Why do I need packetforge-ng for KoreK?

[Der_Kanzler]

Hi there

I got a theoretical question related to KoreK attacks and hope somebody can clear this up.

On the net I found manuals that did a KoreK with first a fakeauth (works without fakeauth aswell by using MAC of associated client, but anyway), then they used an "aireplay-ng -4 ..."-command and then they forged an ARP-packet with packetforge to later inject it into the net with aireplay-ng and then they cracked the key with aircrack-ng -P and so on. I assume the method is quite popular since I found it in manuals as well as in videos.

But now I just found out that aircrack-ng has a -k [1-17] option for KoreK attacks. With this you select, which of the 17 KoreK strategies you use.

Well, I decided to be naive and tried it out on my WLAN (had to switch to WEP for that, eek...) ... just started airodump with "-w wep2" and then entered "aircrack-ng -k 1 -b BSSID wep2-01.cap" ... and well, it worked, the key was found after the capturing of 38108 IVs.

Now, what was that? Why did it work without packetforge and the other commands?
What is the packetforge strategy actually good for? Just to generate traffic or not? So that would mean in WLANS with much traffic the "aircrack -k"-way is the more efficient and silent one or not?

[imported_=Tron=]

Hi there
Now, what was that? Why did it work without packetforge and the other commands?
What is the packetforge strategy actually good for? Just to generate traffic or not? So that would mean in WLANS with much traffic the "aircrack -k"-way is the more efficient and silent one or not?

First of all you seem to have quite a few misconceptions about the whole WEP cracking process so lets try to clear those up to begin with. Airodump-ng is used only to capture packets, aireplay-ng to inject and aircrack-ng to actually crack the locally stored cap or ivs files.

You mention that you only had to use airodump-ng to listen to the AP and then aircrack-ng to crack the key. The reason this worked is that there were currently other client(s) connected to the AP generating the actual traffic for you to capture. As aireplay-ng is only used to generate traffic and speed up the capturing process of the needed ivs this part can be left out, but the process will then be much more time consuming as you have to rely on other clients to generate the needed packets.

The packetforge is used to create an valid ARP-packet to be used with aireplay-ng. This packet can then be broadcasted over and over to the AP, which will respond with the ivs that you will need to actually crack the WEP key. There are also several other methods available with aireplay-ng, of which the ARP-replay is probably the most used and in most instances also fastest one, that do not at all require the use of packetforge-ng.

You also ask whether the KoreK attack is more silent or efficient than the never PTW method. As both of these methods only come into play at the very last stage of the process, the actual calculation of the WEP key, nothing will be broadcasted using either of them and they are therefore both completely “silent”. Apart from this the KoreK method is actually slower than the new PTW method and will usually require both more time and individual captured packets to find the WEP key. On the other hand the PTW method does have some limitations and the KoreK method is therefore at times is the only option, which is why it still is included with aircrack-ng.

As for the caption of the thread, Why do I need packetforge-ng for KoreK?, the short answer is that you do not.

[Der_Kanzler]

Thanks for clearing this up
So my guess that the strategy of the packetforge method was to generate more traffic wasn't wrong...

Indeed, I had (quite a lot of) traffic on my own network, so that's probably why the method without packetforge worked so swiftly...

Now I only have one more question: what is the difference between the commands "aircrack-ng -P 2 -b BSSID airodump-wep.cap" and "aircrack-ng -k [1-17] -b BSSID airodump-wep.cap" ... with the same capture file they both lead to the same result. With the "-k" command I can purposefully select one of the 17 KoreK methods (some of them might be faster in some cases) ... but is that all or is there more difference?

[imported_=Tron=]

Now I only have one more question: what is the difference between the commands "aircrack-ng -P 2 -b BSSID airodump-wep.cap" and "aircrack-ng -k [1-17] -b BSSID airodump-wep.cap" ... with the same capture file they both lead to the same result. With the "-k" command I can purposefully select one of the 17 KoreK methods (some of them might be faster in some cases) ... but is that all or is there more difference?

-K stands for the KoreK method and the -p option is used to specify the number of CPUs to use. As you do not specifically choose the KoreK method the PTW method will be used by default in newer versions of aircrack-ng, as it uses an improved method and therefore is faster and requires less ivs to crack the WEP key.

[Der_Kanzler]

Okay, I see. So when I specify nothing, Aircrack will simply try the PTW attack on the capture file...

I now have another question though. I actually don't get the "-k" parameter. Why can the "-k" specify one out of 17 KoreK attacks? I mean, all that I heard and read was that KoreK invented the ChopChop method to guess the plaintext of a packet thus getting the keystream which can be used to inject own packets. But the ChopChop itself does not give you the WEP key, it just gives you that keystream and is actually never done via Aircrack-ng, but via "Aireplay-ng -4". So actually KoreK's attack must practically be over after forging and injecting one's own ARP. So why are there now extra "-k" options for Aircrack that are used to crack the WEP key? Did KoreK develop more than just ChopChop?

[imported_=Tron=]

Okay, I see. So when I specify nothing, Aircrack will simply try the PTW attack on the capture file...

Correct, as it uses an improved algorithm to calculate the WEP key.

I now have another question though. I actually don't get the "-k" parameter. Why can the "-k" specify one out of 17 KoreK attacks?

The reason that there are multiple KoreK attacks listed is that sometimes one attack will create a huge false positive that prevents the key from ever being found, even with a lot of IVs. In this case one can try the different options, -k 1, -k2, ... , -k 17, to manually disable the different attacks one by one.

I mean, all that I heard and read was that KoreK invented the ChopChop method to guess the plaintext of a packet thus getting the keystream which can be used to inject own packets. But the ChopChop itself does not give you the WEP key, it just gives you that keystream and is actually never done via Aircrack-ng, but via "Aireplay-ng -4".

Yes the ChopChop attack is used in this fashion and is actually called the KoreK ChopChop method. The method, as you say, does not actually recover the WEP key itself but can reveal the packet in plaintext by exploiting an ICV vulnerability. This method does nevertheless not work on all APs.

So actually KoreK's attack must practically be over after forging and injecting one's own ARP. So why are there now extra "-k" options for Aircrack that are used to crack the WEP key? Did KoreK develop more than just ChopChop?

The KoreK method used in aircrack-ng is not the same as the KoreK ChopChop used in aireplay-ng, although naturally developed by the same person.