quickly filled up, and it will stop accepting new connections, until a partially opened connection in the queue is completed or times out. This ability to effectively remove a host from the network for at least 75 seconds can be used as a denial-of-service attack, or it can be used to implement other attacks, like IP Spoofing.
IP Spoofing - IP spoofing is an attack used to gain unauthorized access to computers, whereby the attacker sends messages to a computer with a forging IP address indicating that the message is coming from a trusted host. The IP layer assumes that the source address on any IP packet it receives is the same IP address as the system that actually sent the packet -- it does no authentication. Many higher level protocols and applications also make this assumption, so it seems that anyone able to forge the source address of an IP packet could get unauthorized privileges. There are few variations of IP Spoofing such as Blind and Non-blind spoofing, man-in-the-middle- attack (connection hijacking), etc. For details, please read the IP Spoofing section.
Routing attacks ¡§C This attack takes advantage of Routing Information Protocol (RIP), which is often an essential component in a TCP/IP network. RIP is used to distribute routing information within networks, such as shortest-paths, and advertising routes out from the local network. Like TCP/IP, RIP has no built in authentication, and the information provided
in a RIP packet is often used without verifying it. Attacks on RIP change where data goes to, not where it came from. For example, an attacker could forge a RIP packet, claiming his host "X" has the fastest path out of the network. All packets sent out from that network would then be routed through X, where they could be modified or examined. An attacker could also use RIP to effectively impersonate any host, by causing all traffic sent to that host to be sent to the attacker's machine
The presentation covers information about basic and advanced ddos attacks; the tools, techniques and methods to perform them and how to prevent them using the methods present in TCP/IP. Given the different network and application protocols for tcp/ip; we tried to describe where ddos attacks are made possible in the communication process . Each attack is seperately analyzed and described and defense technique is described using the same analogy. Our motto: If there is a ddos case, there was a way to defend it.
Presentation given at the Brucon security conference in Ghent, Belgium. Two new attacks are described. The first is a Denial of Service attack capable of halting all traffic for one minute by injecting only two frames. The second attack allows the injection of arbitrary many packets towards a client. It is shown that this can be used to perform a portscan on any TKIP-secured client.
Advanced WiFi Attacks Using Commodity Hardwarevanhoefm
Presentation given at BruCON 2015 on low-level (physical layer) attacks against WiFi network. Includes selfish behavior, constant jammer, reactive and selective jamming. Additionally we show to to reliably manipulate encrypted WPA and WPA2 traffic, allowing us to attack WPA-TKIP.
Advanced WiFi Attacks Using Commodity Hardwarevanhoefm
Presentation given at ACSAC 2014 on the paper "Advanced WiFi Attacks Using Commodity Hardware". The gist is that we were able to implement several low-layer attacks using cheap hardware, the most surprising being a selective jammer. We then show how these low-layer attacks faciliate attacks against TKIP (though a man-in-the-middle attack).
The TCP/IP protocol suite has a number of vulnerability and security flaws inherent in the protocols. Those vulnerabilities are often used by crackers for Denial of Service (DOS) attacks, connection hijacking and other attacks. The following are the major TCP/IP security problems:
TCP SYN attacks (or SYN Flooding) ¡§CThe TCP uses sequence numbers to ensure data is given to the user in the correct order. The sequence numbers are initially established during the opening phase of a TCP connection in the three-way handshake. TCP SYN attacks take advantage of a flaw in how most hosts implement TCP three-way handshake. When Host B receives the SYN request from A, it must keep track of the partially opened connection in a "listen queue" for at least 75 seconds and a host can only keep track of a very limited number of connections. A malicious host can exploit the small size of the listen queue by sending multiple SYN requests to a host, but never replying to the SYN&ACK the other host sends back. By doing so, the other host's listen queue is quickly filled up, and it will stop accepting new connections, until a partially opened connection in the queue is completed or times out. This ability to effectively remove a host from the network for at least 75 seconds can be used as a denial-of-service attack, or it can be used to implement other attacks, like IP Spoofing.
IP Spoofing - IP spoofing is an attack used to gain unauthorized access to computers, whereby the attacker sends messages to a computer with a forging IP address indicating that the message is coming from a trusted host. The IP layer assumes that the source address on any IP packet it receives is the same IP address as the system that actually sent the packet -- it does no authentication. Many higher level protocols and applications also make this assumption, so it seems that anyone able to forge the source address of an IP packet could get unauthorized privileges. There are few variations of IP Spoofing such as Blind and Non-blind spoofing, man-in-the-middle- attack (connection hijacking), etc. For details, please read the IP Spoofing section.
Routing attacks ¡§C This attack takes advantage of Routing Information Protocol (RIP), which is often an essential component in a TCP/IP network. RIP is used to distribute routing information within networks, such as shortest-paths, and advertising routes out from the local network. Like TCP/IP, RIP has no built in authentication, and the information provided
in a RIP packet is often used without verifying it. Attacks on RIP change where data goes to, not where it came from. For example, an attacker could forge a RIP packet, claiming his host "X" has the fastest path out of the network. All packets sent out from that network would then be routed through X, where they could be modified or examined. An attacker could also use RIP to effectively impersonate any host, by causing all traffic sent to that host to be sent to the attacker's machine
The presentation covers information about basic and advanced ddos attacks; the tools, techniques and methods to perform them and how to prevent them using the methods present in TCP/IP. Given the different network and application protocols for tcp/ip; we tried to describe where ddos attacks are made possible in the communication process . Each attack is seperately analyzed and described and defense technique is described using the same analogy. Our motto: If there is a ddos case, there was a way to defend it.
This slideshow shows the threat ARP poisoning poses by allowing Packet sniffing attacks using Wireshark on a college network and provides possible mitigation action for the vulnerability
Praktické postupy ochrany před DDoS útoky - Přednáška se bude zabývat postupy jak se chránit před DoS/DDoS útoky a to od nejnižší po nejvyšší vrstvu, od malých webů po korporátní sítě.
www.security-session.cz
A talk given by Joseph Lorenzo Hall at the UCB TRUST Privacy workshop on 10/05/2006 that describes the tensions between institutional requirements and technical abilities of the TOR network, which severly limits TOR research on the UCB campus.
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...ShortestPathFirst
Presentation given by Roland Dobbins covering our recent draft of use case scenarios for use in DDoS Open Threat Signaling. This presentation was given on Nov. 3rd, 2015 at IETF 94 in Yokohama, Japan.
DDoS Attack on DNS using infected IoT DevicesSeungjoo Kim
[Case Study] DDoS Attack on DNS using infected IoT Devices @ ACSAC 2015 (The 31st Annual Computer Security Applications Conference 2015), which is one of the most important cyber security conferences in the world and the oldest information security conference held annually
Mitm(man in the middle) ssl proxy attacksJaeYeoul Ahn
This material is related at the Security of SSL Service as HTTPS. I used it for my security class at E-government course on the Kookmin university in south Korea.
KRACK attack is one of the most famous one in WiFi security and privacy. In this presentation a detailed description of the attack is considered and countermeasures are offered.
This slideshow shows the threat ARP poisoning poses by allowing Packet sniffing attacks using Wireshark on a college network and provides possible mitigation action for the vulnerability
Praktické postupy ochrany před DDoS útoky - Přednáška se bude zabývat postupy jak se chránit před DoS/DDoS útoky a to od nejnižší po nejvyšší vrstvu, od malých webů po korporátní sítě.
www.security-session.cz
A talk given by Joseph Lorenzo Hall at the UCB TRUST Privacy workshop on 10/05/2006 that describes the tensions between institutional requirements and technical abilities of the TOR network, which severly limits TOR research on the UCB campus.
DDoS Open Threat Signaling (DOTS) Working Group Presentation on draft-ietf-do...ShortestPathFirst
Presentation given by Roland Dobbins covering our recent draft of use case scenarios for use in DDoS Open Threat Signaling. This presentation was given on Nov. 3rd, 2015 at IETF 94 in Yokohama, Japan.
DDoS Attack on DNS using infected IoT DevicesSeungjoo Kim
[Case Study] DDoS Attack on DNS using infected IoT Devices @ ACSAC 2015 (The 31st Annual Computer Security Applications Conference 2015), which is one of the most important cyber security conferences in the world and the oldest information security conference held annually
Mitm(man in the middle) ssl proxy attacksJaeYeoul Ahn
This material is related at the Security of SSL Service as HTTPS. I used it for my security class at E-government course on the Kookmin university in south Korea.
KRACK attack is one of the most famous one in WiFi security and privacy. In this presentation a detailed description of the attack is considered and countermeasures are offered.
The WEP protocol was introduced with the original 802.11 standards as a means to provide authentication and encryption to wireless LAN implementations.
WPA, became available in 2003, and it was the Wi-Fi Alliance’s direct response and replacement to the increasingly apparent vulnerabilities of the WEP encryption standard
The Caffe Latte attack debunks the age old myth that to crack WEP, the attacker needs to be in the RF vicinity of the authorized network, with at least one functional AP up and running. We demonstrate that it is possible to retrieve the WEP key from an isolated Client - the Client can be on the Moon! - using a new technique called "AP-less WEP Cracking". With this discovery Pen-testers will realize that a hacker no longer needs to drive up to a parking lot to crack WEP. Corporations still stuck with using WEP, will realize that their WEP keys can be cracked while one of their employees is transiting through an airport, having a cup of coffee, or is catching some sleep in a hotel room. Interestingly, Caffe Latte also has a great impact on the way Honey-pots work today and takes them to the next level of sophistication.
This presentation is about how WEP configured WiFi enabled roaming client can be compromised and WEP Key can be retireved, sitting thousands of miles away from actual network. The talk was presented in Toorcon 9 in 2007.
Wired Equivalent Privacy (WEP) is an easily broken security algorithm for IEEE 802.11 wireless networks. Introduced as part of the original 802.11 standard ratified in September 1999, its intention was to provide data confidentiality comparable to that of a traditional wired network.
Review of the WPA2 Krack Attack. The full research paper that the presentation is based on can be downloaded from here: https://www.krackattacks.com/. You can find my podcast on the iTunes Store CYSReport https://cysreport.com, and my blog is https://debinfosec.com.
A presentation which on Wireless Network Security. It contains Introduction to wireless networking, security threats and risks, best practices on using wireless networks.
Reliable data transfer CN - prashant odhavani- 160920107003Prashant odhavani
transport layer services
multiplexing/demultiplexing
connectionless transport: UDP
principles of reliable data transfer
connection-oriented transport: TCP
reliable transfer
flow control
connection management
principles of congestion control
TCP congestion control
Essentials of Automations: The Art of Triggers and Actions in FMESafe Software
In this second installment of our Essentials of Automations webinar series, we’ll explore the landscape of triggers and actions, guiding you through the nuances of authoring and adapting workspaces for seamless automations. Gain an understanding of the full spectrum of triggers and actions available in FME, empowering you to enhance your workspaces for efficient automation.
We’ll kick things off by showcasing the most commonly used event-based triggers, introducing you to various automation workflows like manual triggers, schedules, directory watchers, and more. Plus, see how these elements play out in real scenarios.
Whether you’re tweaking your current setup or building from the ground up, this session will arm you with the tools and insights needed to transform your FME usage into a powerhouse of productivity. Join us to discover effective strategies that simplify complex processes, enhancing your productivity and transforming your data management practices with FME. Let’s turn complexity into clarity and make your workspaces work wonders!
Alt. GDG Cloud Southlake #33: Boule & Rebala: Effective AppSec in SDLC using ...James Anderson
Effective Application Security in Software Delivery lifecycle using Deployment Firewall and DBOM
The modern software delivery process (or the CI/CD process) includes many tools, distributed teams, open-source code, and cloud platforms. Constant focus on speed to release software to market, along with the traditional slow and manual security checks has caused gaps in continuous security as an important piece in the software supply chain. Today organizations feel more susceptible to external and internal cyber threats due to the vast attack surface in their applications supply chain and the lack of end-to-end governance and risk management.
The software team must secure its software delivery process to avoid vulnerability and security breaches. This needs to be achieved with existing tool chains and without extensive rework of the delivery processes. This talk will present strategies and techniques for providing visibility into the true risk of the existing vulnerabilities, preventing the introduction of security issues in the software, resolving vulnerabilities in production environments quickly, and capturing the deployment bill of materials (DBOM).
Speakers:
Bob Boule
Robert Boule is a technology enthusiast with PASSION for technology and making things work along with a knack for helping others understand how things work. He comes with around 20 years of solution engineering experience in application security, software continuous delivery, and SaaS platforms. He is known for his dynamic presentations in CI/CD and application security integrated in software delivery lifecycle.
Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures for Secure Software Delivery. Gopi also has a strong connection with our customers, leading design and architecture for strategic implementations. Gopi is a frequent speaker and well-known leader in continuous delivery and integrating security into software delivery.
Pushing the limits of ePRTC: 100ns holdover for 100 daysAdtran
At WSTS 2024, Alon Stern explored the topic of parametric holdover and explained how recent research findings can be implemented in real-world PNT networks to achieve 100 nanoseconds of accuracy for up to 100 days.
zkStudyClub - Reef: Fast Succinct Non-Interactive Zero-Knowledge Regex ProofsAlex Pruden
This paper presents Reef, a system for generating publicly verifiable succinct non-interactive zero-knowledge proofs that a committed document matches or does not match a regular expression. We describe applications such as proving the strength of passwords, the provenance of email despite redactions, the validity of oblivious DNS queries, and the existence of mutations in DNA. Reef supports the Perl Compatible Regular Expression syntax, including wildcards, alternation, ranges, capture groups, Kleene star, negations, and lookarounds. Reef introduces a new type of automata, Skipping Alternating Finite Automata (SAFA), that skips irrelevant parts of a document when producing proofs without undermining soundness, and instantiates SAFA with a lookup argument. Our experimental evaluation confirms that Reef can generate proofs for documents with 32M characters; the proofs are small and cheap to verify (under a second).
Paper: https://eprint.iacr.org/2023/1886
Generative AI Deep Dive: Advancing from Proof of Concept to ProductionAggregage
Join Maher Hanafi, VP of Engineering at Betterworks, in this new session where he'll share a practical framework to transform Gen AI prototypes into impactful products! He'll delve into the complexities of data collection and management, model selection and optimization, and ensuring security, scalability, and responsible use.
Communications Mining Series - Zero to Hero - Session 1DianaGray10
This session provides introduction to UiPath Communication Mining, importance and platform overview. You will acquire a good understand of the phases in Communication Mining as we go over the platform with you. Topics covered:
• Communication Mining Overview
• Why is it important?
• How can it help today’s business and the benefits
• Phases in Communication Mining
• Demo on Platform overview
• Q/A
How to Get CNIC Information System with Paksim Ga.pptxdanishmna97
Pakdata Cf is a groundbreaking system designed to streamline and facilitate access to CNIC information. This innovative platform leverages advanced technology to provide users with efficient and secure access to their CNIC details.
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...SOFTTECHHUB
The choice of an operating system plays a pivotal role in shaping our computing experience. For decades, Microsoft's Windows has dominated the market, offering a familiar and widely adopted platform for personal and professional use. However, as technological advancements continue to push the boundaries of innovation, alternative operating systems have emerged, challenging the status quo and offering users a fresh perspective on computing.
One such alternative that has garnered significant attention and acclaim is Nitrux Linux 3.5.0, a sleek, powerful, and user-friendly Linux distribution that promises to redefine the way we interact with our devices. With its focus on performance, security, and customization, Nitrux Linux presents a compelling case for those seeking to break free from the constraints of proprietary software and embrace the freedom and flexibility of open-source computing.
Maruthi Prithivirajan, Head of ASEAN & IN Solution Architecture, Neo4j
Get an inside look at the latest Neo4j innovations that enable relationship-driven intelligence at scale. Learn more about the newest cloud integrations and product enhancements that make Neo4j an essential choice for developers building apps with interconnected data and generative AI.
A tale of scale & speed: How the US Navy is enabling software delivery from l...sonjaschweigert1
Rapid and secure feature delivery is a goal across every application team and every branch of the DoD. The Navy’s DevSecOps platform, Party Barge, has achieved:
- Reduction in onboarding time from 5 weeks to 1 day
- Improved developer experience and productivity through actionable findings and reduction of false positives
- Maintenance of superior security standards and inherent policy enforcement with Authorization to Operate (ATO)
Development teams can ship efficiently and ensure applications are cyber ready for Navy Authorizing Officials (AOs). In this webinar, Sigma Defense and Anchore will give attendees a look behind the scenes and demo secure pipeline automation and security artifacts that speed up application ATO and time to production.
We will cover:
- How to remove silos in DevSecOps
- How to build efficient development pipeline roles and component templates
- How to deliver security artifacts that matter for ATO’s (SBOMs, vulnerability reports, and policy evidence)
- How to streamline operations with automated policy checks on container images
Securing your Kubernetes cluster_ a step-by-step guide to success !KatiaHIMEUR1
Today, after several years of existence, an extremely active community and an ultra-dynamic ecosystem, Kubernetes has established itself as the de facto standard in container orchestration. Thanks to a wide range of managed services, it has never been so easy to set up a ready-to-use Kubernetes cluster.
However, this ease of use means that the subject of security in Kubernetes is often left for later, or even neglected. This exposes companies to significant risks.
In this talk, I'll show you step-by-step how to secure your Kubernetes cluster for greater peace of mind and reliability.
2. Introduction:
WPA-TKIP Protocol
Existing Attacks
New Attacks:
Denial of Service
Fragmentation Attack
MIC Reset Attack
3. We will cover:
Connecting
Sending & receiving packets
Quality of Service (QoS) extension
Design Constraints:
Must run on legacy hardware
Uses (hardware) WEP encapsulation
4. Defined by EAPOL and results in a session key
What people normally capture & crack
5. Result of handshake is 512 bit session key
Renewed after rekeying timeout (1 hour)
EAPOL protection DataEncr MIC1 MIC2
DataEncr key: used to encrypt packets
MIC keys (Message Integrity Code):
Verify integrity of data. But why two?
6. WPA-TKIP designed for old hardware
Couldn’t use strong integrity checks (CCMP)
New algorithm called Michael was created
Weakness: plaintext + MIC reveals MIC key
To improve security two MIC keys are used
MIC1 for AP to client communication
MIC2 for client to AP communication
7. TSC Data MIC CRC
Encrypted
Calculate MIC to assure integrity
WEP Encapsulation:
Calculate CRC
Encrypt the packet using RC4
Add replay counter (TSC) to avoid replays
8. TSC Data MIC CRC
Encrypted
WEP decapsulation:
Verify TSC to prevent replays
Decrypt packet using RC4
Verify CRC
Verify MIC to assure authenticity
9. Replay counter & CRC are good, but MIC not
Transmission error unlikely
Network may be under attack!
Defense mechanism on MIC failure:
Client sends MIC failure report to AP
AP silently logs failure
Two failures in 1 min: network down for 1 min
10. Defines several QoS channels
Implemented by new field in 802.11 header
QoS TSC Data MIC CRC
unencrypted Encrypted
Individual replay counter (TSC) per channel
Used to pass replay counter check of receiver!
11. Channel TSC
0: Best Effort 4000
1: Background 0
2: Video 0
3: Voice 0
Support for up to 8 channels
But WiFi certification only requires 4
12. Introduction:
WPA-TKIP Protocol
Existing Attacks
New Attacks:
Denial of Service
Fragmentation Attack
MIC Reset Attack
13. Martin Beck: TU-Dresden, Germany
Erik Tews: TU-Darmstadt, Germany
First known attack on TKIP, requires QoS
Decrypts ARP reply sent from AP to client
MIC key for AP to client
Takes at least 8 minutes to execute
14. QoS TSC Data MIC CRC
QoS TSC Data MIC’ CRC'
Remove last byte
CRC can be corrected if last byte is known
Try all 256 values & send using diff. priority
On correct guess: MIC failure report
15. Takes 12 minutes to execute
Limited impact: injection of 3-7 small packets
16. An improved attack on TKIP
2009/11: targets DHCP Ack packet
Cryptanalysis for RC4 and Breaking WPA-TKIP
2011/11: Removes QoS requirement
Falsification Attacks against WPA-TKIP in a realistic
environment
2012/02: Reduces execution time to 8 minutes
17. Unpublished (Martin Beck, 2010)
Suggests fragmentation attack
Not implemented, unrealistic usage example
MIC Reset Attack
Implemented, but PoC not available
Incorrect theoretical analysis
Suggests a decryption attack
Not implemented & contains essential flaw
18. Papers about Denial of Service (DoS) attacks:
802.11 DoS attack: real vulnerabilities and
practical solutions
2003: Not specific to TKIP, but WiFi in general
A study of the TKIP cryptographic DoS attack
2007: Requires man-in-the-middle position
19. Introduction:
WPA-TKIP Protocol
Existing Attacks
New Attacks:
Denial of Service
Fragmentation Attack
MIC Reset Attack
20. MIC = Michael(MAC dest,
MAC source,
MIC key,
priority,
data)
Rc4key = MixKey(MAC transmitter,
key,
TSC)
21. Key observations:
Individual replay counter per priority
Priority influences MIC but not encryption key
Two MIC failures: network down
What happens when the priority is changed?
22. Capture packet, change priority, replay
On Reception :
Verify replay counter
Decrypt packet using RC4
Verify CRC (leftover from WEP)
Verify MIC to assure authenticity
23. Capture packet, change priority, replay
On Reception :
Verify replay counter OK
Decrypt packet using RC4 OK
Verify CRC (leftover from WEP) OK
Verify MIC to assure authenticity FAIL
Do this twice: Denial of Service
24. Disadvantage: attack fails if QoS is disabled
Cryptanalysis for RC4 and breaking WPA:
Capture packet, add QoS header, change priority,
replay
On Reception:
Doesn’t check whether QoS is actually used
Again bypass replay counter check
MIC still dependent on priority
25. Example: network with 20 connected clients
Old deauthentication attack:
Must continuously sends packets
Say 10 deauths per client per second
(10 * 60) * 20 = 12 000 frames per minute
New attack
2 frames per minute
26. Specifically exploits flaws in WPA-TKIP
Takes down network for 1 minute yet requires
no man-in-the-middle position
Requires sending only two packets to take
down the network for 1 minute
27. Introduction:
WPA-TKIP Protocol
Existing Attacks
New Attacks:
Denial of Service
Fragmentation Attack
MIC Reset Attack
28. What is needed to inject packets:
MIC key
Result of Beck & Tews attack
Unused replay counter
Inject packet on unused QoS channel
Keystream corresponding to replay counter
Beck & Tews results in only one keystream…
How can we get more? First need to know RC4!
29. Stream cipher
XOR-based
This means: Ciphertext
Plaintext
Keystream
Predicting the plaintext gives the keystream
30. Simplified:
All data packets start with LLC header
Different for APR, IP and EAPOL packets
Detect ARP & EAPOL based on length
Everything else: IP
Practice: almost no incorrect guesses!
Gives us 12 bytes keystream for each packet
31. But is 12 bytes enough to send a packet?
No, MIC & CRC alone are 12 bytes.
If only we could somehow combine them…
Using 802.11 fragmentation we can combine
16 keystreams to send one large packet
32. Data MIC
Data1 Data2 Data16 MIC
TSC1 Data1 CRC1 TSC16 Data16 MIC CRC16
MIC calculated over complete packet
Each fragment has CRC and different TSC
12 bytes/keystream: inject 120 bytes of data
33. Beck & Tews attack: MIC key AP to client
Predict packets & get keystreams
Combine short keystreams by fragmentation
Send over unused QoS channel
What can we do with this?
ARP/DNS Poisoning
Sending TCP SYN packets: port scan!
34. A few notes:
Scan 500 most popular ports
Detect SYN/ACK based on length
Avoid multiple SYN/ACK’s: send RST
Port scan of internal client:
Normally not possible
We are bypassing the network firewall / NAT!
36. Introduction:
WPA-TKIP Protocol
Existing Attacks
New Attacks:
Denial of Service
Fragmentation Attack
MIC Reset Attack
37. Assume we know the MIC key
We know the initial MIC state for packets
Attack idea:
Construct a packet, so that after processing
it, the state is equal to the inital state.
We can then append a random packet to it,
knowing that its MIC value is valid.
38. Targeted packet
Prefix Magic Data MIC
State1
State1: initial state of every packet
39. Targeted packet
Prefix Magic Data MIC
State2
State1: initial state of every packet
State2: state after processing prefix
40. Targeted packet
Prefix Magic Data MIC
State3
State1: initial state of every packet
State2: state after processing prefix
State3: equal to state1 due to magic bytes
41. Targeted packet
Prefix Magic Data MIC
State4
State1: initial state of every packet
State2: state after processing prefix
State3: equal to state1 due to magic bytes
State4: equal to MIC of targeted packet!
42. How to calculate the magic bytes?
Method suggested in unpublished paper
Essentially a birthday attack
Has been verified, indeed works
Theoretical analysis:
Was done very informal & contained errors
Done correctly using probability theory
43. The prefix attack can be used to decrypt the
targeted packet.
Unpublished paper:
Suggested the prefix to be a ping request
Reply will echo the data = targeted packet
Flaw: ping request contains checksum
As the targeted packet is unknown, we cannot
calculate the checksum, packet will be dropped
44. The prefix attack can be used to decrypt the
targeted packet.
Solution:
Prefix is UDP packet to closed port
UDP doesn’t require a checksum
Assuming port is closed, host will reply with
ICMP unreachable containing the UDP packet
Make it reply to external ip
45. In practice:
Capture a packet from AP to client
Send the prefix using fragmentation
Send the targeted packet
Reply of client contains complete packet
Assumes client isn’t running a firewall
Rudimantary PoC is working
46. Correct theoretical analysis
Using clear assumptions & probability theory
Verified by practical experiments!
Working decryption attack:
Their suggestion contained an essential flaw
Different technique based on UDP packets
Rudimentairy proof of concept is working (WIP)
47. Highly efficient Denial of Service
Very reliable PoC
Fragmentation to launch actual attacks
Verified that fragmentation works
Reliable PoC portscan attack
MIC reset to decrypt AP to client packets
Correct theoretical analysis
UDP technique
PoC is work in progress