
Thread: Aircrack-ng Fudge Factor Question

  1. #1
    Just burned his ISO
    Join Date
    Jan 2008
    Posts
    13

    Sorry if this is the wrong area; it is the only place it will let me post.


    Anyways, through my research it says that aircrack works by comparing IVs of many files, thus getting an idea what the key might be. Brute force is then used to finish the job.

    Going by this understanding, it should be possible to crack WEP with only 1 IV and either a lot of time OR a lot of CPU power.


    I want to attempt to crack WEP with 1 IV.

    I assume that the smaller WEP key has the possible combinations of 16^10 or
    1,099,511,627,776 possibilities. Currently I have been running aircrack with a fudge factor of 199 for 27 minutes and have already tried 856,800,000 keys. It looks like it shouldn't take my computer that long, hopefully.

    I guess my question then lies in two areas:
    1) Will this approach work?
    2) If not, what program can you recommend to purely brute force a WEP key?

    Thanks Deathdefyer!

  2. #2

    Quote Originally Posted by deathdefyer2002 View Post
    Sorry if this is the wrong area; it is the only place it will let me post.


    Anyways, through my research it says that aircrack works by comparing IVs of many files, thus getting an idea what the key might be. Brute force is then used to finish the job.

    Going by this understanding, it should be possible to crack WEP with only 1 IV and either a lot of time OR a lot of CPU power.


    I want to attempt to crack WEP with 1 IV.

    I assume that the smaller WEP key has the possible combinations of 16^10 or
    1,099,511,627,776 possibilities. Currently I have been running aircrack with a fudge factor of 199 for 27 minutes and have already tried 856,800,000 keys. It looks like it shouldn't take my computer that long, hopefully.

    I guess my question then lies in two areas:
    1) Will this approach work?
    2) If not, what program can you recommend to purely brute force a WEP key?

    Thanks Deathdefyer!
    I think you're well off here in the wrong direction; where did you read this?

    If I'm not mistaken & I'm pretty sure I'm not, you need at LEAST 300K IVs to crack WEP, so you're 299,999 short.

    As for brute force cracking a WEP key, you shouldn't need to do this as long as you have enough IVs.

    Quote Originally Posted by deathdefyer2002 View Post
    I guess my question then lies in two areas:
    1) Will this approach work? HELL NO
    2) If not, what program can you recommend to purely brute force a WEP key? You should not need to brute force WEP

  3. #3

    OK, having more IVs will do what? The aircrack website does say that it does brute force the key a little bit. The more IVs, the smaller the range of numbers will be that need to be brute forced. The more IVs, the less brute forcing.

    I'm trying to learn how WEP Open Authentication works. None of my injection methods seem to work. I have tried aireplay-ng attacks 3 through 5 with no success. The injection works but the packets don't increase. The only way I can seem to make the packets increase is doing a temp authentication. Even then they only increase at the most 20 packets for every attempt.

  4. #4

    Quote Originally Posted by deathdefyer2002 View Post
    OK, having more IVs will do what? The aircrack website does say that it does brute force the key a little bit. The more IVs, the smaller the range of numbers will be that need to be brute forced. The more IVs, the less brute forcing.

    I'm trying to learn how WEP Open Authentication works. None of my injection methods seem to work. I have tried aireplay-ng attacks 3 through 5 with no success. The injection works but the packets don't increase. The only way I can seem to make the packets increase is doing a temp authentication. Even then they only increase at the most 20 packets for every attempt.
    Well, I wasn't going to answer this; sometimes a little search can give you the answers. I hope the below clears things up for you a bit.

    Q. What is Open Authentication?

    A. Open Authentication is basically a null authentication algorithm, which means that there is no verification of the user or machine. Open Authentication allows any device that places an authentication request to the access point (AP). Open Authentication uses clear-text transmission to allow a client to associate to an AP. If no encryption is enabled, any device that knows the SSID of the WLAN can gain access into the network. If Wired Equivalent Privacy (WEP) is enabled on the AP, the WEP key becomes a means of access control. A device that does not have the correct WEP key cannot transmit data through the AP even if authentication is successful. Neither can such a device decrypt data that the AP sends.
    Taken from the Cisco website.


    I'd like to see the commands you're using, so feel free to post them for all of us to see exactly what you're doing, & if I can't figure out what's going on, somebody else may & help you as well.

  5. #5

    I found a website that says that brute forcing WEP is possible.

    hxxp://cisco.iphelp.ru/doc/3/Cisco.Press,.Cisco.Wireless.LAN.Security.(2004).DD U/1587051540/ch06lev1sec6.html

    Newsham also noticed that the algorithm for 40-bit key generation allows only 2^21 possible WEP keys, no matter how long or complex the passphrase is. This limits you to only 2 million keys, which an attacker can search exhaustively (called a brute force attack) in a matter of minutes on modern hardware. Newsham also wrote a simple tool called wep_decrypt, which decrypts a file of packets after you have the WEP key. The tool works independent of the manner in which you obtained the WEP key.

    Here is how I am trying to create traffic on the AP

    1) Put my card into Monitor Mode
    I can do this in 2 different ways
    a) wlan ath0 destroy
    wlanconfig ath1 create wlandev wifi0 wlanmode monitor

    b) airmon-ng start wifi0

    2) Start up airodump-ng to collect IVS
    airodump-ng --ivs -c 11 --bssid xx:xx:xx:xx:xx:xx -w Capture wifi0

    3) Start up a Fake Authentication
    airreplay-ng -1 30 -e _____ -a xx:xx:xx:xx:xx:xx -h xx:xx:xx:xx:xx:xx wifi0

    4) This is where I have tried several different approaches

    (Arp Request Replay Attack)
    A) aireplay-ng -3 -b xx:xx:xx:xx:xx -h xx:xx:xx:xx:xx wifi0

    (Korek's Chop Chop)
    B) aireplay-ng -4 -h xx:xx:xx:xx:xx:xx -b xx:xx:xx:xx:xx:xx wifi0
    Then press Y to accept Packet

    Packetforge-ng -0 -a xx:xx:xx:xx:xx:xx -h xx:xx:xx:xx:xx:xx -k 255.255.255.255 -l 255.255.255.255 -y _____________.xor -w arp-request

    aireplay-ng -2 -r arp-request wifi0

    (Fragmentation Attack)
    C) Aireplay-ng -5 -b xx:xx:xx:xx:xx -h xx:xx:xx:xx:xx wifi0

    packetforge-ng -0 -a xx:xx:xx:xx:xx:xx -h xx:xx:xx:xx:xx:xx -l 255.255.255.255 -l 255.255.255.255 -y ________.xor -w arp-request

    aireplay-ng -2 -r arp-request wifio

    (Modified Packet Replay)
    D) aireplay-ng -2 -b xx:xx:xx:xx:xx:xx -t 1 -c ff:ff:ff:ff:ff:ff -p 0841

    (Manually replay Wep-encrypted Arp Request Packet)
    e) aireplay-ng -2 -b xx:xx:xx:xx:xx:xx -d ff:ff:ff:ff:ff:ff -m 68 -n 86 -p 0841 -h xx:xx:xx:xx:xx:xx wifi0

    5) Then the most common method is to take the IVS and use aircrack-ng

    aircrack-ng caoture-01.ivs

    Now using aircrack, I have tried many different approaches.

    I tried the fudge factor all the way from 1 to 19999, which is the highest it can go.


    Using each of the above approaches causes many packets to be injected into the AP, but it doesn't make the AP create any IVs or data packets.

    Any help would be greatly appreciated!

  6. #6

    Quote Originally Posted by deathdefyer2002 View Post
    I found a website that says that brute forcing WEP is possible.

    hxxp://cisco.iphelp.ru/doc/3/Cisco.Press,.Cisco.Wireless.LAN.Security.(2004).DD U/1587051540/ch06lev1sec6.html
    Mmmmm, I can't seem to load that link. Anyways, thanks for posting your commands; what I was meaning though was your actual session commands, as in a live session. That way we can see how long it's running, what's what, etc. You follow?
