Wireless Security
Re: Perpetuating weak wireless security Nov 14 2008 11:36PM
Thomas d'Otreppe (tdotreppe gmail com)
Mark,

I analyzed WEP cloaking and created airdecloak-ng. Alex gave me the
hardware. I worked hard on it and I just want to avoid what happened
with WPA "hacking" (tkiptun-ng), where the real author wasn't credited
for his work, happening to this tool.

Btw, there will be a few new things:
- More tests will be added to the wiki (currently there's only one and
I took the busiest network)
- An example where filtering isn't needed to recover the key will be
added to the wiki.
- A new option will also be added to aireplay-ng to detect cloaking.

Thomas d'Otreppe

On Fri, Nov 14, 2008 at 1:15 PM, Mark Sec <mark.sec (at) gmail (dot) com> wrote:
> Very nice patch, friend. It works fine on my network (WEP Cloaking). Great
> work!!
>
> Many thanks to Thomas d'Otreppe and Alex Hernandez (alt3kx)
>
> -mark
> CISSP
>
>
> 2008/11/6 Thomas d'Otreppe <tdotreppe (at) gmail (dot) com>
>>
>> Hello guys,
>>
>> At Defcon this year, I presented the tool I developed against WEP
>> cloaking; it is now publicly available (in our svn repository). It is
>> called airdecloak-ng and you can get more information at
>> http://www.aircrack-ng.org/doku.php?id=airdecloak-ng
>>
>> Here is an excerpt of its description:
>> -----------------------
>> Airdecloak-ng is a tool that removes WEP cloaking from a pcap file.
>> Some WIPS (actually one) can actively "prevent" cracking a WEP key by
>> inserting chaff (fake WEP frames) into the air to fool aircrack-ng. In
>> some rare cases, cloaking fails and the key can be recovered without
>> removing this chaff. In the cases where the key cannot be recovered,
>> use this tool to filter out the chaff.
>>
>> The program works by reading the input file and selecting packets from
>> a specific network. Each selected packet is put into a list and
>> classified (default status is "unknown"). Filters are then applied (in
>> the order specified by the user) on this list. They will change the
>> status of the packets (unknown, uncloaked, potentially cloaked or
>> cloaked). The order of the filters is really important since each
>> filter will base its analysis amongst other things on the status of
>> the packets and different orders will give different results.
>> -----------------
>>
>> There are only 2 simple filters implemented, but they are already capable
>> of removing more than enough WEP-cloaked packets to break the WEP key (and
>> in some cases filtering out WEP-cloaked packets isn't needed at all;
>> aircrack-ng can crack the key). Other filters will be implemented
>> really soon to improve detection (and removal) of WEP-cloaked packets.
>>
>> Best regards,
>>
>> Thomas
>>
>> PS: Nico, do I win a Nemesis box? I broke it ;)
>>
>>
>>
>> On Wed, May 9, 2007 at 10:44 PM, Nico Darrow <ndarrow (at) airdefense (dot) net>
>> wrote:
>> > Yes, WEP Cloaking works both on passive as well as active attacks.
>> > Injection attacks, stream attacks, MiTM attacks etc etc.
>> >
>> >
>> > -----Original Message-----
>> > From: listbounce (at) securityfocus (dot) com [mailto:listbounce (at) securityfocus (dot) com]
>> > On Behalf Of Raul Siles
>> > Sent: Wednesday, May 09, 2007 8:01 AM
>> > To: Nico Darrow
>> > Cc: Cedric Blancher; Joshua Wright; wifisec (at) securityfocus (dot) com
>> > Subject: Re: Perpetuating weak wireless security
>> >
>> > Hi Nico,
>> > I'm trying to understand the specific WEP attacks the WEP Cloaking
>> > feature mitigates. It seems it is mainly focused on WEP statistical
>> > attacks (FMS, Korek's improvements and, now, aircrack-ptw). Is this
>> > correct?
>> >
>> > If you can disclose some details at this point, does it work against
>> > other WEP based attacks (PRGA-based): KoreK's chopchop,
>> > fragmentation...?
>> >
>> > Thanks,
>> > --
>> > Raul Siles
>> > GSE
>> > www.raulsiles.com
>> >
>> >
>> > On 5/8/07, Nico Darrow <ndarrow (at) airdefense (dot) net> wrote:
>> >> Guys, I was the original designer of the WEP Cloaking feature released
>> >> by AirDefense. I can field any questions you guys may have on it.
>> >>
>> >> I can assure you it works. Here are a couple of points on the technology.
>> >>
>> >> 1. The actual fake data traffic is silently dropped by both the client
>> >> and the AP, and throughput tests indicate a negligible impact at both 54 and
>> >> 11 Mbps. We don't flood the air.
>> >>
>> >> 2. You can't filter the traffic out, we have several dynamic engines to
>> >> circumvent filtering. We've had several independent teams attempt to pentest
>> >> even with the real WEP key and they have failed. I've already been through
>> >> signal strength filtering, retry filtering, sequence filtering, client
>> >> filtering, distributed sniffing, etc etc. None work. AirDefense is the best
>> >> in class solution and I assure you the work on this project is on par. I'm
>> >> not being cocky, I'm just saying that this isn't a hacked job. We have spent
>> >> over a year developing and refining this technique.
>> >>
>> >> Ok here's the thing. This technology was designed to save millions of
>> >> dollars in cost to large retailers still running WEP technology. The
>> >> technology isn't fool-proof, but it's the best option they have. What you
>> >> get for a fraction of the cost of a fork-lift upgrade is extended life on
>> >> existing hardware as well as a world class Wireless IDS/IPS as well as a
>> >> platform for other AirDefense technologies.
>> >>
>> >> Now, I'm sure someone smart will figure out some super-clever way to
>> >> bypass it but AirDefense has multiple layers of protection. We will of
>> >> course refine the technology as it gets deployed and used in the field. Like
>> >> any true Second generation WIDS/WIPS. We have Legacy Encryption Protection
>> >> (WEP), Intrusion Detection with Auto-Classification of devices (monitor
>> >> anyone actually making it past the encryption/vlans) and Intrusion
>> >> Protection (keeping them off once you find out they have the real WEP key).
>> >>
>> >>
>> >> For those currently using WEP. Here are some tips to help make WEP
>> >> cracking harder without WEP Cloaking.
>> >>
>> >> 1. Use PSPF mode (aka AP Isolation). There is a mode on most radios
>> >> that disallows clients from communicating with each other, essentially by
>> >> filtering out broadcast and multicast traffic. Enabling this feature will
>> >> prevent ARP injection techniques and will prevent Aircrack-ptw from working.
>> >> Yes, it can still be cracked, but it requires the hacker to capture traffic
>> >> passively, and in a retail environment with low traffic it can take a while.
>> >>
>> >> 2. VLANs on the APs. Currently Aircrack and other such tools don't
>> >> filter out VLAN traffic (you need to write your own tool to filter it out;
>> >> scapy works for me), so if you have multiple VLANs, don't use the MBSSID
>> >> feature and keep all your VLANs on one BSSID. Technically MBSSIDs are way
>> >> better, but we are talking older hardware.
>> >>
>> >> 3. Multiple APs. Clients connect to multiple APs, and when you start
>> >> injecting they'll roam, forcing you to use secondary radios to keep the
>> >> device on it or follow it around and combine the traffic later. Not really a
>> >> good point, but it makes life harder with off-the-shelf tools.
>> >>
>> >> 4. If possible, do the basics. MAC filtering, throughput limiting
>> >> (54Mbps/11Mbps only), signal strength filtering.
>> >>
>> >>
>> >> For those wanting to check out the technology, contact me and I'll let you
>> >> know where and when we will be demoing the technology.
>> >>
>> >>
>> >> Nico Darrow
>> >> Office of the CTO
>> >> AirDefense, Inc.
>> >>
>> >> -----Original Message-----
>> >> From: listbounce (at) securityfocus (dot) com
>> >> [mailto:listbounce (at) securityfocus (dot) com] On Behalf Of Cedric Blancher
>> >> Sent: Tuesday, May 08, 2007 3:19 AM
>> >> To: Joshua Wright
>> >> Cc: wifisec (at) securityfocus (dot) com
>> >> Subject: Re: Perpetuating weak wireless security
>> >>
>> >> On Monday, 07 May 2007 at 10:44 -0400, Joshua Wright wrote:
>> >> > While I haven't seen this technology in action yet, I have a pretty
>> >> > good idea how it works, and I think it's a mistake to trust said
>> >> > technology or common variants for the protection of sensitive
>> >> > networks.
>> >>
>> >> The idea of adding dummy traffic to legit WEP traffic has been mentioned
>> >> here before. A quick answer to this could be:
>> >>
>> >> 1. spot real MAC addresses
>> >> 2. PCAP filter your capture
>> >>
>> >> I don't think they want to overload real clients and AP with dummy WEP
>> >> traffic...
>> >>
>> >>
>> >> --
>> >> http://sid.rstack.org/
>> >> PGP KeyID: 157E98EE FingerPrint:
>> >> FA62226DA9E72FA8AECAA240008B480E157E98EE
>> >> SyScan'07: 2 days of WiFi training and practice in Singapore
>> >> http://syscan.org/reg_training.html
>> >>
>> >>

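The pipeline Thomas describes above (select one BSSID's frames, start every frame at status "unknown", then apply filters in a user-chosen order, where each filter may consult the status earlier filters assigned) can be modelled in a few dozen lines. The block below is an added example written for this page; it is not airdecloak-ng's code and its filters are not the project's. Frames are plain dicts rather than parsed 802.11 headers, the capture is constructed by hand (a real AP and client, chaff frames spoofing the AP's address, and one frame from an unrelated BSSID), and the three heuristics it implements (a duplicate sequence number carrying a different body, a run of consecutive sequence numbers from one transmitter, and RSSI deviation from frames already judged genuine) are assumptions chosen to show how order changes the outcome. The page does not say which two filters the tool ships.

```python
"""Toy chaff-removal pipeline in the spirit of airdecloak-ng (added example).

Not the project's code. Frame fields, filter heuristics and the sample
capture are all constructed for illustration.
"""
from statistics import median

UNKNOWN, UNCLOAKED, POTENTIALLY_CLOAKED, CLOAKED = (
    "unknown", "uncloaked", "potentially cloaked", "cloaked")


def select_network(frames, bssid):
    """Copy the frames of one BSSID and start each one at status 'unknown'."""
    return [dict(f, status=UNKNOWN) for f in frames if f["bssid"] == bssid]


def filter_duplicate_seq(frames):
    """Two frames from one transmitter with the same 12-bit sequence number but
    different bodies cannot both be genuine (a real retry repeats the body).
    Every 'unknown' member of such a collision becomes potentially cloaked;
    note this also drops the genuine frame, a deliberate trade-off."""
    groups = {}
    for f in frames:
        groups.setdefault((f["src"], f["seq"]), []).append(f)
    for group in groups.values():
        if len({g["body"] for g in group}) > 1:
            for g in group:
                if g["status"] == UNKNOWN:
                    g["status"] = POTENTIALLY_CLOAKED
    return frames


def filter_consecutive_seq(frames, run=3):
    """A transmitter's sequence counter increments by one per frame (mod 4096).
    'unknown' frames sitting in a run of `run` consecutive numbers from the
    same source are promoted to uncloaked: chaff spoofing that address does
    not normally continue the real counter."""
    by_src = {}
    for f in frames:
        if f["status"] == UNKNOWN:
            by_src.setdefault(f["src"], []).append(f)
    for cand in by_src.values():
        cand.sort(key=lambda f: f["seq"])      # stable: capture order kept for ties
        for i in range(len(cand) - run + 1):
            window = cand[i:i + run]
            if all((window[j + 1]["seq"] - window[j]["seq"]) % 4096 == 1
                   for j in range(run - 1)):
                for g in window:
                    g["status"] = UNCLOAKED
    return frames


def filter_signal(frames, max_dev=10):
    """Compare each 'unknown' frame's RSSI with the median RSSI of frames the
    same source already has marked uncloaked. With no uncloaked reference the
    filter does nothing, which is exactly why filter order matters."""
    ref = {}
    for f in frames:
        if f["status"] == UNCLOAKED:
            ref.setdefault(f["src"], []).append(f["rssi"])
    for f in frames:
        rssis = ref.get(f["src"])
        if rssis and f["status"] == UNKNOWN and abs(f["rssi"] - median(rssis)) > max_dev:
            f["status"] = POTENTIALLY_CLOAKED
    return frames


FILTERS = {"dupseq": filter_duplicate_seq,
           "runseq": filter_consecutive_seq,
           "signal": filter_signal}


def decloak(frames, bssid, order):
    """Apply the named filters in the given order; return the frames that
    survive (unknown or uncloaked) as the input for key recovery."""
    selected = select_network(frames, bssid)
    for name in order:
        FILTERS[name](selected)
    return [f for f in selected if f["status"] in (UNKNOWN, UNCLOAKED)]


def count_chaff(frames):
    """How many constructed chaff frames slipped through (known only because
    the sample capture labels them)."""
    return sum(1 for f in frames if f["body"].startswith(b"chaff"))


# --- constructed sample capture (hypothetical addresses) ---------------------
AP = "00:11:22:33:44:55"      # assumed BSSID / AP transmitter address
STA = "aa:bb:cc:dd:ee:01"     # assumed client


def frame(src, seq, rssi, body, bssid=AP):
    return {"bssid": bssid, "src": src, "seq": seq, "rssi": rssi, "body": body}


CAPTURE = [
    frame(AP, 100, -41, b"real-100"),
    frame(AP, 101, -40, b"real-101"),
    frame(AP, 102, -42, b"real-102"),
    frame(AP, 103, -40, b"real-103"),
    frame(AP, 103, -71, b"chaff-103"),     # same seq as real-103, other body
    frame(AP, 104, -41, b"real-104"),
    frame(AP, 2000, -70, b"chaff-2000"),   # spoofed AP address, counter way off
    frame(AP, 2050, -72, b"chaff-2050"),
    frame(STA, 7, -55, b"real-sta-7"),
    frame(STA, 8, -56, b"real-sta-8"),
    frame(STA, 9, -54, b"real-sta-9"),
    frame("66:77:88:99:aa:bb", 1, -60, b"other-net", bssid="66:77:88:99:aa:bb"),
]

if __name__ == "__main__":
    for order in (["signal", "runseq"],
                  ["dupseq", "runseq", "signal"],
                  ["runseq", "signal", "dupseq"]):
        kept = decloak(CAPTURE, AP, order)
        print(f"{' > '.join(order):28s} kept {len(kept):2d} frames, "
              f"{count_chaff(kept)} chaff left")
```

Running the three orders on the sample capture shows the point made in the description: "signal" before "runseq" has no uncloaked reference yet and lets all three chaff frames through; "dupseq" first removes the chaff but also throws away the genuine frame it collided with; "runseq" first, then "signal", then "dupseq" keeps every genuine frame and no chaff. These are the same classes of filter (signal, sequence, retry) that Nico says AirDefense's engines are built to defeat, so the example demonstrates the mechanics of order-dependent classification, not a result against any real product.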
Copyright 2010, SecurityFocus