This presentation is about how WEP configured WiFi enabled roaming client can be compromised and WEP Key can be retireved, sitting thousands of miles away from actual network. The talk was presented in Toorcon 9 in 2007.
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Caffe Latte Attack Presented In Toorcon
1. Vivek Ramachandran Md Sohail Ahmad www.airtightnetworks.net Caffé Latte with a Free Topping of Cracked WEP Retrieving WEP Keys From Road-Warriors
2. Cracks in WEP -- Historic Evolution 2001 - The insecurity of 802.11, Mobicom, July 2001 N. Borisov, I. Goldberg and D. Wagner. 2001 - Weaknesses in the key scheduling algorithm of RC4. S. Fluhrer, I. Mantin, A. Shamir. Aug 2001. 2002 - Using the Fluhrer, Mantin, and Shamir Attack to Break WEP A. Stubblefield, J. Ioannidis, A. Rubin. 2004 – KoreK, improves on the above technique and reduces the complexity of WEP cracking. We now require only around 500,000 packets to break the WEP key. 2005 – Adreas Klein introduces more correlations between the RC4 key stream and the key. 2007 – PTW extend Andreas technique to further simplify WEP Cracking. Now with just around 60,000 – 90,000 packets it is possible to break the WEP key. IEEE WG admitted that WEP cannot hold any water. Recommended users to upgrade to WPA, WPA2
3. WEP Attacks – exposure area WEP Attacks Distance from Authorized Network (Miles) 1 10 100 1000 On the Moon FMS, Korek PTW No Mutual Authentication Message Modification Message Injection Using known methods, exposure is limited to RF range of WEP enabled network Can your keys be cracked when roaming clients are miles away from the operational network?
4.
5. Observation #2 Can you force a WEP client connect to a honey pot without having knowledge of the key? Probe Request “Default” Probe Response Authentication Request Authentication Success Association Request Association Response Data Data
19. Applying Bit Flipping to an Encrypted ARP packet + + + 5.5.5.250 WEP ICV ARP Header LLC Header WEP Params MAC Header Target MAC Target IP Sender IP Sender MAC Opcode Protocol Size Hardware Size Protocol Type Hardware Type AA AA AA AA AA AA 05 05 05 05 05 05 05 05 FF 00 00 00 00 00 FF 00 00 00 00 00 00 00 55 AA AA AA AA AA FA 05 05 05 05 05 05 05