Thread: Newbie WEP Wordlist attack questions

  1. #1
    Junior Member default's Avatar
    Join Date
    Nov 2007
    Posts
    87

    Default Newbie WEP Wordlist attack questions

    As I have been having problems getting my Senao NL-2511CD EXT2 (E100) to inject, I have given up trying. Please don't try and convince me to try again. I'm running 1.7.4 with hostap_cs, can get it running on wlan0 and in monitor mode, but it won't inject no matter what I've tried. Screw it, and screw Prism2. I'll try an Atheros chipset next.

    So because of this, I have been running wordlists on what little IVs I can grab, and I have a few questions:


    Q1. When trying to crack WEP using a wordlist, should I restrict my words to 5 ASCII characters for 64-bit and 13 ASCII characters for 128-bit? I have been using one rather large 22 million word file that contains an assortment of alphanumeric words of various lengths from 1 to 20 characters long.

    Q2. Does the number of IVs matter when doing a wordlist attack? The only requirement aircrack-ng asks for is 4 IVs. I assume each IV has the same algorithm and password, so it wouldn't improve my chances to have more IVs; also, 4 IVs would be a lot faster than 10k IVs.

    Q3. Is there a command line option to convince aircrack-ng to run a 64 scan and then a 128 scan? I tried "-n 64,128" and it just ran 128. I guess I will need to script something.


    That's it. Thank you in advance to anyone who has the time to answer my newbie questions, and thank you to the team who made BT2 possible.

    Disclaimer: No attempt to access any AP was made by me without the full permission of the AP's owner.

  2. #2
    Developer
    Join Date
    Mar 2007
    Posts
    6,124

    Default

    Well, your first problem is that WEP is a mathematical algorithm which does not require a word list to crack. So depending on the version of aircrack you are using, you will need 20,000+ IVs (which are unique to your AP).

    On the other hand, WPA DOES require a word list, and the 4 IVs you're talking about is a four-way handshake captured by airodump when a client connects.

    But since at the end you're talking about 64 and 128 bit encryption, you should probably watch one of my friend -=xploitz=-'s (name, right wings and all) excellent videos on the subject.

    Just try -n 64 for a 64 bit key. I believe 124 is the default.

    Furthermore, that disclaimer is worthless. You will be shocked to know that people often misrepresent themselves on the internet.

  3. #3
    Senior Member streaker69's Avatar
    Join Date
    Jan 2010
    Location
    Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
    Posts
    3,535

    Default

    Quote Originally Posted by purehate:
    Furthermore, that disclaimer is worthless. You will be shocked to know that people often misrepresent themselves on the internet.
    Next you'll be telling people that I'm not really Amish.
    A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

  4. #4
    Member
    Join Date
    Jun 2007
    Posts
    218

    Default

    If you want to crack WEP with a wordlist, this tutorial will show you how:

    http://aircrack-ng.org/doku.php?id=aircrack-ng

    Near the middle of the page, it will tell you how to crack WEP with a dictionary.

  5. #5
    Junior Member default's Avatar
    Join Date
    Nov 2007
    Posts
    87

    Default

    Quote Originally Posted by purehate:
    Well, your first problem is that WEP is a mathematical algorithm which does not require a word list to crack. So depending on the version of aircrack you are using, you will need 20,000+ IVs (which are unique to your AP).

    I have been successful at cracking 64-bit WEP with just 4 IVs using a wordlist. I'm thinking once you start a wordlist attack, aircrack just checks an encrypted key against a word and sees if it comes out unencrypted; it doesn't need any more IVs than 4 because they would all be encrypted the same. I guess 4 are used either because it checks the result against all 4 keys to see if the results are the same and/or there are 4 threads running.
    It's kind of difficult to generate 250,000+ IVs for a basic crack, or even 40,000+ IVs for a PTW attack, when you can't get this card to inject; that's why I'm stuck wordlisting until my Atheros chipset gets here.

    Quote Originally Posted by purehate:
    On the other hand, WPA DOES require a word list, and the 4 IVs you're talking about is a four-way handshake captured by airodump when a client connects.

    I know WPA needs a wordlist and a 4-way handshake; I'm not confused between WEP's 4 IV requirement when wordlist attacking and WPA's 4-way handshake. I prefer not to talk about WPA, as getting a handshake with this card is beyond my and/or its capabilities. I think I aged a year in the last few days trying to get a handshake.

    Quote Originally Posted by purehate:
    But since at the end you're talking about 64 and 128 bit encryption, you should probably watch one of my friend -=xploitz=-'s (name, right wings and all) excellent videos on the subject.

    Just try -n 64 for a 64 bit key. I believe 124 is the default.

    I was asking if there was a command line option to first run a 64 and then a 128 on the same set of IVs with the same wordlist, but thanks anyway. Never mind, I'll work something out; I was just curious if someone knew, that's all.

    Quote Originally Posted by purehate:
    Furthermore, that disclaimer is worthless. You will be shocked to know that people often misrepresent themselves on the internet.

    The disclaimer was put there so I didn't have to explain that everything I was doing was legal. I never knew I'd have to explain the damn disclaimer. Anyway, thanks for your help.

  6. #6
    Junior Member default's Avatar
    Join Date
    Nov 2007
    Posts
    87

    Default

    Quote Originally Posted by level:
    If you want to crack WEP with a wordlist, this tutorial will show you how:

    -> I'm too new to post url's lol <-

    Near the middle of the page, it will tell you how to crack WEP with a dictionary.

    Yep, that's probably the first thing I ever read on cracking WEP, that and the WinXP aircrack tutorial. I've read a bunch of tutorials and watched -=xploitz=-'s excellent videos in slow motion because he types too fast. I even made a couple of how-tos for myself that I could follow step by step each time I ran the live CD. I then got a bit braver and installed BackTrack 2 onto my lappy, trying different drivers and firmware, screwing with hostap_cs and blacklisting the orinoco and hermes drivers to get my card into monitor mode. I searched and read a bit more about Linux and downloaded a list of different commands that helped me feel my way around. It's still annoying trying to do simple things when Linux has a totally different name for everything, but I'm getting there. I still haven't been able to do any injecting or de-authorizing with this card; I'm convinced people who claim the NL-2511CD EXT2 card is great are delusional.

  7. #7
    Senior Member
    Join Date
    Apr 2007
    Posts
    3,385

    Default

    Quote Originally Posted by purehate:
    But since at the end you're talking about 64 and 128 bit encryption, you should probably watch one of my friend -=xploitz=-'s (name, right wings and all) excellent videos on the subject.

    You forgot the capital X!!!!

    --=Xploitz=-- ®
    Remote-Exploit.org's Master Tutorialist.™
    VIDEO: Volume #1 "E-Z No Client WEP Cracking Tutorial": http://forums.remote-exploit.org/showthread.php?t=9063
    VIDEO: Volume #2 "E-Z No Client Korek Chopchop Attack Tutorial": http://forums.remote-exploit.org/showthread.php?t=7872
    VIDEO: Volume #3 "E-Z WPA/WPA2 Cracking Tutorial": http://forums.remote-exploit.org/showthread.php?t=8230
    VIDEO: Volume #4 "E-Z Cracking WPA/WPA2 With Airolib-ng Databases": http://forums.remote-exploit.org/showthread.php?t=8041

  8. #8
    Senior Member
    Join Date
    Apr 2007
    Posts
    3,385

    Default

    You know what... this whole time I never knew you could crack WEP with a freaking hex or ASCII dictionary!!

    From the aircrack-ng site:

    http://aircrack-ng.org/doku.php?id=aircrack-ng

    Next, we look at cracking WEP with a dictionary. In order to do this, we need dictionary files with ASCII or hexadecimal keys to try. Remember, a single file can only have ASCII or hexadecimal keys in it, not both.
    WEP keys can be entered in hexadecimal or ASCII. The following table describes how many characters of each type are required in your files.

    WEP key length in bits | Hexadecimal characters | ASCII characters
    64                     | 10                     | 5
    128                    | 26                     | 13
    152                    | 32                     | 16
    256                    | 58                     | 29

    Example 64 bit ASCII key: "ABCDE"
    Example 64 bit hexadecimal key: "12:34:56:78:90" (Note the ":" between each two characters.)
    Example 128 bit ASCII key: "ABCDEABCDEABC"
    Example 128 bit hexadecimal key: "12:34:56:78:90:12:34:56:78:90:12:34:56"

    To WEP dictionary crack a 64 bit key:
    aircrack-ng -w h:hex.txt,ascii.txt -a 1 -n 64 -e teddy wep10-01.cap
    Where:
    • -w h:hex.txt,ascii.txt is the list of files to use. For files containing hexadecimal values, you must put an "h:" in front of the file name.
    • -a 1 says that it is WEP.
    • -n 64 says it is 64 bits. Change this to the key length that matches your dictionary files.
    • -e teddy is to optionally select the access point. You could also use the "-b" option to select based on MAC address.
    • wep10-01.cap is the name of the file containing the data. It can be the full packet or an IVs-only file. It must contain a minimum of four IVs.
    Here is a sample of the output:
    Aircrack-ng 0.7 r247


    [00:00:00] Tested 2 keys (got 13 IVs)

    KB depth byte(vote)
    0 0/ 0 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0)
    1 0/ 0 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0)
    2 0/ 0 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0)
    3 0/ 0 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0)
    4 0/ 0 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0) 00( 0)

    KEY FOUND! [ 12:34:56:78:90 ]
    Probability: 100%
    Looks like I just got myself a theme for a new video tutorial!!!

    Thanks for pointing this out guys!!

    See..you CAN teach an old dog new tricks!!!

  9. #9
    Junior Member default's Avatar
    Join Date
    Nov 2007
    Posts
    87

    Default

    Quote Originally Posted by -=Xploitz=-:
    You know what... this whole time I never knew you could crack WEP with a freaking hex or ASCII dictionary!!

    Looks like I just got myself a theme for a new video tutorial!!!

    Thanks for pointing this out guys!!

    See..........

    I kind of assumed you guys already knew everything, but I'm glad this thread helped you learn something else.



    So, aircrack defaults to ASCII; if you don't put in an h:, it'll think the file is a bunch of alphanumeric ASCII characters.
    Well, the first thing I'm going to do is find a program that can read my ASCII wordlists and strip out only the 5- and 13-character ASCII words for 64 and 128 bit attacks.

    asciiset dot com

    I have no idea if ASCII characters from DEC 00-32 are included, or the extended ASCII character set from DEC 128-255, or either. The characters between DEC 0-32 are stuff like null, cancel and escape, and wouldn't be something someone would type on a keypad, except for space, which may or may not be used but wouldn't hurt to throw in.
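    The length rule from the aircrack-ng table quoted in post #8 and the filtering step described just above, as an added example (not code from the thread or from aircrack-ng): a small Python helper that sorts a wordlist into separate hex and ASCII buckets per WEP key size, so that each output file holds only one kind of key as the aircrack-ng page requires. The restriction of ASCII keys to printable characters (including space) and the file names are assumptions of this example; the sample wordlist is constructed.

```python
"""Sort wordlist entries into per-size WEP dictionary buckets (hypothetical
helper, not part of aircrack-ng), using the key-size table quoted above."""
import string

# Key length in bits -> (hex digits, ASCII characters) required per entry.
WEP_KEY_SIZES = {64: (10, 5), 128: (26, 13), 152: (32, 16), 256: (58, 29)}
HEX_LENGTHS = {h: bits for bits, (h, _) in WEP_KEY_SIZES.items()}
ASCII_LENGTHS = {a: bits for bits, (_, a) in WEP_KEY_SIZES.items()}
# Assumption: ASCII keys are limited to printable characters plus space.
PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " ")


def classify(word):
    """Return ('hex', bits), ('ascii', bits) or None for one candidate.
    Hex entries may carry ':' separators as in the aircrack-ng examples.
    Hex and ASCII lengths never overlap, so the result is unambiguous."""
    bare = word.replace(":", "")
    if bare and all(c in string.hexdigits for c in bare) and len(bare) in HEX_LENGTHS:
        return ("hex", HEX_LENGTHS[len(bare)])
    if len(word) in ASCII_LENGTHS and all(c in PRINTABLE for c in word):
        return ("ascii", ASCII_LENGTHS[len(word)])
    return None


def split_wordlist(lines):
    """Group candidates by (kind, bits). aircrack-ng needs hex and ASCII in
    separate files (hex file given as h:file), so kinds are never mixed."""
    buckets = {}
    for raw in lines:
        tag = classify(raw.rstrip("\r\n"))
        if tag is not None:
            buckets.setdefault(tag, []).append(raw.rstrip("\r\n"))
    return buckets


def output_names(buckets):
    """Assumed file name per bucket, e.g. wep64_hex.txt (pass as h:wep64_hex.txt)."""
    return {tag: "wep%d_%s.txt" % (tag[1], tag[0]) for tag in buckets}


# Constructed sample wordlist: mixed lengths, hex and ASCII, one unprintable.
SAMPLE_WORDLIST = [
    "ABCDE", "12:34:56:78:90", "ABCDEABCDEABC", "password", "1234567890",
    "12:34:56:78:90:12:34:56:78:90:12:34:56", "hello world!!", "a\x01bcd",
]


def summary(lines=SAMPLE_WORDLIST):
    """Number of usable candidates per (kind, bits) bucket."""
    return {tag: len(words) for tag, words in split_wordlist(lines).items()}


if __name__ == "__main__":
    for tag, words in sorted(split_wordlist(SAMPLE_WORDLIST).items()):
        print(output_names({tag: words})[tag], words)
```

    Entries that fit no WEP size (like "password" at 8 characters) are dropped, which is the cheap way to avoid testing keys aircrack-ng could never accept.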

  10. #10
    Developer
    Join Date
    Mar 2007
    Posts
    6,124

    Default

    I stand corrected as well.
