NetStumbler.org Forums - View Single Post - aireplay

devine · 12-15-2004

2h., 7000000 IVs found, 6900000 usable "unique" IVs in aircrack -> we don't get the key..

Well. As Michael Ossmann pointed out in a recent article on SecurityFocus (http://www.securityfocus.com/infocus/1814), aircrack has problems with very large sets of unique IVs, above 5M approximately. In that case, raising the fudge factor to 4 gets rid of most false positives.

if aircrack shows xxxxxxxxxx (in our case 7000000) "unique IVs", are all of them really usable for cracking?

AFAIK KoreK's attacks depend each on different IVs (that's what make them so efficient). But you'd have to ask him for more precise details

what kind of arp-packets are needed to make the ap reply really interesting IV's? how can we generate them?

The IV generated by the AP doesn't depend on the packet contents, so any arp-request that generates a reply should do. In general, IVs near 0 are more useful than IVs near ffffff. So if the AP starts at 0 and increments the IVs, you can reset it and you'll get "higher quality IVs".

last but not least how many potential-arp-packets would you inject? would you take exactly 1, or maybe 30 or 130 or 3000? maybe there's our mistake.

One is enough, as long as it generates a reply.

anyways thanks for reading and sunny greetings from snowy germany

No problem - and greetings from Paris

Christophe

12-15-2004	#8 (permalink)
devine Emergence Join Date: Jul 2004 Location: Paris Posts: 389	2h., 7000000 IVs found, 6900000 usable "unique" IVs in aircrack -> we don't get the key.. Well. As Michael Ossmann pointed out in a recent article on SecurityFocus (http://www.securityfocus.com/infocus/1814), aircrack has problems with very large sets of unique IVs, above 5M approximately. In that case, raising the fudge factor to 4 gets rid of most false positives. if aircrack shows xxxxxxxxxx (in our case 7000000) "unique IVs", are all of them really usable for cracking? AFAIK KoreK's attacks depend each on different IVs (that's what make them so efficient). But you'd have to ask him for more precise details what kind of arp-packets are needed to make the ap reply really interesting IV's? how can we generate them? The IV generated by the AP doesn't depend on the packet contents, so any arp-request that generates a reply should do. In general, IVs near 0 are more useful than IVs near ffffff. So if the AP starts at 0 and increments the IVs, you can reset it and you'll get "higher quality IVs". last but not least how many potential-arp-packets would you inject? would you take exactly 1, or maybe 30 or 130 or 3000? maybe there's our mistake. One is enough, as long as it generates a reply. anyways thanks for reading and sunny greetings from snowy germany No problem - and greetings from Paris Christophe