What exactly is fake authentication in aireplay-ng
I have started studying Wireless Security and in WEP security, there is something called a fake-auth attack. I know it sends an authentication request and then associates with the AP, and then we can proceed to an ARP replay attack. I need to know how exactly the fake-auth attack works, because if we do not have the WEP key, how can we authenticate and then associate with the AP to replay ARP packets?

Tonita answered 18/2, 2015 at 14:20 Comment(0)

The explanation is pretty simple: an access point must authenticate a station before the station can associate with the access point or communicate with the network. The IEEE 802.11 standard defines two types of WEP authentication:

  • Open System Authentication (OSA): allows any device to join the network, assuming that the device SSID matches the access point SSID. Alternatively, the device can use the “ANY” SSID option to associate with any available access point within range, regardless of its SSID.
  • Shared Key Authentication: requires that the station and the access point have the same WEP key to authenticate.

A detailed tutorial on how to perform a fake-auth using shared key authentication here.


UPDATE: How can we associate to the AP without the key?

The fake authentication attack on the WEP protocol allows an attacker to join a WEP-protected network, even if the attacker does not have the secret root key. IEEE 802.11 defines two ways a client can authenticate itself in a WEP-protected environment.

The first method is called Open System authentication: a client just sends a message to an access point, telling it that it wants to join the network using Open System authentication. The access point will answer the request with "successful" if it allows Open System authentication.

As you can see, the secret root key is never used during this handshake, allowing an attacker to perform this handshake too and to join a WEP-protected network without knowledge of the secret root key. The second method is called Shared Key authentication. Shared Key authentication uses the secret root key and a challenge-response authentication mechanism, which should make it more secure (at least in theory) than Open System authentication, which provides no kind of security.

First, a client sends a frame to an access point telling it that it wants to join the network using Shared Key authentication. The access point answers with a frame containing a challenge, a random byte string. The client now answers with a frame containing this challenge, which must be WEP encrypted. The access point decrypts the frame and, if the decrypted challenge matches the challenge it sent, it answers with "successful" and the client is authenticated.

An attacker who is able to sniff a Shared Key authentication handshake can join the network as well. First, note that besides the AP's challenge, all bytes in the third frame are constant and therefore known by an attacker. The challenge itself was transmitted in cleartext in frame number 2 and is therefore known by the attacker too. The attacker can now recover the key stream which was used by WEP to encrypt frame number 3. The attacker now knows a key stream and the corresponding IV which is as long as frame number 3.

The attacker can now initiate a Shared Key authentication handshake with the AP. After having received frame number 2, he can construct a valid frame number 3 using his recovered key stream. The AP will be able to successfully decrypt and verify the frame and respond with "successful". The attacker is now authenticated.

Reference here.

Gravel answered 18/2, 2015 at 14:38 Comment(6)
But, during the WEP cracking process, the WEP key is unknown, yet we use fake authentication to facilitate the ARP replay. How can we associate without the key? (Tonita)
Check the update on how we can authenticate against an AP using Shared Key authentication using WEP. (Gravel)
If a shared key authentication is required to be sniffed, then how can the fake auth attack work when there are no clients on the WEP network? (Tonita)
The two alternatives to perform a fake authentication attack are described in the answer. If the authentication method is shared key, the steps needed are described in the tutorial linked first. The fake authentication attack using shared key must have at least one client connected to the network (check "deauthenticate a connected client") or one client trying to associate to the AP. (Gravel)
I got the Shared Key part, but have some doubts about Open, as I sniffed some WEP networks in my neighbourhood having Open authentication. If Open authentication does not require any key to be used and exchange data, then why does a normal user require a WEP password to connect to a WEP network and not just connect to it as in fake authentication? (Tonita)
The fake authentication is used for authentication only. As described in the answer, Open System authentication doesn't require the key. In that scenario, the user is required to provide a WEP password not to authenticate, but to encrypt the data frames in the channel. (Gravel)
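The Shared Key key-stream recovery described in the answer above, as an added worked example that is not part of the original post and not aireplay-ng's own code. It assumes a toy RC4/WEP implementation, a constructed 104-bit root key and a simplified frame body (auth algorithm, sequence number, status, challenge element and CRC-32 ICV, without the MAC header); the attacker never reads `ROOT_KEY`, only the sniffed frames 2 and 3:

```python
import os
import struct
import zlib

# Constructed demo key. The attacker class below never touches it.
ROOT_KEY = bytes.fromhex("0123456789abcdef0123456789")  # 104-bit WEP key
CHALLENGE_LEN = 128  # 802.11 Shared Key challenge text is 128 bytes


def rc4(key: bytes, length: int) -> bytes:
    """RC4 key stream (KSA + PRGA) as used by WEP; key = IV || root key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(payload: bytes) -> bytes:
    """WEP integrity check value: CRC-32 over the plaintext, little endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(root_key: bytes, iv: bytes, payload: bytes) -> bytes:
    plaintext = payload + icv(payload)
    return xor(rc4(iv + root_key, len(plaintext)), plaintext)


def wep_decrypt(root_key: bytes, iv: bytes, ciphertext: bytes):
    plaintext = xor(rc4(iv + root_key, len(ciphertext)), ciphertext)
    payload, tag = plaintext[:-4], plaintext[-4:]
    return payload if icv(payload) == tag else None


def auth_frame3_body(challenge: bytes) -> bytes:
    """Frame 3 body: algorithm 1 (Shared Key), seq 3, status 0, challenge IE.
    Apart from the challenge, every byte here is fixed by the standard."""
    return struct.pack("<HHH", 1, 3, 0) + bytes([16, len(challenge)]) + challenge


class AccessPoint:
    def __init__(self, root_key: bytes):
        self.root_key = root_key
        self.pending = {}

    def frame2(self, sta: str) -> bytes:
        """Send a fresh random challenge in cleartext."""
        self.pending[sta] = os.urandom(CHALLENGE_LEN)
        return self.pending[sta]

    def verify_frame3(self, sta: str, iv: bytes, ciphertext: bytes) -> bool:
        """Frame 4: successful only if ICV checks and the challenge matches."""
        body = wep_decrypt(self.root_key, iv, ciphertext)
        return body == auth_frame3_body(self.pending.pop(sta))


def legit_client_frame3(root_key: bytes, challenge: bytes):
    iv = os.urandom(3)
    return iv, wep_encrypt(root_key, iv, auth_frame3_body(challenge))


class Attacker:
    """Knows no key; learns one (IV, key stream) pair from one sniffed handshake."""

    def sniff(self, challenge: bytes, iv: bytes, ciphertext: bytes) -> None:
        known = auth_frame3_body(challenge)
        known += icv(known)  # ICV is computable because the plaintext is fully known
        self.iv, self.keystream = iv, xor(ciphertext, known)

    def forge_frame3(self, new_challenge: bytes):
        body = auth_frame3_body(new_challenge)
        body += icv(body)
        # Same length as the sniffed frame, so the recovered stream covers it;
        # reusing the IV makes the AP derive the same RC4 stream.
        return self.iv, xor(self.keystream, body)


def run_attack():
    """Returns (attacker_authenticated, recovered_stream_equals_real_stream)."""
    ap = AccessPoint(ROOT_KEY)
    challenge = ap.frame2("client")                       # frame 2 (cleartext)
    iv, ct = legit_client_frame3(ROOT_KEY, challenge)     # frame 3 (WEP)
    assert ap.verify_frame3("client", iv, ct)             # frame 4: successful
    atk = Attacker()
    atk.sniff(challenge, iv, ct)
    real_stream = rc4(iv + ROOT_KEY, len(ct))
    new_challenge = ap.frame2("attacker")
    ok = ap.verify_frame3("attacker", *atk.forge_frame3(new_challenge))
    return ok, atk.keystream == real_stream


if __name__ == "__main__":
    print(run_attack())
```

The recovered key stream is only useful for frames of at most 140 bytes under this one IV, which is why the fake authentication gets the station authenticated but does not let it read or forge ordinary data frames; that is the point made in the last comment above.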
