wpa migration mode wep is back to haunt you
play

WPA Migration Mode: WEP is back to haunt you Leandro Meiners - PowerPoint PPT Presentation

Mar 05, 2024 •183 likes •560 views

Black Hat USA 2010 WPA Migration Mode: WEP is back to haunt you Leandro Meiners (lmeiners@coresecurity.com / @gmail.com) Diego Sor (dsor@coresecurity.com / diegos@gmail.com)

  1. Black Hat USA 2010 WPA Migration Mode: WEP is back to haunt you… Leandro Meiners (lmeiners@coresecurity.com / @gmail.com) Diego Sor (dsor@coresecurity.com / diegos@gmail.com) ������ ��������������������������������������������� ����������������� ���������

  2. Agenda � Introduction to WEP � Introduction to WPA Migration Mode � Attacking WPA Migration Mode � Mitigations and recommendations ������ ��������������������������������������������� ����������������� ���������

  3. Introduction to WEP The boring… ������ ��������������������������������������������� ����������������� ���������

  4. Introduction to WEP WEP Properties � WEP’s confidentiality: Based on RC4, which is a symmetric stream cipher: – � Symmetric: the encryption and decryption keys are the same � Stream cipher: encryption occurs one digit at a time � WEP’s integrity: Based on a ICV (Integrity Check Value) – � Implemented as a CRC-32 � WEP’s key management: IEEE 802.11 does not define any key management service – � WEP depends on an external key distribution/management mechanism � Generally, WEP keys are set manually ����� ��������������������������������������������� ����������������� ���������

  5. Introduction to WEP WEP Encapsulation 1. Seed generation: The secret key is concatenated with an initialization vector (IV) (i.e. IV || Secret Key) 2. Compute ICV: CRC-32 of the plaintext (payload data) 3. Compute Key stream: Key stream = RC4(seed) 4. Encryption: Cipher text = Key stream XOR (Plaintext || ICV) 5. Message = IV || Cipher text �����! ��������������������������������������������� ����������������� ���������

  6. Introduction to WEP WEP Message tampering � Checksum (i.e. CRC-32) is linear: CRC-32(A XOR B) = CRC-32(A) XOR CRC-32(B) – � Let C = [M XOR WEP(iv,key), CRC-32(M) XOR WEP(iv,key)], then it is possible for an attacker to obtain C’ where: C’ = [M’ XOR WEP(iv,key), CRC-32(M’) XOR WEP(iv,key)] – where M’ = M XOR � (only knowing C and � ) C’ = [M XOR WEP(iv,key) XOR � , CRC-32(M) XOR CRC-32( � ) XOR CRC-32(Zero) XOR WEP(iv,key)] Or… in layman’s terms: • xor the data with the mask ( ∆ ) • xor the checksum with the checksum of the mask ( CRC-32( ∆ ) ) �����" ��������������������������������������������� ����������������� ���������

  7. Introduction to WPA Migration Mode Starting to get interesting… �����# ��������������������������������������������� ����������������� ���������

  8. WPA Migration Mode What is WPA Migration Mode? Cisco’s WPA Migration Mode allows stations that support the following types of authentication and encryption schemes, to associate to the access point using the same SSID: � WPA clients capable of TKIP and authenticated key management. � IEEE802.1X compliant clients (such as legacy LEAP clients and clients using TLS) capable of authenticated key management but not TKIP. � WEP clients not capable of TKIP or authenticated key management. �����$ ��������������������������������������������� ����������������� ���������

  9. WPA Migration Mode How WPA Migration Mode works � WPA Cipher Suite configuration: Multicast Cipher Suite: WEP – Unicast Cipher Suite: TKIP – � Using WEP as multicast cipher allows WEP and WPA stations to decrypt multicast traffic. � AP tracks encryption capabilities of each station, and because IEEE 802.11 networks are switched, the AP forwards unicast frames encrypted appropriately (WEP or TKIP). �����% ��������������������������������������������� ����������������� ���������

  10. WPA Migration Mode Configuring WPA Migration Mode � WPA optional � A cipher suite containing TKIP and 40-bit or 128-bit WEP � A static WEP key in key slot 2 or 3 ap# configure terminal ap(config)# interface dot11radio 0 ap(config-if)# ssid migrate ap(config-if-ssid)# authentication open ap(config-if-ssid)# encryption mode ciphers tkip wep128 ap(config-if)# encryption key 2 size 128 AAAAAAAAAAAAAAAAAAAAAAAAAA transmit-key ap(config-if)# ssid migrate ap(config-if-ssid)# authentication key-management wpa optional ap(config-if-ssid)# wpa-psk ascii migrationmode ap(config-if-ssid)# end ap# ������& ��������������������������������������������� ����������������� ���������

  11. WPA Migration Mode Detecting an AP with WPA Migration Mode Wireshark Filter: � Beacon frame: wlan.fc.type_subtype == 0x08 – � Has a WPA Information element: wlan_mgt.tag.number == 221 – � Multicast cipher suite is WEP (40 or 104 bit): wlan_mgt.tag.interpretation == "Multicast cipher suite: WEP (40-bit)" – wlan_mgt.tag.interpretation == "Multicast cipher suite: WEP (104-bit)“ – � Unicast cipher suite is TKIP: wlan_mgt.tag.interpretation == "Unicast cipher suite 1: TKIP" – ������� ��������������������������������������������� ����������������� ���������

  12. WPA Migration Mode Detecting an AP with WPA Migration Mode (2) Wireshark Filter: wlan.fc.type_subtype == 0x08 and wlan_mgt.tag.number == 221 and (wlan_mgt.tag.interpretation == "Multicast cipher suite: WEP (40- bit)" or wlan_mgt.tag.interpretation == "Multicast cipher suite: WEP (104-bit)") and wlan_mgt.tag.interpretation == "Unicast cipher suite 1: TKIP " ������� ��������������������������������������������� ����������������� ���������

  13. WPA Migration Mode Detecting an AP with WPA Migration Mode (3) Kismet (patched): ������� ��������������������������������������������� ����������������� ���������

  14. Attacking WPA Migration Mode Now we are talking… ������ ��������������������������������������������� ����������������� ���������

  15. Attacking WPA Migration Mode Scenarios “The effect of supporting both static or dynamic WEP clients and WPA clients is that security will operate at the least-secure level common to all devices . In WPA Migration Mode, although WPA key authentication, per- packet keying, and message integrity are enabled, this is not enforced for all clients. As a result, a passive WEP key attack could be launched against WEP users .” -- Cisco Systems WI-FI PROTECTED ACCESS, WPA2 AND IEEE 802.11I Q&A, 2004 � WEP stations still hanging around… � No WEP stations in sight… ������! ��������������������������������������������� ����������������� ���������

  16. Attacking WPA Migration Mode WEP stations still hanging around… 1. Passively wait (and capture) for a broadcast ARP frame (distinguished by its characteristic size) that is answered by a WEP station. 2. Replay the captured frame. 3. Capture the ARP replies sent by the WEP station (under attack). 4. Run aircrack-ng against the captured frames to obtain the WEP key. Just fire aireplay-ng against a WEP station: aireplay-ng -2 -b <BSSID> -d FF:FF:FF:FF:FF:FF -f 1 -m 68 -n 86 <WIFI INTERFACE> http://aircrack-ng.org/doku.php?id=how_to_crack_wep_via_a_wireless_client ������" ��������������������������������������������� ����������������� ���������

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

WPA Migration Mode: WEP is back to haunt you Leandro Meiners (lmeiners@coresecurity.com /

WPA Migration Mode: WEP is back to haunt you Leandro Meiners (lmeiners@coresecurity.com /

Black Hat USA 2010 WPA Migration Mode: WEP is back to haunt you Leandro Meiners (lmeiners@coresecurity.com / @gmail.com) Diego Sor (dsor@coresecurity.com / diegos@gmail.com)

491 views • 37 slides
Mainframes: The past will come back to haunt you By:

Mainframes: The past will come back to haunt you By:

Mainframes: The past will come back to haunt you By: Philip Soldier of Fortran Young Disclaimer Any views expressed in this talk are my own

1.21k views • 90 slides
Swing to SWT and Back: Patterns for API Migration by Wrapping Thiago Tonelli Bartolomei Ralf L

Swing to SWT and Back: Patterns for API Migration by Wrapping Thiago Tonelli Bartolomei Ralf L

Swing to SWT and Back: Patterns for API Migration by Wrapping Thiago Tonelli Bartolomei Ralf L ammel Krzysztof Czarnecki University of Waterloo University of Koblenz-Landau September 15, 2010 Outline Outline 1 - API Migration 2 - Study

1.33k views • 117 slides
How Can Canada .. Take Back Manufacturing Or how to reverse 30 years of poor global management

How Can Canada .. Take Back Manufacturing Or how to reverse 30 years of poor global management

12/6/2015 TBM Take Back Manufacturing WWW.SME-TBM.ORG How Can Canada.. Take Back Manufacturing The Canadian economy is in reset mode with the world-wide price drop in oil and declining international demand devastating the export orientated

716 views • 46 slides
WHY IS MIGRATION SO IMPORTANT? Why migration? German National Team 2014 Why migration?

WHY IS MIGRATION SO IMPORTANT? Why migration? German National Team 2014 Why migration?

WHY IS MIGRATION SO IMPORTANT? Why migration? German National Team 2014 Why migration? Washington Capitals 2018 Why migration? Birmingham Children Hospital, Cardiac Surgery Group ENGLAND Ohio State University Electrical Engineering Faculty

818 views • 58 slides
Lecture 3: Introduction to Sliding Mode Control Reference: S.C. Tan, Chapter 1. Sliding Mode

Lecture 3: Introduction to Sliding Mode Control Reference: S.C. Tan, Chapter 1. Sliding Mode

ELEC8406 Sliding Mode Control of Power Electronics Lecture 3: Introduction to Sliding Mode Control Reference: S.C. Tan, Chapter 1. Sliding Mode Control of Switching Power Converters History (1) SM control can be traced back to the 1930s

882 views • 45 slides
Migration and Skills: EU legislation on Legal Migration DG HOME - Legal Migration and

Migration and Skills: EU legislation on Legal Migration DG HOME - Legal Migration and

EU-India Common Agenda on Migration and Skills: EU legislation on Legal Migration DG HOME - Legal Migration and Integration Alexandra S Carvalho EU migration basic facts and figures 21.6 million third-country nationals (TCN) in the EU

274 views • 16 slides
Migration of a web service back-end from a relational to a document-oriented database Sebastian

Migration of a web service back-end from a relational to a document-oriented database Sebastian

Migration of a web service back-end from a relational to a document-oriented database Sebastian Drenckberg, Marius Politze IT Center RWTH Aachen University Outline Motivation From Relational to Document oriented Validation of

489 views • 17 slides
A normal mode back-propagation approach for broadband sound source localization and the effects of

A normal mode back-propagation approach for broadband sound source localization and the effects of

A normal mode back-propagation approach for broadband sound source localization and the effects of water column variability Ying-Tsong Lin, James F. Lynch and Timothy F. Duda Woods Hole Oceanographic Institution Outline An acoustic normal

230 views • 20 slides
EU policy on Legal Migration DG Migration and Home Affairs EU migration basic facts and figures

EU policy on Legal Migration DG Migration and Home Affairs EU migration basic facts and figures

EU policy on Legal Migration DG Migration and Home Affairs EU migration basic facts and figures 21.6 million third-country nationals (TCN) in the EU 4.2% of EU population Valid residence permits EU-25 (2008-17) Migration reasons:

162 views • 14 slides
The Hiring Process Avoiding the Legal Hazards That Can Haunt Employers June 13, 2017 Labor

The Hiring Process Avoiding the Legal Hazards That Can Haunt Employers June 13, 2017 Labor

The Hiring Process Avoiding the Legal Hazards That Can Haunt Employers June 13, 2017 Labor &amp; Employment Law Workshop Bellevue, Washington Julie S. Lucht, Partner Chelsea Dwyer Petersen, Partner Perkins Coie LLP Prologue Throughout

807 views • 14 slides
Tech in Your Haunt Beyond Simple Control INTRODUCTION Escape room techs 2001 12 (n)

Tech in Your Haunt Beyond Simple Control INTRODUCTION Escape room techs 2001 12 (n)

Tech in Your Haunt Beyond Simple Control INTRODUCTION Escape room techs 2001 12 (n) Entrepreneurial vision for the BS Computer Engineering escape room industry; Started in 17 in 2001 2016 Developed dozens of electronic and mechanical

299 views • 25 slides
File Transfer Migration SP09-01 Migration Tools Overview Who are we? Why migrate ?

File Transfer Migration SP09-01 Migration Tools Overview Who are we? Why migrate ?

File Transfer Migration SP09-01 Migration Tools Overview Who are we? Why migrate ? Issues Agenda Migration offering overview Migration approaches C:D Migration Summary 2 Who are we? Specialist in providing

767 views • 19 slides
Migration has been a feature of human culture throughout its history Some migration is

Migration has been a feature of human culture throughout its history Some migration is

Migration has been a feature of human culture throughout its history Some migration is voluntary, some is involuntary; sometimes the difference is not always clear... Migration is an important fact of global culture today Estimated Number

404 views • 23 slides
migration and urbanization: regional perspectives: Migration and Cities in Latin America and the

migration and urbanization: regional perspectives: Migration and Cities in Latin America and the

UNITED NATIONS EXPERT GROUP MEETING ON SUSTAINABLE CITIES, HUMAN MOBILITY AND INTERNATIONAL MIGRATION Population Division, Department of Economic and Social Affairs, UN, New York 7-8 September 2017 Patterns and drivers of trends in migration

525 views • 23 slides
Migration and Families The multiple role of youth in family migration Jason Gagnon International

Migration and Families The multiple role of youth in family migration Jason Gagnon International

OECD Development Centre Migration and Families The multiple role of youth in family migration Jason Gagnon International Dialogue on Migration Geneva 7/8 October 2014 What are the current dynamics of youth migration? Demographic

390 views • 11 slides
Finite and Infinite Ramsey Theorem Silvia Steila Universit` a degli studi di Torino April 28,

Finite and Infinite Ramsey Theorem Silvia Steila Universit` a degli studi di Torino April 28,

Graphs Finite Ramsey Theorem Infinite Ramsey Theorem Applications What about greater cardinals? Finite and Infinite Ramsey Theorem Silvia Steila Universit` a degli studi di Torino April 28, 2014 Silvia Steila Finite and Infinite Ramsey

380 views • 20 slides
rtt r str

rtt r str

rtt r str t rstt st q

386 views • 22 slides
Lattice closure of polyhedra Oktay G unl uk Math Sciences, IBM Research joint work with

Lattice closure of polyhedra Oktay G unl uk Math Sciences, IBM Research joint work with

Lattice closure of polyhedra Oktay G unl uk Math Sciences, IBM Research joint work with Sanjeeb Dash and Diego Moran January 2017 Aussois Cutting planes for mixed-integer sets 1 Consider the mixed-integer set: P IP = { x R n

232 views • 21 slides
Covering of ordinals Laurent Braud IGM, Univ. Paris-Est Liafa , 8 January 2010 Laurent Braud

Covering of ordinals Laurent Braud IGM, Univ. Paris-Est Liafa , 8 January 2010 Laurent Braud

Covering of ordinals Laurent Braud IGM, Univ. Paris-Est Liafa , 8 January 2010 Laurent Braud (IGM, Univ. Paris-Est) Covering of ordinals Liafa , 8 January 2010 1 / 27 Covering graphs 1 Ordinals MSO logic Fundamental sequence MSO-theory of

790 views • 64 slides
OF THE GRAVITATIONAL INTERACTION ON ANTIMATTER WITH THE AE IS EXPERIMENT 58th

OF THE GRAVITATIONAL INTERACTION ON ANTIMATTER WITH THE AE IS EXPERIMENT 58th

ADVANCES TOWARDS A DIRECT MEASUREMENT OF THE GRAVITATIONAL INTERACTION ON ANTIMATTER WITH THE AE IS EXPERIMENT 58th International Winter Meeting on Nuclear Physics 2 THE WEAK EQUIVALENCE PRINCIPLE Universality of free fall

183 views • 14 slides
Model-Driven Developm ent of Mobile Applications Florence T. Balagtas-Fernandez Adviser: Prof.

Model-Driven Developm ent of Mobile Applications Florence T. Balagtas-Fernandez Adviser: Prof.

Model-Driven Developm ent of Mobile Applications Florence T. Balagtas-Fernandez Adviser: Prof. Dr. Heinrich Hum ann Department of Computer Science, Media Informatics Group University of Munich The Mobile Age I m ages from http:/ / w w w

609 views • 14 slides
Dark E k Energy a y as the G Gravit itat atio ional F l Fee eedback k of M Mass-Va

Dark E k Energy a y as the G Gravit itat atio ional F l Fee eedback k of M Mass-Va

Dark E k Energy a y as the G Gravit itat atio ional F l Fee eedback k of M Mass-Va -Varyin ing Da Dark Ma Matter Andr Fzfa* F.N.R.S. Postdoctoral Researcher GAMASCO, University of Namur, Belgium Jean-Michel Alimi LUTh,

365 views • 14 slides
Investigating the extremal martingale measures with pre-specified marginals Luciano Campi 1 ,

Investigating the extremal martingale measures with pre-specified marginals Luciano Campi 1 ,

Outline Martingale optimal transport problem Examples of optimal martingale transports Extremal points: motivation Douglas theorem and the WEP Characterizing the support of extremal points (countable case) Investigating the extremal martingale

915 views • 40 slides

More recommend