222 Chapter 4 • Communication Security: Wireless
There are several reasons that an attacker would spoof. If a network allows only
valid interfaces through MAC or IP address filtering, an attacker would need to
determine a valid MAC or IP address to be able to communicate on the network.
Once that is accomplished, the attacker could then reprogram their interface with
that information, allowing them to connect to the network by impersonating a
valid machine.
IEEE 802.11 networks introduce a new form of spoofing: authentication spoofing. As described in their paper “Intercepting Mobile Communications: The Insecurities of 802.11,” Borisov, Goldberg, and Wagner identified a way to utilize weaknesses within WEP and the authentication process to spoof authentication into a closed network. The process of authentication, as defined by IEEE 802.11, is very simple. In a shared-key configuration, the AP sends out a 128-byte random string in a cleartext message to the workstation that is attempting to authenticate. The workstation then encrypts the message with the shared key and returns the encrypted message to the AP. If the message matches what the AP is expecting, the workstation is authenticated onto the network and access is allowed.
As described in the paper, if an attacker has knowledge of both the original plaintext and ciphertext messages, it is possible to create a forged encrypted message. By sniffing the wireless network, an attacker is able to accumulate many authentication requests, each including the original plaintext message and the returned ciphertext-encrypted reply. From this, the attacker can easily identify the keystream used to encrypt the response message. The attacker could then use it to forge an authentication message that the AP accepts as a proper authentication.
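The following is an added illustration, not code from the book or from the Borisov, Goldberg, and Wagner paper. It simulates the shared-key exchange described above with a small RC4 implementation (WEP seeds RC4 with the 24-bit IV followed by the shared key; the CRC-32 ICV that real WEP appends is omitted here, and the 13-byte key length is an assumed WEP-104 configuration). The point it shows is the one the text makes: because the challenge goes out in cleartext and the reply is a stream-cipher XOR of that challenge, anyone who sees both frames recovers the exact keystream for that IV. For contrast, the `hmac_response` function (my addition, not part of 802.11) shows a challenge-response design in which the observed pair reveals no reusable keystream at all.

```python
import hashlib
import hmac
import secrets


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4 key-scheduling plus PRGA; returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_shared_key_response(shared_key: bytes, iv: bytes, challenge: bytes) -> bytes:
    """Station side of 802.11 shared-key authentication (ICV omitted).

    WEP encrypts with RC4 keyed by IV || shared key; the IV is chosen by
    the station and transmitted in the clear alongside the ciphertext.
    """
    keystream = rc4_keystream(iv + shared_key, len(challenge))
    return xor_bytes(challenge, keystream)


def recover_keystream(challenge: bytes, response: bytes) -> bytes:
    """What a passive listener learns from one sniffed exchange.

    Both inputs are visible on the air: the cleartext challenge from the AP
    and the encrypted reply from the station.  Their XOR is the keystream.
    """
    return xor_bytes(challenge, response)


def hmac_response(shared_key: bytes, challenge: bytes) -> bytes:
    """Contrast design (assumed, not 802.11): a keyed MAC over the challenge.

    Seeing challenge and response yields no keystream that could be reused
    against a different challenge.
    """
    return hmac.new(shared_key, challenge, hashlib.sha256).digest()


def demo() -> dict:
    """Run one simulated exchange and report whether the keystream leaked."""
    shared_key = secrets.token_bytes(13)   # constructed WEP-104 key
    iv = secrets.token_bytes(3)            # constructed 24-bit WEP IV
    challenge = secrets.token_bytes(128)   # 128-byte cleartext challenge

    response = wep_shared_key_response(shared_key, iv, challenge)
    leaked = recover_keystream(challenge, response)
    true_stream = rc4_keystream(iv + shared_key, len(challenge))

    return {
        "wep_keystream_recovered": leaked == true_stream,
        "keystream_len": len(leaked),
    }


if __name__ == "__main__":
    print(demo())
```

The defender's takeaway is that shared-key WEP authentication makes the network weaker than open-system authentication with the same key, since every handshake hands out a 128-byte keystream for a known IV; the remedy is not a stronger passphrase but a different handshake (802.1X/EAP or WPA2/WPA3 with per-session keys).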
The wireless hacker does not need many complex tools to succeed in spoofing a MAC address. In many cases, the ability to change the address is either a feature provided by the wireless card manufacturer or can be easily achieved through a Windows Registry modification or through Linux system utilities. Once a valid MAC address is identified, the attacker needs only to reconfigure his device to trick the AP into thinking he is a valid user.
The ability to forge authentication onto a wireless network is a complex process. There are no known “off-the-shelf” packages available that provide these services. Attackers need to either create their own tool or take the time to decrypt the secret key by using AirSnort or WEPCrack.
If an attacker is using Windows 2000, and their network card supports reconfiguring the MAC address, there is another way to reconfigure this information. A card supporting this feature can be changed through the System Control Panel.
Once an attacker is utilizing a valid MAC address, they are able to access any
resource available from the wireless network. If WEP is enabled, the attacker will