NetStumbler.org Forums

Old 08-17-2004   #31 (permalink)
devine
Emergence
 
Join Date: Jul 2004
Location: Paris
Posts: 389
Ok, I think I got it. My implementation of KoreK's attacks works pretty well when the IVs are randomly distributed, but it somewhat fails when the IVs are linearly distributed. I'll see how to improve the code and make it work in such cases.

post-edit: looks like chopper fails too when the IVs are linearly distributed.

Last edited by devine : 08-19-2004 at 01:41 PM.
devine is offline  
Old 08-17-2004   #32 (permalink)
Kronk
Registered Member
 
Join Date: Jul 2004
Posts: 13
I've not had success using chopper on any of my packet captures. Aircrack gets the key, but chopper fails with every dump. Could be because I am using Linux on a Powerbook and there may be endian issues with chopper on the PowerPC.
Kronk is offline  
Old 08-17-2004   #33 (permalink)
KoreK
Banned in DC
 
KoreK's Avatar
 
Join Date: Jul 2004
Posts: 102
Well, I know some of the code is big-endian. Change line 795 of chopper.c to
v=0x00010203
The rest should work ok, unless I remember some other smart-ass "optimizations"...
KoreK is offline  
Old 08-17-2004   #34 (permalink)
devine
Emergence
 
Join Date: Jul 2004
Location: Paris
Posts: 389
Quote:
Originally Posted by Kronk
I've not had success using chopper on any of my packet captures. Aircrack gets the key, but chopper fails with every dump. Could be because I am using Linux on a Powerbook and there may be endian issues with chopper on the PowerPC.
Yeah, could be. Anyway, I found a bug in chopper that may very well have caused the behaviour you've seen.

Line 796 in aircrack.c, replace:

Code:
            else if( o2 == ( 2 - S2 ) )
with:

Code:
            else if( o2 == ( ( 2 - S2 ) & 0xFF ) )
Let me know if the code works better with the 500k IVs you've got.
devine is offline  
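The effect of the one-line fix in the post above, shown as an added example that is not part of the original post or of aircrack's source. It assumes `o2` and `S2` are 8-bit unsigned bytes (the thread does not show their declarations); the helper names `cmp_unmasked`, `cmp_masked` and `count_matches` are hypothetical.

```c
#include <stdio.h>

/* Assumption: o2 and S2 are 8-bit unsigned bytes (RC4 works on bytes);
 * the thread does not show their declarations. */
typedef int (*cmp_fn)(unsigned char o2, unsigned char S2);

/* Comparison as it stood before the fix. Both operands are promoted to
 * int, so (2 - S2) is negative for every S2 > 2 and can never equal o2. */
static int cmp_unmasked(unsigned char o2, unsigned char S2)
{
    return o2 == (2 - S2);
}

/* Comparison after the fix: the mask reduces the difference modulo 256
 * before comparing, which is the byte arithmetic the test intends. */
static int cmp_masked(unsigned char o2, unsigned char S2)
{
    return o2 == ((2 - S2) & 0xFF);
}

/* Count the (o2, S2) pairs, out of all 65536, that a comparison accepts. */
static int count_matches(cmp_fn cmp)
{
    int o2, S2, hits = 0;
    for (S2 = 0; S2 < 256; S2++)
        for (o2 = 0; o2 < 256; o2++)
            hits += cmp((unsigned char)o2, (unsigned char)S2);
    return hits;
}

int main(void)
{
    printf("unmasked: %d pairs\n", count_matches(cmp_unmasked));
    printf("masked:   %d pairs\n", count_matches(cmp_masked));
    printf("o2=0xFF, S2=3: unmasked=%d masked=%d\n",
           cmp_unmasked(0xFF, 3), cmp_masked(0xFF, 3));
    return 0;
}
```

Without the mask the branch can only be taken when S2 is 0, 1 or 2; with it, every S2 value has exactly one matching o2.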
Old 08-17-2004   #35 (permalink)
Kronk
Registered Member
 
Join Date: Jul 2004
Posts: 13
Still getting different results with aircrack 1.1-patched and aircrack 1.2. Seems that didn't fix the problem. Older version finds the key in 6 secs, v1.2 still trying after 5 minutes.

Also, chopper still fails to find key with any of the dump files even after trying the endian fix.
Kronk is offline  
Old 08-17-2004   #36 (permalink)
devine
Emergence
 
Join Date: Jul 2004
Location: Paris
Posts: 389
Quote:
Originally Posted by Kronk
Still getting different results with aircrack 1.1-patched and aircrack 1.2. Seems that didn't fix the problem. Older version finds the key in 6 secs, v1.2 still trying after 5 minutes.

Also, chopper still fails to find key with any of the dump files even after trying the endian fix.
I did some more testing, looks like both aircrack 1.2 and chopper fail to find the key when the IVs get incremented linearly and stored in a little-endian way in the 802.11 header. Could you post here a little part of your pcap file, like the first 100 Kb from dd?
devine is offline  
Old 08-18-2004   #37 (permalink)
devine
Emergence
 
Join Date: Jul 2004
Location: Paris
Posts: 389
Quote:
Originally Posted by Kronk
Still getting different results with aircrack 1.1-patched and aircrack 1.2. Seems that didn't fix the problem. Older version finds the key in 6 secs, v1.2 still trying after 5 minutes.
I had a look at your pcap dump file, and it corresponds to the worst case scenario: the IVs are incremented sequentially and stored little-endian in the header; I'm tweaking KoreK's attacks to overcome this problem.
devine is offline  
Old 08-18-2004   #38 (permalink)
devine
Emergence
 
Join Date: Jul 2004
Location: Paris
Posts: 389
Quote:
Originally Posted by devine
I had a look at your pcap dump file, and it corresponds to the worst case scenario: the IVs are incremented sequentially and stored little-endian in the header; I'm tweaking KoreK's attacks to overcome this problem.
The root cause of the problem lies in the new attacks implemented in aircrack 1.2: they are quite unstable and generate false positives that sometimes don't get rejected. After turning off those attacks I get much better results; this problem will be fixed in the upcoming version of aircrack. Therefore, it sadly appears that the number of 300k required IVs only stands if the IVs are randomly distributed. When this is not the case, around 750k IVs are needed.
devine is offline  
Old 08-19-2004   #39 (permalink)
aminal
Registered Member
 
Join Date: May 2004
Posts: 12
Just ran it, with just over 2 million IV's, it got all but 2 on a 104 bit key. I'm working with the fudge factor now to see if I can get it to crack the whole thing. Still, very impressive.
aminal is offline  
Old 08-19-2004   #40 (permalink)
aminal
Registered Member
 
Join Date: May 2004
Posts: 12
update, I moved the fudge factor down to 1, and it got it. The only issue is, it still said "no luck, sorry." How come?

Great, great job.
aminal is offline  
Old 08-19-2004   #41 (permalink)
devine
Emergence
 
Join Date: Jul 2004
Location: Paris
Posts: 389
Quote:
Originally Posted by aminal
update, I moved the fudge factor down to 1, and it got it. The only issue is, it still said "no luck, sorry." How come?

Great, great job.
Thanks. Please try again with version 1.3 that just got released (http://www.cr0.net:8040/code/network/aircrack-1.3.tgz), a few bugs in the cracking code have been fixed.
devine is offline  
Old 08-19-2004   #42 (permalink)
aminal
Registered Member
 
Join Date: May 2004
Posts: 12
Same thing. Used fudgefactor of 1, it got it right, but still says "no luck, sorry."
aminal is offline  
Old 08-19-2004   #43 (permalink)
devine
Emergence
 
Join Date: Jul 2004
Location: Paris
Posts: 389
Quote:
Originally Posted by aminal
Same thing. Used fudgefactor of 1, it got it right, but still says "no luck, sorry."
Yeah, that's weird. Seems like a bug in check_wepkey, could you post your key and the first 1M of your pcap file somewhere?
devine is offline  
Old 08-19-2004   #44 (permalink)
aminal
Registered Member
 
Join Date: May 2004
Posts: 12
I'm actually using 4 pcap files that I've collected over the past few days. I can zip them up for you, or something else if you like. Don't know if it will help, but I just added another pcap file, this time it was able to guess at fudge factor 2, but still said "no luck."

The key is:

8584ab0abbba941166c5e4b475

Last edited by aminal : 08-19-2004 at 04:28 PM.
aminal is offline  
Old 08-19-2004   #45 (permalink)
aminal
Registered Member
 
Join Date: May 2004
Posts: 12
Ok nevermind zipping them up, I forgot how big those files get. I'm not sure what you mean by the first 1M of the files...
aminal is offline  
All times are GMT -7.