Infoz
Who: Hackers like you.
What: ToorCon 9
When: October 19th-21st, 2007
Where: San Diego Convention Center
Why: What could possibly go wrong?

Cafe Latte with a Free Topping of Cracked WEP: Retrieving WEP Keys From Road-Warriors
Vivek Ramachandran, Md Sohail Ahmad
This presentation debunks the age-old myth that to crack WEP, the attacker needs to be in the RF vicinity of the authorized network, with at least one functional AP up and running. We demonstrate that it is possible to retrieve the WEP key from an isolated Client - the Client can be on the Moon! - using a new technique called "AP-less WEP Cracking". After this presentation, Pen-testers will realize that a hacker no longer needs to drive up to a parking lot to crack WEP. Corporations still stuck with using WEP will realize that their WEP keys can be cracked while one of their employees is transiting through an airport, having a cup of coffee, or catching some sleep in a hotel room. Interestingly, our discovery also has a great impact on the way Honey-pots work today and takes them to the next level of sophistication.
At its core, the attack uses various behavioral characteristics of the Windows Wireless stack along with already known flaws in WEP to pull off this feat! Depending upon the network configuration of the authorized network, we will show that it is possible to recover the WEP key from an isolated Client within a time slot ranging from just a few minutes to a couple of hours. It is important to note that though our talk will center on wireless Clients which run a Windows operating system, the core idea presented can be easily used to find similar attacks for other operating systems.