WEP and WPA PSK cracking
Since the turn of the century, wireless networking has grown from a very exclusive tech toy into a full-blown phenomenon. For less than $50, anyone who can plug in a toaster can essentially set up a wireless local area network (WLAN). The problem with this plug-and-play generation of users is that very few understand how their data is sent through the air, much less comprehend the associated risks. Even as I write this, an estimated 40–50% of all wireless users are not implementing any form of protection. On the bright side, this percentage is falling, albeit very slowly.
The security problem is exacerbated by the fact that early attempts at encryption were flawed. Wired Equivalent Privacy (WEP) was found to be vulnerable to various statistical weaknesses in the encryption algorithm it employed to scramble data passed over the WLAN. While attempts were made to correct the problem, it’s still a relatively simple feat to crack WEP and essentially pull the password right out of the air. In addition, WEP suffers from other problems that make it unacceptable for use in any secure environment.
The wireless community knew early on that these problems existed. However, they also realized that it would take years until the standardized correction was designed and implemented into new hardware. In the meantime, millions of users needed reliable protection. The Wi-Fi Alliance stepped up to the challenge and created an interim “standard” called Wi-Fi Protected Access (WPA).
WPA did an excellent job of patching the problems in WEP. With only a software upgrade, it corrected almost every security problem either created or ignored by WEP. However, WPA also created new problems:
- One flaw allowed an attacker to cause a denial-of-service attack, if the attacker could bypass several other layers of protection.
- A second flaw exists in the method with which WPA initializes its encryption scheme. Consequently, it’s actually easier to crack WPA than it is to crack WEP. This flaw is the subject of this article.
WEP and WPA PSK cracking
As indicated by its name, WEP serves to provide privacy. However, as I mentioned, its algorithms are flawed. WEP also doesn’t include any support for authorization. To correct this problem, WPA has two main components:
- The Temporal Key Integrity Protocol (TKIP) addresses the privacy concerns via enhanced encryption schemes.
- The authentication component uses 802.1x and an authentication server to provide user-level access.
The authentication mechanism comes in two varieties, which is necessary because WPA has to address two very different markets: enterprise and consumer. The following list outlines the general security requirements for each variety.
- Enterprise. Authorization, authentication, and auditing are all essential components for providing a secure resource to an enterprise user. As a result, it’s possible to configure WPA to authenticate users, typically via a RADIUS server. (RADIUS is not the standard—just the most common way of implementing the standard.) During this process, the user obtains the primary master key (PMK), which is then used to set up the encryption algorithm used by TKIP. Because the PMK is derived as a result of the authentication process, there’s no need for locally stored passwords. In addition, the authentication information is passed via an encrypted channel to protect it against eavesdroppers.
- Consumer. WPA is not just an enterprise solution. It was also created to help secure the SOHO user. However, the consumer environment offers little justification for an authentication server. As a result, WPA had to include some internal method to create the PMK used to initialize the TKIP encryption process. This solution was created by using a pre-shared password that’s previously configured in the access point and all nodes.
The attacks discussed in this article affect only the consumer version of WPA, known as WPA Pre-Shared Key (WPA-PSK). The enterprise solution is not susceptible to this particular attack, but that doesn’t make it any less dangerous. With the widespread understanding that WEP is flawed, many SOHO users have switched to WPA-PSK without realizing the risks involved.
Weak IVs and Collisions
The initialization vector (IV) value is used to provide each packet with a unique key (IV plus pre-shared key). This unique key provides a serious obstacle to any attacker, simply because each packet must be treated as a unique target. Cracking one packet’s password only provides access to that one packet.
However, WEP’s implementation of the IV is flawed:
- The IV is only 24 bits. As a result, IVs are repeated every few hours. Therefore, over time, an attacker can leverage repeated IV values, known as collisions, to help gain access to the data.
- WEP’s algorithm is flawed. This flaw led to the widely known WEP cracking scandal that has surrounded wireless networking for years.
WPA corrected these problems in the following manner:
- WPA increased the size of the IV to 48 bits, which provides at least 900 years of unique passwords and basically eliminates the problem of collision.
- WPA alters the values acceptable as IVs. This fix allows WPA to use the same algorithm as WEP, but plugs the hole by controlling the IV values going into the algorithm. Finally, a new password is generated automatically every 10,000 packets. This is well below the threshold of even the most successful WEP cracking efforts and all but eliminates the threat of a statistical attack.
Integrity Check Value (ICV)
WEP uses an integrity check value (ICV) to ensure that packets are not corrupted during transmission. This integrity check has little to offer in the way of security, however. The algorithm is widely used and easy to fool.
To correct this problem, WPA incorporates an algorithm known as Michael that creates a unique integrity value, using the sender’s and receiver’s MAC addresses. However, Michael uses a simple encryption scheme that can be cracked using brute-force methods. To compensate for this issue, if Michael detects more than two invalid packets in under a minute, it halts the network for one minute and resets all passwords. But this arrangement opens the doors for a malicious attacker to perform a denial-of-service attack by purposefully injecting faulty packets; to accomplish this goal, however, the attacker must first work through several other layers of protection.
Forgery and Replay
WEP has no protection against forgery or replay attacks. Any attacker can inject any packet into a network. In addition, an attacker can reuse a captured packet in this injection. WPA incorporates protections against these attacks via the 48-bit IV value.
First, the IV is created using the MAC address of the sending network card and a sequential counter value. This technique stops forgery attacks because an attacker must know the MAC and IV values that are encrypted into the packet. Second, the IV includes a sequential counter (TSC). When a packet is received, its counter value must fall within an accepted range or it will be dropped. As a result, replay attacks don’t work because the fake TSC probably won’t be within the valid range.
WEP offers little in the way of authentication. It’s possible to set up a shared authentication system, but enabling this method opens other security risks and is considered dangerous. To compensate, WPA includes support for authentication via 802.1x Extensible Authentication Protocol over LAN (EAPoL), generally with a RADIUS server.
As you can see, WPA has helped to increase the security available to wireless network users. Of course, this statement assumes that the WLAN owner knows about these technologies and uses them. Unfortunately, this is not often the case.
WEP and WPA PSK cracking tools
To successfully crack WEP/WPA, you first need to be able to set your wireless network card in “monitor” mode to passively capture packets without being associated with a network. This NIC mode is driver-dependent, and only a relatively small number of network cards support this mode under Windows.
One of the best free utilities for monitoring wireless traffic and cracking WEP/WPA-PSK keys is the aircrack-ng suite, which we will use throughout this article. It has both Linux and Windows versions (provided your network card is supported under Windows). The aircrack-ng site has a comprehensive list of supported network cards available here: NIC chipset compatability list.
If your network card is not supported under Windows, one can use a free Linux Live CD to boot the system. BackTrack is probably the most commonly used distribution, since it runs from a Live CD, and has aircrack-ng and a number of related security auduting tools already installed.
For this article, I am using aircrack-ng on another Linux distro (Fedora Core) on a Sony Vaio SZ-680 laptop, using the built-in Intel 4965agn network card. If you’re using the BackTrack CD aircrack-ng is already installed, with my version of linux it was as simple as finding it with:
- yum search aircrack-ng
- yum install aircrack-ng
The aircrack-ng suite is a collection of command-line programs aimed at WEP and WPA-PSK key cracking. The ones we will be using are:
- airmon-ng – script used for switching the wireless network card to monitor mode
- airodump-ng – for WLAN monitoring and capturing network packets
- aireplay-ng – used to generate additional traffic on the wireless network
aircrack-ng – used to recover the WEP key, or launch a dictionary attack on WPA-PSK using the captured data.