SlideShare a Scribd company logo
1 of 44
Download to read offline
Mathy Vanhoef



                @vanhoefm

                Brucon 2012
0x00   The WPA-TKIP protocol
0x04   Denial of Service
0x08   Demo
0x0C   Beck & Tews attack
0x10   Fragmentation attack
0x14   Performing a port scan
We will cover:
 Connecting
 Sending & receiving packets
 Quality of Service (QoS) extension


Design Constraints:
 Must run on legacy hardware
 Uses (hardware) WEP encapsulation
   Defined by EAPOL and results in a session key
   What you normally capture & crack
   Result of handshake is 512 bit session key
   Renewed after rekeying timeout (1 hour)

      EAPOL protection      DataEncr   MIC1 MIC2


   DataEncr key: used to encrypt packets
   MIC keys (Message Integrity Code):
     Verify integrity of data. But why two?
   WPA-TKIP designed for old hardware
     Couldn’t use strong integrity checks (CCMP)
   New algorithm called Michael was created
     Weakness: plaintext + MIC reveals MIC key


   To improve security two MIC keys are used
     MIC1 for AP to client communication
     MIC2 for client to AP communication
TSC             Data               MIC      CRC

                       Encrypted

   Calculate MIC to assure integrity
   WEP Encapsulation:
     Calculate CRC
     Encrypt the packet using RC4
     Add replay counter (TSC) to avoid replays
TSC                Data               MIC   CRC

                          Encrypted

   WEP decapsulation:
     Verify TSC to prevent replays
     Decrypt packet using RC4
     Verify CRC
   Verify MIC to assure authenticity
   Replay counter & CRC are good, but MIC not
     Transmission error unlikely
     Network may be under attack!


Defense mechanism on MIC failure:
 Client sends MIC failure report to AP
 AP silently logs failure
 Two failures in 1 min: network down for 1 min
   Defines several QoS channels
     Implemented by new field in 802.11 header

QoS TSC              Data               MIC    CRC

unencrypted                 Encrypted

     Individual replay counter (TSC) per channel
     Used to pass replay counter check of receiver!
Channel            TSC
       0: Best Effort       4000
       1: Background        0
       2: Video             0
       3: Voice             0


   Support for up to 8 channels
   But WiFi certification only requires 4
   MIC = Michael(MAC dest,
                  MAC source,
                  MIC key,
                  priority,
                  data)

   Rc4key = MixKey(MAC transmitter,
                    key,
                    TSC)
   The previous slides contain all the info to find
    a denial of service attack, any ideas? 
   The previous slides contain all the info to find
    a denial of service attack, any ideas?

   Key observations:
     Individual replay counter per priority
     Priority influences MIC but not encryption key
     Two MIC failures: network down


   What happens when the priority is changed?
   Capture packet, change priority, replay

On Reception :
 Verify replay counter
 Decrypt packet using RC4
 Verify CRC (leftover from WEP)
 Verify MIC to assure authenticity
   Capture packet, change priority, replay

On Reception :
 Verify replay counter                OK
 Decrypt packet using RC4             OK
 Verify CRC (leftover from WEP)       OK
 Verify MIC to assure authenticity    FAIL
 Do this twice: Denial of Service
   Disadvantage: attack fails if QoS is disabled
   Solution: Capture packet, add QoS header,
    change priority, replay

On Reception:
 Doesn’t check whether QoS is actually used
 Again bypass replay counter check
 MIC still dependent on priority
             [Cryptanalysis for RC4 and breaking WEP/WPA-TKIP]
Attacker: VMWare   vs.   Victim: Windows
   Example: network with 20 connected clients

   Deauthentication attack:
     Must continuously sends packets
     Say 10 deauths per client per second
     (10 * 60) * 20 = 12 000 frames per minute
   New attack
     2 frames per minute
0x00   The WPA-TKIP protocol
0x04   Denial of Service
0x08   Demo
0x0C   Beck & Tews attack
0x10   Fragmentation attack
0x14   Performing a port scan
   First known attack on TKIP, requires QoS
   Decrypts ARP reply sent from AP to client

   Simplified: each byte is decrypted by sending
    a modified packet for all 256 possible values:
     Wrong guess: CRC invalid
     Correct guess: CRC valid but MIC failure
   MIC key for AP to client
   Takes 12 minutes to execute
   Limited impact: injection of 3-7 small packets
What is needed to inject packets:
 MIC key
     Result of Beck & Tews attack
   Unused replay counter
     Inject packet on unused QoS channel
   Keystream corresponding to replay counter
     Beck & Tews results in only one keystream…
     How can we get more? First need to know RC4!
   Stream cipher
   XOR-based

This means:         Ciphertext

                    Plaintext

                    Keystream

 Predicting the plaintext gives the keystream
Simplified:
 All data packets start with LLC header
 Different for APR, IP and EAPOL packets
 Detect ARP & EAPOL based on length
 Everything else: IP


   Practice: almost no incorrect guesses!
   Gives us 12 bytes keystream for each packet
   But is 12 bytes enough to send a packet?
   No, MIC & CRC alone are 12 bytes.

If only we could somehow combine them…
…well, title of this section is fragmentation
   But is 12 bytes enough to send a packet?
   No, MIC & CRC alone are 12 bytes.

If only we could somehow combine them…
…well, title of this section is fragmentation

   Using 802.11 fragmentation we can combine
    16 keystreams to send one large packet
Data             MIC


     Data1      Data2             Data16 MIC


TSC1    Data1    CRC1          TSC16 Data16    MIC   CRC16


    MIC calculated over complete packet
    Each fragment has CRC and different TSC
    12 bytes/keystream: inject 120 bytes of data
   Beck & Tews attack: MIC key AP to client
   Predict packets & get keystreams
   Combine short keystreams by fragmentation
   Send over unused QoS channel

What can we do with this?
 ARP/DNS Poisoning
 Sending TCP SYN packets: port scan!
A few notes:
 Scan 500 most popular ports
 Detect SYN/ACK based on length
 Avoid multiple SYN/ACK’s: send RST


Port scan of internal client:
 Normally not possible
 We are bypassing the network firewall / NAT!
Building packets sucks… 
tcpdump -i mon0 -w crash.pcap
   Target will send outgoing SYN/ACK
   Will this go through the firewall/NAT?
   Normally not…

       Device             SYN/ACK forwarded?
       Scarlet VDSL Box   No
       WAG320N            No
       OpenBSD/PF         No
       DD-WRT             When SPI is disabled
   Realistic in practice?
   Bidirectional traffic is possible

                                   Internet
         Access Point




Client                  Attacker
   Realistic in practice?
   Bidirectional traffic is possible

                                   Internet
         Access Point




Client                  Attacker
   Realistic in practice?
   Bidirectional traffic is possible

                                   Internet
         Access Point




Client                  Attacker
   Realistic in practice?
   Can connect to open ports

                                   Internet
         Access Point




Client                  Attacker
   Client running SSH server with weak password
   Bypass firewall using fragmentation attack
   Bidirectional communication is possible
   Connect to SSH server as root
   Dump the network password!



Note: not been tested
Beck & Tews:
 Inject 3-7 packets of 28 bytes


Fragmentation:
 Inject arbitrary amount of packets
 With a size up to 120 bytes
 Additionally, exploit IP fragmentation to
  transmit IP packets of arbitrary size
Belkin F5D7053:
 Ignores TSC… you can simply replay a packet
 When connected to a protected network, it
  still accepts unencrypted packets
   Very efficient Denial of Service
   Use fragmentation to launch actual attacks

   Forced to use WPA-TKIP?
     Use short rekeying timeout (2 mins)
     Disable QoS and update drivers (if possible)


   Update to WPA2-AES
     Specifically set encryption to AES only
@vanhoefm

Brucon 2012

More Related Content

What's hot

Cracking wpa2 psk in the cloud
Cracking wpa2 psk in the cloudCracking wpa2 psk in the cloud
Cracking wpa2 psk in the cloud
Fotios Lindiakos
 

What's hot (20)

Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hacking
 
Hacking Wireless Networks : Null Delhi (November)
Hacking Wireless Networks : Null Delhi (November)Hacking Wireless Networks : Null Delhi (November)
Hacking Wireless Networks : Null Delhi (November)
 
Practical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacksPractical steps to mitigate DDoS attacks
Practical steps to mitigate DDoS attacks
 
Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)Ddos and mitigation methods.pptx (1)
Ddos and mitigation methods.pptx (1)
 
Cracking wpa2 psk in the cloud
Cracking wpa2 psk in the cloudCracking wpa2 psk in the cloud
Cracking wpa2 psk in the cloud
 
Hacking wireless networks
Hacking wireless networksHacking wireless networks
Hacking wireless networks
 
DDoS Attack on DNS using infected IoT Devices
DDoS Attack on DNS using infected IoT DevicesDDoS Attack on DNS using infected IoT Devices
DDoS Attack on DNS using infected IoT Devices
 
10 DDoS Mitigation Techniques
10 DDoS Mitigation Techniques10 DDoS Mitigation Techniques
10 DDoS Mitigation Techniques
 
Packet sniffing & ARP Poisoning
 Packet sniffing & ARP Poisoning  Packet sniffing & ARP Poisoning
Packet sniffing & ARP Poisoning
 
DDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDNDDoS Attack Detection & Mitigation in SDN
DDoS Attack Detection & Mitigation in SDN
 
Mobile Security - Wireless hacking
Mobile Security - Wireless hackingMobile Security - Wireless hacking
Mobile Security - Wireless hacking
 
Anton Chuvakin on Honeypots
Anton Chuvakin on HoneypotsAnton Chuvakin on Honeypots
Anton Chuvakin on Honeypots
 
Wireless Attacks
Wireless AttacksWireless Attacks
Wireless Attacks
 
Barriers to TOR Research at UC Berkeley
Barriers to TOR Research at UC BerkeleyBarriers to TOR Research at UC Berkeley
Barriers to TOR Research at UC Berkeley
 
Securing wireless network
Securing wireless networkSecuring wireless network
Securing wireless network
 
Строим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атакиСтроим ханипот и выявляем DDoS-атаки
Строим ханипот и выявляем DDoS-атаки
 
How the CC Harmonizes with Secure Software Development Lifecycle
How the CC Harmonizes with Secure Software Development LifecycleHow the CC Harmonizes with Secure Software Development Lifecycle
How the CC Harmonizes with Secure Software Development Lifecycle
 
Type of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 exampleType of DDoS attacks with hping3 example
Type of DDoS attacks with hping3 example
 
DDoS Attack Preparation and Mitigation
DDoS Attack Preparation and MitigationDDoS Attack Preparation and Mitigation
DDoS Attack Preparation and Mitigation
 
Exploiting WiFi Security
Exploiting WiFi Security Exploiting WiFi Security
Exploiting WiFi Security
 

Similar to New flaws in WPA-TKIP

Wireless security837
Wireless security837Wireless security837
Wireless security837
mark scott
 
4 wifi security
4 wifi security4 wifi security
4 wifi security
al-sari7
 
5169 wireless network_security_amine_k
5169 wireless network_security_amine_k5169 wireless network_security_amine_k
5169 wireless network_security_amine_k
Rama Krishna M
 

Similar to New flaws in WPA-TKIP (20)

Wireless security837
Wireless security837Wireless security837
Wireless security837
 
4 wifi security
4 wifi security4 wifi security
4 wifi security
 
Hacking Cisco
Hacking CiscoHacking Cisco
Hacking Cisco
 
5169 wireless network_security_amine_k
5169 wireless network_security_amine_k5169 wireless network_security_amine_k
5169 wireless network_security_amine_k
 
Pentesting layer 2 protocols
Pentesting layer 2 protocolsPentesting layer 2 protocols
Pentesting layer 2 protocols
 
12 tcp-dns
12 tcp-dns12 tcp-dns
12 tcp-dns
 
Wireless hacking and security
Wireless hacking and securityWireless hacking and security
Wireless hacking and security
 
Wireless Security null seminar
Wireless Security null seminarWireless Security null seminar
Wireless Security null seminar
 
Wireless network security
Wireless network securityWireless network security
Wireless network security
 
Wifi Security
Wifi SecurityWifi Security
Wifi Security
 
Resilience in the ZigBee Residential Mode
Resilience in the ZigBee Residential ModeResilience in the ZigBee Residential Mode
Resilience in the ZigBee Residential Mode
 
WLAN SECURITY BY SAIKIRAN PANJALA
WLAN SECURITY BY SAIKIRAN PANJALAWLAN SECURITY BY SAIKIRAN PANJALA
WLAN SECURITY BY SAIKIRAN PANJALA
 
Security Issues of IEEE 802.11b
Security Issues of IEEE 802.11bSecurity Issues of IEEE 802.11b
Security Issues of IEEE 802.11b
 
Security Issues of 802.11b
Security Issues of 802.11bSecurity Issues of 802.11b
Security Issues of 802.11b
 
Cys Report Krack Attack Threat Briefing
Cys Report Krack Attack Threat BriefingCys Report Krack Attack Threat Briefing
Cys Report Krack Attack Threat Briefing
 
SAS (Secure Active Switch)
SAS (Secure Active Switch)SAS (Secure Active Switch)
SAS (Secure Active Switch)
 
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhar...
 
Cours4.pptx
Cours4.pptxCours4.pptx
Cours4.pptx
 
Wpa vs Wpa2
Wpa vs Wpa2Wpa vs Wpa2
Wpa vs Wpa2
 
6005679.ppt
6005679.ppt6005679.ppt
6005679.ppt
 

Recently uploaded

Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
panagenda
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Peter Udo Diehl
 

Recently uploaded (20)

Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?
 
AI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří KarpíšekAI revolution and Salesforce, Jiří Karpíšek
AI revolution and Salesforce, Jiří Karpíšek
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024
 
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptxWSO2CONMay2024OpenSourceConferenceDebrief.pptx
WSO2CONMay2024OpenSourceConferenceDebrief.pptx
 
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdfHow Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 
PLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. StartupsPLAI - Acceleration Program for Generative A.I. Startups
PLAI - Acceleration Program for Generative A.I. Startups
 
How we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdfHow we scaled to 80K users by doing nothing!.pdf
How we scaled to 80K users by doing nothing!.pdf
 
IESVE for Early Stage Design and Planning
IESVE for Early Stage Design and PlanningIESVE for Early Stage Design and Planning
IESVE for Early Stage Design and Planning
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...
 
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
Behind the Scenes From the Manager's Chair: Decoding the Secrets of Successfu...
 
Oauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoftOauth 2.0 Introduction and Flows with MuleSoft
Oauth 2.0 Introduction and Flows with MuleSoft
 
A Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System StrategyA Business-Centric Approach to Design System Strategy
A Business-Centric Approach to Design System Strategy
 
TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024TopCryptoSupers 12thReport OrionX May2024
TopCryptoSupers 12thReport OrionX May2024
 
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo DiehlFuture Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
Future Visions: Predictions to Guide and Time Tech Innovation, Peter Udo Diehl
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 

New flaws in WPA-TKIP

  • 1. Mathy Vanhoef @vanhoefm Brucon 2012
  • 2. 0x00 The WPA-TKIP protocol 0x04 Denial of Service 0x08 Demo 0x0C Beck & Tews attack 0x10 Fragmentation attack 0x14 Performing a port scan
  • 3. We will cover:  Connecting  Sending & receiving packets  Quality of Service (QoS) extension Design Constraints:  Must run on legacy hardware  Uses (hardware) WEP encapsulation
  • 4. Defined by EAPOL and results in a session key  What you normally capture & crack
  • 5. Result of handshake is 512 bit session key  Renewed after rekeying timeout (1 hour) EAPOL protection DataEncr MIC1 MIC2  DataEncr key: used to encrypt packets  MIC keys (Message Integrity Code):  Verify integrity of data. But why two?
  • 6. WPA-TKIP designed for old hardware  Couldn’t use strong integrity checks (CCMP)  New algorithm called Michael was created  Weakness: plaintext + MIC reveals MIC key  To improve security two MIC keys are used  MIC1 for AP to client communication  MIC2 for client to AP communication
  • 7. TSC Data MIC CRC Encrypted  Calculate MIC to assure integrity  WEP Encapsulation:  Calculate CRC  Encrypt the packet using RC4  Add replay counter (TSC) to avoid replays
  • 8. TSC Data MIC CRC Encrypted  WEP decapsulation:  Verify TSC to prevent replays  Decrypt packet using RC4  Verify CRC  Verify MIC to assure authenticity
  • 9. Replay counter & CRC are good, but MIC not  Transmission error unlikely  Network may be under attack! Defense mechanism on MIC failure:  Client sends MIC failure report to AP  AP silently logs failure  Two failures in 1 min: network down for 1 min
  • 10. Defines several QoS channels  Implemented by new field in 802.11 header QoS TSC Data MIC CRC unencrypted Encrypted  Individual replay counter (TSC) per channel  Used to pass replay counter check of receiver!
  • 11. Channel TSC 0: Best Effort 4000 1: Background 0 2: Video 0 3: Voice 0  Support for up to 8 channels  But WiFi certification only requires 4
  • 12. MIC = Michael(MAC dest, MAC source, MIC key, priority, data)  Rc4key = MixKey(MAC transmitter, key, TSC)
  • 13. The previous slides contain all the info to find a denial of service attack, any ideas? 
  • 14. The previous slides contain all the info to find a denial of service attack, any ideas?  Key observations:  Individual replay counter per priority  Priority influences MIC but not encryption key  Two MIC failures: network down  What happens when the priority is changed?
  • 15. Capture packet, change priority, replay On Reception :  Verify replay counter  Decrypt packet using RC4  Verify CRC (leftover from WEP)  Verify MIC to assure authenticity
  • 16. Capture packet, change priority, replay On Reception :  Verify replay counter OK  Decrypt packet using RC4 OK  Verify CRC (leftover from WEP) OK  Verify MIC to assure authenticity FAIL  Do this twice: Denial of Service
  • 17. Disadvantage: attack fails if QoS is disabled  Solution: Capture packet, add QoS header, change priority, replay On Reception:  Doesn’t check whether QoS is actually used  Again bypass replay counter check  MIC still dependent on priority [Cryptanalysis for RC4 and breaking WEP/WPA-TKIP]
  • 18. Attacker: VMWare vs. Victim: Windows
  • 19. Example: network with 20 connected clients  Deauthentication attack:  Must continuously sends packets  Say 10 deauths per client per second  (10 * 60) * 20 = 12 000 frames per minute  New attack  2 frames per minute
  • 20. 0x00 The WPA-TKIP protocol 0x04 Denial of Service 0x08 Demo 0x0C Beck & Tews attack 0x10 Fragmentation attack 0x14 Performing a port scan
  • 21. First known attack on TKIP, requires QoS  Decrypts ARP reply sent from AP to client  Simplified: each byte is decrypted by sending a modified packet for all 256 possible values:  Wrong guess: CRC invalid  Correct guess: CRC valid but MIC failure  MIC key for AP to client
  • 22. Takes 12 minutes to execute  Limited impact: injection of 3-7 small packets
  • 23. What is needed to inject packets:  MIC key  Result of Beck & Tews attack  Unused replay counter  Inject packet on unused QoS channel  Keystream corresponding to replay counter  Beck & Tews results in only one keystream…  How can we get more? First need to know RC4!
  • 24. Stream cipher  XOR-based This means: Ciphertext Plaintext Keystream  Predicting the plaintext gives the keystream
  • 25. Simplified:  All data packets start with LLC header  Different for APR, IP and EAPOL packets  Detect ARP & EAPOL based on length  Everything else: IP  Practice: almost no incorrect guesses!  Gives us 12 bytes keystream for each packet
  • 26. But is 12 bytes enough to send a packet?  No, MIC & CRC alone are 12 bytes. If only we could somehow combine them… …well, title of this section is fragmentation
  • 27. But is 12 bytes enough to send a packet?  No, MIC & CRC alone are 12 bytes. If only we could somehow combine them… …well, title of this section is fragmentation  Using 802.11 fragmentation we can combine 16 keystreams to send one large packet
  • 28. Data MIC Data1 Data2 Data16 MIC TSC1 Data1 CRC1 TSC16 Data16 MIC CRC16  MIC calculated over complete packet  Each fragment has CRC and different TSC  12 bytes/keystream: inject 120 bytes of data
  • 29. Beck & Tews attack: MIC key AP to client  Predict packets & get keystreams  Combine short keystreams by fragmentation  Send over unused QoS channel What can we do with this?  ARP/DNS Poisoning  Sending TCP SYN packets: port scan!
  • 30. A few notes:  Scan 500 most popular ports  Detect SYN/ACK based on length  Avoid multiple SYN/ACK’s: send RST Port scan of internal client:  Normally not possible  We are bypassing the network firewall / NAT!
  • 31.
  • 33.
  • 34. tcpdump -i mon0 -w crash.pcap
  • 35. Target will send outgoing SYN/ACK  Will this go through the firewall/NAT?  Normally not… Device SYN/ACK forwarded? Scarlet VDSL Box No WAG320N No OpenBSD/PF No DD-WRT When SPI is disabled
  • 36. Realistic in practice?  Bidirectional traffic is possible Internet Access Point Client Attacker
  • 37. Realistic in practice?  Bidirectional traffic is possible Internet Access Point Client Attacker
  • 38. Realistic in practice?  Bidirectional traffic is possible Internet Access Point Client Attacker
  • 39. Realistic in practice?  Can connect to open ports Internet Access Point Client Attacker
  • 40. Client running SSH server with weak password  Bypass firewall using fragmentation attack  Bidirectional communication is possible  Connect to SSH server as root  Dump the network password! Note: not been tested
  • 41. Beck & Tews:  Inject 3-7 packets of 28 bytes Fragmentation:  Inject arbitrary amount of packets  With a size up to 120 bytes  Additionally, exploit IP fragmentation to transmit IP packets of arbitrary size
  • 42. Belkin F5D7053:  Ignores TSC… you can simply replay a packet  When connected to a protected network, it still accepts unencrypted packets
  • 43. Very efficient Denial of Service  Use fragmentation to launch actual attacks  Forced to use WPA-TKIP?  Use short rekeying timeout (2 mins)  Disable QoS and update drivers (if possible)  Update to WPA2-AES  Specifically set encryption to AES only