SlideShare a Scribd company logo

Caffe Latte Attack Presented In Toorcon

Download as PPT, PDF
M
Md Sohail Ahmad

This presentation is about how WEP configured WiFi enabled roaming client can be compromised and WEP Key can be retireved, sitting thousands of miles away from actual network. The talk was presented in Toorcon 9 in 2007.

Technology
1 of 26
Vivek Ramachandran Md Sohail Ahmad www.airtightnetworks.net Caffé Latte with a Free Topping of Cracked WEP Retrieving WEP Keys From Road-Warriors
Cracks in WEP -- Historic Evolution 2001 - The insecurity of 802.11, Mobicom, July 2001 N. Borisov, I. Goldberg and D. Wagner. 2001 - Weaknesses in the key scheduling algorithm of RC4. S. Fluhrer, I. Mantin, A. Shamir. Aug 2001. 2002 - Using the Fluhrer, Mantin, and Shamir Attack to Break WEP A. Stubblefield, J. Ioannidis, A. Rubin. 2004 – KoreK, improves on the above technique and reduces the complexity of WEP cracking. We now require only around 500,000 packets to break the WEP key. 2005 – Adreas Klein introduces more correlations between the RC4 key stream and the key. 2007 – PTW extend Andreas technique to further simplify WEP Cracking. Now with just around 60,000 – 90,000 packets it is possible to break the WEP key. IEEE WG admitted that WEP cannot hold any water. Recommended users to upgrade to WPA, WPA2
WEP Attacks – exposure area WEP Attacks Distance from Authorized Network (Miles) 1 10 100 1000 On the Moon FMS, Korek PTW No Mutual Authentication Message Modification Message Injection Using known methods, exposure is limited to RF range of WEP enabled network Can your keys be cracked when roaming clients are miles away from the operational network?
Observation #1 ,[object Object],Default Default ,[object Object],[object Object],[object Object],[object Object],[object Object]
Observation #2 Can you force a WEP client connect to a honey pot without having knowledge of the key? Probe Request “Default” Probe Response Authentication Request Authentication Success Association Request Association Response Data Data
Caffé Latte – Attack timelines ,[object Object],[object Object],[object Object],2 days Open + Static IP 6 days Open + DHCP 1.5 days Shared + Static IP 3 days Shared + DHCP Approximate Cracking time Network Configuration
Can we speed it up? DAYS HOURS MINUTES
Problem Formulation ,[object Object],[object Object],[object Object],2 days Open + Static IP 6 days Open + DHCP 1.5 days Shared + Static IP 3 days Shared + DHCP Approximate Cracking time Network Configuration
Caffé latte – Shared + DHCP Challenge Enc. Challenge + 128 bytes Keystream Probe Request “Default” Probe Response Authentication Request Challenge Encrypted Challenge Authentication Success
Caffé latte – Shared + DHCP (2) ,[object Object],[object Object],[object Object],[object Object],169.254.x.y Connection Established Assoc Request Assoc Response DHCP DHCP DHCP Gratuitous ARP Gratuitous ARP Gratuitous ARP
Caffé latte – Shared + DHCP (3) ,[object Object],[object Object],[object Object],[object Object],169.254.246.161 Connection Established ARP Request for 169.254.0.1 ARP Request for 169.254.0.2 ARP Request for 169.254.0.3 ARP Request for 169.254.246.161 ARP Response from 169.254.246.161
 
Caffé latte – Shared + DHCP (4) ,[object Object],[object Object],[object Object],[object Object],169.254.246.161 Connection Established ARP Request for 169.254.246.161 ARP Response from 169.254.246.161 ARP Request for 169.254.246.161 ARP Response from 169.254.246.161
 
Caffé latte – Shared + DHCP (5) ,[object Object]
Caffé Latte for Shared Auth + DHCP - Analysis ,[object Object],[object Object],[object Object],[object Object],Is there a more general solution to the problem ? Lets look at the Open + Static IP case 2 days Open + Static IP 6 days Open + DHCP 1.5 days Shared + Static IP ~ 10 mins Shared + DHCP Approximate Cracking time Network Configuration
Caffé latte – Open + Static IP 5.5.5.5 ,[object Object],[object Object],[object Object],Probe Request “Default” Probe Response Authentication Request Authentication Success Assoc Request Assoc Response Gratuitous ARP from 5.5.5.5 Gratuitous ARP from 5.5.5.5 Gratuitous ARP from 5.5.5.5
Using flaws in WEP – Message Modification and Message Replay ,[object Object],[object Object],[object Object],[object Object]
Applying Bit Flipping to an Encrypted ARP packet + + + 5.5.5.250 WEP ICV ARP Header LLC Header WEP Params MAC Header Target MAC Target IP Sender IP Sender MAC Opcode Protocol Size Hardware Size Protocol Type Hardware Type AA AA AA AA AA AA 05 05 05 05 05 05 05 05 FF 00 00 00 00 00 FF 00 00 00 00 00 00 00 55 AA AA AA AA AA FA 05 05 05 05 05 05 05
Caffé latte – Open + Static IP (2) ,[object Object],[object Object],[object Object],5.5.5.5 Connection Established ARP Request for 5.5.5.5 from 5.5.5.250 ARP Response from 5.5.5.5 to 5.5.5.250 ARP Request for 5.5.5.5 from 5.5.5.250 ARP Response from 5.5.5.5 to 5.5.5.250
 
Caffé latte – Open + Static IP (3) ,[object Object]
Caffé Latte for Open + Static IP - Analysis ,[object Object],[object Object],[object Object],[object Object],~ 6 minutes Open + Static IP ~ 6 minutes Open + DHCP ~ 6 minutes Shared + Static IP ~ 6 minutes Shared + DHCP Approximate Cracking time Network Configuration
Implications of Caffé Latte ,[object Object],[object Object],[object Object],[object Object],[object Object]
Advisory ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Questions? [email_address] md.ahmad@airtightnetworks.com Airtight Networks www.AirTightNetworks.net Acknowledgements: Amit Vartak (amit.vartak@airtightnetworks.net)

Recommended

Caffe Latte Attack
Caffe Latte AttackCaffe Latte Attack
Caffe Latte Attack
AirTight Networks
 
Cafe Latte
Cafe LatteCafe Latte
Cafe Latte
AirTight Networks
 
Chapter11ccna
Chapter11ccnaChapter11ccna
Chapter11ccna
robertoxe
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIP
vanhoefm
 
Cloud Native SDN
Cloud Native SDNCloud Native SDN
Cloud Native SDN
Romana Project
 
Cisco Packet Tracer Overview
Cisco Packet Tracer OverviewCisco Packet Tracer Overview
Cisco Packet Tracer Overview
Ali Usman
 
SSL Web VPN
SSL Web VPNSSL Web VPN
SSL Web VPN
Netwax Lab
 
Phifer 3 30_04
Phifer 3 30_04Phifer 3 30_04
Phifer 3 30_04
Ayano Midakso
 

Recommended

Caffe Latte Attack
Caffe Latte AttackCaffe Latte Attack
Caffe Latte Attack
AirTight Networks
 
Cafe Latte
Cafe LatteCafe Latte
Cafe Latte
AirTight Networks
 
Chapter11ccna
Chapter11ccnaChapter11ccna
Chapter11ccna
robertoxe
 
New flaws in WPA-TKIP
New flaws in WPA-TKIPNew flaws in WPA-TKIP
New flaws in WPA-TKIP
vanhoefm
 
Cloud Native SDN
Cloud Native SDNCloud Native SDN
Cloud Native SDN
Romana Project
 
Cisco Packet Tracer Overview
Cisco Packet Tracer OverviewCisco Packet Tracer Overview
Cisco Packet Tracer Overview
Ali Usman
 
SSL Web VPN
SSL Web VPNSSL Web VPN
SSL Web VPN
Netwax Lab
 
Phifer 3 30_04
Phifer 3 30_04Phifer 3 30_04
Phifer 3 30_04
Ayano Midakso
 
Huiming Liu-'resident evil' of smart phones--wombie attack
Huiming Liu-'resident evil' of smart phones--wombie attackHuiming Liu-'resident evil' of smart phones--wombie attack
Huiming Liu-'resident evil' of smart phones--wombie attack
GeekPwn Keen
 
CCNA NAT (Network Address Translation)
CCNA NAT (Network Address Translation)CCNA NAT (Network Address Translation)
CCNA NAT (Network Address Translation)
Networkel
 
Zhiyun Qian-what leaves attacker hijacking USA Today site
Zhiyun Qian-what leaves attacker hijacking USA Today siteZhiyun Qian-what leaves attacker hijacking USA Today site
Zhiyun Qian-what leaves attacker hijacking USA Today site
GeekPwn Keen
 
Openstack meetup: Bootstrapping OpenStack to Corporate IT
Openstack meetup: Bootstrapping OpenStack to Corporate ITOpenstack meetup: Bootstrapping OpenStack to Corporate IT
Openstack meetup: Bootstrapping OpenStack to Corporate IT
Mirantis
 
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730
Netgear Italia
 
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewalls
phanleson
 
Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilities
vanhoefm
 
KubeCon London 2016 Ronana Cloud Native SDN
KubeCon London 2016 Ronana Cloud Native SDNKubeCon London 2016 Ronana Cloud Native SDN
KubeCon London 2016 Ronana Cloud Native SDN
Romana Project
 
Vpn site to site
Vpn site to siteVpn site to site
Vpn site to site
IT Tech
 
Aircrack
AircrackAircrack
Aircrack
Nithin Sathees
 
Attacking and Securing WPA Enterprise Networks
Attacking and Securing WPA Enterprise NetworksAttacking and Securing WPA Enterprise Networks
Attacking and Securing WPA Enterprise Networks
Northeast Ohio Information Security Forum
 
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC
Indonesia Network Operators Group
 
CCNA Network Monitoring
CCNA Network MonitoringCCNA Network Monitoring
CCNA Network Monitoring
Networkel
 
Vpn(4)
Vpn(4)Vpn(4)
Vpn(4)
Suraj Kumar
 
E Snet Authentication Fabric Pilot
E Snet Authentication Fabric PilotE Snet Authentication Fabric Pilot
E Snet Authentication Fabric Pilot
FNian
 
CCNA point to point
CCNA point to pointCCNA point to point
CCNA point to point
Networkel
 
11 01 Tbd I Radius Security
11 01 Tbd I Radius Security11 01 Tbd I Radius Security
11 01 Tbd I Radius Security
santosh_bhatkhande
 
AWS VPN with Juniper SRX- Lab Sheet
AWS VPN with Juniper SRX- Lab SheetAWS VPN with Juniper SRX- Lab Sheet
AWS VPN with Juniper SRX- Lab Sheet
Kimberly Macias
 
CCNA Lan Redundancy
CCNA Lan RedundancyCCNA Lan Redundancy
CCNA Lan Redundancy
Networkel
 
Bh fed-03-kaminsky
Bh fed-03-kaminskyBh fed-03-kaminsky
Bh fed-03-kaminsky
Dan Kaminsky
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hacking
Pranshu Pareek
 

More Related Content

What's hot

44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON
 
Attacking and Securing WPA Enterprise Networks
Attacking and Securing WPA Enterprise NetworksAttacking and Securing WPA Enterprise Networks
Attacking and Securing WPA Enterprise Networks
Northeast Ohio Information Security Forum
 

What's hot (20)

Huiming Liu-'resident evil' of smart phones--wombie attack
Huiming Liu-'resident evil' of smart phones--wombie attackHuiming Liu-'resident evil' of smart phones--wombie attack
Huiming Liu-'resident evil' of smart phones--wombie attack
 
CCNA NAT (Network Address Translation)
CCNA NAT (Network Address Translation)CCNA NAT (Network Address Translation)
CCNA NAT (Network Address Translation)
 
Zhiyun Qian-what leaves attacker hijacking USA Today site
Zhiyun Qian-what leaves attacker hijacking USA Today siteZhiyun Qian-what leaves attacker hijacking USA Today site
Zhiyun Qian-what leaves attacker hijacking USA Today site
 
Openstack meetup: Bootstrapping OpenStack to Corporate IT
Openstack meetup: Bootstrapping OpenStack to Corporate ITOpenstack meetup: Bootstrapping OpenStack to Corporate IT
Openstack meetup: Bootstrapping OpenStack to Corporate IT
 
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730
Webinar NETGEAR - Nuovi AP Professionali Prosafe WAC720 e WAC730
 
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
44CON 2014 - I Hunt TR-069 Admins: Pwning ISPs Like a Boss, Shahar Tal
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewalls
 
Practical Verification of TKIP Vulnerabilities
Practical Verification of TKIP VulnerabilitiesPractical Verification of TKIP Vulnerabilities
Practical Verification of TKIP Vulnerabilities
 
KubeCon London 2016 Ronana Cloud Native SDN
KubeCon London 2016 Ronana Cloud Native SDNKubeCon London 2016 Ronana Cloud Native SDN
KubeCon London 2016 Ronana Cloud Native SDN
 
Vpn site to site
Vpn site to siteVpn site to site
Vpn site to site
 
Aircrack
AircrackAircrack
Aircrack
 
Attacking and Securing WPA Enterprise Networks
Attacking and Securing WPA Enterprise NetworksAttacking and Securing WPA Enterprise Networks
Attacking and Securing WPA Enterprise Networks
 
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC
02 - IDNOG04 - Sheryl Hermoso (APNIC) - IPv6 Deployment at APNIC
 
CCNA Network Monitoring
CCNA Network MonitoringCCNA Network Monitoring
CCNA Network Monitoring
 
Vpn(4)
Vpn(4)Vpn(4)
Vpn(4)
 
E Snet Authentication Fabric Pilot
E Snet Authentication Fabric PilotE Snet Authentication Fabric Pilot
E Snet Authentication Fabric Pilot
 
CCNA point to point
CCNA point to pointCCNA point to point
CCNA point to point
 
11 01 Tbd I Radius Security
11 01 Tbd I Radius Security11 01 Tbd I Radius Security
11 01 Tbd I Radius Security
 
AWS VPN with Juniper SRX- Lab Sheet
AWS VPN with Juniper SRX- Lab SheetAWS VPN with Juniper SRX- Lab Sheet
AWS VPN with Juniper SRX- Lab Sheet
 
CCNA Lan Redundancy
CCNA Lan RedundancyCCNA Lan Redundancy
CCNA Lan Redundancy
 

Similar to Caffe Latte Attack Presented In Toorcon

Bh fed-03-kaminsky
Bh fed-03-kaminskyBh fed-03-kaminsky
Bh fed-03-kaminsky
Dan Kaminsky
 
Practical webRTC - from API to Solution - webRTC Summit 2014 @ NYC
Practical webRTC - from API to Solution - webRTC Summit 2014 @ NYCPractical webRTC - from API to Solution - webRTC Summit 2014 @ NYC
Practical webRTC - from API to Solution - webRTC Summit 2014 @ NYC
Alexandre Gouaillard
 
Wireless security837
Wireless security837Wireless security837
Wireless security837
mark scott
 
T C P I P Weaknesses And Solutions
T C P I P Weaknesses And SolutionsT C P I P Weaknesses And Solutions
T C P I P Weaknesses And Solutions
eroglu
 
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
Louis Göhl
 
Cracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless NetworksCracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless Networks
guestf2e41
 
Simplified Networking and Troubleshooting for K-12 Teachers
Simplified Networking and Troubleshooting for K-12 TeachersSimplified Networking and Troubleshooting for K-12 Teachers
Simplified Networking and Troubleshooting for K-12 Teachers
webhostingguy
 
Cracking WEP Secured Wireless Networks
Cracking WEP Secured Wireless NetworksCracking WEP Secured Wireless Networks
Cracking WEP Secured Wireless Networks
Hammam Samara
 

Similar to Caffe Latte Attack Presented In Toorcon (20)

Bh fed-03-kaminsky
Bh fed-03-kaminskyBh fed-03-kaminsky
Bh fed-03-kaminsky
 
Fundamentals of network hacking
Fundamentals of network hackingFundamentals of network hacking
Fundamentals of network hacking
 
IoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideasIoT Secure Bootsrapping : ideas
IoT Secure Bootsrapping : ideas
 
Practical webRTC - from API to Solution - webRTC Summit 2014 @ NYC
Practical webRTC - from API to Solution - webRTC Summit 2014 @ NYCPractical webRTC - from API to Solution - webRTC Summit 2014 @ NYC
Practical webRTC - from API to Solution - webRTC Summit 2014 @ NYC
 
Fundamental networking concepts
Fundamental networking conceptsFundamental networking concepts
Fundamental networking concepts
 
Wireless security837
Wireless security837Wireless security837
Wireless security837
 
Real time data processing with kafla spark integration
Real time data processing with kafla spark integrationReal time data processing with kafla spark integration
Real time data processing with kafla spark integration
 
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
Protect Your DHCP Infrastructure from Cyber Attacks - Cybersecurity Training ...
 
Getting started with IPv6
Getting started with IPv6Getting started with IPv6
Getting started with IPv6
 
T C P I P Weaknesses And Solutions
T C P I P Weaknesses And SolutionsT C P I P Weaknesses And Solutions
T C P I P Weaknesses And Solutions
 
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
SVR401: DirectAccess Technical Drilldown, Part 1 of 2: IPv6 and transition te...
 
Wireless Security null seminar
Wireless Security null seminarWireless Security null seminar
Wireless Security null seminar
 
net work iTM3
net work iTM3net work iTM3
net work iTM3
 
Securing & Enforcing Network Policy and Encryption with Weave Net
Securing & Enforcing Network Policy and Encryption with Weave NetSecuring & Enforcing Network Policy and Encryption with Weave Net
Securing & Enforcing Network Policy and Encryption with Weave Net
 
Itep
ItepItep
Itep
 
Cracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless NetworksCracking Wep And Wpa Wireless Networks
Cracking Wep And Wpa Wireless Networks
 
Simplified Networking and Troubleshooting for K-12 Teachers
Simplified Networking and Troubleshooting for K-12 TeachersSimplified Networking and Troubleshooting for K-12 Teachers
Simplified Networking and Troubleshooting for K-12 Teachers
 
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted GraphiteSREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
SREcon Europe 2016 - Full-mesh IPsec network at Hosted Graphite
 
TCP-IP PROTOCOL
TCP-IP PROTOCOLTCP-IP PROTOCOL
TCP-IP PROTOCOL
 
Cracking WEP Secured Wireless Networks
Cracking WEP Secured Wireless NetworksCracking WEP Secured Wireless Networks
Cracking WEP Secured Wireless Networks
 

Recently uploaded

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 

Recently uploaded (20)

EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
Connector Corner: Accelerate revenue generation using UiPath API-centric busi...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​Elevate Developer Efficiency & build GenAI Application with Amazon Q​
Elevate Developer Efficiency & build GenAI Application with Amazon Q​
 

Caffe Latte Attack Presented In Toorcon

  • 1. Vivek Ramachandran Md Sohail Ahmad www.airtightnetworks.net Caffé Latte with a Free Topping of Cracked WEP Retrieving WEP Keys From Road-Warriors
  • 2. Cracks in WEP -- Historic Evolution 2001 - The insecurity of 802.11, Mobicom, July 2001 N. Borisov, I. Goldberg and D. Wagner. 2001 - Weaknesses in the key scheduling algorithm of RC4. S. Fluhrer, I. Mantin, A. Shamir. Aug 2001. 2002 - Using the Fluhrer, Mantin, and Shamir Attack to Break WEP A. Stubblefield, J. Ioannidis, A. Rubin. 2004 – KoreK, improves on the above technique and reduces the complexity of WEP cracking. We now require only around 500,000 packets to break the WEP key. 2005 – Adreas Klein introduces more correlations between the RC4 key stream and the key. 2007 – PTW extend Andreas technique to further simplify WEP Cracking. Now with just around 60,000 – 90,000 packets it is possible to break the WEP key. IEEE WG admitted that WEP cannot hold any water. Recommended users to upgrade to WPA, WPA2
  • 3. WEP Attacks – exposure area WEP Attacks Distance from Authorized Network (Miles) 1 10 100 1000 On the Moon FMS, Korek PTW No Mutual Authentication Message Modification Message Injection Using known methods, exposure is limited to RF range of WEP enabled network Can your keys be cracked when roaming clients are miles away from the operational network?
  • 4.
  • 5. Observation #2 Can you force a WEP client connect to a honey pot without having knowledge of the key? Probe Request “Default” Probe Response Authentication Request Authentication Success Association Request Association Response Data Data
  • 6.
  • 7. Can we speed it up? DAYS HOURS MINUTES
  • 8.
  • 9. Caffé latte – Shared + DHCP Challenge Enc. Challenge + 128 bytes Keystream Probe Request “Default” Probe Response Authentication Request Challenge Encrypted Challenge Authentication Success
  • 10.
  • 11.
  • 12.  
  • 13.
  • 14.  
  • 15.
  • 16.
  • 17.
  • 18.
  • 19. Applying Bit Flipping to an Encrypted ARP packet + + + 5.5.5.250 WEP ICV ARP Header LLC Header WEP Params MAC Header Target MAC Target IP Sender IP Sender MAC Opcode Protocol Size Hardware Size Protocol Type Hardware Type AA AA AA AA AA AA 05 05 05 05 05 05 05 05 FF 00 00 00 00 00 FF 00 00 00 00 00 00 00 55 AA AA AA AA AA FA 05 05 05 05 05 05 05
  • 20.
  • 21.  
  • 22.
  • 23.
  • 24.
  • 25.
  • 26. Questions? [email_address] md.ahmad@airtightnetworks.com Airtight Networks www.AirTightNetworks.net Acknowledgements: Amit Vartak (amit.vartak@airtightnetworks.net)

Editor's Notes

  1. Animation