Ticket #766 (closed enhancement: fixed)

Opened 22 months ago

Last modified 5 weeks ago

Add support for Cisco WPA Migration Mode attack

Reported by: misterx
Owned by:
Priority: major
Milestone: 1.2
Component: general
Version: trunk
Keywords:
Cc:

Description

URL:  http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=WPA_MIGRATION_MODE

From "WPA Migration Mode: WEP is back to haunt you..." talk at BlackHat 2010 (Las Vegas):

"Cisco access points support WPA migration mode, which enables both WPA and WEP clients to associate to an access point using the same Service Set Identifier (SSID). Cisco warns (inside a Q&A document[1]) about the dangers by stating “that security will operate at the least-secure level common to all devices” and “as a result, a passive WEP key attack could be launched against WEP users”. The scenario where WEP clients are connected is a serious risk; besides “a passive WEP key attack”, an active WEP cracking attack against a connected WEP client station (i.e. not the access point) could be launched, leveraging the WEP key in minutes.

We focused on analyzing the consequences of having this feature enabled when no WEP clients are present; for example after the migration to WPA has been carried out but this feature has been left enabled. According to Cisco’s statement we should be operating “at the least-secure level common to all devices”, meaning WPA; however, we found that it is possible for an attacker to crack the WEP key under this scenario (i.e. no WEP clients) and connect to the network. This is accomplished by mounting an active attack against the access point with migration mode enabled (and no WEP clients) to recover the WEP key; once recovered, it is possible to connect to the access point using this key (as it is operating in WPA migration mode) and access the network.

Furthermore, Cisco also offers an additional security setting “broadcast key rotation” that according to the documentation[2] “in WPA migration mode, this feature significantly improves the security of key-management capable clients when there are no static-WEP clients associated to the access point”. We also found that this setting could be trivially bypassed.

The obvious solution is to disable WPA migration mode; thus disabling support for legacy WEP stations. We further discuss mitigation strategies and suggest alternative configurations that support legacy WEP stations in a more secure manner."

Attachments

diff-wpa-migration-mode-aircrack-ng.diff Download (24.6 KB) - added by misterx 22 months ago.
Difference against v1.1
diff-aireplay-ng.1-manpage Download (1.6 KB) - added by misterx 21 months ago.
Manpage update from Leandro
diff-wpa-migration-mode-aircrack-ng_r1766.diff Download (24.9 KB) - added by misterx 20 months ago.
renamed attack 'Q' to '8' and updated for r1766
wpa_migration_mode_r1767.patch Download (26.6 KB) - added by misterx 20 months ago.
Updated for r1767 and added some more fixes
wpa_migration_mode_r1767_v2.patch Download (26.9 KB) - added by misterx 20 months ago.
v2 - slight modification + copyright update.

Change History

Changed 22 months ago by misterx

Difference against v1.1

Changed 22 months ago by misterx

URL:  http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=tool&name=WPA_Migration_Mode_patches_for_aircrack-ng_and_Kismet

The WPA Migration Mode patches for the Aircrack-ng suite (aircrack-ng.org) are a set of patches that do the following to the standard Aircrack-ng suite:

  • Adds an attack mode (-W or --migmode) to aireplay-ng (for details see the publications detailed below) that targets access points configured in WPA Migration Mode.
  • Adds an option (-Q) to aireplay-ng fake authentication attack mode (-1 option), that sends reassociation requests instead of performing a complete authentication and association after each delay period.
  • Changes aircrack-ng so that when an attack mode is forced (-a option), frames encrypted with a different encryption scheme than that specified are disregarded for the cryptanalysis phase.
  • Adds logic to aircrack-ng to determine if a WEP-encapsulated frame is a WLCCP packet based on its characteristic size.
  • Integrated into aircrack-ng the ability to use for cryptanalytic purposes WLCCP WEP-encapsulated frames as part of the PTW cryptanalytic attack.
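
The third bullet above (discarding frames whose cipher does not match the forced attack mode) relies on telling WEP data frames apart from TKIP/CCMP ones, and the same distinction is what a wireless IDS needs to spot an access point that advertises WPA in its beacons yet still passes WEP-encrypted data, which is exactly the mixed state migration mode produces. The script below is an added example written for this ticket page; it is not code from the aircrack-ng patches or from Core Security. It works on a constructed, simplified frame representation (frame type, BSSID, Frame Control byte 1, and the frame body with the 802.11 header and, for beacons, the fixed fields already stripped) rather than on a pcap, and it deliberately does not reproduce the WLCCP size check from the fourth bullet because the ticket does not state the size. The two 802.11 facts it uses are the Ext IV flag (bit 0x20 of the fourth byte of the IV/KeyID field, clear for WEP and set for TKIP/CCMP) and the RSN (tag 48) and WPA vendor (tag 221, OUI 00:50:F2, type 1) information elements; the sample frames, BSSIDs and SSIDs are constructed for the demonstration.

```python
"""Defensive heuristic: flag BSSIDs that advertise WPA/RSN in beacons but
also carry WEP-encrypted data frames (the mixed state of WPA migration mode).

Added example for this ticket page, not code from aircrack-ng or Core Security.
Frames are a simplified constructed representation, not raw pcap data.
"""
from collections import defaultdict

WPA_OUI_TYPE = bytes.fromhex("0050f201")  # Microsoft OUI 00:50:F2 + type 1 = WPA IE
TAG_RSN = 48        # RSN (WPA2) information element
TAG_VENDOR = 221    # vendor-specific information element
PROTECTED = 0x40    # Protected Frame bit in Frame Control byte 1
EXT_IV = 0x20       # Ext IV bit in the 4th byte of the IV/KeyID field


def parse_ies(body):
    """Yield (tag, value) pairs from a beacon's tagged-parameter area."""
    i = 0
    while i + 2 <= len(body):
        tag, length = body[i], body[i + 1]
        value = body[i + 2:i + 2 + length]
        if len(value) < length:
            break  # truncated IE: stop rather than misparse the remainder
        yield tag, value
        i += 2 + length


def beacon_advertises_wpa(body):
    """True if the beacon carries an RSN IE or a WPA vendor-specific IE."""
    for tag, value in parse_ies(body):
        if tag == TAG_RSN:
            return True
        if tag == TAG_VENDOR and value[:4] == WPA_OUI_TYPE:
            return True
    return False


def data_frame_cipher(fc1, body):
    """Classify a data frame's cipher from Frame Control byte 1 and its body
    (body starts right after the 802.11 MAC header)."""
    if not fc1 & PROTECTED:
        return "open"
    if len(body) < 4:
        return "malformed"          # no room for the IV/KeyID field
    return "tkip_ccmp" if body[3] & EXT_IV else "wep"


def find_migration_mode(frames):
    """Return {bssid: cipher counts} for APs that advertise WPA/RSN in their
    beacons and were also seen sending or receiving WEP-encrypted data."""
    advertised = set()
    ciphers = defaultdict(lambda: defaultdict(int))
    for f in frames:
        if f["type"] == "beacon":
            if beacon_advertises_wpa(f["body"]):
                advertised.add(f["bssid"])
        elif f["type"] == "data":
            ciphers[f["bssid"]][data_frame_cipher(f["fc1"], f["body"])] += 1
    return {b: dict(ciphers[b]) for b in advertised if ciphers[b].get("wep")}


def sample_frames():
    """Constructed sample capture (not real traffic): three access points."""
    rsn_ie = bytes([TAG_RSN, 20]) + bytes.fromhex(
        "0100" "000fac02" "0100" "000fac04" "0100" "000fac02" "0000")
    wpa_ie = bytes([TAG_VENDOR, 22]) + WPA_OUI_TYPE + bytes.fromhex(
        "0100" "0050f202" "0100" "0050f202" "0100" "0050f202")

    def ssid_ie(name):
        return bytes([0, len(name)]) + name.encode()

    mig, wpa2, wep = "00:11:22:33:44:55", "00:11:22:33:44:66", "00:11:22:33:44:77"
    from_ds_protected = 0x42                                  # FromDS | Protected
    wep_body = bytes.fromhex("a1b2c300") + b"\x00" * 8        # KeyID byte, Ext IV clear
    tkip_body = bytes.fromhex("a1b2c320") + b"\x00" * 12      # KeyID byte, Ext IV set
    return [
        {"type": "beacon", "bssid": mig, "body": ssid_ie("CorpNet") + wpa_ie + rsn_ie},
        {"type": "data", "bssid": mig, "fc1": from_ds_protected, "body": tkip_body},
        {"type": "data", "bssid": mig, "fc1": from_ds_protected, "body": wep_body},
        {"type": "data", "bssid": mig, "fc1": from_ds_protected, "body": wep_body},
        {"type": "beacon", "bssid": wpa2, "body": ssid_ie("CorpNet-WPA2") + rsn_ie},
        {"type": "data", "bssid": wpa2, "fc1": from_ds_protected, "body": tkip_body},
        {"type": "beacon", "bssid": wep, "body": ssid_ie("Legacy")},
        {"type": "data", "bssid": wep, "fc1": from_ds_protected, "body": wep_body},
    ]


if __name__ == "__main__":
    for bssid, counts in find_migration_mode(sample_frames()).items():
        print(f"{bssid}: advertises WPA/RSN but also passes WEP data {counts}")
```

Only the first access point is reported: the second advertises RSN and carries nothing but TKIP/CCMP data, and the third is a plain WEP network with no WPA/RSN element, so neither is in the mixed state. Feeding the detector from a live capture means doing the header parsing this example skips, and in practice the Ext IV check belongs on frames to or from the BSSID only, which is why the sample keys counts by BSSID.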

Changed 22 months ago by misterx

The short option will be renamed to '8' instead of 'W' and an entry in the manpage will need to be added.

Changed 21 months ago by misterx

Manpage update from Leandro

Changed 20 months ago by misterx

renamed attack 'Q' to '8' and updated for r1766

Changed 20 months ago by misterx

Updated for r1767 and added some more fixes

Changed 20 months ago by misterx

v2 - slight modification + copyright update.

Changed 20 months ago by misterx

  • status changed from new to closed
  • resolution set to fixed
