13:26 Attacks on wireless networks Part 3 wpa | |
This article is a logical extension of this and this articles. The third part of a series of articles about the attacks on wireless networks will be considered an attack on the protocol, until recently, is a fairly safe - WPA. 1. WPA-TKIP For more than a week, the attention of computer and computer media about some chained to a new vulnerability in the protocol of WPA-TKIP, discovered by researchers and members of the team aircrack-ng Martin Beck and Eric Tyuzom. Try to answer the question whether this means the collapse of another system of wireless network security? Actually, not so bad, because in the exploitation of the vulnerability of the primary key can not be restored. You can only find the key used to verify the integrity and the key stream. Based on this, not knowing the master key, it is possible to send packets to the network. Receive back packs for the scheme this easside-ng. Already, the vulnerability can be verified using a test program tkiptun-ng added to the unstable branch of aircrack-ng a few days ago. Complete instructions for using the promise soon to add. So far, only aware that an attack is necessary to change the MAC of its adapter to the MAC client that atakuetsya.Takzhe attacked the access point must support QoS or WMM, use WPA + TKIP (not AES), and changing time temporary key must be greater than 3600 seconds . If all this is present, then you can run: tkiptun-ng-h <MAC adaptera>-a <MAC point dostupa>-m 80-n 100 <interface> After a successful execution, you receive a stream of key that allows you to create packages and run them into the network. At the moment this is limited functionality tkiptun-ng. It is not enough to declare a WPA-TKIP cracked, but there are reasons to think about a full transition to WPA2, which is not affected by this vulnerability. 2.Klassichesky cracking WPA The second method is much older and the first attempts to implement it first appeared in 2004 with the release of the program cowpatty. The essence of the attack - in search of all possible combinations of keys to its definition. The method guarantees success, but if the key is sufficiently long to be in the dictionary, then we can consider itself immune from this attack. But, so cracked as wpa-tkip and wpa2-ccmp network, but only in the PSK mode. This attack is built into the package aircrack-ng. First you need to catch the authentication client, on the basis that it has to restore the primary key. This is most easily done by running airodump-ng and waiting for authentication, or running attack deautentifikatsii (aireplay-ng -0 <number deautentifikatsy) After a while, airodump-ng shows that authentication is captured and written to the file. After that, we just need to run aircrack-ng <file authentication> and wait. You can expedite the process by using a large dictionary of frequently used words. More help speed up the process of using specialized microcontrollers, or as we described earlier - video cards. Without this enumeration of all possible keys would take too long. So, as usual, we recommend to use only WPA2 with a long enough and unusual key. Author: Kozhara Jaroslav, Glaive Security Group UPD. Date Published: 23 November 2008 | |
|
Total comments: 0 | |