
RE: Perpetuating weak wireless security: msg#00027

security.wireless

Subject: RE: Perpetuating weak wireless security

On Tuesday, 08 May 2007 at 16:15 -0400, Nico Darrow wrote:
> [ND] - All WEP decryption happens on chip so it doesn't bog CPU usage.

Right.

> [ND] - This technology will be available for peer review by the public
> when it is released.

I'm looking forward to having a look at it.

> [ND] - When companies purchase equipment they usually have a life
> cycle of hardware (ie 5 years ) before an overhaul upgrade can be
> done.

Check previous thread. I cite two cases where I could audit companies in
this very situation.

> [ND] - I do like your WifiTap tool, I use it a lot. Although, you do
> require the WEP key to do injection over PSPF with it.

Next version will support fragmentation so it can inject arbitrary frames
from a given keystream, and a tool to extract such keystreams. You won't
be able to read traffic though.

> [ND] Aircrack-ptw requires arp-broadcasts to work for the quick
> cracking bit.

Not quite.
Aircrack-ptw needs ARP traffic so it can easily retrieve 16 bytes of
keystream. These ARP packets can be requests or replies. And as you
know, replies are sent unicast. In fact, when you attack a network with
ARP injection, the valuable traffic for aircrack is unicast ARP traffic. You
keep replaying ARP requests to stimulate the emission of ARP replies, sent
unicast. As you may know as well, ARP requests can also be sent unicast.

> [ND] - Cisco AP, two vlans, one running WEP, one running LEAP with
> Dynamic WEP. Client roams between the two. No tools work. I get your
> point tho.

The "Same as above" was referring to the fact that, although there's
currently no tool available to do it out of the box, attacks are still
there. It's just a question of finding an elegant (or dumb) way to
bypass the limitation and implementing ;)

> [ND] - Which tools follow clients when roaming? Nothing off the shelf
> that I know of.

Same as above. I agree no tool can do that, but thinking of it, I'm
sceptical about this roaming thing.
Say you have two APs. The classical WEP cracking attack described everywhere
starts with associating a random MAC address you will use to reinject
ARP traffic. Right? Now, whether your client is on AP1 or AP2, you just
don't care, because you're rewriting the 802.11 header, putting in your
arbitrary MAC address and the BSSID you want to inject to.
There could be MAC filtering, right. So you have to use a legitimate
MAC. If this MAC is not up, then see above. If it is, what is preventing
the same MAC address from being associated to AP1 and AP2 at the same time?
In fact, pre-authenticating to neighbour APs is sometimes done to decrease
roaming handover time.

> [ND] - Merci Bocu, you got yourself a deal.

s/Bocu/beaucoup ;) Anyway, we have a deal.

> [ND] - Yeah I love the trapeze hardware, it's really cool and works
> fantastic. We've got some awesome new features coming out in the near
> future, so stay tuned :-D

I met Matthew Gast in Singapore two weeks ago. Interesting discussion.


Regards.


--
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
SyScan'07: 2 days of WiFi training and practice in Singapore
http://syscan.org/reg_training.html
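Two of the points above (that ARP replay works by re-sending the same encrypted request over and over to provoke unicast replies, and that nothing stops one MAC from being associated to AP1 and AP2 at the same time) translate directly into monitoring heuristics. The following Python is an added example written for this page, not code from the message's author, from WifiTap or from the aircrack-ptw project. It runs over constructed frame metadata (timestamp, addresses, BSSID, on-air length, WEP IV); the 68-byte ARP frame size, the MAC addresses and the thresholds are assumptions chosen for the example.

```python
"""Two wireless-IDS heuristics over 802.11 frame metadata (added example).

All sample data is constructed inline; nothing here is captured traffic."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Frame:
    ts: float      # capture timestamp in seconds
    src: str       # transmitter address
    dst: str       # receiver address
    bssid: str     # BSSID the frame belongs to
    length: int    # on-air frame length in bytes
    iv: int        # 24-bit WEP IV carried in the frame


# Assumed on-air size of a WEP-encrypted ARP frame: 24 (802.11 header) + 4 (IV)
# + 8 (LLC/SNAP) + 28 (ARP) + 4 (ICV). Measure this on the real network.
WEP_ARP_FRAME_LEN = 68


def detect_arp_replay(frames: List[Frame], window: float = 5.0,
                      threshold: int = 30) -> Dict[str, int]:
    """Return {src: largest burst} for stations that send `threshold` or more
    ARP-sized frames carrying the *same* IV inside any `window`-second span.

    A replayed ARP request is re-sent byte for byte, so its IV never changes;
    a live station's WEP IV changes with every frame it encrypts."""
    by_key: Dict[Tuple[str, int], List[float]] = defaultdict(list)
    for f in frames:
        if f.length == WEP_ARP_FRAME_LEN:
            by_key[(f.src, f.iv)].append(f.ts)
    hits: Dict[str, int] = {}
    for (src, _iv), times in by_key.items():
        times.sort()
        lo = 0
        for hi in range(len(times)):          # sliding window over timestamps
            while times[hi] - times[lo] > window:
                lo += 1
            burst = hi - lo + 1
            if burst >= threshold:
                hits[src] = max(hits.get(src, 0), burst)
    return hits


def detect_multi_bssid_clients(frames: List[Frame],
                               window: float = 10.0) -> Dict[str, List[str]]:
    """Return {client: sorted BSSIDs} for clients whose traffic keeps switching
    between BSSIDs within `window` seconds. One switch is a normal roam; a
    client that bounces back and forth is either on two APs at once or its
    MAC is also in use by someone else."""
    per_client: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for f in frames:
        per_client[f.src].append((f.ts, f.bssid))
    flagged: Dict[str, List[str]] = {}
    for client, seq in per_client.items():
        seq.sort()
        # timestamps at which the client's BSSID differs from the previous frame
        switches = [t for i, (t, b) in enumerate(seq) if i and b != seq[i - 1][1]]
        for i in range(1, len(switches)):
            if switches[i] - switches[i - 1] <= window:
                flagged[client] = sorted({b for _, b in seq})
                break
    return flagged


# Constructed addresses for the sample capture
AP1 = "02:00:00:00:00:01"
AP2 = "02:00:00:00:00:02"
LEGIT = "02:00:00:00:00:10"
REPLAYER = "02:00:00:00:00:66"


def sample_frames() -> List[Frame]:
    """Constructed capture: one well-behaved client, one station replaying."""
    frames: List[Frame] = []
    # Legitimate client: fresh IV per frame, a single clean roam AP1 -> AP2.
    for i in range(10):
        size = WEP_ARP_FRAME_LEN if i % 3 == 0 else 120
        frames.append(Frame(float(i), LEGIT, AP1, AP1, size, 0x100000 + i))
    for i in range(10, 20):
        frames.append(Frame(30.0 + i, LEGIT, AP2, AP2, 120, 0x100000 + i))
    # Replay: the same 68-byte broadcast ARP request (same IV) 60 times in < 2 s.
    for i in range(60):
        frames.append(Frame(100.0 + 0.03 * i, REPLAYER, "ff:ff:ff:ff:ff:ff",
                            AP1, WEP_ARP_FRAME_LEN, 0x0ABCDE))
    # The same MAC then alternates between AP1 and AP2 every second.
    for i in range(6):
        ap = AP1 if i % 2 == 0 else AP2
        frames.append(Frame(200.0 + i, REPLAYER, ap, ap, 120, 0x200000 + i))
    return frames


if __name__ == "__main__":
    capture = sample_frames()
    print("ARP replay suspects:", detect_arp_replay(capture))
    print("Clients on several BSSIDs:", detect_multi_bssid_clients(capture))
```

The IV-repetition test is the discriminating one: a station legitimately sending lots of small frames will still rotate its IV, so matching on frame length alone would only tell you that ARP is flowing. The BSSID heuristic deliberately tolerates a single transition, since that is what a normal roam looks like; both thresholds need tuning against the network's real traffic before they are worth alerting on.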
