gоrdey @ ptsеcurity comIntroduction
Speaking about WEP protocol vulnerabilities in 2007 seems possible only in the context of a historical retrospective, however, anyone can easily come across it even today. All the known WEP hacking techniques are primarily aimed at access points and require interaction with AP. This article describes a technique that allows restoring a WEP key not accessing AP and being within the station radio coverage.
For instance, a WEP key to a home access point can be obtained when its owner uses a laptop in a plane or office.
Attacks against wireless network clients
Attacks against wireless network clients are an effective malware tool. One of the most wide-spread techniques is creation of a false access point.
According to the researches based on the technique Gnivirdraw, up to 80% of clients contain insecure connections in a profile or connect to false access points for other reasons. However, if a station uses any security mechanisms, even such as WEP, attackers have fewer chances to succeed. A malware user can set a false access point with an arbitrary WEP key and a lot of clients will connect to this point on the channel level, but they will be unable to exchange information.
Fig. 1. Connecting to a false access point
The majority of up-to-date TCP/IP stack implementations generate some amount of network traffic upon connection to the network. The messages of such protocols as DHCP, NetBIOS, IPv6 NDP are a good example. However, the number of transferred packets in this case is not enough to conduct the KoreK attack, which requires tens of thousands of packets with different initialization vectors (IV).
To hack WEP, it is necessary to provoke a connected client to transfer sufficient number of packets with the different values of initialization vectors. This task can be solved by transferring messages, which require a response (ARP, ICMP-Echo, IPv6 NDP), to a client. And it should be done without knowing the WEP key.
There are a lot of ways to create WEP packets not knowing encryption keys. The most efficient is fragmentation in 802.11. This technique consists in conducting of an attack with a known plaintext. Exploiting the predictable format of the LLC headers, it is possible to restore 8 bytes of the array (the PRGA in RC4, hereinafter PRGA). For this, the first 8 encrypted bytes are added modulo 2 to the constant that contains the standard values of the LLC headers (see fig. 2).
Fig. 2. Restoring PRGA
As it is seen, the last two bytes of the LLC header can be changed. Their value determines the type of a higher-level protocol. Possible values of these fields are described in the IANA documents.
In the majority of cases wireless networks are used to transfer IP traffic. Therefore, the field Ether Type can take any of three possible values: IP, ARP or IPv6.
Packets are easily distinguished by their length or service MAC addresses.
The obtained 8 bytes can be used to transfer arbitrary data of the same length to the network. When a client's packet is hijacked and the PRGA is restored, the transferred packet is divided into several fragments with 4 bytes of data each (see fig. 3).
Fig. 3. Transferring of fragmented frames
Each of them is transferred as an individual frame using fragmentation in 802.11. The packets are appended by a checksum (WEP ICV) and encrypted with the restored PRGA.
It is possible to transfer a more significant data volume using peculiar features of the protocols:
- For an ARP packet, PRGA bytes can be restored using LLC, ARP or MAC addresses.
- For IPv6 NDP Neighbor Solicitation or Router Solicitation, up to 50 bytes can be restored (LLC headers + IP headers + 2 bytes of the ICMP headers).
Packets, which size is less than 736 bytes, can be transferred to the network using 50 bytes of the PRGA ((50-4)*16) — it is more than enough for practical purposes.
An ARP request can be used to generate client-side traffic. For the station to respond to an ARP request, the field Target IP should contain the current IP address of the interface. A malware user does not have this information, because addresses are transferred in an encrypted form in packets.
To obtain the IP address of the station, one can make use of ARP scanning, that is of ARP requests sending to various addresses of recipients and waiting for a response.
Fig. 4. ARP scanning
Addresses from the APIPA range (169.254/32) or RFC 1918 addresses (e.g., 192.168.0/24) can be chosen as a range for scanning. When the IP address of the station is determined, the ARP request is transferred once again to obtain such a number of packets with various initialization vectors that is needed to conduct the KoreK attack.
If the station supports IPv6, broadcast ICMPv6 echo requests (ff02::01) can be used to determine addresses.
Fig. 5. IPv6 use
The clients based on the following OS were used in the course of the research:
- Windows XP Service Pack 2
- Linux 2.6.x
- Windows Mobile 2003 SE
Summary data is provided in the table.
The wep0ff tool (and wep0ff_ng) has been developed to demonstrate the attack described above. As practice shows, the tool allows restoring keys of WEP clients for the period from 2 to 20 minutes (depending on the system used).
Fig. 6. Wep0ff