NetStumbler.org Forums

08-22-2005 #1
cybergibbons
Registered Member
 
Join Date: May 2005
Posts: 15
Aircrack with multiple APS with same ESSID

I'm currently doing some penetration testing on a large wireless network. I already know the WEP key, it is 64-bit. The system used to use another WEP key, some of the APs and some of the clients do not know the new key (although this number is small).

I can see over 30 APs, which each have a low amount of traffic, but when you observe all of them, there is enough to make the collection of IVs using airodump OK without any aireplay attack (or the like). This traffic consists mainly of ARP requests, and some Windows networking stuff (seen using airdecap and the known key).

I captured about 1 million IVs as reported with aircrack, but I couldn't crack the key. I tried differing fudge factors and hinting the first few bytes, to no avail.

Because the traffic is over multiple BSSIDs, but with the same ESSID, I use the -e option with aircrack. I guessed that the data might have been poisoned by the APs and clients using the old key. I used airdecap with the old and new key, and found that a small but significant amount of the packets used the old key.

I then used tethereal to filter the captured data into data only (removing beacons and probes and non-encrypted data). Then I filtered out any traffic using the old key, using the BSSID and source addresses of clients. Because aircrack uses the unencrypted beacons with the ESSID, I then made a custom cap file with just beacons of the APs using the new key. Using the filtered data and beacon cap file, I then ran aircrack again.

Still the votes all look very similar, and it doesn't get any result, no matter the fudge factor or filter.

The wireless card and set-up works fine with single ESSID systems. Is this a problem with the -e option, or is all my mucking around ruining it?

At some point I will try using one AP and an attack to generate more traffic.
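The first post separates traffic by BSSID and transmitter address and tracks how many IVs each set contributes. The script below is an added example (not from the thread, and not part of aircrack-ng or tethereal) that does the same inventory in plain Python on a raw 802.11 pcap: for every WEP-protected data frame it recovers the BSSID from the To-DS/From-DS bits, reads the 3-byte IV and the 2-bit key index that follow the MAC header, and reports per BSSID the frame count, the number of distinct IVs, any IV reused under the same key index, and which transmitters use which key slot. A defender rekeying a WEP network can use the key-slot and transmitter columns to find stations that were never updated. The capture is constructed inline (MAC addresses, IVs and link type 105 are assumed values; frame bodies and ICVs are zero placeholders, no real encryption is performed).

```python
"""Per-BSSID inventory of WEP-protected 802.11 data frames (added example)."""
import struct
from collections import defaultdict

DLT_IEEE802_11 = 105          # pcap link type: raw 802.11 frames, no radiotap header
FC_TYPE_DATA = 0x08           # frame control byte 0, type bits == data
FC_PROTECTED = 0x40           # frame control byte 1, Protected Frame bit
FC_TO_DS, FC_FROM_DS = 0x01, 0x02


def mac(s):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(s.replace(":", ""))


def build_wep_frame(bssid, sa, da, iv, key_id, to_ds=True, body=b"\x00" * 20):
    """Constructed WEP data frame; body and 4-byte ICV are placeholders, not ciphertext."""
    flags = FC_PROTECTED | (FC_TO_DS if to_ds else FC_FROM_DS)
    if to_ds:
        addr1, addr2, addr3 = bssid, sa, da        # station -> AP: RA=BSSID, TA=SA
    else:
        addr1, addr2, addr3 = da, bssid, sa        # AP -> station: RA=DA, TA=BSSID
    hdr = (struct.pack("<BBH", FC_TYPE_DATA, flags, 0)       # FC + duration
           + mac(addr1) + mac(addr2) + mac(addr3) + b"\x00\x00")  # 3 addrs + seq ctl
    iv_field = iv + bytes([(key_id & 3) << 6])     # 24-bit IV, then KeyID in top 2 bits
    return hdr + iv_field + body + b"\x00" * 4


def build_pcap(frames):
    """Wrap raw frames in a classic little-endian pcap file of link type 105."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, DLT_IEEE802_11)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_124_755_200 + i, 0, len(f), len(f)) + f
    return out


def iter_pcap(data):
    """Yield raw frame bytes; refuse captures that are not raw 802.11."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or linktype != DLT_IEEE802_11:
        raise ValueError("expected little-endian pcap with DLT_IEEE802_11")
    off = 24
    while off + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack("<IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def parse_wep_data_frame(frame):
    """Return (bssid, transmitter, iv, key_id) for a WEP data frame, else None."""
    if len(frame) < 28 or frame[0] & 0x0C != FC_TYPE_DATA:
        return None                       # management/control frame, or truncated
    flags = frame[1]
    if not flags & FC_PROTECTED:
        return None                       # plaintext data frame: no IV to count
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    ds = flags & (FC_TO_DS | FC_FROM_DS)
    if ds == FC_TO_DS:
        bssid = a1
    elif ds == FC_FROM_DS:
        bssid = a2
    elif ds == 0:
        bssid = a3
    else:
        return None                       # 4-address WDS frame: no single BSSID
    iv, key_id = frame[24:27], frame[27] >> 6
    return bssid.hex(":"), a2.hex(":"), iv, key_id


def summarize(pcap_bytes):
    """Per BSSID: frames, distinct (key_id, IV) pairs, IV reuse, transmitters per key slot."""
    stats = {}
    for frame in iter_pcap(pcap_bytes):
        parsed = parse_wep_data_frame(frame)
        if parsed is None:
            continue
        bssid, ta, iv, key_id = parsed
        s = stats.setdefault(bssid, {"frames": 0, "ivs": set(), "reused": 0,
                                     "key_ids": defaultdict(set)})
        s["frames"] += 1
        if (key_id, iv) in s["ivs"]:
            s["reused"] += 1              # same IV under the same key: keystream reuse
        s["ivs"].add((key_id, iv))
        s["key_ids"][key_id].add(ta)
    return {b: {"frames": s["frames"], "unique_ivs": len(s["ivs"]),
                "reused_ivs": s["reused"],
                "key_ids": {k: sorted(v) for k, v in s["key_ids"].items()}}
            for b, s in stats.items()}


# Constructed sample: two APs on one ESSID, one station still on key slot 1.
AP1, AP2 = "00:11:22:00:00:01", "00:11:22:00:00:02"
STA_A, STA_B, STA_C = "00:aa:00:00:00:0a", "00:aa:00:00:00:0b", "00:aa:00:00:00:0c"
GW = "00:11:22:00:00:ff"
SAMPLE_PCAP = build_pcap([
    build_wep_frame(AP1, STA_A, GW, b"\x01\x02\x03", 0),
    build_wep_frame(AP1, STA_A, GW, b"\x01\x02\x04", 0),
    build_wep_frame(AP1, STA_A, GW, b"\x01\x02\x03", 0),            # IV repeated
    build_wep_frame(AP1, STA_B, GW, b"\x09\x09\x09", 1),            # legacy key slot
    build_wep_frame(AP1, GW, STA_A, b"\x07\x07\x07", 0, to_ds=False),
    build_wep_frame(AP2, STA_C, GW, b"\x05\x05\x05", 0),
    struct.pack("<BBH", 0x80, 0, 0) + mac(STA_A) + mac(AP1) + mac(AP1) + b"\x00" * 30,  # beacon
    struct.pack("<BBH", FC_TYPE_DATA, FC_TO_DS, 0) + mac(AP1) + mac(STA_C) + mac(GW) + b"\x00" * 30,  # plaintext
])

if __name__ == "__main__":
    for bssid, s in summarize(SAMPLE_PCAP).items():
        print(bssid, s)
```

Beacons and unencrypted data frames are skipped, so the per-BSSID counts reflect only frames that carry an IV. On a real capture the link type must be 105 (raw 802.11); captures with a radiotap or Prism header would need that header stripped first.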
08-22-2005 #2
wrzwaldo
I amuse you?
 
Join Date: Dec 2003
Posts: 9,127
Quote:
Originally Posted by cybergibbons
The system used to use another WEP key, some of the APs and some of the clients do not know the new key (although this number is small).
And how does this fit into the mix?

Some of the APs don't know the new key?
08-22-2005 #3
cybergibbons
Registered Member
 
Join Date: May 2005
Posts: 15
Quote:
Originally Posted by wrzwaldo
And how does this fit into the mix?

Some of the APs don't know the new key?
They are old 802.11b APs which have been "lost" and need reconfiguring.

The clients are PCs locked in offices which aren't accessible and can't be remotely administered/updated.
08-22-2005 #4
streaker69
Psychic Amish Stumbler
 
 
Join Date: Jul 2004
Location: Virginville, BlueBall, Bird In Hand, Intercourse, Paradise, PA
Posts: 11,842
Quote:
Originally Posted by cybergibbons
They are old 802.11b APs which have been "lost" and need reconfiguring.

The clients are PCs locked in offices which aren't accessible and can't be remotely administered/updated.
I'm confused, what exactly are you trying to accomplish?
__________________
"One of these days, I'm going to cut you to pieces."

If you're offended by this post, please feel free to report it to one of the many helpful moderators of this forum.

Thank you.
08-22-2005 #5
cybergibbons
Registered Member
 
Join Date: May 2005
Posts: 15
Quote:
Originally Posted by streaker69
I'm confused, what exactly are you trying to accomplish?
I'm trying to see if it would be possible to obtain the WEP key as an external party. I don't know if the problem is extra data, the fact I have played with the cap files, or if aircrack doesn't actually work with multiple APs with the same ESSID.
08-22-2005 #6
Thorn
Did you do the math?
 
 
Join Date: Apr 2002
Location: Villa Straylight
Posts: 10,099
Are you sure that the APs are using the same key?

If they are in locked offices and aren't remotely configurable, what good is knowing the older key? If you can't configure it remotely, you probably can't configure them wirelessly.
__________________
Thorn
"I'm The Doctor. I'm a Time Lord. I am from the planet Gallifrey in the constellation Kasterborous. I'm 903 years old and I am the man who is going to save your lives and all 6 billion people on the planet below... You got a problem with that?"
08-22-2005 #7
cybergibbons
Registered Member
 
Join Date: May 2005
Posts: 15
Quote:
Originally Posted by Thorn
Are you sure that the APs are using the same key?

If they are in locked offices and aren't remotely configurable, what good is knowing the older key? If you can't configure it remotely, you probably can't configure them wirelessly.
Not all the APs are using the same key. However, I have filtered the cap file from airodump using tethereal so that it only contains the traffic from APs and clients using the new key. I can be sure of this because when I use airdecap with the old key, no packets are decrypted, and when I used it with the new key, all packets are decrypted.

I didn't make it clear - the locked up computers are only using the old key because they can't be accessed to be changed. They will at a point in the future be changed. But at the moment they are polluting the traffic.
08-22-2005 #8
Dutch
Humourless EuroMod.
 
 
Join Date: Mar 2004
Location: City of Mermaids, Denmark
Posts: 6,813
Quote:
Originally Posted by cybergibbons
Not all the APs are using the same key. However, I have filtered the cap file from airodump using tethereal so that it only contains the traffic from APs and clients using the new key. I can be sure of this because when I use airdecap with the old key, no packets are decrypted, and when I used it with the new key, all packets are decrypted.

I didn't make it clear - the locked up computers are only using the old key because they can't be accessed to be changed. They will at a point in the future be changed. But at the moment they are polluting the traffic.
My left middle toe is itching under the nail. That normally means something fishy is afoot (pun intended).

Why can't those computers' locations be accessed, if you are doing a pen-test/WiFi survey for the company owning those computers?

When doing such an auditing project, it is normally in order to check and identify problems, and fix them. Are you telling me that there isn't anybody in the company you are doing the auditing for who has access to all the locations where they have computers and APs located?

Dutch
__________________
All your answers are belong to Google. SEARCH DAMMIT!
Warning. Warning.
Low C8H10N4O2 level detected. Operator halted....
08-22-2005 #9
cybergibbons
Registered Member
 
Join Date: May 2005
Posts: 15
Quote:
Originally Posted by Dutch
Why can't those computers' locations be accessed, if you are doing a pen-test/WiFi survey for the company owning those computers?
The offices have physical locks on them installed by the person in the office, and we do not have the keys. There are also PCs in offices which are personal PCs, so we do not have admin rights on them. Everyone is on holiday at the moment apart from support staff.

I already have both the old and new WEP key, but I am unable to crack the new one using traffic I can gather. How would I have the key, and why would I care, if I was doing this illegally?

Nonetheless, is all that is needed to cause WEP cracking to fail to inject a few packets here and there with the wrong key?

Last edited by cybergibbons : 08-22-2005 at 04:06 PM.
08-22-2005 #10
wrzwaldo
I amuse you?
 
Join Date: Dec 2003
Posts: 9,127
You do realize that WEP cracking is not absolute? There is a certain margin of uncertainty, or like I have seen mentioned "bad luck".
08-22-2005 #11
cybergibbons
Registered Member
 
Join Date: May 2005
Posts: 15
Quote:
Originally Posted by wrzwaldo
You do realize that WEP cracking is not absolute? There is a certain margin of uncertainty, or like I have seen mentioned "bad luck".
I do realize that, but I would have thought with approx 800,000 IVs, a 64-bit key, and hinting at the first three bytes, I would have got it.

With 64-bit keys, I have seen as low as 50,000 but never more than 400,000 needed. But I have never tried using the ESSID before.
08-23-2005 #12
Huzzy
Registered Member
 
Join Date: Jul 2004
Posts: 41
Quote:
Originally Posted by cybergibbons
I do realize that, but I would have thought with approx 800,000 IVs, a 64-bit key, and hinting at the first three bytes, I would have got it.

With 64-bit keys, I have seen as low as 50,000 but never more than 400,000 needed. But I have never tried using the ESSID before.

Left field suggestion:

1) There may be a 3rd WEP key in use? Though you would have noticed when filtering with ethereal.

2) What hardware are you using?
Others will know better than me, but certain hardware/firmware that corrupts captured data is floating around.
08-23-2005 #13
cybergibbons
Registered Member
 
Join Date: May 2005
Posts: 15
Quote:
Originally Posted by Huzzy
Left field suggestion:

1) There may be a 3rd WEP key in use? Though you would have noticed when filtering with ethereal.

2) What hardware are you using?
Others will know better than me, but certain hardware/firmware that corrupts captured data is floating around.
1. Yes, there was another WEP key in fact. This is from a wireless network installed by another company who chose to use the same channel and SSID without permission. We solved this by turning off their network, and asking them to change it.

2. For capture, initially I was using an Orinoco Gold Classic, with the Wildpeek drivers under Windows XP, and using the drivers that come as standard with the Auditor Linux Live CD. I captured traffic using both OSes, and tried cracking using both versions of aircrack to see if it was one causing the problem.

Note, I got the source for the latest aircrack and compiled it under Auditor as the standard one is quite old.

I now have a D-link DWL-G650 Hardware Rev C3 Card (Atheros chipset). It seems to work well for capturing and injection in my own test set-ups, but again, the captures from the large multiple AP network don't result in a key being found.
08-23-2005 #14
Huzzy
Registered Member
 
Join Date: Jul 2004
Posts: 41
Quote:
Originally Posted by cybergibbons
1. Yes, there was another WEP key in fact. This is from a wireless network installed by another company who chose to use the same channel and SSID without permission. We solved this by turning off their network, and asking them to change it.

2. For capture, initially I was using an Orinoco Gold Classic, with the Wildpeek drivers under Windows XP, and using the drivers that come as standard with the Auditor Linux Live CD. I captured traffic using both OSes, and tried cracking using both versions of aircrack to see if it was one causing the problem.

Note, I got the source for the latest aircrack and compiled it under Auditor as the standard one is quite old.

I now have a D-link DWL-G650 Hardware Rev C3 Card (Atheros chipset). It seems to work well for capturing and injection in my own test set-ups, but again, the captures from the large multiple AP network don't result in a key being found.

Elaborate on how that 3rd WEP key/network is "shut down"?
08-23-2005 #15
cybergibbons
Registered Member
 
Join Date: May 2005
Posts: 15
Quote:
Originally Posted by Huzzy
Elaborate on how that 3rd WEP key/network is "shut down"?
Breaker panel, chose ring main, switch off.