In addition to the laboratory environment described in Chapter 5, experimentation with other hardware and software configurations was performed. This was carried out in order to give a perspective on which systems to choose as the main laboratory environment. These experiments were also an essential part of the iterative method of research applied in this thesis, as described in Section 1.5. This section will give an overview of the different hardware and software setups, and the experiments carried out on these. Table 6.1 gives an overview of the different configurations that were used as the victim STA in these experiments. As described in Chapter 5, a MacBook laptop with the built-in WLAN adapter was chosen as the main laboratory environment STA.
Table 6.1: Configurations used as the victim STA

System          WLAN Adapter
MacBook         Broadcom
Ubuntu 8.10     RT73
MacBook Pro     Atheros
MacBook Pro     RT73
Windows XP      Intel
Windows XP      RT73
In addition to experimenting with various STAs, miscellaneous APs were also tested. These were the Linksys WRT54GL, D-Link DIR-655, Hostapd and Linksys WRT54GL with OpenWRT firmware [2]. The Linksys WRT54GL with original firmware was chosen as the main laboratory environment AP, as detailed in Chapter 5. Hostapd is a piece of software that can make a Linux PC function as a wireless AP. Hostapd was installed on a computer running Ubuntu 8.10 with a wireless network card from 3Com Corporation using the Atheros AR5413 chipset.
The setups were tested for compatibility with the original tkiptun-ng attack, as well as the number of injectable QoS channels. In addition to this, the setups were tested with parts of our improved attack, namely the ability to force DHCP renewal and the predictability of the DHCP Transaction ID. The results from these experiments are presented in Section 7.5.
[2] OpenWRT website: http://openwrt.org/
Chapter 7
Results
Conducting scientific research culminates in results. Consequently, this chapter will present the main findings of our research, starting with the verification of the original attack on TKIP. Next, we will describe the outcome of the ARP poisoning attack and the cryptographic DoS attack. Then, we will present the results of our main contribution, the improved attack on TKIP. Finally, the results from experimenting with different configurations are presented.
7.1 Verification of the Original Attack
As part of our experimentation we wanted to verify the implementation of Beck and Tews' attack: tkiptun-ng. The procedure carried out to execute this test was described in Section 6.2, and the theory behind the attack was thoroughly explained in Chapter 3. It should be noted that this implementation, at the time of testing, was still in early development, and that it will most likely undergo some improvements before it is declared complete. While working on this thesis, we observed that a few improvements were added to the tkiptun-ng tool in the aircrack-ng svn repository. This included our own improvement to the attack, as described in Section 6.2.
Our experimentation shows that the tkiptun-ng implementation works. It is able to obtain the keystream and MIC key for AP-to-STA communication, and then inject an ARP request into the network on a different QoS channel. As mentioned in Section 6.2, the original implementation would fail quite often because it did not detect the MIC failure report frames sent by the STA. The program would then start guessing the chopped byte over again, thus triggering the MIC countermeasures. To avoid this we edited the program to wait one minute if 256 bytes were guessed without seeing a MIC failure report frame; this modification was detailed in Section 6.2. It should be noted that the experimentation was executed in an environment with large amounts of wireless traffic. This could have influenced our results: in a low-traffic environment the MIC failures might have been detected more easily. On the other hand, with this presence of other wireless networks our experimentation was closer to a real-world scenario.
Beck and Tews claim that their attack takes "little more than 12 minutes" [32] to complete. Our experience is that this is an understatement. The implementation defaults to a speed of guessing ten bytes per second. Thus the average time to complete without initialization or missed MIC failure reports is:
$$\frac{12 \times 128}{10} + 11 \times 60 \approx 13 \text{ minutes and } 34 \text{ seconds} \qquad (7.1)$$

where 12 is the number of bytes to chop, 128 is the average number of guesses per byte, 10 represents ten guesses per second, 11 is the number of times to wait between bytes and 60 is the MIC failure interval in seconds.
Figure 7.1: A successful completion of the original tkiptun-ng attack
In addition to this, the program has to initialize before it can start the actual attack. This includes interface setup, de-authentication of the STA, capturing the WPA handshake and, most importantly, capturing the ARP packet from the AP. Additionally, the program waits for ten seconds after
capturing the ARP packet to let EAPOL messages pass by uninterrupted. The time for this process to complete varies from around 20 seconds to a minute or longer. As explained earlier, we also experienced that MIC failure reports were quite often missed. Every time this happens the program has to wait an additional minute if our improvement is implemented. If this improvement is not implemented, the MIC countermeasures will be activated, and the attacker has to start the entire attack from the beginning.

The result of this is that the time for the attack to complete in a real-world scenario varies from about 15 to 20 minutes, depending on the initialization time and the number of missed MIC failure report frames. This is a bit more than claimed in the paper by Beck and Tews, but still well within the common re-keying interval of one hour. Figure 7.1 shows a complete run of the tkiptun-ng tool; as can be seen, this took almost 20 minutes to complete because several MIC failure report frames were missed. The time could be reduced by increasing the number of packets guessed per second, but this comes at the risk of missing MIC failure report frames, each of which introduces a 60 second time penalty.
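The timing model in Equation 7.1 and the real-world adjustments above (initialization time, one extra MIC interval per missed failure report) can be written out as a small calculation. The following is an added example for this chapter, not code from the thesis or from aircrack-ng; the constants are those of Equation 7.1, the initialization and missed-report parameters are the ranges the text reports, and the rekey-interval check is a defender's reading of the "well within the common re-keying interval of one hour" remark: a network whose TKIP rekey interval is shorter than the expected attack duration discards the recovered keystream and MIC key before the attack can finish.

```python
"""Timing model for the chop-chop phase of tkiptun-ng (added example).

Constants follow Equation 7.1 of the thesis: 12 bytes to chop, 128 expected
guesses per byte, ten guesses per second by default, and a 60 second wait
after each of the first 11 bytes because the MIC countermeasure interval
allows only one MIC failure report per minute.
"""

BYTES_TO_CHOP = 12            # bytes recovered by chop-chop (Eq. 7.1)
AVG_GUESSES_PER_BYTE = 128    # expected guesses for a uniformly random byte
WAITS_BETWEEN_BYTES = 11      # one wait after every byte except the last
MIC_FAILURE_INTERVAL_S = 60   # seconds between permitted MIC failure reports
REKEY_INTERVAL_S = 3600       # the "common re-keying interval of one hour"


def chop_chop_seconds(guesses_per_second: float = 10.0) -> float:
    """Equation 7.1: ideal duration without initialization or missed reports."""
    guessing = BYTES_TO_CHOP * AVG_GUESSES_PER_BYTE / guesses_per_second
    waiting = WAITS_BETWEEN_BYTES * MIC_FAILURE_INTERVAL_S
    return guessing + waiting


def attack_seconds(guesses_per_second: float = 10.0,
                   init_seconds: float = 20.0,
                   missed_reports: int = 0) -> float:
    """Real-world estimate from the thesis' observations.

    init_seconds covers interface setup, de-authentication, handshake and
    ARP capture (the text reports 20 s to a minute or more; the exact split
    of the 10 s EAPOL grace period is an assumption folded into this value).
    Each missed MIC failure report costs one more MIC interval with the
    modified tool described in Section 6.2.
    """
    penalty = missed_reports * MIC_FAILURE_INTERVAL_S
    return init_seconds + chop_chop_seconds(guesses_per_second) + penalty


def completes_before_rekey(total_seconds: float,
                           rekey_interval_s: float = REKEY_INTERVAL_S) -> bool:
    """Defender's check: does the expected attack finish inside one rekey period?"""
    return total_seconds < rekey_interval_s


def fmt(seconds: float) -> str:
    """Render a duration as 'M min S s', rounding to whole seconds."""
    minutes, secs = divmod(round(seconds), 60)
    return f"{minutes} min {secs} s"


if __name__ == "__main__":
    ideal = chop_chop_seconds()
    print("Eq. 7.1 ideal duration:", fmt(ideal))            # 13 min 34 s
    # Figure 7.1 style run: slow initialization and several missed reports.
    slow = attack_seconds(init_seconds=60.0, missed_reports=5)
    print("60 s init, 5 missed reports:", fmt(slow))
    # Doubling the guess rate saves little, because the 11 mandatory waits
    # dominate; one missed report costs almost as much as the saving.
    print("Saved by 20 guesses/s:", fmt(ideal - chop_chop_seconds(20.0)))
    for rekey in (REKEY_INTERVAL_S, 900):
        print(f"rekey {rekey} s -> attack completes: "
              f"{completes_before_rekey(slow, rekey)}")
```

Running it reproduces the 13 minutes and 34 seconds of Equation 7.1 and shows why the observed runs land at 15 to 20 minutes: the fixed waits, not the guessing, make up most of the time, so a higher guess rate buys only about a minute while every missed report adds one back. The loop at the end makes the mitigation side explicit: with the usual one-hour rekey interval the attack comfortably completes, whereas a 15 minute interval would expire the key before a run with slow initialization and a few missed reports is done.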