358 Chapter 15 ■ Wireless Networking
The key step in breaking WEP is intercepting as many IVs as possible before attempting to
recover the key. IVs are collected by sniffing (capturing) traffic, and saving them allows
statistical analysis to be performed: the more frames captured, the easier it becomes to
retrieve the key. The problem with this process is that collecting enough IVs can take a
substantial period of time, depending on how busy the network is while frames are being
captured. To speed it up, the attacker can inject packets that provoke the access point into
generating new encrypted frames, and therefore new IVs, far faster than normal traffic would.
To perform this process (including cracking the keys), follow these steps:
- Start the wireless interface on the attacking system in monitor mode on the specific access point channel. This mode is used to listen to packets in the air.
- Probe the target network with the wireless device to determine if packet injection can be performed.
- Select a tool such as aireplay-ng to perform a fake authentication with the access point. The access point discards frames from stations that are not associated, so injected frames need an association to ride on.
- Start the Wi-Fi sniffing tool to capture IVs. If you are using aireplay-ng, ARP request packets can be intercepted and reinjected back into the network; the access point re-encrypts each one under a fresh IV, causing more packets to be generated and then captured.
- Run a tool such as Cain & Abel or aircrack-ng to extract the encryption key from the captured IVs.
Some wireless sniffing tools need additional hardware such as Riverbed Technology's
AirPcap adapter. On Windows, standard Wi-Fi drivers generally do not expose raw 802.11
frames in monitor mode, so this device is used to capture frames in ways that standard
Wi-Fi cards there cannot. If you are going to be doing auditing of wireless networks, an
investment in this device is very much worth it.
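The following script is an added example, not code from the book or from the aircrack-ng project. It shows why the steps above revolve around IVs: every WEP frame body is RC4-encrypted under the per-frame key IV || shared key, the IV is only 24 bits and is sent in clear, so two captured frames that share an IV share a keystream. XOR-ing their ciphertexts cancels the keystream without any knowledge of the key, and if one of the two plaintexts is known (here an ARP request the attacker injected itself, which is exactly what the aireplay-ng replay step supplies) the other frame decrypts outright. The shared key, IVs and frame contents are constructed for the demonstration; the CRC-32 ICV that real WEP appends is omitted because it does not affect the argument.

```python
"""WEP IV-collision analysis (added example, not the book's code)."""
import math
from collections import defaultdict

# Fixed LLC/SNAP header that starts every 802.11 data frame body (here with the
# ARP EtherType); attackers rely on it as known plaintext.
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling (KSA) followed by the output generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(shared_key: bytes, iv: bytes, body: bytes) -> tuple[bytes, bytes]:
    """WEP-style frame encryption: RC4 keyed with IV || shared key.

    Returns (iv, ciphertext); the IV travels in clear in the real frame header.
    """
    if len(iv) != 3 or len(shared_key) not in (5, 13):
        raise ValueError("WEP uses a 24-bit IV and a 40- or 104-bit key")
    return iv, xor_bytes(body, rc4_keystream(iv + shared_key, len(body)))


def find_iv_collisions(capture: list[tuple[bytes, bytes]]) -> dict[bytes, list[bytes]]:
    """Group captured (iv, ciphertext) pairs and keep only IVs seen more than once."""
    by_iv: dict[bytes, list[bytes]] = defaultdict(list)
    for iv, ct in capture:
        by_iv[iv].append(ct)
    return {iv: cts for iv, cts in by_iv.items() if len(cts) > 1}


def decrypt_with_known_plaintext(ct_known: bytes, pt_known: bytes, ct_target: bytes) -> bytes:
    """Keystream = ct_known XOR pt_known; it decrypts any other frame under the
    same IV, up to the length of the known plaintext."""
    return xor_bytes(ct_target, xor_bytes(ct_known, pt_known))


def expected_frames_to_first_collision(iv_bits: int = 24) -> float:
    """Birthday bound: about sqrt(pi/2 * 2**iv_bits) random IVs before one repeats."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def demo() -> dict:
    shared_key = bytes.fromhex("0102030405")      # constructed 40-bit WEP key (the secret)
    # Constructed traffic: the attacker's own injected ARP request (plaintext fully
    # known to it) and a victim frame that happens to reuse the same IV.
    injected_arp = LLC_SNAP_ARP + bytes(28)       # 28-byte ARP body, contents known
    victim_frame = LLC_SNAP_ARP + b"victim payload, 20 b"
    reused_iv = bytes.fromhex("112233")
    capture = [
        wep_encrypt(shared_key, bytes.fromhex("000001"), b"other traffic"),
        wep_encrypt(shared_key, reused_iv, injected_arp),
        wep_encrypt(shared_key, bytes.fromhex("000002"), b"more traffic"),
        wep_encrypt(shared_key, reused_iv, victim_frame),
    ]
    collisions = find_iv_collisions(capture)
    ct_injected, ct_victim = collisions[reused_iv]
    # 1) Keystream cancels: ciphertext XOR equals plaintext XOR, no key involved.
    leaked_xor = xor_bytes(ct_injected, ct_victim)
    # 2) Known plaintext turns that into full recovery of the victim frame.
    recovered = decrypt_with_known_plaintext(ct_injected, injected_arp, ct_victim)
    return {
        "colliding_ivs": sorted(collisions),
        "leaked_xor_matches": leaked_xor == xor_bytes(injected_arp, victim_frame),
        "recovered_victim": recovered,
        "frames_to_first_collision": expected_frames_to_first_collision(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

With a 24-bit IV space the birthday bound puts the first collision at roughly 5,100 frames, which a busy network produces in seconds; the statistical attacks in aircrack-ng (FMS, KoreK, PTW) go further and recover the shared key itself from the first keystream bytes, which is why the tools count IVs rather than collisions. In aireplay-ng terms, the steps above are the injection test (`-9`), fake authentication (`-1`) and ARP request replay (`-3`).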
WPA: A Closer Look
The successor to WEP is WPA, or Wi-Fi Protected Access. This standard was intended as a
replacement for the flawed and insecure WEP protocol while the full 802.11i standard (later
marketed as WPA2) was still being finished. WPA was designed to be deployable as a firmware
or driver upgrade rather than requiring new hardware, which is why it kept WEP's RC4 cipher
underneath. However, where older hardware lacks the processing power or other resources for
the additional work, a hardware upgrade may still be required.
The most significant development introduced with WPA was TKIP (Temporal Key Integrity
Protocol), whose purpose is to improve data encryption. WEP derives every frame's RC4 key by
prepending a 24-bit IV to a single static key, so the same key material is reused constantly.
TKIP keeps RC4 but mixes a 48-bit per-frame sequence counter and the transmitter address into a
fresh per-packet key through a key-mixing function, and adds the Michael message integrity
check. This per-packet keying makes WPA much more difficult to crack than WEP.
WPA suffers from the following flaws:
■ Weak passphrases chosen by the user: in WPA-PSK mode, a single captured four-way handshake is enough to test passphrase guesses offline
■ Packet spoofing
■ Authentication issues with Microsoft Challenge Handshake Authentication Protocol
version 2 (MS-CHAP v2), the inner method most commonly used with PEAP on WPA-Enterprise networks