Description: Welcome to Part 19 of the WLAN Security Megaprimer! Please start this series by watching Part 1 http://www.securitytube.net/video/1756, if you have not done so already.
In this video, we will understand the basics of fragmentation attacks and then learn how to apply them, together with the Caffe Latte attack basics, in the Hirte attack. Fragmentation attacks use the fact that the first 8 bytes of the plaintext of a WEP data frame are known: they are the LLC/SNAP header, whose only variable part is the trailing EtherType (easy to guess for ARP or IP). XORing this known plaintext with the first 8 bytes of the encrypted payload therefore gives the attacker the first 8 bytes of the RC4 keystream for that frame's IV.
The attacker can now use this keystream, together with the matching IV, to create encrypted packets. However, only 4 bytes of actual data fit into those 8 bytes, because the last 4 bytes are taken up by the WEP ICV (a CRC-32 over the data). This is where fragmentation is our friend! 802.11 allows a frame to be sent as up to 16 fragments, each of which is encrypted and integrity-checked on its own, so 16 fragments of 4 data bytes each give a reassembled packet of 64 bytes. That is enough to inject packets such as ARP (8 bytes of LLC/SNAP plus 28 bytes of ARP).
The Hirte attack sniffs an ARP packet from the client and uses fragmentation to relocate the IP address in the ARP header, so that the reassembled packet becomes an ARP request for the wireless client's own IP. The client responds with an ARP reply, giving the attacker new data packets encrypted with the WEP key. Once a sufficient number of packets has been collected, tools such as aircrack-ng can easily crack the WEP key!
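The following Python model is an added illustration of the steps described above; it is not code from the video or from the aircrack-ng tools. It uses a toy RC4/WEP implementation, a constructed key, IV and addresses, and a simplified "client" that only checks the per-fragment ICV before reassembling. The attacker side recovers 8 keystream bytes from the known LLC/SNAP header, forges an ARP request as 4-byte fragments under the same IV, and, for the Hirte relocation, shows only the offset arithmetic (10 forged bytes placed in front of the sniffed frame move its sender IP into the target-IP slot); the other ARP header fields are left as they arrive from the sniffed frame, which a real attack has to fix up separately.

```python
import struct
import zlib

# Known plaintext: the 802.2 LLC/SNAP header that opens every WEP data frame
# carrying IP or ARP. Only the trailing EtherType varies (0x0806 ARP, 0x0800 IP).
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")
MAX_FRAGMENTS = 16  # the 802.11 fragment-number field is 4 bits wide


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream (KSA + PRGA) for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(wep_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Station side: append the ICV, RC4(IV || key) it; return IV || ciphertext."""
    plain = payload + icv(payload)
    return iv + xor(plain, rc4(iv + wep_key, len(plain)))


def wep_decrypt(wep_key: bytes, frame: bytes):
    """Station side: return (payload, icv_ok) for a frame built by wep_encrypt."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + wep_key, len(body)))
    return plain[:-4], plain[-4:] == icv(plain[:-4])


def recover_keystream(frame: bytes, known: bytes = LLC_SNAP_ARP):
    """Attacker side: ciphertext XOR known header = 8 keystream bytes for this IV,
    obtained without ever learning the WEP key."""
    return frame[:3], xor(frame[3:3 + len(known)], known)


def forge_fragments(iv: bytes, keystream: bytes, data: bytes):
    """Attacker side: send `data` as fragments of at most 4 data bytes, each with
    its own 4-byte ICV, so every fragment needs only the 8 known keystream bytes."""
    chunks = [data[i:i + 4] for i in range(0, len(data), 4)]
    if len(chunks) > MAX_FRAGMENTS:
        raise ValueError("802.11 reassembles at most 16 fragments (64 data bytes)")
    frags = []
    for chunk in chunks:
        plain = chunk + icv(chunk)  # <= 8 bytes; the same IV is reused for all
        frags.append(iv + xor(plain, keystream[:len(plain)]))
    return frags


def reassemble(wep_key: bytes, fragments):
    """Client side: decrypt each fragment, drop the frame on any bad ICV."""
    out = b""
    for frag in fragments:
        data, ok = wep_decrypt(wep_key, frag)
        if not ok:
            raise ValueError("ICV mismatch, fragment dropped")
        out += data
    return out


def arp_request(sender_mac: bytes, sender_ip: bytes, target_ip: bytes) -> bytes:
    """LLC/SNAP + 28-byte Ethernet/IPv4 ARP request = 36 bytes."""
    return (LLC_SNAP_ARP + bytes.fromhex("0001080006040001")
            + sender_mac + sender_ip + bytes(6) + target_ip)


def demo():
    wep_key = bytes.fromhex("0102030405")       # constructed 40-bit key
    client_mac = bytes.fromhex("00c0ca1234aa")  # constructed addresses
    client_ip = bytes([192, 168, 1, 10])
    attacker_mac = bytes.fromhex("00c0ca5678bb")
    # 1. Sniff one WEP-encrypted ARP from the client (here it asks for the gateway).
    sniffed = wep_encrypt(wep_key, b"\x11\x22\x33",
                          arp_request(client_mac, client_ip, bytes([192, 168, 1, 1])))
    # 2. Recover 8 keystream bytes for that IV from the known LLC/SNAP header.
    iv, ks = recover_keystream(sniffed)
    assert ks == rc4(iv + wep_key, 8)  # ground truth, checkable only in this simulation
    # 3. Forge a whole ARP request for the client's IP as 36/4 = 9 fragments.
    want = arp_request(attacker_mac, bytes([192, 168, 1, 99]), client_ip)
    frags = forge_fragments(iv, ks, want)
    forged_ok = reassemble(wep_key, frags) == want
    # 4. Relocation arithmetic: 10 forged bytes before the sniffed frame (reused
    #    verbatim as the last fragment; its own IV and ICV are valid) shift its
    #    sender-IP field from offset 22 to the ARP target-IP slot at offset 32.
    relocated = reassemble(wep_key, forge_fragments(iv, ks, want[:10]) + [sniffed])
    return {"keystream_len": len(ks), "fragment_count": len(frags),
            "forged_ok": forged_ok, "relocated_target_ip": relocated[32:36],
            "client_ip": client_ip}
```

Running `demo()` returns a dictionary showing 8 recovered keystream bytes, 9 fragments for the 36-byte ARP request, a successful client-side reassembly, and the client's IP sitting at the target-IP offset of the relocated frame. Note that the toy client never sees the WEP key being used by the attacker: every forged fragment is valid only because it is short enough to be covered by the 8 keystream bytes leaked by the known header.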
Tags: 802.11, WEP, Cracking, Aireplay-ng, ARP, replay, security, hacking, wireless, weak IV, Caffe Latte, Message Modification, fragmentation, known plain text, hirte attack
Fantastic - I'm looking forward to this!
wooo-hooo! Man, I love these videos. How am I going to get any work done now?
Thanks again Vivek, just PURE AWESOME videos. I already know almost all Aircrack commands and all the different attacks. But the important thing that I didn't have an idea about was how those attacks work, and the important use of Wireshark. Thanks Vivek, you're the man. I know quite a lot of info related to security, but I missed a hugely important topic, wireless security, that you're teaching to us in an excellent way, and I really doubt that someone could explain it in such an awesome way.
I'm really looking forward to the WPA/WPA2 videos because I work for a WISP. I know people still use WEP but most have heard the news about its insecurity and don't use it.
Another Excellent Video Vivek, Keep them coming !!!!!
Hey, Vivek. How does one turn off comment notification? There's nothing in the control panel and there is no contact page.
Great tutorial Vivek and rest assured its all still VERY interesting, we are all with you and always looking out for each video....Thanks man.
Great videos... Thanks Vivek for making these videos.
On your site I see you are writing a book, "Wireless Pentesting With Backtrack"?! Is that right?
Is this book free?
And make parts about RADIUS server attacks, airolib-ng, airtun-ng and so on.
I know you are a master in security.
Thanks ..........
These WEP attacks are so beautiful =)
Thanks for explaining them in such detail to us.
BTW Vivek, as WCNA said, how can we disable or stop the comment notifications? They're kind of annoying, and I guess some people aren't commenting because of this.
Nice video... keep it up.
Upload more videos like this... especially on WPA.
Thanks
Thank you vivek :)
do you want to continue "Scenario Based Hacking" video tutorials?
Love the series Vivek. A couple of comments and observations:
I live in a large UK city and even if I war drive or visit industrial & retail estates I'm lucky to find a single WEP AP. Nobody is using it here, so whilst the info is really good and thorough, it's a bit 'legacy'. Where it may be very useful is breaking into an isolated client that has an old WEP station stored in its PNL from some point in its past. This would raise this question: how does one know or find out if the probes are for an Open / WEP / WPA AP?
Also using VirtualBox on my dual core Intel box where Ubuntu 9.10 is the host OS I don't get any memory issues or problems running the airx-ng suite. However, if I run it on my G5 (10.6 Snow Leopard, dual proc) I get all the slowing down and freezing you mention! Just pointing out that my big old shiny Apple has a rotten old core!
Really looking forward to the WPA section coming up. I bet you just OWN this subject too!
@Blackmarketeer: I was in Geneva a couple of weeks ago, I fired up my BT and did an airodump-ng from my hotel room... WEPs all over the place. Here in South Africa it's much the same. Seems like folks are either not aware of the security risks or just don't care. One would expect that in Switzerland of all places people would be more clued in.
cheers.
@fitzroy: Agree that parts of the world have different takes on it. In the UK I can't say I've seen more than a handful of WEP APs in the last five years.
That said, there will always be low hanging fruit everywhere, just it grows better in some places :-) (Unless it's an Apple, then it's a rotten fruit!!!........)
@Blackmarketeer: I agree with Vivek's approach about this. I realise that WEP is old and broken but, as Fitzroy said, there are still many folks that use it. Like you, I'm in the UK and rarely see WEP.
I think it's important to understand the basics about what's happening and why at the packet level. Details about the various attacks against WEP have been fascinating. I have done a number of IT courses and exams (including CCNA) and have learned a lot from Vivek's clear and practical explanation about WEP. I'm sure that he'll get on to the important and much more complicated WPA, WPA2, TKIP, CCMP etc.
I guess an analogy is that it's important to understand the basics of binary maths before delving into the relatively more involved VLSM/CIDR.
Can I download these videos for later viewing?
@Smallies: Create an account on Vimeo and go to Vivek's videos (hxxp: //vimeo .com/ user2264240) then to one of the videos in the series. You'll see a link which will allow you to download it.
I've broken the link because I'm not sure of the protocol here and it's something that I usually do when posting links in a thread on a forum.
Sir, what is meant by channel id > 100???
You are unbelievably awesome! Thank you for devoting your valuable time making these wonderful videos.
Can't wait for WPA/WPA2 :D
go on Vivek!
Clear, easy to follow, truly excellent. Thank you Vivek
(Looking forward for wpa/wpa2)
I've finally caught up and now can't wait for the WPA/WPA2 videos!!
After all, most APs I now see are running at least WPA, and I also have to defend some WPA2 wireless networks.
Don't worry Vivek, I don't think this series is too long, as we can easily see the flow of the subject content and jump around it in the future if needed, so keep going Vivek, keep going :-)
Awesome work!
Hello.
These subjects are useful and interesting:
WPA/WPA2 Analysis & Attack
802.1x
Setup RADIUS Server & Attacks
Explaining tools, for example: wesside-ng, airolib-ng, airsnarf-ng and ..
and ...
Thanks .
vivek,
Thanks for such a wonderful series. I just want to say: please create a series on reverse engineering, as the topic is really very hard for starters and there is very little help available. As the topic is really very basic and necessary for any serious security enthusiast, I really like that you help others to learn the basics and tools of the trade.
Thanks as always for your lovely series.
hey vivek
Thank you for such an amazing video tutorial. Everything is so crystal clear and so easy to understand. Thanks so much.
Hey, when is the big monster WPA/WPA2 coming? Waiting since 5 days. Each day I log in to SecurityTube with the hope that WPA/WPA2 would be here, but still no luck.
just can't wait anymore!!
thanks so much!!!
Vivek,
Parts 18 & 19 of the series are not showing up in the WLAN megaprimer listing. Could you please add them to the list? Thanks.
Come on Vivek, starting to get withdrawal symptoms now. What an excellent series you are producing. Need the next one soon. I am an experienced technical trainer (security, networking and development) and I am loving the way you progress the understanding. Please keep them coming. I think it is important that we understand the threats to our networks and private data. I am certainly more wary of surfing in public. I thought I knew most of this stuff, but you present it in a very clear way that reinforces everything and makes me realise that there are some things that I just didn't appreciate properly.
Keep it coming, I am really looking forward to the next released video.
Yuppieee... My Alfa card arrived today. Worked straight out of the box, set up a bridge and all worked first time.
Bought this card off eBay for $29.50 including shipping to South Africa. I was a bit skeptical as I have never shopped on eBay before, but I must say I am impressed.
@simmerdim: Vivek has to work also :), he can't spend all his time making vids for us. But don't worry, I am sure he will be back soon.
Hello All,
I am back from a long break! Cannot really call it a break as I have been working like a dog :) but now i am back to the videos :)
Regarding the comments - this is a custom platform I coded up in over a week, so I need to add more code for the settings. I will do this in June when I have more time. For the time being I have disabled comment broadcasts completely - apart from when the author of the video replies on the thread. Sorry about this, but there is only so much a single man can do for now :)
You will see a lot of interesting updates on the site very soon! Most importantly I will be creating tons of free videos on a diverse range of advanced topics this year and posting them on SecurityTube. I am sure it will be fun :)
So, just posted the WPA/WPA2 first video here:
http://www.securitytube.net/video/1854
Let the games begin!!!
Can you make a video about Metasploit, how it works and how to use it? Vista and Win7, and I AM STILL HERE and watching everything. Going in depth with packets I'm completely lost, but you know what... I still keep watching!!!!! Make a forum or something.
Great videos. Thanks Vivek.
You are such a great teacher, thank you so much for these videos, they are awesome, kudos vivek !
You mention this series being very long but don't sweat it, I can speak for everyone when I say "continue with the great videos!".
Excellent videos on WEP cracking. I didn't think it would be this easy...makes me wonder why some people still use WEP when there are better solutions available.
Thaaaaaaaanks :D
I can't express how happy I am learning all this neat stuff. I just started a computer engineering course, and surely wireless security is my field from now on. Keep on Vivek =]
hi vivek, nothing to add. great work. appreciate it.
ginger tea is the best.
Maybe you want to uncomment the lines below
"# enable bash completion in interactive shells" in your /etc/bash.bashrc; it gives your tab key more power (unfortunately not for the aircrack suite).
two thumbs up!
You are doing a great job and your videos are not too long.
Even if they were I would get a cup of coffee and keep going.
You have covered this subject very well my friend.
Thanks a lot Vivek for all these videos, you are doing a great job!