Wireless Security

Thread: Perpetuating weak wireless security
  Perpetuating weak wireless security      May 07 2007 02:44PM  Joshua Wright (jwright hasborg com)
  Re: Perpetuating weak wireless security  May 08 2007 07:18AM  Cedric Blancher (blancher cartel-securite fr)
  RE: Perpetuating weak wireless security  May 08 2007 02:19PM  Nico Darrow (ndarrow airdefense net)
  Re: Perpetuating weak wireless security  May 09 2007 12:00PM  Raul Siles (raul siles gmail com)
  RE: Perpetuating weak wireless security  May 09 2007 09:44PM  Nico Darrow (ndarrow airdefense net)
At defcon this year, I presented the tool I developed against WEP
cloaking; it is now publicly available (in our svn repository). It is
called airdecloak-ng and you can get more information at
http://www.aircrack-ng.org/doku.php?id=airdecloak-ng
Here is an excerpt of its description:
-----------------------
Airdecloak-ng is a tool that removes WEP cloaking from a pcap file.
Some WIPS (actually one) can actively "prevent" cracking a WEP key by
inserting chaff (fake WEP frames) in the air to fool aircrack-ng. In
some rare cases, cloaking fails and the key can be recovered without
removing this chaff. In the cases where the key cannot be recovered,
use this tool to filter out the chaff.
The program works by reading the input file and selecting packets from
a specific network. Each selected packet is put into a list and
classified (default status is "unknown"). Filters are then applied (in
the order specified by the user) on this list. They will change the
status of the packets (unknown, uncloaked, potentially cloaked or
cloaked). The order of the filters is really important since each
filter will base its analysis amongst other things on the status of
the packets and different orders will give different results.
-----------------
There are only 2 simple filters implemented, which are already capable of
removing more than enough WEP cloaked packets to break the WEP key (and
in some cases, filtering out WEP cloaked packets isn't needed at all;
aircrack-ng can crack the key). Other filters will be implemented
really soon to improve detection (and removal) of WEP cloaked packets.
Best regards,
Thomas
PS: Nico, do I win a Nemesis box? I broke it ;)
On Wed, May 9, 2007 at 10:44 PM, Nico Darrow <ndarrow (at) airdefense (dot) net> wrote:
> Yes, WEP Cloaking works both on passive as well as active attacks. Injection attacks, stream attacks, MiTM attacks etc etc.
>
>
> -----Original Message-----
> From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Raul Siles
> Sent: Wednesday, May 09, 2007 8:01 AM
> To: Nico Darrow
> Cc: Cedric Blancher; Joshua Wright; wifisec (at) securityfocus (dot) com
> Subject: Re: Perpetuating weak wireless security
>
> Hi Nico,
> I'm trying to understand the specific WEP attacks the WEP Cloaking
> feature mitigates. It seems it is mainly focused on WEP statistical
> attacks (FMS, Korek's improvements and, now, aircrack-ptw). Is this
> correct?
>
> If you can disclose some details at this point, does it work against
> other WEP based attacks (PRGA-based): KoreK's chopchop,
> fragmentation...?
>
> Thanks,
> --
> Raul Siles
> GSE
> www.raulsiles.com
>
>
> On 5/8/07, Nico Darrow <ndarrow (at) airdefense (dot) net> wrote:
>> Guys, I was the original designer of the WEP Cloaking feature released by AirDefense. I can field any questions you guys may have on it.
>>
>> I can assure you it works. Here are couple points on the technology.
>>
>> 1. The actual fake data traffic is silently dropped by both the client and the AP, and throughput tests indicate a negligible impact at both 54 and 11 Mbps. We don't flood the air.
>>
>> 2. You can't filter the traffic out, we have several dynamic engines to circumvent filtering. We've had several independent teams attempt to pentest even with the real WEP key and they have failed. I've already been through signal strength filtering, retry filtering, sequence filtering, client filtering, distributed sniffing, etc etc. None work. AirDefense is the best in class solution and I assure you the work on this project is on par. I'm not being cocky, I'm just saying that this isn't a hacked job. We have spent over a year developing and refining this technique.
>>
>> Ok here's the thing. This technology was designed to save millions of dollars in cost to large retailers still running WEP technology. The technology isn't fool-proof, but it's the best option they have. What you get for a fraction of the cost of a fork-lift upgrade is extended life on existing hardware as well as a world class Wireless IDS/IPS as well as a platform for other AirDefense technologies.
>>
>> Now, I'm sure someone smart will figure out some super-clever way to bypass it but AirDefense has multiple layers of protection. We will of course refine the technology as it gets deployed and used in the field. Like any true Second generation WIDS/WIPS. We have Legacy Encryption Protection (WEP), Intrusion Detection with Auto-Classification of devices (monitor anyone actually making it past the encryption/vlans) and Intrusion Protection (keeping them off once you find out they have the real WEP key).
>>
>>
>> For those currently using WEP. Here are some tips to help make WEP cracking harder without WEP Cloaking.
>>
>> 1. Use PSPF mode (aka AP Isolation). There is a mode on most radios that disallows clients to communicate with each other, essentially by filtering out broadcast and multicast traffic. Enabling this feature will prevent ARP injection techniques and will prevent Aircrack-ptw from working. Yes, it can still be cracked, but it requires the hacker to capture traffic passively, and in a retail environment with low traffic it can take a while.
>>
>> 2. VLANs on the APs. Currently Aircrack and other such tools don't filter out VLAN traffic (you need to write your own tool to filter it out; scapy works for me), so if you have multiple VLANs, don't use the MBSSID feature and keep all your VLANs on one BSSID. Technically MBSSIDs are way better, but we are talking older hardware.
>>
>> 3. Multiple APs. Clients connect to multiple APs, and when you start injecting they'll roam, forcing you to use secondary radios to keep the device on it or to follow it around and combine the traffic later. Not really a good point, but it makes life harder with off-the-shelf tools.
>>
>> 4. If possible, do the basics. MAC filtering, throughput limiting (54Mbps/11Mbps only), signal strength filtering.
>>
>>
>> For those wanting to check out the technology, contact me and I'll let you know where and when we will be demoing the technology.
>>
>>
>> Nico Darrow
>> Office of the CTO
>> AirDefense, Inc.
>>
>> -----Original Message-----
>> From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Cedric Blancher
>> Sent: Tuesday, May 08, 2007 3:19 AM
>> To: Joshua Wright
>> Cc: wifisec (at) securityfocus (dot) com
>> Subject: Re: Perpetuating weak wireless security
>>
>> On Monday 07 May 2007 at 10:44 -0400, Joshua Wright wrote:
>> > While I haven't seen this technology in action yet, I have a pretty
>> > good idea how it works, and I think it's a mistake to trust said
>> > technology or common variants for the protection of sensitive networks.
>>
>> The idea of adding dummy traffic to legit WEP traffic has been mentioned
>> here before. A quick answer to this could be:
>>
>> 1. spot real MAC addresses
>> 2. PCAP filter your capture
>>
>> I don't think they want to overload real clients and AP with dummy WEP
>> traffic...
>>
>>
>> --
>> http://sid.rstack.org/
>> PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> SyScan'07: 2 days of WiFi training and practice in Singapore
>> http://syscan.org/reg_training.html
>>
>>
>
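Thomas's excerpt describes airdecloak-ng as a pipeline: select the frames of one BSSID, tag each one "unknown", then run filters in the user's order, where each filter re-tags frames partly on the basis of the tags earlier filters left, so that a different order gives a different result. Cedric's earlier suggestion ("spot real MAC addresses, PCAP filter your capture") is one such filter. The following is an added example modelling that pipeline; it is not code from airdecloak-ng or from any poster. The frame records, the BSSID and MAC values, and both filters are constructed for illustration: the post does not name the tool's two real filters, and the sequence-number check used here is the kind of consistency test a WIDS applies to flag injected frames, not a claim about what the tool does.

```python
"""Toy model of the packet-status pipeline described in the post (constructed
example, not airdecloak-ng code).  Frames of one BSSID start "unknown"; filters
run in the caller's order and may re-tag frames depending on earlier tags."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Set


class Status(Enum):
    UNKNOWN = "unknown"
    UNCLOAKED = "uncloaked"
    POTENTIALLY_CLOAKED = "potentially cloaked"
    CLOAKED = "cloaked"


@dataclass
class Frame:
    bssid: str
    transmitter: str                 # 802.11 transmitter address (Address 2)
    seq: int                         # 12-bit 802.11 sequence number
    status: Status = Status.UNKNOWN


Filter = Callable[[List[Frame]], None]

# Constructed capture: one real station sends seq 100..103, two chaff frames
# spoof its address with unrelated sequence numbers, one frame comes from a
# station never seen associating, and one belongs to another network.
BSSID = "00:11:22:33:44:55"
REAL_STATIONS: Set[str] = {"aa:bb:cc:dd:ee:01"}
CAPTURE: List[Frame] = [
    Frame(BSSID, "aa:bb:cc:dd:ee:01", 100),
    Frame(BSSID, "aa:bb:cc:dd:ee:01", 3000),             # chaff (constructed)
    Frame(BSSID, "aa:bb:cc:dd:ee:01", 101),
    Frame(BSSID, "de:ad:be:ef:00:01", 7),                # unknown station
    Frame(BSSID, "aa:bb:cc:dd:ee:01", 102),
    Frame(BSSID, "aa:bb:cc:dd:ee:01", 3001),             # chaff (constructed)
    Frame("66:77:88:99:aa:bb", "aa:bb:cc:dd:ee:02", 5),  # other BSSID, dropped
    Frame(BSSID, "aa:bb:cc:dd:ee:01", 103),
]


def select_network(frames: List[Frame], bssid: str) -> List[Frame]:
    """Step 1 of the post: keep only the target BSSID, every frame tagged unknown."""
    return [Frame(f.bssid, f.transmitter, f.seq) for f in frames if f.bssid == bssid]


def known_stations(known: Set[str]) -> Filter:
    """Illustrative filter (Cedric's idea): frames whose transmitter is not a
    known real station become "potentially cloaked".  Frames from known
    stations stay unknown, since a chaff source may spoof those addresses."""
    def run(frames: List[Frame]) -> None:
        for f in frames:
            if f.status is Status.UNKNOWN and f.transmitter not in known:
                f.status = Status.POTENTIALLY_CLOAKED
    return run


def sequence_consistency(window: int = 64) -> Filter:
    """Illustrative filter: per transmitter, accept an unknown frame whose
    sequence number advances by 1..window (mod 4096) from the last accepted
    one and tag the rest cloaked.  It judges only frames still unknown, so its
    outcome depends on what earlier filters decided."""
    def run(frames: List[Frame]) -> None:
        last: Dict[str, int] = {}        # transmitter -> last accepted seq
        for f in frames:
            if f.status is not Status.UNKNOWN:
                continue
            prev = last.get(f.transmitter)
            if prev is None or 1 <= (f.seq - prev) % 4096 <= window:
                f.status = Status.UNCLOAKED
                last[f.transmitter] = f.seq
            else:
                f.status = Status.CLOAKED
    return run


def decloak(frames: List[Frame], bssid: str, filters: List[Filter]) -> List[Frame]:
    """Select the network, then apply the filters in the given order."""
    selected = select_network(frames, bssid)
    for flt in filters:
        flt(selected)
    return selected


def summary(frames: List[Frame]) -> Dict[Status, int]:
    counts = {s: 0 for s in Status}
    for f in frames:
        counts[f.status] += 1
    return counts


if __name__ == "__main__":
    mac_first = [known_stations(REAL_STATIONS), sequence_consistency()]
    seq_first = [sequence_consistency(), known_stations(REAL_STATIONS)]
    for name, order in (("MAC filter first", mac_first), ("sequence filter first", seq_first)):
        counts = summary(decloak(CAPTURE, BSSID, order))
        print(name, {s.value: n for s, n in counts.items()})
```

Running the two orders shows the order dependence the post insists on: with the MAC filter first, the frame from the unseen station is left "potentially cloaked" and the sequence filter never judges it; with the sequence filter first, that frame is its station's first and only frame, so it is accepted as "uncloaked" and the MAC filter then finds nothing left to tag. The two spoofed frames are caught either way because their sequence numbers cannot follow the real station's counter.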