[ale] Presentation from ALE Central last Thursday now up...

Michael H. Warfield mhw at WittsEnd.com
Tue Aug 15 13:45:02 EDT 2006


On Tue, 2006-08-15 at 13:23 -0400, Greg Freemyer wrote:
> That article is amazing.

> If I read it right the author claims full WEP penetration within 60
> seconds from receiving a single data packet.

> Michael, the author says that part of the speed comes from the fact
> that most wireless APs have a x.x.x.1 IP.

> He did not say if setting that to another IP would make a small
> difference or a large difference in the difficulty of hacking into the
> wireless network.

> Do you happen to know?

	Just as a guess, off the top of my head, probably not much.  It might
take a little more effort, initially, but I doubt it would be much of a
problem.  It might avoid their proof-of-concept but it's not much of a
stretch to see you could try a few values to see what worked and "brute
force it".  Once you know the AP's low octet, it's highly unlikely to
change and you could then track rekeying at the faster, optimized rate.
That "might" increase the difficulty by a factor of 256 (but probably
won't), up front, but that's not enough to make me comfortable.  Part of
the speed comes from that .1.  It will still work, albeit a bit slower,
if it's not on .1.

	Mike

> Thanks
> Greg
> 
> On 8/14/06, Michael H. Warfield <mhw at wittsend.com> wrote:
> > Hey all...
> >
> >         Took me a little longer to get my presentation up on my web site than I
> > anticipated, but it's finally there.
> >
> >         You can get it here:
> >
> >         http://www.wittsend.com/mhw/2006/Wireless-Security-ALE/
> >
> >         From that page, you can also download the OpenOffice, PowerPoint, or
> > PDF versions of the talk, as you like.
> >
> >
> >         Worthy of note:  Since the talk on Thursday at Emory, a paper has now
> > been announced describing a real-time attack against WEP which allows
> > the attacker to begin sending (somewhat limited) data after receiving
> > only a single WEP encrypted packet.  This, in turn, rapidly leads to
> > more extensive breakage and eventual key compromise, even for a
> > relatively quiescent network.  It allows for immediate ARP queries of
> > other devices and, if you have an Internet server at your command, it
> > allows you to independently build up your "known plaintext" keystream
> > dictionary.  Reception of a single ARP packet is sufficient.  :-(  This
> > involves a combination of IV reuse, data (ARP) leakage, and a layer 2
> > fragmentation attack, in a new, more effective, attack.  It's claimed
> > it's fast enough to even keep up with dynamic rekeying.  Like I said in
> > the live talk, when I mentioned having to revise it since the talk at
> > AUUG on the previous Monday, it's a dynamic field.  Guess I have to
> > revise that talk AGAIN.
> >
> >         The Final Nail in WEP's Coffin
> >         http://www.cs.ucl.ac.uk/staff/M.Handley/papers/fragmentation.pdf
> >
> >         It's an interesting read.  Don't let the level of technical details
> > scare you off.  You can skim the groady details and get to the chase
> > pretty easily and it's not an overly difficult read for the conclusions.
> >
> >         Mike
> > --
> > Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
> >    /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
> >    NIC whois: MHW9          | An optimist believes we live in the best of all
> >  PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0xDF1DD471        | possible worlds.  A pessimist is sure of it!
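
Added example, not part of the original message or of the cited paper: a short Python sketch of the IV-reuse and known-plaintext point raised in the thread, showing that the fixed leading bytes of an ARP frame expose the keystream for that IV without the key, which is why moving the AP off .1 or rekeying does not rescue WEP. The key, IVs and payloads are constructed sample values, the frame is reduced to its encrypted body, and the ARP opcode is assumed to be a request.

```python
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for the given key."""
    s, j = list(range(256)), 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                        # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, secret: bytes, data: bytes) -> bytes:
    """WEP body: (data || CRC-32 ICV) XOR RC4(IV || secret)."""
    body = data + zlib.crc32(data).to_bytes(4, "little")
    return xor(body, rc4(iv + secret, len(body)))

# Constructed sample values (not taken from the thread or the paper).
SECRET = bytes.fromhex("0badc0ffee")          # 40-bit WEP key
IV_A, IV_B = bytes.fromhex("a1b2c3"), bytes.fromhex("a1b2c4")
# LLC/SNAP header for ARP plus the fixed ARP header fields (request assumed).
KNOWN_ARP_PREFIX = bytes.fromhex("aaaa030000000806" "0001080006040001")
ARP_FRAME = KNOWN_ARP_PREFIX + b"constructed-arp-addresses"
OTHER_FRAME = bytes.fromhex("aaaa030000000800") + b"payload!-rest"

def demo():
    c_arp = wep_encrypt(IV_A, SECRET, ARP_FRAME)
    c_same_iv = wep_encrypt(IV_A, SECRET, OTHER_FRAME)  # IV repeated
    c_new_iv = wep_encrypt(IV_B, SECRET, OTHER_FRAME)   # IV differs
    # Known plaintext XOR ciphertext yields keystream; SECRET is never used.
    keystream = xor(c_arp, KNOWN_ARP_PREFIX)
    return keystream, xor(c_same_iv, keystream), xor(c_new_iv, keystream)

if __name__ == "__main__":
    ks, same_iv, new_iv = demo()
    print("keystream for IV_A:", ks.hex())
    print("frame with reused IV :", same_iv)
    print("frame with other IV  :", new_iv)
```

The keystream depends only on the cleartext IV and the static key, so the exposure is a property of the protocol rather than of any address or rekeying setting; the remedy is to retire WEP in favour of WPA2 or later.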
