13 replies to this topic

[SPEhosting]

WIRED EQUIVALENT PRIVACY (WEP) a wireless security measure

hi, I need to try and find more information on WEP I am doing a project (1 of many ) and i need to learn everything I can about WEP ... in extreme detail .. I need to see how and why it is so easily exploited with detailed explanations (I dont need to know how to hack it...just making that clear)

any help will be great..

once again to be clear (just so admins know) I am not asking how to hack a WEP I am asking about the wifi encryption standard and details on the know exploits .. for example, when a key is being obtained handshakes and arps are exchanged ... why? how? what is then done with the information? etc

[Torolol]

Windows Entertaintment Pack (for win 3.x) ?

[SPEhosting]

Torolol, on 02 March 2013 - 00:40, said:

Windows Entertaintment Pack (for win 3.x) ?

I see your point... there we go all sorted

[n_K]

Look up the RFCs and IEEE standards on it which will give you all the knowledge you need to know...?
Here's one http://ieeexplore.ie...Emetadata&pos=0

[SPEhosting]

n_K, on 02 March 2013 - 00:56, said:

Look up the RFCs and IEEE standards on it which will give you all the knowledge you need to know...?
Here's one http://ieeexplore.ie...Emetadata&pos=0

woowww that is a price tag....

[n_K]

Join a college/university that subscribes and you'll get it free.

[the evn show]

You don't learn (and actually understand) that stuff in "extreme" detail in a short amount of time. It's like saying you want to know physical chemistry but don't want to get bogged down with all those orbital shapes and baryons and stuff. To get a solid understanding is going to take some real work so maybe you want to scale back a bit.

There are a number of issues with WEP - to try and boil it down to something "simple" is like trying to explain why Greece's economy is buggered. It's not a question with a meaningful 'short' answer. The first major paper discussing issues with WEP was by Borisov, Goldberg, and Wagner (which I only remember because we used to make wrestling jokes about it during the lectures when it was discussed). That'd be the place to start I suppose. It's a cryptanalysis of WEP from around 2000-ish that was a pretty big deal.

Since then there have been hundreds of papers that identify different weaknesses in WEP and RC4 and highlight novel attacks against them. Not only are their systemic problems WEP (like allowing initialization vectors to be recycled allowing for message injection) but it also inherits problems with RC4 (ie: RC4's early bits are biased such that--for example the second byte is twice as likely to be xord with 0 than it should be or after long streams the "00" pair shows up more frequently than it would in a truly random stream). That paper will give you an idea of what the weaknesses are - from there you can look at the ways to convert them into proper attacks. To get a proper understanding of all the different ways you could attack WEP and RC4 is a "big deal" (ie: I've TA'd a 3rd-year course that spent weeks on just two attacks - and there are dozens to choose from).

While writing this post I skimmed a paper by "Erik Tews, Ralf-Philipp Weinmann, and Andrei Pyshkin" titled "breaking 104-bit wep in 60 seconds". That seems to be a pretty approachable piece for an undergrad (ie: I was able to understand follow it pretty well, and I was a really terrible student). It's not too heavy on math and has a pretty good description of the method they used (an extension of another famous method). There's certainly enough to start on an implementation of their attack though probably not enough detail to go all the way to completion.

The text I have on the topic ("RC4 stream cypher and its variants") covers WEP and WPA attacks in chapter 7. It has details about FMS, Martin, Klein, PTW/VX attacks on RC4 in WEP mode. I'm not sure it counts as particularly easy reading -- I flipped through this one before the earlier paper - it crams a lot of information into ~10 pages. I didn't recommend this one first because I found myself doubling-back to the earlier chapters just trying to follow the FMS section. It's a much more difficult read but if you worked through it start-to-finish you'd probably get a lot out of it. It certainly nails the "extreme detail" check box without getting bogged down in algorithms.

If you don't care about specific attacks then I think reading about TKIP is probably the way to go - it was was the major improvement of WPA over WEP. If you know what the fix was, you can probably infer a bit about the problem they were addressing without going through the effort of understanding RC4 and WEP in detail.

[Detection]

You might find some useful info and tools here, they have a forum too
http://www.backtrack-linux.org/

[+BudMan]

The evn show post

/thread

Not much more to say after that detailed way of saying RTFM Loved it!!

[SPEhosting]

n_K, on 02 March 2013 - 01:07, said:

Join a college/university that subscribes and you'll get it free.

I will get it from my uni then they should have it

the evn show, on 02 March 2013 - 03:41, said:

You don't learn (and actually understand) that stuff in "extreme" detail in a short amount of time. It's like saying you want to know physical chemistry but don't want to get bogged down with all those orbital shapes and baryons and stuff. To get a solid understanding is going to take some real work so maybe you want to scale back a bit.

I Know I say in my post I need to know everything ... its more... I need access to everything but I know specifically what I am looking for its just to long to google search it and I was just coming here for sources or someone with an expert knowledge... I have read your post and will take your points on .... I am going to start ... there is a couple of issues with wep that I will be directly addressing for a program I am writing ... simple OPN WEP to start with then eventually moving on untill my program has all aspects of WEP security down..

[the evn show]

BudMan, on 02 March 2013 - 12:00, said:

Not much more to say after that detailed way of saying RTFM Loved it!!

Kinda the opposite of RTFM: the FM tells you how it's supposed to work and how to build an implementation. It doesn't tell you why an implementation is weak (if it did, we'd never have used it). I went for more of a "read the bug reports and patch notes" recommendation.

Quote

. there is a couple of issues with wep that I will be directly addressing for a program I am writing ... simple OPN WEP to start with then eventually moving on untill my program has all aspects of WEP security down..

It sounds more like you don't really care about how or why WEP is weak - that's going to be a discussion for math or comp-sci nerds who like to use lots of letters and symbols when they talk about things. You sound like you're more interested in the steps necessary to exploit a vulnerability.

Consider two imaginary descriptions of a weakness in some piece of cryptographic software:

• Algorithm X has a bias in byte 3 that makes it 1/2^384 % more likely to return 0 than any other a-bit sequence. You can use that to discover 1 bit of key information in time 2^56 with 95% probability. (1.5 assloads of math and stats follow here. Lots of brackets and letters)
  
• Capture 300,000 packets, then compute byte 5 + byte 9 xor byte 3 for each packet. Count how many times you get 1, 2,3,4,5,… as a result of that calculation and store the the number of times for each value. If a value occurs twice as often as any other number then there is a 95% chance that bit 4 of that value is bit #7 in the key. if you get { 1= 953, 2=888, 3=1,965, 3=1,001, 4=920… } then there's a good chance that the 7th bit in the key is 0 (because 3 occurs most often, 3dec = 0b00000011, so bit #4 is 0, so bit #7 of the key is probably 0). You can use this new information about the key + new packets + different calculations to determine the value of more bits in the key.

The first answer is what you'll get out of comp-sci text books and papers. It's the "real understanding" of why WEP is weak. You will see bits of the second in research papers but its typically a mathematical description rather than an algorithm. If you're not a huge math nerd it's going to be somewhat difficult to convert that into a useful algorithm. On the plus side, you know why those algorithms work.

If you prefer the second kind of answer then you're probably best off just reading the source code for a tool like aircrack-ng or metasploit. It won't give you an understanding about why the code works, but you will understand how to use it. The second is saying "you can perform a statistical attack" but it hand-waves passed the details about why particular data is used or exactly how it reveals particular bits of key information (why byte 5+9 and not 7+6? why do we get the bit in the key at postion 7 instead of 3? why do we need 300k packets and not 3m or 300?). If you don't really care why it works then reading the source code is the quickest way to enlightenment.

[YounGMessiah]

IEEE has most of your answers, other than that like suggested above look at reports/papers and such

[+warwagon]

Have a listen. This is from Security Now #89
Even More Badly Broken WEP
Leo and I review the operation of wireless network security and discuss in detail the operation of the latest attack on the increasingly insecure WEP encryption system. This new technique allows any WEP-protected WiFi network's secret cryptographic key to be discovered in less than 60 seconds.

http://www.grc.com/sn/past/2007.htm

[SPEhosting]

the evn show, on 02 March 2013 - 18:06, said:

Kinda the opposite of RTFM: the FM tells you how it's supposed to work and how to build an implementation. It doesn't tell you why an implementation is weak (if it did, we'd never have used it). I went for more of a "read the bug reports and patch notes" recommendation.
[/color]

It sounds more like you don't really care about how or why WEP is weak - that's going to be a discussion for math or comp-sci nerds who like to use lots of letters and symbols when they talk about things. You sound like you're more interested in the steps necessary to exploit a vulnerability.

Consider two imaginary descriptions of a weakness in some piece of cryptographic software:

• Algorithm X has a bias in byte 3 that makes it 1/2^384 % more likely to return 0 than any other a-bit sequence. You can use that to discover 1 bit of key information in time 2^56 with 95% probability. (1.5 assloads of math and stats follow here. Lots of brackets and letters)
  
• Capture 300,000 packets, then compute byte 5 + byte 9 xor byte 3 for each packet. Count how many times you get 1, 2,3,4,5,… as a result of that calculation and store the the number of times for each value. If a value occurs twice as often as any other number then there is a 95% chance that bit 4 of that value is bit #7 in the key. if you get { 1= 953, 2=888, 3=1,965, 3=1,001, 4=920… } then there's a good chance that the 7th bit in the key is 0 (because 3 occurs most often, 3dec = 0b00000011, so bit #4 is 0, so bit #7 of the key is probably 0). You can use this new information about the key + new packets + different calculations to determine the value of more bits in the key.

The first answer is what you'll get out of comp-sci text books and papers. It's the "real understanding" of why WEP is weak. You will see bits of the second in research papers but its typically a mathematical description rather than an algorithm. If you're not a huge math nerd it's going to be somewhat difficult to convert that into a useful algorithm. On the plus side, you know why those algorithms work.

If you prefer the second kind of answer then you're probably best off just reading the source code for a tool like aircrack-ng or metasploit. It won't give you an understanding about why the code works, but you will understand how to use it. The second is saying "you can perform a statistical attack" but it hand-waves passed the details about why particular data is used or exactly how it reveals particular bits of key information (why byte 5+9 and not 7+6? why do we get the bit in the key at postion 7 instead of 3? why do we need 300k packets and not 3m or 300?). If you don't really care why it works then reading the source code is the quickest way to enlightenment.

you are half right while I am looking as to how its exploited (i am not looking to exploit it with a program like aircrack and aireplay I want to know what these programs do to exploit it) but I feel I should have an understanding of the math as well but not to a massive indepth level to the point that I can write a book my self