
Thread: WEP Cracking Challenge Scenario5 (uncrackable?)

  1. #1
    Just burned his ISO
    Join Date
    Apr 2010

    WEP Cracking Challenge Scenario5 (uncrackable?)

    hi all!
    I am trying to learn all about wireless security. A friend of mine is quite an expert at this, so he has set up this challenging scenario for me to solve.
    I have been trying for weeks now to crack the WEP key of this AP, which he has set up for me to crack. We thought this might be an interesting subject for y'all too.
    If we can't figure it out, my friend promised to enlighten us all and explain his supposedly uncrackable setup here.
    (and no, this is not my neighbour's network :P)

    Here's the scenario... o_O

    My friend has set up:
    -A real AP called "S5" on channel 7 (Scenario5)
    -And a fake AP with a hidden SSID on channel 138 (802.11a)

    Given info:
    -Both APs have WEP encryption and cipher (according to airodump-ng)
    -The fake AP is also shown as a client and is constantly sending packets to AP "S5" (a lot of these packets seem to get "lost")
    -So, data is flowing like crazy, with like 200#/s
    -He says the key(s) consist of 10 numeric digits

    Here's what I did trying to get the WEP key:
    -I fired up airodump-ng and started capturing
    -When I try to fakeauth I get deauth packets, but airodump-ng tells me AUTH is OPN
    -I also tried to get a valid keystream by fragmenting, but the deauth packets and lack of ACKs seem to keep me from getting it (no answer)
    -So I can't authenticate yet, but what I can do is arpreplay using the MAC address of the fake AP, which is already constantly associated with "S5" (I can't associate manually using that MAC, by the way)
    -Anyway, I captured like 4,000,000 IVs, some of them generated using arpreplay and some of them captured from what's flying around already
    -So I got a HD full of IVs, but I still can't crack AP "S5" or the fake AP

    What may also be interesting:
    -One time, AP "S5"'s encryption all of a sudden changed in airodump-ng from WEP to WPA (only the enc, not the cipher). I don't know if this was an error in airodump-ng or if it might be possible that this AP has WPA encryption but is sending WEP beacons as a decoy..?
    -When I deauthed the fake AP from "S5", I didn't see a WPA handshake when it reassociated.

    I wonder:
    -Might "S5" be WPA encrypted masquerading as a WEP?
    -The fake AP is on an 802.11a channel, so how can it interact with AP "S5", which is on channel 7, at the same time with the same MAC address?
    -If the fake AP is really associated with "S5", how can its SSID remain hidden?

    I think:
    -The fake AP is generating fake IVs just to piss me off. (If yes, how would I filter these out and only cap the ARPs generated by my own arpreplay?)

    I would upload a cap file, but I'm afraid this might endanger someone's privacy, because when capturing, my airodump-ng is focused on the whole of channel 7, not just the "S5" AP.

    Challenging, ain't it?
    Suggestions, anyone?
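As a check on the "WPA masquerading as WEP" question in the post above, here is an added example (not from the original poster, and not aircrack-ng code) showing how a passive sniffer decides what to print in its ENC column: the Privacy capability bit alone reads as WEP, and only an RSN information element (WPA2) or the Microsoft vendor IE (WPA1) in the beacon marks WPA. Clients need those elements to negotiate, so an AP cannot run WPA while leaving them out of its beacons; an ENC column that flaps is better explained by inconsistent beacons than by a decoy. The beacon bodies below are constructed inline, not captured traffic.

```python
import struct

RSN_TAG, VENDOR_TAG = 48, 221        # RSN IE (WPA2); vendor IE carries WPA1
WPA_OUI_TYPE = b"\x00\x50\xf2\x01"   # OUI 00:50:F2, type 1 = WPA1 IE
PRIVACY_BIT = 0x0010                 # capability bit a sniffer reports as WEP

def parse_tags(tag_area):
    """Yield (tag_id, data) from the tagged-parameter area of a beacon body."""
    i = 0
    while i + 2 <= len(tag_area):
        tag_id, length = tag_area[i], tag_area[i + 1]
        data = tag_area[i + 2:i + 2 + length]
        if len(data) < length:      # truncated IE: stop instead of misparsing
            break
        yield tag_id, data
        i += 2 + length

def classify_beacon(frame_body):
    """SSID (None if hidden), channel and encryption as a passive sniffer sees them."""
    capability = struct.unpack_from("<H", frame_body, 10)[0]  # after timestamp, interval
    ssid, channel, has_rsn, has_wpa = None, None, False, False
    for tag_id, data in parse_tags(frame_body[12:]):
        if tag_id == 0:                   # SSID; zero length means hidden
            ssid = data.decode("utf-8", "replace") or None
        elif tag_id == 3 and data:        # DS parameter set: channel number
            channel = data[0]
        elif tag_id == RSN_TAG:
            has_rsn = True
        elif tag_id == VENDOR_TAG and data.startswith(WPA_OUI_TYPE):
            has_wpa = True
    # an RSN/WPA IE marks WPA; the privacy bit on its own is what sniffers call WEP
    enc = "WPA2" if has_rsn else "WPA" if has_wpa else "WEP" if capability & PRIVACY_BIT else "OPN"
    return {"ssid": ssid, "channel": channel, "enc": enc}

def build_beacon(ssid, channel, privacy, extra_tags=()):
    """Constructed sample beacon body for testing, not captured traffic."""
    cap = 0x0001 | (PRIVACY_BIT if privacy else 0)     # ESS bit + optional privacy
    body = struct.pack("<QHH", 0, 100, cap)            # timestamp, interval, capability
    for tag_id, data in [(0, ssid.encode()), (3, bytes([channel])), *extra_tags]:
        body += bytes([tag_id, len(data)]) + data
    return body

# Minimal RSN IE: version 1, CCMP group and pairwise cipher, PSK authentication
RSN_IE = (RSN_TAG, bytes.fromhex("0100000fac040100000fac040100000fac020000"))
WEP_BEACON = build_beacon("S5", 7, privacy=True)                       # privacy bit only
WPA2_BEACON = build_beacon("S5", 7, privacy=True, extra_tags=[RSN_IE])  # privacy + RSN IE
HIDDEN_BEACON = build_beacon("", 138, privacy=True)                    # hidden SSID, 5 GHz channel
```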

  2. #2
    Super Moderator Archangel-Amael
    Join Date
    Jan 2010

    Re: WEP Cracking Challenge Scenario5 (uncrackable?)

    Ask your friend to help you with the problem then.
    We do not care, nor condone, nor really believe the whole "it's my friend's network/AP" story.
    Furthermore, all, repeat all, WEP is broken and insecure.
