Firstly, a great thanks to all! I've just picked up wireless penetration testing a couple of weeks back and it's here where I've found a mountain of knowledge. So thanks!
I've managed to perform wireless penetration testing on numerous APs with successful attempts. The APs are configured as such:
1) WEP 64bit or 128bit
2) Hidden SSID
3) Non-MAC filtering
1) Backtrack 3
2) Linksys WUSB54GC
However, currently on job, I've faced a situation. The following is the config:
1) WEP 104 OPEN
2) Hidden SSID
3) Non-MAC Filtering
By right, this config should be easy to penetrate and crack the WEP key. But I couldn't. Here are some of the findings I've found along the way:
1) Testing of packet injection with the command:
# aireplay-ng --test -e XXX -a XXX rausb0
Results of the same AP will range from 0% to 80% (max), depending on where I'm standing.
2) Performing association with AP
# aireplay-ng -1 0 -e XXX -a XXX -h XXX rausb0
Results: will usually take a few tries to be successfully authenticated and associated. But sometimes, I can't even get it to authenticate and associate successfully. Nvm, let's take the cases where I am successful.
3) aireplay-ng fragmentation and chopchop attack
Result: both of these do not work for this AP, despite successful association! I will get either deauthenticated packets while using the fragmentation attack, or for chopchop, it will display the typical error messages for chopchop failure (trying to inject with unsupported chipset, driver source not patched, too far etc.)
What I do not understand is if authentication and association have been successful, what could cause fragmentation/chopchop to fail? And how else can I attempt to crack the key?
I tried to use the wireless clients method: straight away start the Linksys on the target AP channel, airodump-ng, and aircrack-ng, collecting the IVs from wireless clients who are using the AP... and amazingly, even after 120,000 IVs, the WEP 104 can't be cracked. Using my own setup of WEP128, OPEN, non-MAC filtering, and this wireless client method, I did it within 50,000 IVs.
Is there any possibility that there is some other security implementation in place? The AP controller is a CISCO WLC4402, and a RADIUS server is implemented. But the RADIUS server shouldn't be a part of this, as for a client to authenticate with an AP, there should not be any RADIUS server involvement. It's just getting 'connected' to an AP using WEP104 open.
Any ideas on how I can approach this, now that the frag/chop attacks have both failed?
I am hoping that the AP can be cracked so it can be proven that the overall wireless network requires more stringent security controls to be implemented.
Some of the objectives I'm trying to achieve here are:
1) Able to obtain decrypted data (between wireless clients and the APs)
2) As users are required to log in to Active Directory (this portion will be authenticated with the RADIUS server), able to obtain their credentials. The users are using the wireless network as well.
My thoughts have been that once the WEP key has been obtained, we are able to decrypt packets etc. (using tools like Wireshark for instance). Do the objectives above require WEP to be cracked? Are there any methods (tools) I can use to prove that there are at least some vulnerabilities in the wireless network?
I've read that for Point 2, I can set up a RADIUS server (FreeRADIUS-WPE), but I do not think this method will work as the wireless clients have to connect to the AP first. With 4 APs set up on a level (storey), I don't think my 'rogue' AP will emit a stronger signal level than the 4 APs. Plus the network controller is able to detect and block out rogue APs.
Hope you, as well as anyone can guide me in the right direction for this.
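Since the stated goal is to show that the network needs stronger controls, here is an added example (not code from this thread, nor from the aircrack-ng project) that turns an airodump-ng CSV survey into a short remediation report: it flags every BSS still on WEP, notes that a hidden SSID is not a security control, and counts the stations seen on each BSS so the exposure can be sized. The CSV sample is constructed (the BSSIDs, ESSIDs, IV counts and station counts are made up), and the column layout is assumed to match airodump-ng's standard `-w` CSV output: an access-point table, a blank line, then a station table.

```python
"""Summarise an airodump-ng CSV survey into a WEP remediation report.

Added example, not code from the forum thread or from aircrack-ng.
Assumes airodump-ng's standard CSV layout: AP table, blank line, station table.
"""
import csv
import io
from collections import Counter

# Constructed sample in airodump-ng's CSV layout; every value is made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2009-01-01 10:00:00, 2009-01-01 10:30:00, 6, 54, WEP, WEP, OPN, -60, 1200, 120000, 0. 0. 0. 0, 0, ,
00:11:22:33:44:66, 2009-01-01 10:00:00, 2009-01-01 10:30:00, 11, 54, WPA2, CCMP, MGT, -70, 900, 0, 0. 0. 0. 0, 7, CorpNet,
00:11:22:33:44:77, 2009-01-01 10:00:00, 2009-01-01 10:30:00, 1, 54, OPN, , , -80, 300, 0, 0. 0. 0. 0, 5, Guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
aa:bb:cc:dd:ee:01, 2009-01-01 10:05:00, 2009-01-01 10:29:00, -55, 4000, 00:11:22:33:44:55,
aa:bb:cc:dd:ee:02, 2009-01-01 10:05:00, 2009-01-01 10:29:00, -65, 100, 00:11:22:33:44:66, CorpNet
"""


def _read_table(section):
    """Parse one comma-separated table (header row plus data rows) into dicts."""
    reader = csv.DictReader(io.StringIO(section.strip()), skipinitialspace=True)
    rows = []
    for row in reader:
        # Ignore any overflow fields (key None) and normalise whitespace.
        rows.append({k.strip(): (v or "").strip()
                     for k, v in row.items() if k is not None})
    return rows


def parse_airodump_csv(text):
    """Split airodump-ng CSV output into its AP table and station table."""
    ap_part, _, station_part = text.strip().partition("\n\n")
    return _read_table(ap_part), _read_table(station_part)


def classify_encryption(privacy):
    """Map airodump-ng's Privacy column onto a coarse class."""
    privacy = privacy.upper()
    if "WEP" in privacy:
        return "WEP"
    if "WPA" in privacy:
        return "WPA"
    if privacy == "OPN":
        return "OPEN"
    return "UNKNOWN"


def assess(text):
    """Return one finding per access point, including how many stations used it."""
    aps, stations = parse_airodump_csv(text)
    clients_per_bssid = Counter(s["BSSID"] for s in stations)
    findings = []
    for ap in aps:
        # airodump-ng leaves the ESSID empty (or NUL-padded) for hidden networks.
        essid = ap["ESSID"].replace("\x00", "")
        findings.append({
            "bssid": ap["BSSID"],
            "essid": essid,
            "hidden": essid == "",
            "channel": int(ap["channel"]),
            "encryption": classify_encryption(ap["Privacy"]),
            "auth": ap["Authentication"],
            "ivs": int(ap["# IV"]),
            "clients": clients_per_bssid[ap["BSSID"]],
        })
    return findings


def remediation_report(text):
    """Produce one human-readable line per AP, worst findings first."""
    lines = []
    for f in sorted(assess(text), key=lambda f: f["encryption"] != "WEP"):
        name = "<hidden SSID>" if f["hidden"] else f["essid"]
        where = f"{f['bssid']} ({name}, ch {f['channel']})"
        if f["encryption"] == "WEP":
            lines.append(f"{where}: WEP with {f['auth'] or 'unknown'} auth, "
                         f"{f['clients']} station(s) seen, {f['ivs']} IVs captured "
                         "-> retire WEP; a hidden SSID is not a security control")
        elif f["encryption"] == "OPEN":
            lines.append(f"{where}: no link-layer encryption, "
                         f"{f['clients']} station(s) seen -> confirm this is intended")
        else:
            lines.append(f"{where}: {f['encryption']} ({f['auth'] or 'unknown'} auth), "
                         f"{f['clients']} station(s) seen -> no WEP finding")
    return lines


if __name__ == "__main__":
    for line in remediation_report(SAMPLE_CSV):
        print(line)
```

Point it at a real capture with `remediation_report(open("survey-01.csv").read())`; the report reads the same whether or not any key was ever recovered, which is the point: a WEP BSS with active stations is a reportable finding on its own.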
I'm confused as to why passively collecting enough packets would not lead to a successful cracking of the WEP key? Assuming you are in range and there is enough encrypted traffic flowing over the air, using the PTW attack, you should be successful given enough packets. It could take more packets than you would normally need, mileage does vary, but they should eventually crack if it is indeed WEP.
Maybe theprez98 can clear this up. I understand the use of some kind of 802.1x could be a limiting factor for user authentication, but if the AP is indeed using WEP as its device authentication mechanism, then that should be crackable. Is there some proprietary mod of WEP that I'm not aware of?
Any more suggestions will be greatly appreciated! Thanks again!
I have read before that the PTW attack requires the arpreplay attack against a client to generate the IVs, though I really don't understand the gritty details of why this is so. Maybe it has something to do with the way PTW does its computation against the IVs. Anyway, if this is the case, then the cracking would be using the older Korek or similar method, and for a 104/128 WEP key, you may need upwards of a million packets.
So, I guess patience will be a virtue in this instance.
Do you need to authenticate with an open AP?
Ah, I was about to reply to compaq's query on WEP open. You beat me to it ha!
Sweet, I thought that you had to authenticate to an AP that was anything but OPEN.
Open as in no encryption, no. Open as in WEP Open Key vice Shared Key, yes.