#1
Registered Member
Join Date: May 2004
Posts: 8
Airsnort on WEP / success statistics, interesting figures
Hi all.
Here's my own "success story" in cracking my own WEP key with Airsnort. I have not seen any statistics/data out there, so here are mine:

268k packets, 580 IVs, 8 minutes
269k packets, 579 IVs, 9 minutes
280k packets, 74 IVs, 7 minutes *
539k packets, 1020 IVs, 16 minutes
543k packets, 1191 IVs, 14 minutes
280k packets, 74 IVs, 7 minutes *
280k packets, 74 IVs, 7 minutes *
268k packets, 580 IVs, 9 minutes
269k packets, 582 IVs, 8 minutes
280k packets, 74 IVs, 7 minutes *
269k packets, 581 IVs, 6 minutes
and so on...

As you can see, there are repeated and interesting figures: either 270k or 540k packets to obtain either 74, 580 or 1160 IVs, and either 7 or 14 minutes to obtain the key. Pretty mathematic. Is this strange? Or significant? (I am not a programmer...) Is it related to the WEP key that stayed identical for all the tests?

Another observation based on *: repeatedly, the first 37 IVs were obtained between 76k and 84k packets, and the next 37 IVs were obtained between 210k and 218k packets, for a total of 74 IVs. Then nothing happens, until Airsnort has collected a total of 268k packets to provide the key. Those numbers are pretty "coherent" (as there were regular "waves" of IVs) but I can't interpret them...

Conclusions or guru-guessing anyone on that?

Airsnort station Setup:
-----------------------
Laptop: Fujitsu-Siemens T3010 Centrino 1.4GHz, WinXP Pro TabletPC, integrated and enabled IntelPro2100b3 WiFi miniPCI adapter
WiFi PC-Card adapter: D-Link DWL-G650 v.C2 firmware v3.1.6 with Airopeek's Atheros3.0 "ar5211.sys" (11/8/04) drivers
Airsnort 027e, ICMP Ping Flood to target AP IP#

Target:
-------
USR2249 AP on AMD@2.7GHz, 64 bits WEP on
#4
Pr0nStumbler Expert Level
Join Date: Apr 2003
Location: Houston
Posts: 2,536
Overall that's not too bad; however, if you step up your WEP to 128 bit... you will grow old and gray long before you crack it.
__________________
Against the run of the mill, static as it seems / We break the surface tension with our wild kinetic dreams / Curves and lines -- of grand designs... Tonight's movie "Soylent Green" has been brought to you by our sponsor - Waste Management. My mind is like a Steel trap - Rusty and Illegal in most states
#5
Registered Member
Join Date: May 2004
Posts: 8
Few IVs to reveal key. 128 bits not tested.
whoisvince said : "That few IVs to crack the key ?"...
Don't know either. I read somewhere that Airsnort requires (at best) 256K packets (not 256k IVs) to find a key... Would anybody comment on this? My test key was EEDDCCBBAA. I know, it's a silly key, but this redundancy should not influence the speed at which Airsnort finds the key... am I wrong? As for a 128-bit key, I didn't even test, for the reason you mentioned. And I won't test it, coz I'm already 48 and gray!!
#7
Pr0nStumbler Expert Level
Join Date: Apr 2003
Location: Houston
Posts: 2,536
The more IVs you have to play with, the better your odds, but how long did it take you to get those 500,000? In the real world someone trying to snag that many would have to camp out a long time outside a place that was serving up secure wifi. One of the big mistakes a lot of people make with WEP keys is it's a word/phrase or a series of numbers like 1234567890 etc...
#8
Registered Member
Join Date: May 2004
Posts: 8
silly key structure = easy software guessing ???
... to Groover:
Solving a 128-bit WEP in 2 secs with 500k IVs is irrelevant. Resolving the key with that amount of IVs is not a question of luck. The point is: when you get enough IVs, you might compute the corresponding WEP key. That takes 1 sec on a powerful machine, or more. Only the time for collecting those IVs is a question of luck: i.e. the more traffic you can listen to, the faster you might get the key. As it depends on what the AP is "doing", you have absolutely no control over that, unless you have its IP#.

... Now to Starpoint: What has a key structure like "1234567890" (like mine, EEDDBBCCAA) to do with the ease with which Airsnort/Aircrack discovers it? Human guessing would possibly be successful at it, but as far as I know, neither of these programs is based on such a "silly key" guessing algorithm, or even on a wordlist (dictionary) check...

Last edited by lastlonewolf : 03-20-2005 at 07:13 AM.
#9
Registered Member
Join Date: Feb 2005
Location: Engelholm, Sweden
Posts: 9
Thanks, I think I'm starting to learn more about this. Well, collecting 500K was about 24 hours. She must be running some heavy downloading or something. Only AP and one user. At least only one user that I know of; there could be someone else using the same AP, but not that I know of.
Just in case someone wants to know: it's a girl next door and she knows and has given her permission for me to play around (with her AP).
#11
Pr0nStumbler Expert Level
Join Date: Apr 2003
Location: Houston
Posts: 2,536
Actually you would be surprised... some try the normal dictionary trick, and some even try the same character it got before, aka it gets a hit on E, it tries E again... ergo a "repetitive" pattern is not the best way. Do what I do: open WordPad, get cat to dance on keyboard, add or subtract characters to get the proper character count, then cut and paste.
#12
Registered Member
Join Date: May 2004
Posts: 8
to Starpoint: sorry, you still don't get it. What you wrote is common sense.
Human guessing or dictionary attacks are other, well-known subjects. Please don't be offended, but I am just trying to dig into this technical aspect:
- Why was Airsnort able to get the WEP out of only 74 IVs? Obviously not the "silliness" of the typed key, nor the fact that it's 64 bits only. Am I wrong?
- Sylvain proposed a "poor" implementation of the WEP within the AP firmware (US Robotics 2249). Possible, but I'm not convinced...
- The other point was this strange pattern in my test results: 280k packets, 580 IVs, 8 minutes, or 280k packets, 74 IVs, 7', or 540k packets, 1020 IVs, 16'. Those values varied slightly, but they occurred repeatedly. Is this pattern related to the structure of the typed key, i.e. EEDDCCBBAA?
#13
Pr0nStumbler Expert Level
Join Date: Apr 2003
Location: Houston
Posts: 2,536
The more common or repetitive the key, the easier it is to figure out. A 128 bit key is 26 characters... hmmm, 26 letters in the alphabet, figure upper and lower case, you only have so many combinations... you do not think these "crackers" do not try the most obvious first? Try this... your key is EEDDCCBBAA and it took what... 10-15 minutes? Try a more random scrambled key of the same length... see if it takes longer or shorter. Keep switching the key from a very random to a very common (aka number pattern or word) key... see which side of the fence is guessed quicker? I use 128 bit crypto at work... using a 3 gig Xeon with a gig of ram it took WELL over 30 minutes to crack my key... (the cat types some GOOD keys)
#14
Registered Member
Join Date: May 2004
Posts: 8
WEP cracking easiness
You're right, Starpoint, I'll compare lesser/better scrambled keys to determine Airsnort's ability on that point.
But AGAIN, this is not about "crackers trying the most obvious" as you said. This is about Airsnort which is, as far as I know, not coded to do that. OK, I'll stop arguing about Airsnort, this is a NetStumbler forum... And about a 128-bit key, I won't even try feeding Airsnort with it. As said before, I am already too old for that!

Last edited by lastlonewolf : 03-20-2005 at 05:00 PM.
#15
Registered Member
Join Date: May 2004
Posts: 8
same speed whatever the WEP key
As promised, here is info about "lesser/better" selected WEP keys, and Airsnort.
I tried "0000000000" (damn stupid against human guessing), then "BCD4F93A7D". I repeated the tests several times. All the results were almost identical: 280k packets, 580 IVs, 8 minutes, or 280k packets, 74 IVs, 7', or 540k packets, 1020 IVs, 16'. These results are the same as with my previous key "EEDDCCBBAA".

Conclusion: The complexity/silliness of a key is not related to the amount of IVs required by Airsnort to find the key. Airsnort does not care about silliness. (And yes, human hackers do, but that's another subject!)
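Added example serving posts #1 and #15 (it is not the poster's data, nor AirSnort's own code): it counts the classic FMS "weak" IV class, (A+3, 255, X) with A indexing the secret key bytes, in a 24-bit IV stream driven by a plain packet counter, and shows that such IVs arrive in periodic bursts tied to the counter while their overall rate depends only on key length (5 or 13 bytes), never on the key's value. Assumed: a counter-allocated IV and the original FMS class alone; real APs vary (some randomize or filter IVs) and real tools count further IV classes, so the numbers illustrate the mechanism rather than reproduce the figures in the thread.

```python
"""Where the usable IVs in a WEP capture come from (added example).

Assumptions, not facts about any AP or tool: IVs come from a packet
counter (low byte first unless stated otherwise), and a "weak" IV is the
original FMS class (A+3, 255, X) for A in 0..key_bytes-1, key_bytes being
5 for 40-bit ("64-bit") WEP and 13 for 104-bit ("128-bit") WEP.
"""

def iv_from_counter(counter, little_endian=True):
    """3-byte IV sent for packet number `counter` (24-bit wraparound)."""
    b = (counter & 0xFFFFFF).to_bytes(3, "little" if little_endian else "big")
    return b[0], b[1], b[2]

def is_fms_weak(iv, key_bytes):
    """FMS condition: iv[1] == 255 and iv[0] == A + 3 for some key byte A."""
    return iv[1] == 0xFF and 3 <= iv[0] < 3 + key_bytes

def weak_iv_positions(n_packets, key_bytes, little_endian=True):
    """0-based packet indices at which a weak IV is transmitted."""
    return [i for i in range(n_packets)
            if is_fms_weak(iv_from_counter(i, little_endian), key_bytes)]

def bursts(positions, gap=1024):
    """Group positions into (first, last, count) bursts: the 'waves' an
    observer sees each time the counter sweeps through the weak region."""
    out = []
    for p in positions:
        if out and p - out[-1][1] <= gap:
            out[-1][1], out[-1][2] = p, out[-1][2] + 1
        else:
            out.append([p, p, 1])
    return [tuple(b) for b in out]

def packets_per_weak_iv(key_bytes):
    """Average spacing of weak IVs over the full 2^24 IV space. It depends
    only on key LENGTH, so key 0000000000 and key BCD4F93A7D score alike."""
    return 2 ** 24 / (256 * key_bytes)

if __name__ == "__main__":
    for endian in (True, False):
        pos = weak_iv_positions(540_000, key_bytes=5, little_endian=endian)
        print("little" if endian else "big", "endian counter:",
              len(pos), "weak IVs in 540k packets; bursts:", bursts(pos))
    print("avg packets per weak IV, 40-bit key:", packets_per_weak_iv(5))
    print("avg packets per weak IV, 104-bit key:", packets_per_weak_iv(13))
```

With a low-byte-first counter the weak IVs come 5 at a time every 65536 packets; with a high-byte-first counter all 1280 weak IVs of a 40-bit key are emitted in five blocks of 256 within the first 525k packets, which is the kind of "wave" pattern post #1 describes.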