Description: Welcome to Part 19 of the WLAN Security Megaprimer! Please start this series by watching Part 1 http://www.securitytube.net/video/1756, if you have not done so already.
In this video, we will understand the basics of fragmentation attacks and then learn how to combine them with the Caffe Latte attack basics to form the Hirte attack. Fragmentation attacks use the fact that the first 8 bytes of the encrypted packet are known to be the LLC header. Using this known plaintext, an attacker can simply XOR it with the first 8 bytes of the encrypted packet to recover the first 8 bytes of the RC4 keystream for that packet's IV.
The attacker can now use this keystream, along with the matching IV, to create encrypted packets. However, only 4 of those 8 bytes can carry data, because the last 4 bytes are taken by the WEP ICV. This is where fragmentation is our friend! Fragmentation allows a maximum of 16 fragments per packet, so a packet with a reassembled size of 64 bytes can be sent. Using this, we are easily able to inject packets such as ARP.
The Hirte attack sniffs an ARP packet and relocates the IP address in the ARP header to convert the reassembled packet into an ARP request for the wireless client. The client responds to this with an ARP reply, allowing the attacker to collect new data packets encrypted with the WEP key. Once a sufficient number of packets has been collected, tools such as aircrack-ng can easily crack the WEP key!
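As an added example (not code from the video or from the aircrack-ng suite), the known-plaintext step described above in Python: a toy WEP encryptor (RC4 over IV||key with a CRC32 ICV) and the XOR that recovers the 8 keystream bytes belonging to a frame's IV, which is exactly why a stream cipher with predictable headers gives up its keystream. RC4 and the LLC/SNAP header bytes are the real algorithms and values; the WEP key, IV and payload are constructed.

```python
import struct
import zlib

# Standard 802.2 LLC/SNAP header that starts every WEP data frame body; the
# last two bytes are the EtherType (0x0806 = ARP).
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")


def rc4_keystream(key, length):
    """Plain RC4: key scheduling, then `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(iv, wep_key, plaintext):
    """WEP frame body: IV || RC4_{IV||key}(plaintext || CRC32 ICV)."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    ks = rc4_keystream(iv + wep_key, len(plaintext) + 4)
    return iv + bytes(a ^ b for a, b in zip(plaintext + icv, ks))


def recover_keystream(frame, known_plaintext=LLC_SNAP_ARP):
    """Known-plaintext step from the description: the first 8 ciphertext bytes
    XOR the LLC header give 8 keystream bytes, valid only for this frame's IV."""
    iv = frame[:3]
    cipher = frame[3:3 + len(known_plaintext)]
    return iv, bytes(c ^ p for c, p in zip(cipher, known_plaintext))


def demo():
    # Constructed values: a 40-bit WEP key, an IV and a short ARP-style payload.
    wep_key = bytes.fromhex("0123456789")
    iv = b"\x11\x22\x33"
    frame = wep_encrypt(iv, wep_key, LLC_SNAP_ARP + b"\x00\x01\x08\x00\x06\x04\x00\x01")
    recovered_iv, ks8 = recover_keystream(frame)
    # The 8 recovered bytes equal the true keystream for that IV; 4 of them are
    # spent on the ICV, which is why a single fragment carries only 4 data bytes.
    return recovered_iv == iv and ks8 == rc4_keystream(iv + wep_key, 8)
```

The keystream recovered this way is bound to the IV it was sniffed with, which is why the attack pairs each recovered keystream with its IV and why IV reuse makes WEP unrepairable.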