A replay attack on a wireless network can be used to take advantage of a vulnerability in wireless protocols. In this video, I’ll demonstrate how a limitation in WEP can be used to speed the identification of the WEP shared password.
<< Previous Video: Spoofing Next: Rogue Access Points and Evil Twins >>
When you’re on a wireless network performing a replay attack, looks and feels exactly like you’re on a wired network. But on a wireless network, there’s additional concerns from a security perspective that you don’t have on a wired network. For example, on a wireless network it’s much easier to capture the data that you will eventually be replaying. That’s because on a wireless network all of the traffic is going over the air. It’s much easier for a device to tune in to that frequency and capture traffic than it would be to capture traffic from a wired connection
One place we saw a lot of problems with replay attacks was when we were using WEP encryption on our wireless networks. That stands for a Wired Equivalent Privacy, and it’s obviously a type of encryption that we no longer use because of the cryptographic vulnerabilities that we found. WEP did not have a method built into the encryption process that would prevent the replay of 802.11 packets.
One place where you’re able to take advantage of this replay vulnerability on 802.11 WEP encrypted networks is if you’re someone who’s trying to crack the password for that network. To be able to do that, you need to have at least 10,000 to 15,000 data packets so you can collect the initialization vector information that’s in each one of those packets. If it’s a network that’s not used very much, you could be sitting there for hours to gather the information you need. Or you can simply replay a number of Address Resolution Protocol requests and gather thousands of packets yourselves in a relatively short period of time. Once you’ve collected all of those data frames, it becomes much easier now to crack that password and gain access to that 802.11 WEP network.
To give an idea of what this replay would look like, I’m going to gather some packets from my 802.11 WEP network that I’ve set up just for this purpose. I’m going to start capturing those packets with a utility called Airodump. Dump And you can see in this view that there is a data packet view and that data’s not moving very quickly. And as I mentioned, you need about 10,000 to 15,000 data packets to be able to really crack the password.
I’ve got another window here all set up to associate to this wireless network and then to begin replaying traffic across this network. And when I hit Enter, look at the number of data packets now. Suddenly, it increases quite a bit. And now all I have to do is collect enough of those data packets to be able to perform the cracking function.
One thing to note during this capture process is we’re not performing the crack yet. We’re not determining what the password is. We are simply gathering data at this point. The cracking process will be relatively fast compared to the amount of time that it takes to capture the actual data.
Now that we’ve had this going for a while, I’ve captured over 28,000 data packets in just a few minutes. And now I can run the actual crack program against the capture file. And now it goes through and that quickly has already found what my WEP key was, just a second or two. And the WEP key is 7B89DC1CA5. And if I put that key into another device, it can now join this wireless network and begin accessing all of the devices and data that’s on this network.