我最近正在阅读一本名为802.11 Wireless Networks The Definitive Guide(第二版)的书。我发现自己无法理解WEP共享密钥身份验证的算法。
在本书的第8.3章“共享密钥认证的遗产”一节中,它说
第三帧是移动台对挑战的响应。为了证明在网络上允许它,移动台构造具有三个信息元素的管理帧:认证算法标识符,序列号3和挑战文本。在发送帧之前,移动台用WEP (BUT HOW ???)处理帧。标识帧作为认证帧的标题被保留,但信息元素被WEP隐藏。
所以,我想问一下这里的社区。
以下是我使用Tamosoft Commview为wifi 6.3捕获的示例WEP auth会话数据包。
您可以在此处找到我的数据包捕获:http://down.nlscan.com/misc/WEP128-shared-key-success-1.ncf
数据包#55,#57,#59,#61是WEP认证数据包。 #59是“第三帧”。
============================================================================
Packet #55, Direction: Pass-through, Time:16:11:42.634285, Size: 30
Wireless Packet Info
Signal level: 100%
Rate: 2.0 Mbps
Band: 802.11g
Channel: 11 - 2462 MHz
802.11
Frame Control: 0x00B0 (176)
Protocol version: 0
To DS: 0
From DS: 0
More Fragments: 0
Retry: 0
Power Management: 0
More Data: 0
Protected Frame: 0
Order: 0
Type: 0 - Management
Subtype: 11 - Authentication
Duration: 0x0102 (258)
Destination Address: 00:0E:2E:7C:52:A9
Source Address: 00:20:4A:96:23:C7
BSS ID: 00:0E:2E:7C:52:A9
Fragment Number: 0x0000 (0)
Sequence Number: 0x000E (14)
Authentication
Algorithm Number: 0x0001 (1) - Shared Key
Transaction Sequence Number: 0x0001 (1)
Status Code: 0x0000 (0) - Successful
Raw Data:
0x0000 B0 00 02 01 00 0E 2E 7C-52 A9 00 20 4A 96 23 C7 °......|R©. J–#Ç
0x0010 00 0E 2E 7C 52 A9 E0 00-01 00 01 00 00 00 ...|R©à.......
============================================================================
Packet #57, Direction: Pass-through, Time:16:11:42.638429, Size: 160
Wireless Packet Info
Signal level: 100%
Rate: 1.0 Mbps
Band: 802.11g
Channel: 11 - 2462 MHz
802.11
Frame Control: 0x00B0 (176)
Protocol version: 0
To DS: 0
From DS: 0
More Fragments: 0
Retry: 0
Power Management: 0
More Data: 0
Protected Frame: 0
Order: 0
Type: 0 - Management
Subtype: 11 - Authentication
Duration: 0x013A (314)
Destination Address: 00:20:4A:96:23:C7
Source Address: 00:0E:2E:7C:52:A9
BSS ID: 00:0E:2E:7C:52:A9
Fragment Number: 0x0000 (0)
Sequence Number: 0x0343 (835)
Authentication
Algorithm Number: 0x0001 (1) - Shared Key
Transaction Sequence Number: 0x0002 (2)
Status Code: 0x0000 (0) - Successful
Challenge text: 28 B8 9B EC 79 C1 AC B6 24 AD 54 A5 5A 96 EE 24 3E 25 F2 D5 B8 11 1C 2F E9 8D 2B A2 63 EA 3D 1F 40 6E 8C 3D 2C 7E 37 E9 5C 9C F4 0E F2 9C 50 88 21 DA 35 09 97 AE E3 BA 4E 56 77 9A B4 B1 F2 34 E9 AD
Raw Data:
0x0000 B0 00 3A 01 00 20 4A 96-23 C7 00 0E 2E 7C 52 A9 °.:.. J–#Ç...|R©
0x0010 00 0E 2E 7C 52 A9 30 34-01 00 02 00 00 00 10 80 ...|R©04.......€
0x0020 28 B8 9B EC 79 C1 AC B6-24 AD 54 A5 5A 96 EE 24 (¸›ìyÁ¬¶$T¥Z–î$
0x0030 3E 25 F2 D5 B8 11 1C 2F-E9 8D 2B A2 63 EA 3D 1F >%òÕ¸../é+¢cê=.
0x0040 40 6E 8C 3D 2C 7E 37 E9-5C 9C F4 0E F2 9C 50 88 @nŒ=,~7é\œô.òœPˆ
0x0050 21 DA 35 09 97 AE E3 BA-4E 56 77 9A B4 B1 F2 34 !Ú5.—®ãºNVwš´±ò4
0x0060 E9 AD 8D 98 05 28 A1 AD-3F DA 66 05 60 66 EA 24 é˜.(¡?Úf.`fê$
0x0070 02 DA 14 AC 66 CD DC E6-93 A8 79 23 70 87 39 44 .Ú.¬fÍÜ擨y#p‡9D
0x0080 17 4E 0F AC A2 CA 9F 84-5F 94 66 3C 04 AB 86 8E .N.¬¢ÊŸ„_”f<.«†Ž
0x0090 99 78 AB C9 E9 C0 91 95-9E 52 B1 7C 6B 22 63 C0 ™x«ÉéÀ‘•žR±|k"cÀ
============================================================================
Packet #59, Direction: Pass-through, Time:16:11:42.639825, Size: 168
Wireless Packet Info
Signal level: 100%
Rate: 2.0 Mbps
Band: 802.11g
Channel: 11 - 2462 MHz
802.11
Frame Control: 0x40B0 (16560)
Protocol version: 0
To DS: 0
From DS: 0
More Fragments: 0
Retry: 0
Power Management: 0
More Data: 0
Protected Frame: 1
Order: 0
Type: 0 - Management
Subtype: 11 - Authentication
Duration: 0x0102 (258)
Destination Address: 00:0E:2E:7C:52:A9
Source Address: 00:20:4A:96:23:C7
BSS ID: 00:0E:2E:7C:52:A9
Fragment Number: 0x0000 (0)
Sequence Number: 0x000F (15)
Authentication
Algorithm Number: 0x1300 (4864) - Reserved
Transaction Sequence Number: 0x00F6 (246)
Status Code: 0xB4BA (46266) - Reserved
Raw Data:
0x0000 B0 40 02 01 00 0E 2E 7C-52 A9 00 20 4A 96 23 C7 °@.....|R©. J–#Ç
0x0010 00 0E 2E 7C 52 A9 F0 00-00 13 F6 00 BA B4 A9 F5 ...|R©ð...ö.º´©õ
0x0020 77 E9 5D 1F A2 B2 CE 3A-AD 1E FD 31 EA 55 90 B8 wé].¢²Î:.ý1êU¸
0x0030 56 F6 EF 81 CE C5 95 B6-9B 2F C4 77 BD E0 DD 73 VöïÎÅ•¶›/Äw½àÝs
0x0040 C6 C8 CE F6 0B 3F 0E 8D-08 15 93 5C 26 6E DA 17 ÆÈÎö.?...“\&nÚ.
0x0050 83 34 A2 53 51 65 3C AE-7A 5C A5 EA 04 97 6E F0 ƒ4¢SQe<®z\¥ê.—nð
0x0060 53 02 02 91 08 51 87 8E-83 38 CD 23 35 E7 56 1B S..‘.Q‡Žƒ8Í#5çV.
0x0070 1D A8 52 8F E1 D4 21 FD-46 41 65 AD 26 AB 74 3D .¨RáÔ!ýFAe&«t=
0x0080 E0 13 12 66 F5 C1 67 B3-71 7F 83 77 A0 34 16 55 à..fõÁg³qƒw 4.U
0x0090 25 96 31 01 A0 9C D9 13-1E 7C E6 8F 15 8D 8A 7B %–1. œÙ..|æ.Š{
0x00A0 8E 6B 65 97 74 0B 23 71- Žke—t.#q
============================================================================
Packet #61, Direction: Pass-through, Time:16:11:42.640916, Size: 30
Wireless Packet Info
Signal level: 100%
Rate: 1.0 Mbps
Band: 802.11g
Channel: 11 - 2462 MHz
802.11
Frame Control: 0x00B0 (176)
Protocol version: 0
To DS: 0
From DS: 0
More Fragments: 0
Retry: 0
Power Management: 0
More Data: 0
Protected Frame: 0
Order: 0
Type: 0 - Management
Subtype: 11 - Authentication
Duration: 0x013A (314)
Destination Address: 00:20:4A:96:23:C7
Source Address: 00:0E:2E:7C:52:A9
BSS ID: 00:0E:2E:7C:52:A9
Fragment Number: 0x0000 (0)
Sequence Number: 0x0344 (836)
Authentication
Algorithm Number: 0x0001 (1) - Shared Key
Transaction Sequence Number: 0x0004 (4)
Status Code: 0x0000 (0) - Successful
Raw Data:
0x0000 B0 00 3A 01 00 20 4A 96-23 C7 00 0E 2E 7C 52 A9 °.:.. J–#Ç...|R©
0x0010 00 0E 2E 7C 52 A9 40 34-01 00 04 00 00 00 ...|R©@4......
============================================================================
我知道,从书中,RC4是如何工作的,我编写了一个python程序来验证WEP如何加密802.11数据包。
剩下的问题是我无法弄清楚WEP身份验证算法是如何工作的(如何计算#59。
等待你的慷慨帮助。
答案 0 :(得分:3)
我的猜测是,当挑战以明文形式发送时,移动台选择随机IV并使用预共享的WEP密钥,当IV用作密钥的前3个字节时,它使用RC4加密质询。这3个字节通过通道清晰发送。然后,问题从这里开始,如本书后面所述。任何正在收听通信的人,都可以窃听并找出挑战和密文,将这两者放在一起,攻击者获得密钥流并请求新的挑战,并使用与合法用户和相同密钥流相同的IV对其进行加密。然后他可以简单地进行身份验证,但他仍然不知道WEP密钥:)
答案 1 :(得分:2)
这是一个很好的问题,但关于它们的规范和书籍在您最需要它们的地方往往是不完整的。
在这种情况下,工作源代码是最好的选择,并且linux / net / mac80211 / wep.c代码可供阅读。