Tuesday 28 May 2013

Wireless Part 4

Okay, so last time we saw exactly how WEP works, and hopefully you noticed where some of the vulnerabilities are. In this post we will look at some of them, exactly where they are and how we can get past them.

IVs

So the first major vulnerability is the IVs. If you have ever done some WEP cracking in the past using a program to do it for you, you will have heard of IVs before: from your perspective the program collects a lot of these, does some calculation and spits back a password. That isn't really what is happening. As we saw, IVs are the randomized initialization vectors fed into the RC4 algorithm to generate the key stream that is XORed with the plain text data. Then, so the AP can read the data, the secret key + IV from the packet is run through RC4 by the router to reproduce the key stream, and the data and checksum are recovered. This is the vulnerability you are using when you capture IVs. What vulnerability is there, you might ask? Allow me to explain.

The only 2 things being kept secret in WEP are the data and the secret key. Now the beauty of RC4 is that every time you run that operation with the same inputs you will always get the same result. So if you separate the key stream from the data, you have the result of RC4. Now RC4 reads in 2 items of information, the IV and the secret key, and we have the IV. Using thousands of these calculation results we can begin to work backwards from key stream to key, and thus we have our secret key. This is exactly what is going on behind the scenes in a WEP cracking program: the key streams are captured, then thousands of IVs are used together with their key streams to reverse the RC4 algorithm and get the secret key. Simple really.

This is the basic method used from 2001 onwards. Now I know this post was very short, but as I am still unpacking from moving and trying to get a job I don't have a lot of time to spare at the moment. You can still email me questions at martyncprice@gmail.com (yes, my real name is Martyn Price; anybody who has decided to follow me on Twitter should have found this out already @Spectr3Sec), or you can ask in the comments section. Until next week, hack well and prosper
-Spectr3

Wednesday 22 May 2013

Back in a week

Hey all, I know I have normally posted by now, but it's going to have to be next week as I am so busy moving house. See you all in a week.

-Spectr3

Wednesday 15 May 2013

Wireless Part 3

WEP (Wired Equivalent Privacy)

In September 1999 802.11 (legacy) was released. This was the beginning of wireless LAN communications, but it required some security, otherwise anybody could intercept/sniff passwords, usernames or any other data they desired out of the airwaves. Thus WEP was created, with the intention of privacy, allowing for a passkey to encrypt wireless traffic. The major problem with WEP was that it was broken before it was implemented; in other words it was never secure, and when it was first proposed there were already papers being published talking about its flaws.

How it works

WEP uses the RC4 algorithm, which is a symmetric key algorithm, meaning that both parties have identical keys which are used to encrypt and decrypt the data. It is also worth noting that, because of this, WEP placed very low resource demands on the device using it, allowing basic hardware to run it, which is why it is still used today in some cases.

WEP is only applied to the frame body of a packet. This frame body is split into 3 parts: IV, Data and ICV. The IV, or initialization vector, is a non-encrypted part (we will come to why later), which already begins to show some vulnerability. One of the fields in this part was for key IDs and was 2 bits large, allowing for 4 different passphrases to be used. Finally, the IV itself was 24 bits large (important in a minute).

The next part is the data. This is just the data which you wish to send (nothing majorly important here for the purposes of cracking WEP).

Finally we have the ICV. This is the Integrity Check Value. This is also encrypted in WEP. The ICV merely acts as a checksum to verify that the data has been sent/received correctly.

The steps of WEP

  1. First the IV is generated at random; this is a 24-bit value. This is added to the WEP key, which can be either 40 bits or 104 bits, giving us a value of 64 bits or 128 bits (which is why the IV length being 24 bits was important before). This is then fed into the RC4 algorithm, giving us a random key stream.
  2. At the same time, CRC-32 is applied to the data. This is a basic algorithm that runs a mathematical operation over the data to give a 32-bit value, which is then appended to the data.
  3. Finally, with a key stream the same size as the data to be sent + the ICV, an XOR operation is applied to the result of step 1 and the result of step 2. This gives us our final cipher text. Now this data should be completely impossible to read, whether you're the AP or the client, which is a problem, so the IV is put in front of the cipher text, giving us the completed data set for the frame body.
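As an added example (my own code, not from the original post), the three steps above in Python, together with the Part 4 observation that, because the IV is sent in the clear and RC4 is deterministic, a known plaintext under one IV hands over that IV's entire key stream. The key-id byte is left out, and the key, IV and data values are constructed for the demo.

```python
import struct
import zlib

def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) then key stream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA: permute S using the key bytes
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):                    # PRGA: one key stream byte per step
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(data: bytes) -> bytes:
    """Step 2: the ICV is CRC-32 of the data, appended little-endian."""
    return struct.pack("<I", zlib.crc32(data))

def wep_encrypt(secret_key: bytes, iv: bytes, data: bytes) -> bytes:
    """Steps 1 and 3: seed RC4 with IV||key, XOR over data||ICV, prepend the clear IV."""
    assert len(iv) == 3 and len(secret_key) in (5, 13)   # 24-bit IV; 40- or 104-bit key
    plain = data + icv(data)
    keystream = rc4(iv + secret_key, len(plain))
    return iv + bytes(p ^ k for p, k in zip(plain, keystream))

def wep_decrypt(secret_key: bytes, frame: bytes):
    """What the AP does: rebuild the key stream from the clear IV and its own key,
    XOR it off, and accept the data only if the ICV matches (else return None)."""
    iv, cipher = frame[:3], frame[3:]
    plain = bytes(c ^ k for c, k in zip(cipher, rc4(iv + secret_key, len(cipher))))
    data, tag = plain[:-4], plain[-4:]
    return data if icv(data) == tag else None

def recover_keystream(frame: bytes, known_data: bytes) -> bytes:
    """Part 4's point: a frame whose plaintext is known gives away the key stream
    for its IV (ciphertext XOR plaintext), with no need to know the secret key."""
    plain = known_data + icv(known_data)
    return bytes(c ^ p for c, p in zip(frame[3:], plain))

def xor_with_keystream(frame: bytes, keystream: bytes) -> bytes:
    """Any other frame sent under the same IV is then readable with a plain XOR;
    the result is data||ICV, so the last 4 bytes are the checksum."""
    return bytes(c ^ k for c, k in zip(frame[3:], keystream))
```

Because the IV is only 24 bits, a busy network is forced to reuse IVs, which is exactly the situation the last two functions exploit.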


Now if that was a bit hard to keep up with, don't fret, as there is a diagram incoming :)

This image was lifted from another blogger called Zero-Krangkaian

I think this is enough for this week. Next week I shall begin on the basics of where exactly the vulnerabilities are, and how to get past them.

As always thanks for reading :) - Spectr3

Wednesday 8 May 2013

Wireless Part 2

So last time we left off talking about the different parts of the IEEE 802.11 protocol, a/b/g/n/ac etc. But all those protocols have a story, and here it is...

In June 1997 the first wireless protocol was released; this is what we now know as "legacy". At the time more and more people were beginning to use laptops as they became more and more portable. Gone were the laptops that required you to haul around a box bigger than a suitcase, and in came computers the size of briefcases, and with more portable devices, a more portable connection to the internet was wanted: a connection that didn't require you to plug your device into a switch or hub. Thus someone came up with the idea of wireless local area communications. The first implementation would transfer data at 2MB/s and used FHSS and DSSS modulation. With a range of 100m it allowed for a certain amount of cable-free portability.

Then in September 1999 two new wireless protocols were released, aimed at improving on their predecessor. One protocol was called 802.11a; its purpose was mainly to increase the speed and range of the network, and it did: using a different type of modulation (OFDM) it reached 54MB/s and a range of 120m. The other was 802.11b; its purpose was primarily to increase range, stretching to 140m, but it sacrificed speed in comparison to 802.11a, having only 11MB/s maximum transfer rates.

As with all inventions, progress was desired, and in June 2003 a standard was released which unified the best parts of 802.11a and 802.11b; this protocol was called 802.11g. It had the range (140m) of 802.11b and the speed (54MB/s) of 802.11a, and used both OFDM and DSSS to achieve this.

Next, something new was needed, and 802.11n was the answer. It had almost double the range of 802.11g (250m) and triple the maximum speed (150MB/s). Its speed, however, is often quoted as being 300MB/s or 600MB/s. This is because it has the ability to use multiple streams at once, but despite this the maximum throughput to a single device is 150MB/s.

Finally, we come to 802.11ac. This protocol was released in December 2012 and allows for speeds of nearly 900MB/s, with up to 8 streams, giving it a maximum throughput of 6.8GB/s (but no single device will see those speeds).

802.11ac also brings a new security measure called beam-forming, which will be covered when we talk about specific attacks. This means that the router knows approximately where the client is and the client knows approximately where the router is. Because of this, the devices can send traffic in the direction of each other, so MITM (man in the middle) becomes much harder: you now need to be close to the targets to capture traffic from the air. All this will be covered later.

Channels

With most wireless devices being on the 2.4GHz wave band, there is a lot of interference, so to tackle this, channels are used. So far I have been careful to call them wavebands, because 2.4GHz is not a single frequency; it is split into multiple wavebands.

The wavebands in the 2.4GHz band are commonly 22MHz wide, meaning that a band contains 22 different frequencies. The following image is lifted from taurus2.co.uk and demonstrates this perfectly.

As we can see, there are 14 channels; channel 14 is Japan only, and 12/13 are banned in the USA. Each channel uses a specific band spanning 22MHz, allowing for multiple channels on the 2.4GHz band that do not overlap and thus have very little interference. The most commonly used are 1, 6 and 11, as these channels cannot interfere with each other.
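An added example (mine, not from the original post) that works out why 1, 6 and 11 are the non-overlapping trio: it assumes the standard 2.4GHz centre frequencies (2412MHz for channel 1, 5MHz steps up to channel 13, channel 14 at 2484MHz) and the 22MHz channel width from the text.

```python
CHANNEL_WIDTH_MHZ = 22  # each 2.4GHz channel spans 22MHz, as described above

def centre_mhz(channel: int) -> int:
    """Centre frequency of a 2.4GHz channel (channels 1-13 are 5MHz apart)."""
    if channel == 14:
        return 2484            # the Japan-only channel sits 12MHz above channel 13
    if 1 <= channel <= 13:
        return 2407 + 5 * channel
    raise ValueError("2.4GHz channels run from 1 to 14")

def channel_span(channel: int) -> tuple:
    """(low, high) edge frequencies in MHz of the 22MHz band a channel occupies."""
    c = centre_mhz(channel)
    return (c - CHANNEL_WIDTH_MHZ // 2, c + CHANNEL_WIDTH_MHZ // 2)

def overlaps(a: int, b: int) -> bool:
    """True when two channels share any spectrum and so interfere with each other."""
    lo_a, hi_a = channel_span(a)
    lo_b, hi_b = channel_span(b)
    return lo_a < hi_b and lo_b < hi_a

def all_non_overlapping(channels: list) -> bool:
    """True when no pair in the list overlaps; used to check a channel plan."""
    return all(not overlaps(x, y)
               for i, x in enumerate(channels) for y in channels[i + 1:])

def non_overlapping_plan(start: int = 1) -> list:
    """Greedy plan: walk up from `start`, keeping each channel that clears the last."""
    plan = []
    for ch in range(start, 15):
        if not plan or not overlaps(plan[-1], ch):
            plan.append(ch)
    return plan
```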

And now for the end of today's session. Next week I'll start on WEP, how it was implemented and why, so we can start looking at breaking things :) - Spectr3

Wednesday 1 May 2013

Wireless Part 1

Hey, so as I hope you know, I'm Spectr3 - Hi :D - and I'm currently a first year at university, but I love wireless. My personal background that got me into wireless security was when WEP got broken. So I want to do a set of blog posts on wireless security. More specifically, I want to show you how to break it properly.

What this will be about:


It's all well and good knowing how to break it by being told "type this in and you should get something that looks like this", without knowing what is actually going on. So in this series I'm going to use the personal knowledge I have built up over the years to explain different wireless methods and different attacks in as much detail as I know them at the time of writing.

What is a wireless network


A wireless network means just that: a network without wires. We use a radio frequency (either 2.4GHz or 5GHz, and soon 60GHz) to transmit the bit patterns. This is a post series on wireless security and not on signal multiplexing etc., so I won't go into that here.

Issues arising


The problem for many people and businesses is that, in metaphor, you are throwing paper airplanes of information into a bin (the wireless access point). This is great, but anybody could come and grab those planes as they glide towards the bin, and even worse, not all will get there; some will miss. As a result wireless security is incredibly useful.

Wireless Bands


So we have mentioned that wireless networking (802.11) uses different wave bands (2.4GHz, 5GHz, etc.), but how does this work?

There are different wireless types: a/b/g/n/y/ac/ad. These all have different properties; here's a quick table.


Wireless type   Range     Maximum rated speed   Waveband
Legacy          100m      2MB/s                 2.4GHz
802.11a         120m      54MB/s                5GHz
802.11b         140m      11MB/s                2.4GHz
802.11g         140m      54MB/s                2.4GHz
802.11n         250m      150MB/s               2.4GHz and 5GHz
802.11ac        Unknown   900MB/s               5GHz

I think that will be it for today. Next time I'll go through a very brief history of wireless and how we get more speed out of 802.11n than what is in the table. Thanks for reading; please comment so I know how I'm doing and what to change for next time :)

-Spectr3