Thread: (newbie)howto speedup ivs on idle nets

  1. #1
    Just burned his ISO
    Join Date
    Apr 2008
    Posts
    14

    (newbie) howto speedup ivs on idle nets

    Most people run into trouble when they try to crack wep. I did.
    Here's how I got the #data/s up to an average of about 5. This should get you about one million IVs/24h. One million ivs should be enough to crack 104bit wep.

    Waiting 24h is a lot more than needed, but after being pissed off for two weeks with an average of about 0.1ivs/s and the friggin' shell freezing up so I have to start all over ffs! I decided to forget about injection, chopchop etc and make my own way.

    If the router you wanna crack on is busy, you'll have the ivs fast anyway, so this method is for idle routers, but I guess it will speed up a busy router some more as well.

    What I did was this:
    I set up my bt shell as usual, capturing ivs. The iv count would stay at 0 for hours, so I borrowed a vista laptop, put it close to the ap so I got at least three bars in xp (good) and connected to the ap. Of course, when I did this, it asked me for the key... I entered FFFFFFFFFFFFFFFFFFFFFFF (doesn't really matter, you just have to feed it something that fits the profile of any wep key length) and hit connect. Looking at the iv counter, I saw that this connection attempt had caused the ap to transmit, and gave me 1000ivs! Disconnecting and reconnecting manually eventually gave me 200000ivs and I was gonna try to crack, but then for some reason the shell acted up and lost sight of the network... Had to reset the adapter and start over... jeez.
    What I did was simply clicking reset on the wzc (windows zero configuration) service. This makes the adapter lose connection and reconnect, thus generating traffic. Doing this manually is hellish in the long run, so I made a batch file. Code: again.bat

    :: again.bat - restart the Windows Zero Configuration service in a loop so the
    :: adapter drops its association and reconnects, generating traffic each time.
    @echo off
    :loop
    net stop wzcsvc
    net start wzcsvc
    :: Delay: ping waits about one second between echo requests, so -n 12 gives
    :: roughly the 10+ seconds Windows needs to reassociate before the next restart.
    ping -n 12 127.0.0.1 >nul
    goto loop

    The ping localhost is to give it some time to generate traffic, I don't know of any other way to delay the script. If you put net start and stop in a loop you will have little or no traffic generated as windows needs about 10 seconds to communicate with the ap. You can add more ping localhost commands or remove some, depending on your needs... Too many will guarantee that it works, but slow it down. Too few won't let it get around to communicating at all, choking things.
    I guess I have reinvented the fakeauth attack, but the fakeauth did not work for me although it said successful :-).

    Do you know of a similar approach that will produce ivs faster? This is slow, because it is not a steady stream of data. The ARP replay injection never worked for me, it gets lots of arp requests and sends a heapload of packets, but the ap ignores them all.

    Btw, your success is gonna depend on how the box you are using to associate to the net behaves, you have to use xp to connect and not a 3rd party prog, and make sure it stays connected in the limited or no connectivity mode. So long as you have good signal strength, xp should not try to renew ip and reconnect. If you see the connected icon with the exclamation mark, you are good to go.

  2. #2
    Senior Member
    Join Date
    Feb 2008
    Posts
    681

    Afaik... If you lose sight of the network and have to reset your adapter etc. you wouldn't have to start over as you could still use the ivs that were previously captured... unless the password changes, of course, in which case you'd obviously have to restart from scratch.

    If I'm wrong here... please correct me.

    Btw... thanks for sharing
    hehe...

  3. #3
    Just burned his ISO
    Join Date
    Apr 2008
    Posts
    14

    Quote Originally Posted by .lonewolf:
    Afaik... If you lose sight of the network and have to reset your adapter etc. you wouldn't have to start over as you could still use the ivs that were previously captured... unless the password changes, of course, in which case you'd obviously have to restart from scratch.

    If I'm wrong here... please correct me.

    Btw... thanks for sharing
    I think you think I'm doing this because I'm losing the connection=)
    I guess this script could be used in such a situation as well, but I am doing this because I can not get injection to work on my router... no idea why, but it gets arp and transmits a lot of packets to the router, but it does not work at all.
    For some reason, simply trying to connect to my router from a vista laptop, using whatever invalid key, generates about 500ivs worth of traffic. Redoing this thousands of times a day, which is what I am doing here, gets me about one million ivs/24h which is fast enough for me... All else I've tried is useless, unless of course there is a lot of traffic on it to begin with, then I could have it in minutes.

    On another router I had before I put it into service, I could crack the key with 20k ivs, 100000ivs is not enough for this one for some reason, I suppose one had 64bit encryption while the other one did not, but one won't see this with aircrack. In 12hrs I'll know if this worked... Then I'll have my million ivs.

    I have already done this, but it was unsuccessful. I had more than a million ivs, it only tested one key, no go. I've entered the commands myself now, to prevent it from collecting ivs from another ap on the same chan.
    If it does not work this time, I dunno.

  4. #4
    Just burned his ISO
    Join Date
    Apr 2008
    Posts
    14

    If I haven't explained this clearly, this script needs to run on a 2nd box w/ xp/vista whatever that just sits there, while the 1st bt box gathers ivs.

  5. #5
    Just burned his ISO
    Join Date
    Apr 2008
    Posts
    14

    Update
    This method will get you ivs faster, but I stumbled upon something interesting, and it was not the key of my ap... It returned the key I entered on the vista box that was generating the traffic. So in order for this to work, you need to enter the correct key... Which you don't have of course. So forget about this attack=)
    However, this info isn't useless. Security wise, if you have a client associated with the wrong key, and someone gathers your ivs and tries to crack the key, it will, apparently, be thrown off by these ivs that contain info about the erroneous key entered.
    Another way to foil an attack, I guess.
    For some reason, injection decided to work, I got the key in one hour gathering nearly 400000 ivs using my client associated with the right key=)

  6. #6
    Super Moderator Archangel-Amael's Avatar
    Join Date
    Jan 2010
    Location
    Somewhere
    Posts
    8,012

    I am not sure if you have gotten your wep key or not but you might wanna have a look at this thread and the associated video. Might save you a lot of trouble.

    xploitz e-z wep cracking tutorial
