
Thread: WEP 104

  1. #11

    Quote Originally Posted by compaq:
    Sweet, I thought that you had to authenticate to an AP that was anything but OPEN.

    Just to clarify my earlier point (poor syntax could have caused some confusion), you also need to authenticate with WEP using a Shared Key system.

  2. #12

    okie guys!

    After 3 hrs of patience (I only had that time available that day), loads of traffic going, with over 1 million IVs... the WEP is still uncrackable!

    This is pretty insane, confusing and weird. I just don't get how even a business-grade AP can prevent pure passive collection of IVs from cracking WEP.

    I doubt the Cisco wlc4402 does any other cisco-implemented encryption over the WEP traffic. Neither is it on dynamic.

    I'm seriously stumped for now.

  3. #13

    Quote Originally Posted by frederickyip:
    okie guys!

    After 3 hrs of patience (I only had that time available that day), loads of traffic going, with over 1 million IVs... the WEP is still uncrackable!

    This is pretty insane, confusing and weird. I just don't get how even a business-grade AP can prevent pure passive collection of IVs from cracking WEP.

    I doubt the Cisco wlc4402 does any other Cisco-implemented encryption over the WEP traffic. Neither is it on dynamic.

    I'm seriously stumped for now.

    Is this a passive attack? Someone will correct me if I'm wrong, but I think only injecting will cause you to capture the ARP replies which the PTW attack relies on. If you are just sniffing, you might need around 1.5 million IVs to crack a 104/128-bit key.

    Capture some more tomorrow to the same file and then use aircrack with something like -n 128 -f 15 maybe?

  4. #14

    Quote Originally Posted by illy123:
    Is this a passive attack? Someone will correct me if I'm wrong, but I think only injecting will cause you to capture the ARP replies which the PTW attack relies on. If you are just sniffing, you might need around 1.5 million IVs to crack a 104/128-bit key.

    Capture some more tomorrow to the same file and then use aircrack with something like -n 128 -f 15 maybe?

    Thanks illy123 for your suggestion. But the problem here lies in that when I set up another 2 routers for testing (Linksys WRT54GC - home router type, and another one, forgot the brand), using the exact same method of passive attack (sniffing), all I needed was 50,000 - 60,000 IVs to crack a 104/128-bit key.

    So you see, same method of obtaining IVs on 2 routers, and the other is a business-grade WLAN controller... it should produce the same results.

    Nonetheless, I'll try your suggestion tomorrow. Thanks!

  5. #15

    I would also like to add that the wireless network is using 802.1x. Not sure if this protocol being implemented will affect any of the cracking for WEP.

  6. #16

    frederickyip: Talked to a couple of friends at Shmoocon about this. Here are a few things that might apply:

    PTW works its magic via ARP packets, so if you are not doing an arpreplay attack, you are going to need many, many packets to crack WEP 104. Also, if I remember correctly, there is no need to limit PTW to just IVs; capture the entire dump.

    To counter these and other similar attacks, some wireless devices will send out bogus packets in addition to the correct ARP packet. The "legit" client will discard the bogus ones and just respond to the correctly formed packet. Most crackers will, however, try to read these packets and because of that, not be able to correctly decode the key.

    I believe that Zero_Chaos mentioned that this type of counter has been taken into account with the newer versions of aircrack, so if you are using an older version, try updating to the latest version of aircrack-ng.

    There are some wireless authentication mechanisms (such as Symbol Keyguard, if I can read my scratchy notes correctly), that will report they are WEP 104 or WPA but are not, nor are they vulnerable to WEP cracking, and they also employ some kind of replay prevention. (Got this from Zero_Chaos's talk at the con)

    Hope this helps....

  7. #17

    Quote Originally Posted by cybrsnpr:
    frederickyip: Talked to a couple of friends at Shmoocon about this. Here are a few things that might apply:

    PTW works its magic via ARP packets, so if you are not doing an arpreplay attack, you are going to need many, many packets to crack WEP 104. Also, if I remember correctly, there is no need to limit PTW to just IVs; capture the entire dump.

    Indeed I am not doing (or rather I can't, since fragmentation & chopchop failed) the arpreplay attack. The last I mentioned was slightly over 1 million IVs via passive means. I shall try today to hit at least 1.5 - 2 million IVs. Will update you guys later if possible.

    I did not limit to just IVs. I ran the commands as below (without --ivs; hope my commands are right! haha):

        airodump-ng -c XXX --bssid XXX -w filename rausb0

        aircrack-ng -b XXX filename*.cap

    Quote Originally Posted by cybrsnpr:
    To counter these and other similar attacks, some wireless devices will send out bogus packets in addition to the correct ARP packet. The "legit" client will discard the bogus ones and just respond to the correctly formed packet. Most crackers will, however, try to read these packets and because of that, not be able to correctly decode the key.

    I believe that Zero_Chaos mentioned that this type of counter has been taken into account with the newer versions of aircrack, so if you are using an older version, try updating to the latest version of aircrack-ng.

    I'm currently using BackTrack 3, bootable USB. The aircrack version I see is Aircrack-ng 1.0 rc1. If I'm not mistaken, there should be a 1.0 rc2. Will try to install that.

    Perhaps there could be bogus packets in addition to the correct ARP packets. While aircrack-ng was attempting to crack the WEP key (on a normal home router/AP), the usual screen you will see will be something like this:

    Edit: shucks, I can't post a URL yet.
    Shall type it out here...


    3E(19934) 5F(12384) 72(23120) EA(18291) 20(19200) 8C(19200)
    F1(20480) F3(20224) A8(19958) .........

    However, when I tried on the client's Cisco AP, some of the "bracket" numbers are "0", e.g.

    3E(19934) 5F(0) 72(23120) EA(0) 20(0) 8C(19200)
    F1(20480) F3(0) A8(19958) .........

    Usually about 10-20 of them will be "0". Not sure about the significance. Anyone seen this before?


    Quote Originally Posted by cybrsnpr:
    There are some wireless authentication mechanisms (such as Symbol Keyguard, if I can read my scratchy notes correctly), that will report they are WEP 104 or WPA but are not, nor are they vulnerable to WEP cracking, and they also employ some kind of replay prevention. (Got this from Zero_Chaos's talk at the con)

    I don't think my client imposes any wireless authentication mechanism. We have already interviewed them on the wireless network structures and configuration. Even from their Cisco wireless LAN management console, there isn't any, except for the usage of RADIUS. Even LEAP was disabled. Will do another round of checks with them later.

    Quote Originally Posted by cybrsnpr:
    Hope this helps....

    Thanks cybrsnpr for your kind efforts! Appreciate it lots.

  8. #18

    This is absurd... after so many days of testing and confirmation after confirmation... the network admin told me he made a mistake. The wireless network is actually using dynamic WEP!! Pardon my limited cracking skills, but so far in whatever I've done with airodump-ng, aireplay-ng and aircrack-ng, there's nowhere I can actually spot that the network is on dynamic.

    My apologies to all of you who have been trying hard to help out.

    Here are the details if it still interests you guys:

    Configuration
    1) WEP104, OPEN, DYNAMIC (when I run airodump on the AP, under ENC it's WEP all the time, but under CIPHER sometimes it's WEP, sometimes it's WEP40)
    2) Protected EAP (802.1x authentication)
    3) Authentication Method: EAP-MSCHAP v2
    4) RADIUS Server

    Heading back to the drawing board to see what approach I should attempt this time round to crack the key...

  9. #19

    If they are using dynamic WEP, I would try this: sniff packets between just a single client and the AP (a client that is generating a lot of traffic). Or use wireshark to filter out all the packets you have previously captured to just those between 1 client and the AP. In theory, that connection would not be dynamic, so it should provide a static WEP key (hopefully you picked a client connecting with 40 bit WEP).

    Good Luck...

  10. #20

    Quote Originally Posted by cybrsnpr:
    If they are using dynamic WEP, I would try this: sniff packets between just a single client and the AP (a client that is generating a lot of traffic). Or use wireshark to filter out all the packets you have previously captured to just those between 1 client and the AP. In theory, that connection would not be dynamic, so it should provide a static WEP key (hopefully you picked a client connecting with 40 bit WEP).

    Good Luck...

    Actually I have been doing that all this while. I was granted a laptop by the client which has been logged in to the wireless network. After which, I only airodump-ng on the target AP channel... then aircrack-ng on the AP MAC address. At the same time, I opened multiple YouTube videos to generate the traffic... and...

    AH! I realised a mistake as I'm typing this. The steps above don't capture from only 1 client. They capture any client connected to the target AP. That's why under the airodump-ng console, besides the laptop given to me (for YouTube spamming), there are a couple of other clients, and aircrack-ng will just take everyone.

    I'll find out the steps to take to sniff from just one client. Thanks cybrsnpr! There could be still some hope!

    THANKS!
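The single-client separation cybrsnpr suggests in #19, which frederickyip realises in #20 his capture was not doing, comes down to bucketing frames by station address. The following is an added example, not code from the thread or from aircrack-ng: it parses minimal 802.11 data headers, picks the client MAC from the ToDS/FromDS bits, and counts IVs per client, so that under dynamic WEP (where each station holds its own key) IV totals and IV reuse are assessed per station rather than pooled across the whole BSSID. All addresses and frames are constructed inline; `build_frame`, `wep_fields` and `per_client_iv_stats` are names chosen here.

```python
from collections import defaultdict

# Constructed addresses for the sample capture (hypothetical, not from the thread).
AP = bytes.fromhex("001111aabbcc")
STA_A = bytes.fromhex("00aaaaaa0001")
STA_B = bytes.fromhex("00bbbbbb0002")


def build_frame(to_ds, sta, iv, key_idx=0, protected=True):
    """Minimal 24-byte 802.11 data header, followed (if protected) by the 4-byte WEP header: IV + key index."""
    fc0 = 0x08                                                    # type = data, subtype = 0
    fc1 = (0x40 if protected else 0) | (0x01 if to_ds else 0x02)  # Protected bit plus ToDS or FromDS
    if to_ds:
        addr1, addr2, addr3 = AP, sta, AP                         # client -> AP: transmitter (addr2) is the client
    else:
        addr1, addr2, addr3 = sta, AP, AP                         # AP -> client: receiver (addr1) is the client
    hdr = bytes([fc0, fc1]) + b"\x00\x00" + addr1 + addr2 + addr3 + b"\x00\x00"
    return hdr + (iv + bytes([key_idx << 6]) if protected else b"")


def wep_fields(frame):
    """Return (client MAC hex, IV hex, key index) for a WEP-protected data frame, else None."""
    if len(frame) < 28 or (frame[0] & 0x0C) != 0x08 or not (frame[1] & 0x40):
        return None                                               # too short, not data, or Protected bit clear
    client = frame[10:16] if frame[1] & 0x01 else frame[4:10]    # ToDS: addr2 is the STA; FromDS: addr1 is
    return client.hex(), frame[24:27].hex(), frame[27] >> 6       # key index lives in the top 2 bits of byte 27


def per_client_iv_stats(frames):
    """Bucket IVs by client so each station (its own key under dynamic WEP) is assessed separately."""
    ivs = defaultdict(list)
    for frame in frames:
        parsed = wep_fields(frame)
        if parsed:
            client, iv, _key_idx = parsed
            ivs[client].append(iv)
    return {c: {"frames": len(v), "unique_ivs": len(set(v)), "reused_ivs": len(v) - len(set(v))}
            for c, v in ivs.items()}


# Constructed sample capture: two clients, one IV reuse, one unprotected frame.
SAMPLE = [
    build_frame(True, STA_A, bytes.fromhex("000001")),
    build_frame(False, STA_A, bytes.fromhex("000002")),
    build_frame(True, STA_A, bytes.fromhex("000001")),                   # client A reuses an IV
    build_frame(True, STA_B, bytes.fromhex("000001")),                   # same IV value, different client and key
    build_frame(False, STA_B, bytes.fromhex("000003")),
    build_frame(True, STA_B, bytes.fromhex("000000"), protected=False),  # no WEP header, ignored
]

if __name__ == "__main__":
    for client, stats in per_client_iv_stats(SAMPLE).items():
        print(client, stats)
```

Pooling the sample gives three distinct IV values, but client A has only two and one repeat, which is the per-station view that matters once every client carries a different 802.1X-derived key.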
