[Repost] How to Recover a 104-bit WEP Key in Under a Minute
Original source: [url=http://www.cdc.informatik.tu-darmstadt.de/aircrack-ptw/]http://www.cdc.informatik.tu-darmstadt.de/aircrack-ptw/[/url]
Information source: 邪恶八进制信息安全团队 (Evil Octal Security Team) ([url=http://www.eviloctal.com/]www.eviloctal.com[/url])
WEP is a protocol for securing wireless LANs. WEP stands for "Wired Equivalent Privacy", which means it should provide the level of protection a wired LAN has. WEP therefore uses the RC4 stream cipher to encrypt data transmitted over the air, usually with a single secret key (called the root key or WEP key) that is 40 or 104 bits long.
[size=5][b]A history of WEP and RC4[/b][/size]
WEP was previously known to be insecure. In 2001 Scott Fluhrer, Itsik Mantin, and Adi Shamir [url=http://www.drizzle.com/~aboba/IEEE/rc4_ksaproc.pdf][color=#003366]published[/color][/url] an analysis of the RC4 stream cipher. Some time later, it was [url=http://cnscenter.future.co.kr/resource/hot-topic/wlan/wep_attack.pdf][color=#003366]shown[/color][/url] that this attack can be applied to WEP and the secret key can be recovered from about 4,000,000 to 6,000,000 captured data packets. In 2004 a hacker named KoReK [url=http://www.netstumbler.org/showthread.php?t=11869][color=#003366]improved[/color][/url] the attack: the complexity of recovering a 104 bit secret key was reduced to 500,000 to 2,000,000 captured packets.
In 2005, Andreas Klein [url=http://cage.ugent.be/~klein/RC4/][color=#003366]presented[/color][/url] another analysis of the RC4 stream cipher. Klein showed that there are more correlations between the RC4 keystream and the key than the ones found by Fluhrer, Mantin, and Shamir, which can additionally be used to break WEP in WEP-like usage modes.
[size=5][b]Our attack[/b][/size]
We were able to extend Klein's attack and optimize it for usage against WEP. Using our version, it is possible to recover a 104 bit WEP key with probability 50% using just 40,000 captured packets. For 60,000 available data packets, the success probability is about 80% and for 85,000 data packets about 95%. Using active techniques like [i]deauth[/i] and [i]ARP re-injection[/i], 40,000 packets can be captured in less than one minute under good conditions. The actual computation takes about 3 seconds and 3 MB of main memory on a Pentium-M 1.7 GHz and can additionally be optimized for devices with slower CPUs. The same attack can be used for 40 bit keys too, with an even higher success probability.
[size=5][b]Countermeasures[/b][/size]
We believe that WEP should not be used anymore in sensitive environments. Most wireless equipment vendors provide support for TKIP (also known as WPA1) and CCMP (also known as WPA2), which provide a much higher security level. All users should switch to WPA1 or, even better, WPA2.
[size=5][b]How the attack works[/b][/size]
A [url=http://eprint.iacr.org/2007/120][color=#003366]paper[/color][/url] describing the details and methods we used in our attack is available on the [url=http://eprint.iacr.org/][color=#003366]IACR ePrint server[/color][/url].
[size=5][b]Implementation[/b][/size]
We implemented a proof-of-concept of our attack in a tool called [url=http://www.cdc.informatik.tu-darmstadt.de/aircrack-ptw/download/aircrack-ptw-1.0.0.tar.gz][color=#003366]aircrack-ptw[/color][/url]. It should be used together with the aircrack-ng toolsuite.
[size=5][b]Reproduction of our results[/b][/size]
Our tool is quite similar to [b]aircrack-ng[/b]. You can find a very good tutorial on the [url=http://www.aircrack-ng.org/doku.php?id=simple_wep_crack][color=#003366]aircrack-ng homepage[/color][/url]. For usage with our tool, you need to make a few small changes.
[list]
[li]In [i]Step 3[/i], you [b]MUST NOT[/b] use the parameter [font=nsimsun]-ivs[/font]. Just skip this parameter; the other command line arguments still apply.[/li]
[li]In [i]Step 5[/i], you should use [font=nsimsun]aircrack-ptw[/font] instead of [font=nsimsun]aircrack-ng[/font]. [font=nsimsun]ls -la output*.cap[/font] will give you a list of capture files [i]airodump-ng[/i] has created. Usually, if you did not interrupt [i]airodump-ng[/i], there should be only one file named [font=nsimsun]output-01.cap[/font]. Just start [b]aircrack-ptw output-01.cap[/b] to get the key. If [i]aircrack-ptw[/i] was not successful, wait a few seconds and start it again.[/li]
[/list]
[size=5][b]Questions and answers[/b][/size]
[size=3][b]Does [i]aircrack-ptw[/i] work with arbitrary packets?[/b][/size]
No, aircrack-ptw currently only works with ARP requests and ARP responses. Using methods like [i]ARP re-injection[/i], it is usually not a problem to generate a sufficient amount of ARP traffic.
In a future version, [i]aircrack-ptw[/i] could be extended to work with other packets too.
[size=3][b]Does [i]aircrack-ptw[/i] work with 256 bit keys?[/b][/size]
Currently, [i]aircrack-ptw[/i] does not support 256 bit WEP.
[size=3][b]Does [i]aircrack-ptw[/i] work on WPA1 or WPA2 too?[/b][/size]
No. WPA is a complete redesign. Although the TKIP specified for WPA still uses RC4 as its encryption algorithm, related-key attacks are not possible in this case since the per-packet keys do not share a common suffix. Furthermore, re-injection attacks on WPA-protected networks will not work: WPA requires multiple packets with the same IV to be discarded. Although no cryptographic attacks against WPA1 are known, we recommend WPA2 over WPA1 if you have the choice.
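An added example (not from the original page or from the aircrack-ptw code) of the two WEP properties this answer contrasts with WPA: each per-packet RC4 key is the cleartext IV followed by the root key, so all keys share the secret suffix, and a WEP receiver keeps no record of IVs it has already seen. ROOT_KEY, SAMPLE and the ReplayGuard class are constructed for illustration; ReplayGuard is a simplified model of "discard a repeated IV", not TKIP's actual sequence-counter check.

```python
import struct
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4: key scheduling (KSA), then keystream generation (PRGA) XORed onto data."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_packet_key(iv: bytes, root_key: bytes) -> bytes:
    # WEP prepends the 3-byte IV (sent in clear) to the root key, so every
    # per-packet RC4 key ends in the same secret bytes: the common suffix.
    return iv + root_key

def wep_encap(iv: bytes, root_key: bytes, payload: bytes) -> bytes:
    icv = struct.pack("<I", zlib.crc32(payload))  # ICV is a plain CRC-32
    # Frame body layout: IV (3 bytes), key ID byte, RC4(payload || ICV)
    return iv + b"\x00" + rc4(wep_packet_key(iv, root_key), payload + icv)

def wep_decap(root_key: bytes, frame: bytes) -> bytes:
    body = rc4(wep_packet_key(frame[:3], root_key), frame[4:])
    payload, icv = body[:-4], body[-4:]
    if struct.pack("<I", zlib.crc32(payload)) != icv:
        raise ValueError("ICV mismatch")
    return payload  # no state is kept: the same frame is accepted again and again

class ReplayGuard:
    """Simplified receiver-side rule: discard any frame whose IV was already seen."""
    def __init__(self):
        self.seen = set()
    def accept(self, frame: bytes) -> bool:
        iv = frame[:3]
        if iv in self.seen:
            return False
        self.seen.add(iv)
        return True

ROOT_KEY = bytes(range(1, 14))                            # constructed 104-bit key
SAMPLE = b"\xaa\xaa\x03\x00\x00\x00\x08\x06" + bytes(28)  # constructed ARP-like payload
FRAME = wep_encap(b"\x01\x02\x03", ROOT_KEY, SAMPLE)      # constructed IV
```

Decapsulating FRAME twice succeeds both times under WEP, while a receiver applying ReplayGuard accepts it once and drops the repeat.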
[size=3][b]Does [i]aircrack-ptw[/i] work against [b]WEPplus[/b]?[/b][/size]
This has not been tested due to lack of equipment supporting WEPplus. Since WEPplus only avoids the weak IVs of the original FMS attack, we foresee no problems in applying the attack against WEPplus.
[size=3][b]Does [i]aircrack-ptw[/i] work against [b]Dynamic WEP[/b]?[/b][/size]
This has not been tested either. In principle we expect our attack to work on networks protected by Dynamic WEP. Since Dynamic WEP allows for re-keying, the attack will provide a key that may only be valid for a certain time frame. After the key has expired, the attack needs to be performed again.
[size=3][b]Any additional information?[/b][/size]
We are going to give a talk about [i]aircrack-ptw[/i] at the [url=http://easterhegg2007.hamburg.ccc.de/][color=#003366]easterhegg 2007[/color][/url] event in Hamburg.
[size=3][b]I cannot compile it![/b][/size]
Please make sure that you have the libpcap development files installed. On Debian or Ubuntu, you can do this with [b]apt-get install libpcap0.8-dev[/b].
[size=3][b]Under which license is [i]aircrack-ptw[/i] released?[/b][/size]
[i]Copyright (c) 2007 Erik Tews, Andrei Pychkine and Ralf-Philipp Weinmann[/i]
[i]Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions:[/i]
[i]The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.[/i]
[i]THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.[/i]
[size=5][b]Who we are[/b][/size]
We (Erik Tews, Andrei Pychkine and Ralf-Philipp Weinmann) are cryptographic researchers at the cryptography and computer algebra group at the technical university Darmstadt in Germany. Head of the group is Prof. Dr. Dr. Johannes Buchmann.
[size=5][b]Contact[/b][/size]
Please send questions to [url=mailto:aircrack-ptw@cdc.informatik.tu-darmstadt.de][color=#003366]aircrack-ptw@cdc.informatik.tu-darmstadt.de[/color][/url]