
Thread: Wep 104

  1. #1
    Just burned his ISO
    Join Date
    Jan 2009
    Posts
    17

    Default Wep 104

    Hi guys,

    Firstly, a great thanks to all! I've just picked up wireless penetration testing a couple of weeks back and it's here where I've found a wealth of knowledge. So thanks!

    I've managed to perform wireless penetration testing on numerous APs with successful attempts. The APs are configured as such:
    1) WEP 64bit or 128bit
    2) Hidden SSID
    3) Non-MAC filtering

    Software:
    1) Backtrack 3
    2) Linksys WUSB54GC

    However, currently on job, I've faced a situation. The following is the config:
    1) WEP 104 OPEN
    2) Hidden SSID
    3) Non-Mac Filtering

    By right, this config should be easy to penetrate and crack the WEP key. But I couldn't. Here are some of the findings I've found along the way:

    1) Testing of packet injection with the command:
    # aireplay-ng --test -e XXX -a XXX rausb0

    Results of the same AP will range from 0% to 80% (max), depending on where I'm standing.

    2) Performing association with AP
    # aireplay-ng -1 0 -e XXX -a XXX -h XXX rausb0

    Results: will usually take a few tries to be successfully authenticated and associated. But sometimes, I can't even get it to authenticate and associate successfully. Nvm, let's take the cases where I am successful.

    3) aireplay-ng fragmentation and chopchop attack
    Result: both of these do not work for this AP, despite association being successful! I will get either a deauthentication packet while using the fragmentation attack, or for chopchop, it will display the typical error messages for chopchop failure (trying to inject with unsupported chipset, driver source not patched, too far etc.)

    What I do not understand is if authentication and association have been successful, what could cause fragmentation/chopchop to fail? And how else can I attempt to crack the key?

    I tried to use the wireless clients method: straight away start the Linksys on the target AP channel, airodump-ng, and aircrack-ng... collecting the IVs from wireless clients who are using the AP... and amazingly, even after 120,000 IVs, the WEP 104 can't be cracked. Using my own setup of WEP128, OPEN, non-MAC filtering, and this wireless client method, I did it within 50,000 IVs.

    Is there any possibility that there are some other security implementations in place? The AP controller is a Cisco WLC4402. And a RADIUS server is implemented. But the RADIUS server shouldn't be a part of this, as for a client to authenticate with an AP, there should not be any RADIUS server involvement. It's just getting 'connected' to an AP using WEP104 open.

    Any ideas on how I can approach this, now that the frag/chop attacks have both failed?

    Thanks guys!

  2. #2
    Moderator theprez98's Avatar
    Join Date
    Jan 2010
    Location
    Maryland
    Posts
    2,533

    Default

    Quote Originally Posted by frederickyip View Post
    Is there any possibility that there are some other security implementations in place? The AP controller is a Cisco WLC4402. And a RADIUS server is implemented. But the RADIUS server shouldn't be a part of this, as for a client to authenticate with an AP, there should not be any RADIUS server involvement. It's just getting 'connected' to an AP using WEP104 open.
    Some access points (particularly business-grade) may simply not be vulnerable to the typical wireless attacks.

    Also, FYI, WEP104 is the same as 128. 28 bits of the key are reserved for the IV; it's the same way with 40/64.

  3. #3
    Just burned his ISO
    Join Date
    Jan 2009
    Posts
    17

    Default

    Quote Originally Posted by theprez98 View Post
    Some access points (particularly business-grade) may simply not be vulnerable to the typical wireless attacks.
    Thanks theprez98! I am particularly worried about the APs not being vulnerable, and you have made my confirmation 'worse'. Perhaps I should drop Cisco a question about this.

    I am hoping that the AP can be cracked so it can be proven that the overall wireless network requires more stringent security controls to be implemented.

    Some of the objectives I'm trying to achieve here are:
    1) Able to obtain decrypted data (between wireless clients and the APs)
    2) As users are required to login to the Active Directory (this portion will be authenticated with the radius server), able to obtain their credentials. The users are using the wireless network as well.

    My thoughts have been that once the WEP key has been obtained, we are able to decrypt packets etc. (using tools like Wireshark, for instance). Do the objectives above require WEP to be cracked? Are there any methods (tools) I can use to prove at least that there are some vulnerabilities in the wireless network?

    I've read that for Point 2, I can set up a RADIUS server (FreeRADIUS-WPE), but I do not think this method will work, as the wireless clients have to connect to the AP first. With 4 APs set up on a level (storey), I don't think my 'rogue' AP will emit a stronger signal level than the 4 APs. Plus the network controller is able to detect and block out rogue APs.

    Hope you, as well as anyone can guide me in the right direction for this.

    Thanks!

  4. #4

    Default

    I'm confused as to why passively collecting enough packets would not lead to a successful cracking of the WEP key. Assuming you are in range and there is enough encrypted traffic flowing over the air, using the PTW attack, you should be successful given enough packets. It could take more packets than you would normally need, mileage does vary, but it should eventually crack if it is indeed WEP.

    Maybe theprez98 can clear this up. I understand the use of some kind of 802.1X could be a limiting factor for user authentication, but if the AP is indeed using WEP as its device authentication mechanism, then that should be crackable. Is there some proprietary mod of WEP that I'm not aware of?

  5. #5
    Just burned his ISO
    Join Date
    Jan 2009
    Posts
    17

    Default

    Quote Originally Posted by cybrsnpr View Post
    I'm confused as to why passively collecting enough packets would not lead to a successful cracking of the WEP key. Assuming you are in range and there is enough encrypted traffic flowing over the air, using the PTW attack, you should be successful given enough packets. It could take more packets than you would normally need, mileage does vary, but it should eventually crack if it is indeed WEP.
    Indeed I am as confused as you are, cybrsnpr. I too believe that if it's purely passive collection, the WEP should be crackable. The wireless clients already have the connection/authentication/association successfully made to the AP, thus being passive, it's just the packets (IVs) that matter. Based on what I've done so far, the max I've used was 72,000 IVs for WEP128. Thus I stopped at 120,000 IVs for passive. I shall try passive one more time and go as far as I can. It's running as we speak.

    Any more suggestions will be greatly appreciated! Thanks again!

  6. #6

    Default

    I have read before that the PTW attack requires the ARP replay attack against a client to generate the IVs, though I really don't understand the gritty details of why this is so. Maybe it has something to do with the way PTW does its computation against the IVs. Anyway, if this is the case, then the cracking would be using the older KoreK or similar method, and for a 104/128 WEP key, you may need upwards of a million packets.

    So, I guess patience will be a virtue in this instance.

    Good Luck...

  7. #7
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Default

    Do you need to authenticate with an open AP?

  8. #8

    Default

    Quote Originally Posted by compaq View Post
    Do you need to authenticate with an open AP?
    Open as in no encryption, no. Open as in WEP Open Key vice Shared Key, yes.

    I'm assuming from his first post that he is working with a system using WEP in an Open vice Shared Key scenario.

  9. #9
    Just burned his ISO
    Join Date
    Jan 2009
    Posts
    17

    Default

    Ah, I was about to reply to compaq's query on WEP open. You beat me to it, ha!

  10. #10
    Good friend of the forums
    Join Date
    Jun 2008
    Posts
    425

    Default

    Open as in no encryption, no. Open as in WEP Open Key vice Shared Key, yes.
    Sweet, I thought that you had to authenticate to an AP that was anything but OPEN.
