
Chapter 11: Advanced Attacks

Typically, the longer a protocol or system, and the "hard" problems it rests on, are subjected to scrutiny, the weaker its security becomes. Over the past decade this has been the case with wireless networks, in large part because of their popularity in modern society.

This chapter aims to explain the background behind the tools attackers and penetration testers use, and to develop the methodologies those tools are built on. Once the reader understands these attacks, that understanding can compensate for the inadequacy of automated tools. Evaluating the security of wireless networks often means dealing with unanticipated corner cases; understanding the problem is therefore the key to applying attacks successfully when the tools fall short.

LAYER 2 FRAGMENTATION

As with any RF transmission, wireless networks are subject to intermittent breaks in communication caused by noise from other devices and by their synchronous mode of operation. With this in mind, the engineers of the 802.11 specification built fragmentation into the layer 2 protocol to reduce the impact of these issues. As shown in Figure 11-1, 802.11 fragmentation works much like IP fragmentation: the fragments are reassembled according to their fragment sequence ID once they reach the next hop, or the gateway to a different layer 2 protocol.

As mentioned in Chapter 6, fragmentation attacks, first presented by Sorbo at ToorCon 2005, can be used to inject larger layer 3 packets by reusing the eight bytes of known keystream that encrypt the SNAP header. Thus the attacker can use any captured WEP packet to inject layer 3 packets of arbitrary size onto the network, as shown in Figure 11-2.

Figure 11-1: Packet fragmentation and reassembly
Figure 11-2: Fragmentation attack process

Solutions That Don't Work

A seemingly feasible fix would be to reject fragments shorter than X bytes and to reject any fragment stream that contains duplicate IVs. Further investigation, however, reveals that an attacker with four unique IVs can quickly reconstruct a full 1500-byte keystream without ever duplicating an IV. Since fragmented packets built from four unique IVs can be made to reassemble into a broadcast ARP request, the reassembled packet can serve as a packet generator.
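To make the reassembly rule from the start of this section and the two rejected heuristics above concrete, here is an added Python example; it is not code from the book or from any tool the book mentions. It parses basic three-address 802.11 data frames, reassembles fragments by transmitter address and the sequence number and fragment number carried in the Sequence Control field, and applies the minimum-fragment-size and duplicate-IV checks to each completed stream. The sample frames are constructed by build_wep_frame with the real header layout but without RC4 encryption and with a zero ICV; the MAC address, sequence numbers, IVs and bodies are arbitrary constructed values. As the text says, these checks only flag the naive pattern of many tiny fragments under one reused IV; they are a monitoring aid, not a fix.

```python
import struct
from collections import defaultdict

# Frame Control flag bits carried in the second FC byte of an 802.11 data frame.
FC_MORE_FRAG = 0x04
FC_PROTECTED = 0x40          # Protected Frame ("WEP") bit
HDR_LEN = 24                 # three-address data frame header, no QoS field
WEP_IV_LEN = 4               # 24-bit IV sent in the clear + 1 byte key ID
WEP_ICV_LEN = 4              # CRC-32 integrity check value


def parse_frame(raw):
    """Split a basic 802.11 data frame into the fields reassembly needs."""
    if len(raw) < HDR_LEN:
        raise ValueError("frame shorter than an 802.11 data header")
    fc, _dur, _a1, a2, _a3, seq_ctrl = struct.unpack("<HH6s6s6sH", raw[:HDR_LEN])
    flags = fc >> 8
    body = raw[HDR_LEN:]
    iv = None
    if flags & FC_PROTECTED:
        if len(body) < WEP_IV_LEN + WEP_ICV_LEN:
            raise ValueError("protected frame too short for IV and ICV")
        iv = body[:3]                       # the IV itself is never encrypted
        body = body[WEP_IV_LEN:-WEP_ICV_LEN]
    return {
        "ta": a2,                           # transmitter address
        "seq": seq_ctrl >> 4,               # 12-bit sequence number
        "frag": seq_ctrl & 0x0F,            # 4-bit fragment number
        "more": bool(flags & FC_MORE_FRAG),
        "iv": iv,
        "body": body,
    }


class FragmentReassembler:
    """Reassemble streams keyed by (transmitter, sequence number) and record
    the two anomalies discussed in the text for each completed stream."""

    def __init__(self, min_frag_len):
        self.min_frag_len = min_frag_len
        self.streams = defaultdict(dict)    # (ta, seq) -> {frag number: parsed frame}
        self.alerts = []                    # (kind, seq, detail) tuples

    def accept(self, raw):
        """Feed one raw frame; return the reassembled body once a stream completes."""
        f = parse_frame(raw)
        key = (f["ta"], f["seq"])
        stream = self.streams[key]
        if f["frag"] in stream:
            return None                     # retransmission of a fragment already held
        stream[f["frag"]] = f
        n = len(stream)
        # Complete only when fragments 0..n-1 are all present and the highest one
        # has More Fragments clear; fragments may arrive in any order.
        if set(stream) != set(range(n)) or stream[n - 1]["more"]:
            return None
        frags = [stream[i] for i in range(n)]
        del self.streams[key]
        if n > 1:
            self._check(f["seq"], frags)
        return b"".join(fr["body"] for fr in frags)

    def _check(self, seq, frags):
        """The heuristics from the text: minimum fragment size, no duplicate IVs."""
        short = [fr["frag"] for fr in frags if len(fr["body"]) < self.min_frag_len]
        if short:
            self.alerts.append(("short_fragment", seq, short))
        ivs = [fr["iv"] for fr in frags if fr["iv"] is not None]
        reused = sorted({iv.hex() for iv in ivs if ivs.count(iv) > 1})
        if reused:
            self.alerts.append(("duplicate_iv", seq, reused))


def build_wep_frame(ta, seq, frag, more, iv, body):
    """Constructed sample frame: real header layout, but the body is not
    RC4-encrypted and the ICV is a zero placeholder (not a real capture)."""
    flags = FC_PROTECTED | (FC_MORE_FRAG if more else 0)
    fc = 0x08 | (flags << 8)                # type = data, subtype = 0
    hdr = struct.pack("<HH6s6s6sH", fc, 0, b"\xff" * 6, ta, b"\x00" * 6, (seq << 4) | frag)
    return hdr + iv + b"\x00" + body + b"\x00" * WEP_ICV_LEN


def demo():
    """Two constructed streams: an ordinary fragmented frame with distinct IVs,
    then many tiny fragments all sent under one reused IV."""
    ta = bytes.fromhex("0200aabbccdd")      # constructed locally administered MAC
    r = FragmentReassembler(min_frag_len=16)
    normal = [build_wep_frame(ta, 100, i, i < 2, bytes([i, 0, 1]), b"A" * 40) for i in range(3)]
    suspect = [build_wep_frame(ta, 101, i, i < 7, b"\x11\x22\x33", b"B" * 4) for i in range(8)]
    results = [r.accept(raw) for raw in normal + suspect]
    return [x for x in results if x is not None], r.alerts


if __name__ == "__main__":
    bodies, alerts = demo()
    print([len(b) for b in bodies], alerts)
```

The reassembler deliberately keys on the transmitter address rather than the BSSID, since fragments are only ever reassembled per sending station, and it waits for the highest-numbered fragment with More Fragments clear so that out-of-order delivery still completes. Tune min_frag_len to the smallest fragment your clients legitimately emit; the value 16 here is only a sample threshold.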

Solution That Works

Use WPA instead of WEP.

