Typically, the longer a protocol or system and the "hard" problems associated with it undergo scrutiny, the more its security weakens. Over the past decade this has been the case with wireless networks, due in large part to their popularity in modern society.
This chapter aims to explain the background and further develop the methodologies behind the tools that attackers and penetration testers use. Once an understanding of these attacks has been developed, the reader can use it to compensate for the inadequacy of automated tools. You will often need to handle unanticipated corner cases when evaluating the security of wireless networks; therefore, understanding the problem is the key to applying attacks successfully when tools fall short.
As with any RF transmission, wireless networks are subject to intermittent breaks in communication due to noise from other devices and their synchronous mode of operation. With this in mind, the engineers of the 802.11 specification accounted for fragmentation of the layer 2 digital protocol to reduce the impact of these issues. As shown in Figure 11-1, 802.11 fragmentation works in a similar manner to IP fragmentation, in that the fragments are assembled according to a fragment sequence ID upon reaching the next hop or gateway to an alternate layer 2 protocol.
As previously mentioned in Chapter 6, fragmentation attacks, first presented by Sorbo at toorcon 2005, can be used to inject larger layer 3 packets by reusing the eight bytes of known keystream used to encrypt the SNAP header. Thus, the attacker can use any captured WEP packet to inject layer 3 packets of arbitrary size onto the network, as shown in Figure 11-2.
A seemingly feasible fix to this problem would be to not allow fragments of less than X bytes and not allow a fragment stream to contain duplicate IVs. However, further investigation reveals that an attacker with four unique IVs can reconstruct a full 1500-byte keystream quickly and without duplicate IVs. Since you can construct fragmented packets using four unique IVs that reassemble into a broadcast ARP request, the reassembled packet can be used as a packet generator.
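The following Python model is an added example, not code from the book: it implements 802.11-style fragment reassembly by sequence and fragment number (the mechanism of Figure 11-1), shows the stream-cipher property that makes the fixed LLC/SNAP header leak eight keystream bytes (C = P xor KS), and applies the two sanity checks proposed above (a minimum fragment size and no duplicate IV within one fragment stream) as a detection heuristic. The `toy_keystream` function, the `Fragment` layout and the `min_fragment_len` value are constructed stand-ins; the cipher is a SHA-256-derived XOR pad rather than RC4, since only the XOR relation matters here. As the chapter notes, passing these checks does not make a fragment stream safe, so the reassembler reports problems rather than enforcing a verdict.

```python
"""Toy 802.11 fragment reassembler with the chapter's two sanity checks.
Constructed example: simplified frame layout, XOR pad instead of RC4."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# LLC/SNAP header prefixing an IPv4 datagram on 802.11: AA AA 03 00 00 00 08 00.
# These eight bytes are fixed, so anyone capturing the frame knows the plaintext.
SNAP_HEADER = bytes.fromhex("aaaa030000000800")


def toy_keystream(iv: bytes, n: int) -> bytes:
    """Stand-in for RC4(IV || key): deterministic pad derived from the IV (constructed)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hashlib.sha256(iv + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt(iv: bytes, plaintext: bytes) -> bytes:
    return xor_bytes(plaintext, toy_keystream(iv, len(plaintext)))


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """C = P xor KS, so a known plaintext prefix reveals that many keystream bytes.
    With the SNAP header this yields the eight bytes the chapter refers to."""
    return xor_bytes(ciphertext[: len(known_plaintext)], known_plaintext)


@dataclass
class Fragment:
    seq: int          # 12-bit sequence number, shared by all fragments of one MSDU
    frag: int         # 4-bit fragment number (0..15)
    more_frags: bool  # "More Fragments" bit of the frame control field
    iv: bytes         # 3-byte WEP IV, sent in the clear
    body: bytes       # encrypted fragment payload


def fragment_and_encrypt(seq: int, plaintext: bytes, frag_len: int, ivs: list) -> list:
    """Split one MSDU into fragments, each encrypted under the next IV in `ivs`
    (cycling, so a short list produces IV reuse inside the stream)."""
    chunks = [plaintext[i:i + frag_len] for i in range(0, len(plaintext), frag_len)]
    if len(chunks) > 16:
        raise ValueError("802.11 allows at most 16 fragments per MSDU")
    return [Fragment(seq, i, i < len(chunks) - 1, ivs[i % len(ivs)],
                     toy_encrypt(ivs[i % len(ivs)], c)) for i, c in enumerate(chunks)]


@dataclass
class FragmentStream:
    parts: dict = field(default_factory=dict)    # frag number -> body
    ivs: list = field(default_factory=list)
    problems: list = field(default_factory=list)
    last: Optional[int] = None                   # frag number with more_frags == False


class Reassembler:
    """Buffers fragments per sequence number; returns (data, problems) once
    fragments 0..last are all present, None while the stream is incomplete."""

    def __init__(self, min_fragment_len: int = 16):  # threshold is a constructed "X"
        self.min_fragment_len = min_fragment_len
        self.streams = {}

    def add(self, f: Fragment):
        s = self.streams.setdefault(f.seq, FragmentStream())
        # Check 1: tiny fragments are what 8 bytes of keystream permit.
        if len(f.body) < self.min_fragment_len:
            s.problems.append(f"frag {f.frag}: {len(f.body)} bytes below minimum {self.min_fragment_len}")
        # Check 2: every fragment reusing one IV means one reused keystream.
        if f.iv in s.ivs:
            s.problems.append(f"frag {f.frag}: duplicate IV {f.iv.hex()} within stream")
        s.ivs.append(f.iv)
        s.parts[f.frag] = f.body          # order of arrival does not matter
        if not f.more_frags:
            s.last = f.frag
        if s.last is None or any(i not in s.parts for i in range(s.last + 1)):
            return None
        data = b"".join(s.parts[i] for i in range(s.last + 1))
        problems = list(s.problems)
        del self.streams[f.seq]
        return data, problems
```

Feeding a stream of sixteen 4-byte fragments under a single IV produces one size complaint per fragment and one duplicate-IV complaint for every fragment after the first, while a normal three-fragment frame with distinct IVs reassembles cleanly; the same reassembler accepts fragments in any arrival order because it indexes them by fragment number.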