SlideShare a Scribd company logo

Caffe Latte Attack Presented In Toorcon

Download as PPT, PDF
M
Md Sohail Ahmad

This presentation is about how WEP configured WiFi enabled roaming client can be compromised and WEP Key can be retireved, sitting thousands of miles away from actual network. The talk was presented in Toorcon 9 in 2007.

Technology
1 of 26
Vivek Ramachandran Md Sohail Ahmad www.airtightnetworks.net Caffé Latte with a Free Topping of Cracked WEP Retrieving WEP Keys From Road-Warriors
Cracks in WEP -- Historic Evolution 2001 - The insecurity of 802.11, Mobicom, July 2001 N. Borisov, I. Goldberg and D. Wagner. 2001 - Weaknesses in the key scheduling algorithm of RC4. S. Fluhrer, I. Mantin, A. Shamir. Aug 2001. 2002 - Using the Fluhrer, Mantin, and Shamir Attack to Break WEP A. Stubblefield, J. Ioannidis, A. Rubin. 2004 – KoreK, improves on the above technique and reduces the complexity of WEP cracking. We now require only around 500,000 packets to break the WEP key. 2005 – Adreas Klein introduces more correlations between the RC4 key stream and the key. 2007 – PTW extend Andreas technique to further simplify WEP Cracking. Now with just around 60,000 – 90,000 packets it is possible to break the WEP key. IEEE WG admitted that WEP cannot hold any water. Recommended users to upgrade to WPA, WPA2
WEP Attacks – exposure area WEP Attacks Distance from Authorized Network (Miles) 1 10 100 1000 On the Moon FMS, Korek PTW No Mutual Authentication Message Modification Message Injection Using known methods, exposure is limited to RF range of WEP enabled network Can your keys be cracked when roaming clients are miles away from the operational network?
Observation #1 ,[object Object],Default Default ,[object Object],[object Object],[object Object],[object Object],[object Object]
Observation #2 Can you force a WEP client connect to a honey pot without having knowledge of the key? Probe Request “Default” Probe Response Authentication Request Authentication Success Association Request Association Response Data Data
Caffé Latte – Attack timelines ,[object Object],[object Object],[object Object],2 days Open + Static IP 6 days Open + DHCP 1.5 days Shared + Static IP 3 days Shared + DHCP Approximate Cracking time Network Configuration
Can we speed it up? DAYS HOURS MINUTES
Problem Formulation ,[object Object],[object Object],[object Object],2 days Open + Static IP 6 days Open + DHCP 1.5 days Shared + Static IP 3 days Shared + DHCP Approximate Cracking time Network Configuration
Caffé latte – Shared + DHCP Challenge Enc. Challenge + 128 bytes Keystream Probe Request “Default” Probe Response Authentication Request Challenge Encrypted Challenge Authentication Success
Caffé latte – Shared + DHCP (2) ,[object Object],[object Object],[object Object],[object Object],169.254.x.y Connection Established Assoc Request Assoc Response DHCP DHCP DHCP Gratuitous ARP Gratuitous ARP Gratuitous ARP
Caffé latte – Shared + DHCP (3) ,[object Object],[object Object],[object Object],[object Object],169.254.246.161 Connection Established ARP Request for 169.254.0.1 ARP Request for 169.254.0.2 ARP Request for 169.254.0.3 ARP Request for 169.254.246.161 ARP Response from 169.254.246.161
 
Caffé latte – Shared + DHCP (4) ,[object Object],[object Object],[object Object],[object Object],169.254.246.161 Connection Established ARP Request for 169.254.246.161 ARP Response from 169.254.246.161 ARP Request for 169.254.246.161 ARP Response from 169.254.246.161
 
Caffé latte – Shared + DHCP (5) ,[object Object]
Caffé Latte for Shared Auth + DHCP - Analysis ,[object Object],[object Object],[object Object],[object Object],Is there a more general solution to the problem ? Lets look at the Open + Static IP case 2 days Open + Static IP 6 days Open + DHCP 1.5 days Shared + Static IP ~ 10 mins Shared + DHCP Approximate Cracking time Network Configuration
Caffé latte – Open + Static IP 5.5.5.5 ,[object Object],[object Object],[object Object],Probe Request “Default” Probe Response Authentication Request Authentication Success Assoc Request Assoc Response Gratuitous ARP from 5.5.5.5 Gratuitous ARP from 5.5.5.5 Gratuitous ARP from 5.5.5.5
Using flaws in WEP – Message Modification and Message Replay ,[object Object],[object Object],[object Object],[object Object]
Applying Bit Flipping to an Encrypted ARP packet + + + 5.5.5.250 WEP ICV ARP Header LLC Header WEP Params MAC Header Target MAC Target IP Sender IP Sender MAC Opcode Protocol Size Hardware Size Protocol Type Hardware Type AA AA AA AA AA AA 05 05 05 05 05 05 05 05 FF 00 00 00 00 00 FF 00 00 00 00 00 00 00 55 AA AA AA AA AA FA 05 05 05 05 05 05 05
Caffé latte – Open + Static IP (2) ,[object Object],[object Object],[object Object],5.5.5.5 Connection Established ARP Request for 5.5.5.5 from 5.5.5.250 ARP Response from 5.5.5.5 to 5.5.5.250 ARP Request for 5.5.5.5 from 5.5.5.250 ARP Response from 5.5.5.5 to 5.5.5.250
 
Caffé latte – Open + Static IP (3) ,[object Object]
Caffé Latte for Open + Static IP - Analysis ,[object Object],[object Object],[object Object],[object Object],~ 6 minutes Open + Static IP ~ 6 minutes Open + DHCP ~ 6 minutes Shared + Static IP ~ 6 minutes Shared + DHCP Approximate Cracking time Network Configuration
Implications of Caffé Latte ,[object Object],[object Object],[object Object],[object Object],[object Object]
Advisory ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Questions? [email_address] md.ahmad@airtightnetworks.com Airtight Networks www.AirTightNetworks.net Acknowledgements: Amit Vartak (amit.vartak@airtightnetworks.net)

Recommended

Caffe Latte Attack
Caffe Latte AttackCaffe Latte Attack
Caffe Latte AttackAirTight Networks
 
Cafe Latte
Cafe LatteCafe Latte
Cafe LatteAirTight Networks
 
Chapter11ccna
Chapter11ccnaChapter11ccna
Chapter11ccnarobertoxe
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIPvanhoefm
 
Cloud Native SDN
Cloud Native SDNCloud Native SDN
Cloud Native SDNRomana Project
 
Cisco Packet Tracer Overview
Cisco Packet Tracer OverviewCisco Packet Tracer Overview
Cisco Packet Tracer OverviewAli Usman
 
SSL Web VPN
SSL Web VPNSSL Web VPN
SSL Web VPNNetwax Lab
 
Phifer 3 30_04
Phifer 3 30_04Phifer 3 30_04
Phifer 3 30_04Ayano Midakso
 

Recommended

Caffe Latte Attack
Caffe Latte AttackCaffe Latte Attack
Caffe Latte AttackAirTight Networks
 
Cafe Latte
Cafe LatteCafe Latte
Cafe LatteAirTight Networks
 
Chapter11ccna
Chapter11ccnaChapter11ccna
Chapter11ccnarobertoxe
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIPvanhoefm
 
Cloud Native SDN
Cloud Native SDNCloud Native SDN
Cloud Native SDNRomana Project
 
Cisco Packet Tracer Overview
Cisco Packet Tracer OverviewCisco Packet Tracer Overview
Cisco Packet Tracer OverviewAli Usman
 
SSL Web VPN
SSL Web VPNSSL Web VPN
SSL Web VPNNetwax Lab
 
Phifer 3 30_04
Phifer 3 30_04Phifer 3 30_04
Phifer 3 30_04Ayano Midakso
 
Huiming Liu-'resident evil' of smart phones--wombie attack
Huiming Liu-'resident evil' of smart phones--wombie attackHuiming Liu-'resident evil' of smart phones--wombie attack
Huiming Liu-'resident evil' of smart phones--wombie attackGeekPwn Keen
 
CCNA NAT (Network Address Translation)
CCNA NAT (Network Address Translation)CCNA NAT (Network Address Translation)
CCNA NAT (Network Address Translation)Networkel
 
Zhiyun Qian-what leaves attacker hijacking USA Today site
Zhiyun Qian-what leaves attacker hijacking USA Today siteZhiyun Qian-what leaves attacker hijacking USA Today site
Zhiyun Qian-what leaves attacker hijacking USA Today siteGeekPwn Keen
 
Openstack meetup: Bootstrapping OpenStack to Corporate IT
Openstack meetup: Bootstrapping OpenStack to Corporate ITOpenstack meetup: Bootstrapping OpenStack to Corporate IT
Openstack meetup: Bootstrapping OpenStack to Corporate ITMirantis
 
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730Netgear Italia
 
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewallsphanleson
 
Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilitiesvanhoefm
 
KubeCon London 2016 Ronana Cloud Native SDN
KubeCon London 2016 Ronana Cloud Native SDNKubeCon London 2016 Ronana Cloud Native SDN
KubeCon London 2016 Ronana Cloud Native SDNRomana Project
 
Vpn site to site
Vpn site to siteVpn site to site
Vpn site to siteIT Tech
 
Aircrack
AircrackAircrack
AircrackNithin Sathees
 
Attacking and Securing WPA Enterprise Networks
Attacking and Securing WPA Enterprise NetworksAttacking and Securing WPA Enterprise Networks
Attacking and Securing WPA Enterprise NetworksNortheast Ohio Information Security Forum
 
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNICIndonesia Network Operators Group
 
CCNA Network Monitoring
CCNA Network MonitoringCCNA Network Monitoring
CCNA Network MonitoringNetworkel
 
Vpn(4)
Vpn(4)Vpn(4)
Vpn(4)Suraj Kumar
 
E Snet Authentication Fabric Pilot
E Snet Authentication Fabric PilotE Snet Authentication Fabric Pilot
E Snet Authentication Fabric PilotFNian
 
CCNA point to point
CCNA point to pointCCNA point to point
CCNA point to pointNetworkel
 
11 01 Tbd I Radius Security
11 01 Tbd I Radius Security11 01 Tbd I Radius Security
11 01 Tbd I Radius Securitysantosh_bhatkhande
 
AWS VPN with Juniper SRX- Lab Sheet
AWS VPN with Juniper SRX- Lab SheetAWS VPN with Juniper SRX- Lab Sheet
AWS VPN with Juniper SRX- Lab SheetKimberly Macias
 
CCNA Lan Redundancy
CCNA Lan RedundancyCCNA Lan Redundancy
CCNA Lan RedundancyNetworkel
 
Bh fed-03-kaminsky
Bh fed-03-kaminskyBh fed-03-kaminsky
Bh fed-03-kaminskyDan Kaminsky
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hackingPranshu Pareek
 

More Related Content

What's hot

Huiming Liu-'resident evil' of smart phones--wombie attack
Huiming Liu-'resident evil' of smart phones--wombie attackHuiming Liu-'resident evil' of smart phones--wombie attack
Huiming Liu-'resident evil' of smart phones--wombie attackGeekPwn Keen
 
CCNA NAT (Network Address Translation)
CCNA NAT (Network Address Translation)CCNA NAT (Network Address Translation)
CCNA NAT (Network Address Translation)Networkel
 
Zhiyun Qian-what leaves attacker hijacking USA Today site
Zhiyun Qian-what leaves attacker hijacking USA Today siteZhiyun Qian-what leaves attacker hijacking USA Today site
Zhiyun Qian-what leaves attacker hijacking USA Today siteGeekPwn Keen
 
Openstack meetup: Bootstrapping OpenStack to Corporate IT
Openstack meetup: Bootstrapping OpenStack to Corporate ITOpenstack meetup: Bootstrapping OpenStack to Corporate IT
Openstack meetup: Bootstrapping OpenStack to Corporate ITMirantis
 
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730Netgear Italia
 
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewallsphanleson
 
Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilitiesvanhoefm
 
KubeCon London 2016 Ronana Cloud Native SDN
KubeCon London 2016 Ronana Cloud Native SDNKubeCon London 2016 Ronana Cloud Native SDN
KubeCon London 2016 Ronana Cloud Native SDNRomana Project
 
Vpn site to site
Vpn site to siteVpn site to site
Vpn site to siteIT Tech
 
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNICIndonesia Network Operators Group
 
CCNA Network Monitoring
CCNA Network MonitoringCCNA Network Monitoring
CCNA Network MonitoringNetworkel
 
E Snet Authentication Fabric Pilot
E Snet Authentication Fabric PilotE Snet Authentication Fabric Pilot
E Snet Authentication Fabric PilotFNian
 
CCNA point to point
CCNA point to pointCCNA point to point
CCNA point to pointNetworkel
 
AWS VPN with Juniper SRX- Lab Sheet
AWS VPN with Juniper SRX- Lab SheetAWS VPN with Juniper SRX- Lab Sheet
AWS VPN with Juniper SRX- Lab SheetKimberly Macias
 
CCNA Lan Redundancy
CCNA Lan RedundancyCCNA Lan Redundancy
CCNA Lan RedundancyNetworkel
 

What's hot (20)

Huiming Liu-'resident evil' of smart phones--wombie attack
Huiming Liu-'resident evil' of smart phones--wombie attackHuiming Liu-'resident evil' of smart phones--wombie attack
Huiming Liu-'resident evil' of smart phones--wombie attack
 
CCNA NAT (Network Address Translation)
CCNA NAT (Network Address Translation)CCNA NAT (Network Address Translation)
CCNA NAT (Network Address Translation)
 
Zhiyun Qian-what leaves attacker hijacking USA Today site
Zhiyun Qian-what leaves attacker hijacking USA Today siteZhiyun Qian-what leaves attacker hijacking USA Today site
Zhiyun Qian-what leaves attacker hijacking USA Today site
 
Openstack meetup: Bootstrapping OpenStack to Corporate IT
Openstack meetup: Bootstrapping OpenStack to Corporate ITOpenstack meetup: Bootstrapping OpenStack to Corporate IT
Openstack meetup: Bootstrapping OpenStack to Corporate IT
 
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730
 
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewalls
 
Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilities
 
KubeCon London 2016 Ronana Cloud Native SDN
KubeCon London 2016 Ronana Cloud Native SDNKubeCon London 2016 Ronana Cloud Native SDN
KubeCon London 2016 Ronana Cloud Native SDN
 
Vpn site to site
Vpn site to siteVpn site to site
Vpn site to site
 
Aircrack
AircrackAircrack
Aircrack
 
Attacking and Securing WPA Enterprise Networks
Attacking and Securing WPA Enterprise NetworksAttacking and Securing WPA Enterprise Networks
Attacking and Securing WPA Enterprise Networks
 
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC
 
CCNA Network Monitoring
CCNA Network MonitoringCCNA Network Monitoring
CCNA Network Monitoring
 
Vpn(4)
Vpn(4)Vpn(4)
Vpn(4)
 
E Snet Authentication Fabric Pilot
E Snet Authentication Fabric PilotE Snet Authentication Fabric Pilot
E Snet Authentication Fabric Pilot
 
CCNA point to point
CCNA point to pointCCNA point to point
CCNA point to point
 
11 01 Tbd I Radius Security
11 01 Tbd I Radius Security11 01 Tbd I Radius Security
11 01 Tbd I Radius Security
 
AWS VPN with Juniper SRX- Lab Sheet
AWS VPN with Juniper SRX- Lab SheetAWS VPN with Juniper SRX- Lab Sheet
AWS VPN with Juniper SRX- Lab Sheet
 
CCNA Lan Redundancy
CCNA Lan RedundancyCCNA Lan Redundancy
CCNA Lan Redundancy
 

Similar to Caffe Latte Attack Presented In Toorcon

Bh fed-03-kaminsky
Bh fed-03-kaminskyBh fed-03-kaminsky
Bh fed-03-kaminskyDan Kaminsky
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hackingPranshu Pareek
 
Practical webRTC - from API to Solution - webRTC Summit 2014 @ NYC
Practical webRTC - from API to Solution - webRTC Summit 2014 @ NYCPractical webRTC - from API to Solution - webRTC Summit 2014 @ NYC
Practical webRTC - from API to Solution - webRTC Summit 2014 @ NYCAlexandre Gouaillard
 
Fundamental networking concepts
Fundamental networking conceptsFundamental networking concepts
Fundamental networking conceptsreachsrirams
 
Wireless security837
Wireless security837Wireless security837
Wireless security837mark scott
 
Real time data processing with kafla spark integration
Real time data processing with kafla spark integrationReal time data processing with kafla spark integration
Real time data processing with kafla spark integrationTCS
 
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...Jiunn-Jer Sun
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6Private
 
T C P I P Weaknesses And Solutions
T C P I P Weaknesses And SolutionsT C P I P Weaknesses And Solutions
T C P I P Weaknesses And Solutionseroglu
 
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...Louis Göhl
 
Wireless Security null seminar
Wireless Security null seminarWireless Security null seminar
Wireless Security null seminarNilesh Sapariya
 
Securing & Enforcing Network Policy and Encryption with Weave Net
Securing & Enforcing Network Policy and Encryption with Weave NetSecuring & Enforcing Network Policy and Encryption with Weave Net
Securing & Enforcing Network Policy and Encryption with Weave NetLuke Marsden
 
Cracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless NetworksCracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless Networksguestf2e41
 
Simplified Networking and Troubleshooting for K-12 Teachers
Simplified Networking and Troubleshooting for K-12 TeachersSimplified Networking and Troubleshooting for K-12 Teachers
Simplified Networking and Troubleshooting for K-12 Teacherswebhostingguy
 
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteSREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteHostedGraphite
 
Cracking WEP Secured Wireless Networks
Cracking WEP Secured Wireless NetworksCracking WEP Secured Wireless Networks
Cracking WEP Secured Wireless NetworksHammam Samara
 

Similar to Caffe Latte Attack Presented In Toorcon (20)

Bh fed-03-kaminsky
Bh fed-03-kaminskyBh fed-03-kaminsky
Bh fed-03-kaminsky
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hacking
 
IoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideasIoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideas
 
Practical webRTC - from API to Solution - webRTC Summit 2014 @ NYC
Practical webRTC - from API to Solution - webRTC Summit 2014 @ NYCPractical webRTC - from API to Solution - webRTC Summit 2014 @ NYC
Practical webRTC - from API to Solution - webRTC Summit 2014 @ NYC
 
Fundamental networking concepts
Fundamental networking conceptsFundamental networking concepts
Fundamental networking concepts
 
Wireless security837
Wireless security837Wireless security837
Wireless security837
 
Real time data processing with kafla spark integration
Real time data processing with kafla spark integrationReal time data processing with kafla spark integration
Real time data processing with kafla spark integration
 
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6
 
T C P I P Weaknesses And Solutions
T C P I P Weaknesses And SolutionsT C P I P Weaknesses And Solutions
T C P I P Weaknesses And Solutions
 
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
 
Wireless Security null seminar
Wireless Security null seminarWireless Security null seminar
Wireless Security null seminar
 
net work iTM3
net work iTM3net work iTM3
net work iTM3
 
Securing & Enforcing Network Policy and Encryption with Weave Net
Securing & Enforcing Network Policy and Encryption with Weave NetSecuring & Enforcing Network Policy and Encryption with Weave Net
Securing & Enforcing Network Policy and Encryption with Weave Net
 
Itep
ItepItep
Itep
 
Cracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless NetworksCracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless Networks
 
Simplified Networking and Troubleshooting for K-12 Teachers
Simplified Networking and Troubleshooting for K-12 TeachersSimplified Networking and Troubleshooting for K-12 Teachers
Simplified Networking and Troubleshooting for K-12 Teachers
 
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteSREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
 
TCP-IP PROTOCOL
TCP-IP PROTOCOLTCP-IP PROTOCOL
TCP-IP PROTOCOL
 
Cracking WEP Secured Wireless Networks
Cracking WEP Secured Wireless NetworksCracking WEP Secured Wireless Networks
Cracking WEP Secured Wireless Networks
 

Recently uploaded

Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxLBM Solutions
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 

Recently uploaded (20)

Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Key Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptxKey Features Of Token Development (1).pptx
Key Features Of Token Development (1).pptx
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 

Caffe Latte Attack Presented In Toorcon

  • 1. Vivek Ramachandran Md Sohail Ahmad www.airtightnetworks.net Caffé Latte with a Free Topping of Cracked WEP Retrieving WEP Keys From Road-Warriors
  • 2. Cracks in WEP -- Historic Evolution 2001 - The insecurity of 802.11, Mobicom, July 2001 N. Borisov, I. Goldberg and D. Wagner. 2001 - Weaknesses in the key scheduling algorithm of RC4. S. Fluhrer, I. Mantin, A. Shamir. Aug 2001. 2002 - Using the Fluhrer, Mantin, and Shamir Attack to Break WEP A. Stubblefield, J. Ioannidis, A. Rubin. 2004 – KoreK, improves on the above technique and reduces the complexity of WEP cracking. We now require only around 500,000 packets to break the WEP key. 2005 – Adreas Klein introduces more correlations between the RC4 key stream and the key. 2007 – PTW extend Andreas technique to further simplify WEP Cracking. Now with just around 60,000 – 90,000 packets it is possible to break the WEP key. IEEE WG admitted that WEP cannot hold any water. Recommended users to upgrade to WPA, WPA2
  • 3. WEP Attacks – exposure area WEP Attacks Distance from Authorized Network (Miles) 1 10 100 1000 On the Moon FMS, Korek PTW No Mutual Authentication Message Modification Message Injection Using known methods, exposure is limited to RF range of WEP enabled network Can your keys be cracked when roaming clients are miles away from the operational network?
  • 4.
  • 5. Observation #2 Can you force a WEP client connect to a honey pot without having knowledge of the key? Probe Request “Default” Probe Response Authentication Request Authentication Success Association Request Association Response Data Data
  • 6.
  • 7. Can we speed it up? DAYS HOURS MINUTES
  • 8.
  • 9. Caffé latte – Shared + DHCP Challenge Enc. Challenge + 128 bytes Keystream Probe Request “Default” Probe Response Authentication Request Challenge Encrypted Challenge Authentication Success
  • 10.
  • 11.
  • 12.  
  • 13.
  • 14.  
  • 15.
  • 16.
  • 17.
  • 18.
  • 19. Applying Bit Flipping to an Encrypted ARP packet + + + 5.5.5.250 WEP ICV ARP Header LLC Header WEP Params MAC Header Target MAC Target IP Sender IP Sender MAC Opcode Protocol Size Hardware Size Protocol Type Hardware Type AA AA AA AA AA AA 05 05 05 05 05 05 05 05 FF 00 00 00 00 00 FF 00 00 00 00 00 00 00 55 AA AA AA AA AA FA 05 05 05 05 05 05 05
  • 20.
  • 21.  
  • 22.
  • 23.
  • 24.
  • 25.
  • 26. Questions? [email_address] md.ahmad@airtightnetworks.com Airtight Networks www.AirTightNetworks.net Acknowledgements: Amit Vartak (amit.vartak@airtightnetworks.net)

Editor's Notes

  1. Animation