better ways to audit WEP?

[locovagra]

Ok I am wondering are there better ways to audit WEP than Aireplay, aircrack, and airodump? I mean these do the trick but on first attempt I noticed that traffic almost HAD to happening or it wasn't collecting enough #DATA.

Is it possible to audit a WEP network without traffic? and if so what would I use? Also for kicks and giggles I added MAC filtering to my network and noticed by current means I wasn't getting in, even though it was just WEP encyption. Is that always the case? Or are there ways around that?

**thinking aloud** I guess if I did a scan in airmon and pulled a mac from say my print server (already in my router) I might be able to get in, if I cloned it's mac. ...hmm or is my thinking WAY off? and by cloning a mac like this and just injecting will this still allow me to audit my network?

[lupin]

Did you do any research about auditing WEP without traffic being sent over the wireless network? If so what did that tell you? Perhaps reading about how the attacks against WEP work might enlighten you....

What about MAC filtering? Did you read up on how that works?

[locovagra]

just after I posted this I wanted to take it back. I pulled a dumb newbie move and asked a question here on the board before I tried looking for myself. I swear I pushed send and wished there was a way to take it back. I researched it and found at least 1 way around the traffic issue with an aireplay command. I appologize for asking for help before I tried to even help myself, but that part...for now I have at least some answer to. the command being

aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b (bssid) -h 00:11:22:33:44:55 wlan0

next I think I am going to try and figure out how to use other scripts like wiffy, wepbuster, etc... and see how they do compared to what I've been working with so far.

[gunrunr]

learning is good, but don't concentrate on WEP too much its going the way of the dinosaurs, extinction is on the horizon for WEP. Pretty much any real network penetration that your going to be paid to do, will have to be WPA/WPA2, or you will just have to gain access to a vulnerable computer another way such as SE. Soon the only people with WEP will be mom and pop, and that will get you either some time in the clink or just disowned by this community.

WEP is a lie

[opreat0r]

just use wepbuster or spoonwep

[brtw2003]

WIFITE - try this - great wrapper around necessary aircrack-ng commands!
watch & learn...

Code:

mkdir /pentest/wireless/wifite && cd /pentest/wireless/wifite && wget -q http://wifite.googlecode.com/svn/trunk/wifite.py

WEP Attack:

Code:

python wifite.py -keepmac -console -nowpa -wepw 5 -pps 600 -i wlan0

WPA/WPA2 Attack:

Code:

python wifite.py -keepmac -console -nowep -wpaw 3 -d /pentest/password/wordlists/{your-l33t-dict}

Also update the python script on a regular base:

Code:

python wifite.py -upgrade

/brtw2003

[skor78]

To crack WEP with/without clients, i simply use Gerix wifi cracker, that's already included in BT4 R1, it's quite easy and user friendly.. I also use gerix to get the WPA/WPA2 handshakes, and aircrack them, but to use cowpatty or pyrit, i prefer to do it by hand on Konsole..

To crack WEP SKA (Shared key auth.) i use grimwepa. Don't know why, but in gerix i can't get IV's auditing WEP SKA. But in Grimwepa i just attack using the arp-replay attack, and with the client selected, and in 2 min. i have 30,000 IV's and the key cracked..

Wifite is cool, but fully automated, meaning, it will attack all available networks, even if the WPA router has no client attached..
I need to experiment a bit more before i can say more, but for now, i'm only using Gerix except on WEP SKA..

Hope it helps, cheers.