Cracking WEP - anybody done it

Post by jerryshenk » Thu Apr 25, 2002 6:44 pm

I've been working all week at cracking WEP. Had a problem for the first couple days about missing traffic. Things are moving along pretty well right now but it's still taking forever.

I'd like to compare notes with somebody that's done it if possible.

I have a LinkSys AP with 40 bit encryption enabled. I'm flood pinging from my Ipaq to the AP with a size of 1 (the key issue is the number of packets, not the size). I'm collecting them with Kismet on a Linux RH72 box with a Cisco 350 card using the kernel pcmcia support. I'm getting about 3 weak packets a minute and the total throughput seems to be about 250 packets/second. I'm using crack from Airsnort 1.0 to process the *.weak files that Kismet puts out.

To run crack, I cat the files together and then run crack on the larger file. My number of samples per key goes up consistently - I'm currently up to about 165 - some higher, some lower but it still hasn't given me a key. I've been trying about every 2 hours.

I think the people that say WEP is trivial to crack haven't tried!
jerryshenk
 
Posts: 29
Joined: Sat Apr 13, 2002 11:02 am

Post by Dave Joyce » Fri Apr 26, 2002 2:22 pm

You might want to try a ping with a full payload.
The WEP crack needs to look at the content of the encrypted packet too, it's possible that you do not have enough data in the packets to check for a valid key. Then again...

I have a Celeron 500 that's been collecting weak IVs from my network for almost 2 months now. (Linksys WAP11 to NetGear MA401, 128-bit). I've done nearly 300 Gigs of data, and still nothing. I know it can be done, just don't know how long.
David Joyce, CSSA
Network Security Engineer
SafeSectors, Inc.
http://www.wirelesstalk.net/
Dave Joyce
Mini Stumbler
 
Posts: 39
Joined: Tue Apr 23, 2002 7:53 am
Location: Rancho Cucamonga California - (909)

Post by jerryshenk » Fri Apr 26, 2002 5:29 pm

Good point, Dave. I'm up to 220-230 samples per byte and I still don't have a key. Just set my ping size to 100 (was 1). It would be SO COOL to have a key by morning! ...course, I'm not sure what the big deal is....I already know the key!
jerryshenk
 
Posts: 29
Joined: Sat Apr 13, 2002 11:02 am

Post by Dave Joyce » Fri Apr 26, 2002 8:33 pm

I agree totally! I've been trying for weeks, and still nothing.

I'm working on a service to secure wireless networks... But it's useless unless you can prove that you can get in.
David Joyce, CSSA
Network Security Engineer
SafeSectors, Inc.
http://www.wirelesstalk.net/
Dave Joyce
Mini Stumbler
 
Posts: 39
Joined: Tue Apr 23, 2002 7:53 am
Location: Rancho Cucamonga California - (909)

Post by jerryshenk » Sat Apr 27, 2002 3:37 am

Sounds like we're both doing the same thing.

What tools are you using? I want to try getting Airsnort2 on a laptop that I have here using a LinkSys card that I've borrowed. Currently I'm running Kismet to get the weak packets and airsnort 1 to crack them.

After your suggestion to use larger packets, I started again last night and got a little over 1400 weak packets but didn't get my key back when I ran crack.
jerryshenk
 
Posts: 29
Joined: Sat Apr 13, 2002 11:02 am

Post by jerryshenk » Tue Apr 30, 2002 3:35 am

Hey Dave, finally got it! Threw AirSnort on my Kismet box and borrowed a Linksys card from a friend. Cracked my WEP key in under an hour...the 2nd time took about 4 hours.

Prior to that, I'd been using Kismet to collect the weak packets and processing them with Airsnort 1. AirSnort 2 really works pretty nice. Snax is working on getting Cisco support into AirSnort in the near future.
jerryshenk
 
Posts: 29
Joined: Sat Apr 13, 2002 11:02 am

Post by Dave Joyce » Tue Apr 30, 2002 8:06 am

Are you doing 40-bit (64-Bit) or 104-Bit (128-Bit)?

....Kismet doesn't seem to find any weak ones on my network.
David Joyce, CSSA
Network Security Engineer
SafeSectors, Inc.
http://www.wirelesstalk.net/
Dave Joyce
Mini Stumbler
 
Posts: 39
Joined: Tue Apr 23, 2002 7:53 am
Location: Rancho Cucamonga California - (909)

Post by jerryshenk » Tue Apr 30, 2002 8:13 am

40 bit

Kismet found quite a few weak packets on my LinkSys network but I don't think it found any on my Cisco Network.
jerryshenk
 
Posts: 29
Joined: Sat Apr 13, 2002 11:02 am
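
Added example, not part of the thread and not code from Kismet or AirSnort: a small audit of an AP's IV stream for the classic Fluhrer, Mantin and Shamir weak-IV form (B+3, 255, X), reporting the "samples per key byte" figure the posts refer to for both 40-bit and 104-bit keys. It assumes the tools named in the thread count weak packets by this pattern; the function names and both captures are constructed for illustration.

```python
from collections import Counter
from typing import Iterable, Optional

# Secret key length in bytes; the 3-byte IV is prepended to it per packet.
WEP_KEY_BYTES = {40: 5, 104: 13}


def fms_weak_key_byte(iv: bytes, key_bits: int = 40) -> Optional[int]:
    """Return the index B of the secret key byte that an IV of the classic
    FMS form (B+3, 255, X) yields a sample for, or None if not that form."""
    if len(iv) != 3:
        raise ValueError("a WEP IV is exactly 3 bytes")
    b = iv[0] - 3
    if iv[1] == 0xFF and 0 <= b < WEP_KEY_BYTES[key_bits]:
        return b
    return None


def audit_iv_stream(ivs: Iterable[bytes], key_bits: int = 40) -> dict:
    """Count weak IVs in a capture and the samples seen per key byte."""
    per_byte: Counter = Counter()
    total = 0
    for iv in ivs:
        total += 1
        b = fms_weak_key_byte(iv, key_bits)
        if b is not None:
            per_byte[b] += 1
    n = WEP_KEY_BYTES[key_bits]
    return {"total": total, "weak": sum(per_byte.values()),
            "samples_per_key_byte": [per_byte[i] for i in range(n)]}


def counter_ivs(start: int, count: int) -> list:
    """Constructed sample: IVs from a simple incrementing 24-bit counter."""
    return [((start + i) & 0xFFFFFF).to_bytes(3, "big") for i in range(count)]


# Constructed captures (not real traffic): a stream that walks straight
# through two weak ranges, and the same stream with the weak pattern skipped.
UNFILTERED = counter_ivs(0x03FE80, 512) + counter_ivs(0x08FFF0, 32)
FILTERED = [iv for iv in UNFILTERED if fms_weak_key_byte(iv, 104) is None]

if __name__ == "__main__":
    for name, ivs in (("unfiltered", UNFILTERED), ("filtered", FILTERED)):
        for bits in (40, 104):
            print(name, bits, audit_iv_stream(ivs, bits))
```

On the constructed data, the IVs beginning with byte 0x08 count as weak only under the 104-bit setting, and the filtered stream reports zero weak IVs, which is what a capture tool would show for an AP that never emits the pattern.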

