Newbie WEP Wordlist attack questions

[default]

As I have been Having problems getting my Senao NL-2511CD EXT2 (E100) to inject, I have given up trying, please don't try and convince me to try again, I'm running 1.7.4 with hostap_cs can get it running on wlan0 and monitor but it won't inject no matter what I've tried, screw it, and screw prism2. I'll try an Atheros chipset next.

So because of this, i have been running word lists on what little iv's i can grab and I have a few questions:


Q1. When trying to crack wep using a wordlist should i restrict my words to 5 ascii characters for 64Bits and 13ascii characters for 128Bit? I have been using one rather large 22 Million word file that contains an assortment of alpha numeric words of various lengths from 1 to 20 characters long

Q2. Does the number of iv's matter when doing a wordlist attack, the only requirement aircrack-ng asks for is 4 iv's. I assume each iv has the same algorithm and password so it wouldn't improve my chances by having more iv's, also 4 ivs would be a lot faster than 10k iv's

Q3. Is there a command line option to convince Aircrack-ng to run a 64 scan then a 128 scan? I tried "-n 64,128" and it just ran 128, I guess i will need to script something


That's it, Thankyou in advance for anyone who has the time to answer my newbie questions and thankyou to the team who made BT2 possible.

disclaimer (No attempt to access any AP was made by me without the full permission of the AP's owner)

[purehate]

Well your first problem is that WEP is a mathematical algorithm which does not require a word list to crack. So depending on the version of aircrack you are using you will need 20,000+ ivs (which are unique to your ap).

On the other hand WPA DOES require a word list and the 4 ivs your talking about is a four way hand shake captured by airodump when a client connects.

But since at the end your talking about 64 and 128 bit encryption then you should probably watch one of my friend -=xploitz=-(name right wings and all ) excellent videos on the subject.

Just try -n 64 for a 64 bit key. I believe 124 is the default

Furthermore that disclaimer is worthless. You will be shocked to know that people often misrepresent them selves on the internet.

[streaker69]

Furthermore that disclaimer is worthless. You will be shocked to know that people often misrepresent them selves on the internet.

Next you'll be telling people that I'm not really Amish.

[level]

If you want to crack wep with a wordlist, this tutorial will show you how:

http://aircrack-ng.org/doku.php?id=aircrack-ng

Near the middle of the page, it will tell you how crack wep with a dictionary.

[default]

Well your first problem is that WEP is a mathematical algorithm which does not require a word list to crack. So depending on the version of aircrack you are using you will need 20,000+ ivs (which are unique to your ap).
.

I have been successful at cracking 64Bit WEP with just 4 IV's using a wordlist, I'm thinking once you start a wordlist attack Aircrack is just checks an encrypted key against a word and sees if it comes out un-encrypted, it doesn't need anymore iv's than 4 because they would all be encrypted the same. I guess 4 are used either because it checks the result against all 4 keys to see if the results are the same and/or there's 4 threads running.
It's kind of difficult to generate 250,000+ iv's for a basic crack or even 40,000+ iv's for a ptw attack when you can't get this card to inject, that's why I'm stuck wordlisting until my Atheros chipset gets here.

On the other hand WPA DOES require a word list and the 4 ivs your talking about is a four way hand shake captured by airodump when a client connects.
.

I know WPA needs a wordlist and a 4 way handshake, I'm not confused between wep's 4 iv requirement when wordlist attacking and wpa's 4 way handshake. I prefer not to talk about wpa as getting a handshake with this card is beyond my and or it's capabilities, I think i aged a year in the last few days trying to get a handshake.

But since at the end your talking about 64 and 128 bit encryption then you should probably watch one of my friend -=xploitz=-(name right wings and all ) excellent videos on the subject.

Just try -n 64 for a 64 bit key. I believe 124 is the default
.

I was asking if there was a command line option to First run a 64 and then a 128 on the same set of iv's with the same wordlist, but thanks anyway. Nevermind, I'll work something out, was just curious if someone knew that's all.

Furthermore that disclaimer is worthless. You will be shocked to know that people often misrepresent them selves on the internet.

The disclaimers was put there so i didn't have to explain everything i was doing was legal, I never knew I'd have to explain the damn disclaimer Anyway, thanks for your help

[default]

If you want to crack wep with a wordlist, this tutorial will show you how:

-> I'm too new to post url's lol <-

Near the middle of the page, it will tell you how crack wep with a dictionary.

Yep, that's probably the first thing i ever read on cracking wep, That and the winxp aircrack tutorial. I've read a bunch of tutorials and watched -=xploitz=- excellent videos in slow motion cause he types too fast. I even made a couple of Howto's for myself that i could follow step by step each time I ran the live cd. I then got a bit braver and installed Backtrack2 onto my lappy, trying different drivers and firmware, screwing with hostap_cs and blacklisting orinoco and hermes drivers to get my card into monitor mode. I searched and read a bit more about linux and download a list of different commands that helped me feel my way around. It's still annoying trying to do simple things when linux has a totally different name for everything, but I'm getting there. I still havent been able to do any injecting or de-authorizing with this card, I'm convinced people who claim NL-2511Cd EXT2 card to be great are delusional

[-=Xploitz=-]

But since at the end your talking about 64 and 128 bit encryption then you should probably watch one of my friend -=xploitz=-(name right wings and all ) excellent videos on the subject.

you forgot the Capital X!!!!

[-=Xploitz=-]

You know what...this whole time I never knew you could crack WEP with a freaking hex or ascii dictionary!!

From the aircrack-ng site.....

http://aircrack-ng.org/doku.php?id=aircrack-ng

Next, we look at cracking WEP with a dictionary. In order to do this, we need dictionary files with ascii or hexadecimal keys to try. Remember, a single file can only have ascii or hexadecimal keys in it, not both.
WEP keys can be entered in hexadecimal or ascii. The following table describes how many characters of each type is required in your files.
WEP key length
in bits Hexadecimal
Characters Ascii
Characters 64105 1282613 1523216 2565829 Example 64 bit ascii key: “ABCDE”
Example 64 bit hexadecimal key: “12:34:56:78:90” (Note the ”:” between each two characters.)
Example 128 bit ascii key: “ABCDEABCDEABC”
Example 128 bit hexadecimal key: “12:34:56:78:90:12:34:56:78:90:12:34:56”

To WEP dictionary crack a 64 bit key:
aircrack-ng -w h:hex.txt,ascii.txt -a 1 -n 64 -e teddy wep10-01.cap
Where:

• -w h:hex.txt,ascii.txt is the list of files to use. For files containing hexadecimal values, you must put a “h:” in front of the file name.
• -a 1 says that it is WEP
• -n 64 says it is 64 bits. Change this to the key length that matches your dictionary files.
• -e teddy is to optionally select the access point. Your could also use the ”-b” option to select based on MAC address
• wep10-01.cap is the name of the file containing the data. It can be the full packet or an IVs only file. It must contain be a minimum of four IVs.

Here is a sample of the output:
Aircrack-ng 0.7 r247


[00:00:00] Tested 2 keys (got 13 IVs)

KB depth byte(vote)
0 0/ 0 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0)
1 0/ 0 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0)
2 0/ 0 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0)
3 0/ 0 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0)
4 0/ 0 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0)

KEY FOUND! [ 12:34:56:78:90 ]
Probability: 100%

Looks like I just got myself a theme for a new video tutorial!!!

Thanks for pointing this out guys!!

See..you CAN teach an old dog new tricks!!!

[default]

You know what...this whole time I never knew you could crack WEP with a freaking hex or ascii dictionary!!


Looks like I just got myself a theme for a new video tutorial!!!

Thanks for pointing this out guys!!

See..........

I kind of assumed you guys already knew everything, but I'm glad this thread helped you learn something else



So, aircrack defaults to ascii, if you don't put in a h: it'll think it's a bunch of alpha-numeric ascii characters.
Well the first thing I'm going to do is find a program that can read my ascii wordlists and strip out only the 5, and 13 length ascii words for 64 and 128 bit attacks.

asciiset dot com

I have no idea if ascii characters from DEC 00-32 are included or the extended ascii character set from DEC 128-255? is either. The characters between DEC 0-32 are stuff like null, cancel, escape and wouldn't be something someone would type on a keypad, except for space which may or may not be used but wouldn't hurt to throw it in.

[purehate]

I stand corrected as well.