NetStumbler.org Forums

Old 08-19-2004   #46 (permalink)
devine
Emergence
 
Join Date: Jul 2004
Location: Paris
Posts: 389
Quote:
Originally Posted by aminal
Ok nevermind zipping them up, I forgot how big those files get. I'm not sure what you mean by the first 1M of the files...
Erm actually I meant the 1st megabytes like in "dd if=pcap of=pcap-small count=2048"

Last edited by devine : 08-20-2004 at 12:00 AM.
devine is offline  
Old 08-20-2004   #47 (permalink)
aminal
Registered Member
 
Join Date: May 2004
Posts: 12
Gotcha. I wasn't sure if you meant the first meg, or the first million packets, or what. Anyway, I PMed you the info.

thanks.
aminal is offline  
Old 08-20-2004   #48 (permalink)
devine
Emergence
 
Join Date: Jul 2004
Location: Paris
Posts: 389
Quote:
Originally Posted by aminal
Gotcha. I wasn't sure if you meant the first meg, or the first million packets, or what. Anyway, I PMed you the info.
Thanks. I could not reproduce the behaviour you've seen (it says KEY FOUND using -d), but nevertheless wrote a patch that makes check_wepkey more fault-tolerant, it should still report key found even if four of the 8 check packets are corrupted. Available at: (removed), let me know if this fixes your problem.

post-edit: patch obsolete thus removed.

Last edited by devine : 10-10-2004 at 01:50 PM.
devine is offline  
Old 08-20-2004   #49 (permalink)
sylvain
Wireless Auditor
 
Join Date: Jun 2004
Location: Paris, France
Posts: 175
which version of libpcap do you use ?
sylvain is offline  
Old 08-20-2004   #50 (permalink)
devine
Emergence
 
Join Date: Jul 2004
Location: Paris
Posts: 389
Quote:
Originally Posted by sylvain
which version of libpcap do you use ?
aircrack doesn't rely on libpcap; however, it is compatible with the pcap file format.
devine is offline  
Old 08-20-2004   #51 (permalink)
sylvain
Wireless Auditor
 
Join Date: Jun 2004
Location: Paris, France
Posts: 175
and airodump ?
sylvain is offline  
Old 08-20-2004   #52 (permalink)
devine
Emergence
 
Join Date: Jul 2004
Location: Paris
Posts: 389
Quote:
Originally Posted by sylvain
and airodump ?
Read the source. Neither airodump, aireplay nor 802ether needs the libpcap library. By the way, I've started working (still during my free time) on a Windows port of aircrack; unfortunately my Prism2 cards can't be used with the drivers from AiroPeek. Just to say that I'm open for hardware donations.

post-edit: more specifically, orinoco or atheros-based pcmcia cards

Last edited by devine : 08-21-2004 at 12:56 AM.
devine is offline  
Old 08-20-2004   #53 (permalink)
aminal
Registered Member
 
Join Date: May 2004
Posts: 12
Quote:
Originally Posted by devine
Thanks. I could not reproduce the behaviour you've seen (it says KEY FOUND using -d), but nevertheless wrote a patch that makes check_wepkey more fault-tolerant, it should still report key found even if four of the 8 check packets are corrupted. Available at: http://www.cr0.net:8040/code/network...k_wepkey.patch , let me know if this fixes your problem.
I used ./aircrack -d 85 /files.pcap - and it did the same, again. I'm patching now...Yep, same results with the patch. Just over 2 million usable IV's, finished in 8 seconds, correct key, "no luck, sorry". I got this with -d 85 and fudge 1 separately and together.

Last edited by aminal : 08-20-2004 at 02:19 PM.
aminal is offline  
Old 08-21-2004   #54 (permalink)
devine
Emergence
 
Join Date: Jul 2004
Location: Paris
Posts: 389
Quote:
Originally Posted by aminal
I used ./aircrack -d 85 /files.pcap - and it did the same, again. I'm patching now...Yep, same results with the patch. Just over 2 million usable IV's, finished in 8 seconds, correct key, "no luck, sorry". I got this with -d 85 and fudge 1 separately and together.
Ok, could you cut&paste here your terminal output with "-f 1" ? Also try "-d 85:84:ab:0a:bb:ba:94:11:66:c5:e4:b4:75"
devine is offline  
Old 08-21-2004   #55 (permalink)
KoreK
Banned in DC
 
Join Date: Jul 2004
Posts: 102
They already had 13% attacks in 1995. That is amusing. FMS is citing the post in their paper, so it was well known to them as well. Yet, they went for a weaker attack. Little sneaky bastards...

Post-edit: Got tangled up in my links. FMS is citing one of the posts in the discussion (Roos). Still, naughty, naughty...

Last edited by KoreK : 08-21-2004 at 04:55 AM.
KoreK is offline  
Old 08-21-2004   #56 (permalink)
aminal
Registered Member
 
Join Date: May 2004
Posts: 12
Quote:
Originally Posted by devine
Ok, could you cut&paste here your terminal output with "-f 1" ? Also try "-d 85:84:ab:0a:bb:ba:94:11:66:c5:e4:b4:75"
Sure. With "-f 1":
Code:
                                 aircrack 1.3
                                                                                
   * Got  2167075 unique IVs | fudge factor = 1
   * Elapsed time [00:00:08] | tried 0 keys at 0 k/m
                                                                                
   KB    depth   votes
    0    0/  1   85( 330) 0D(  43) F6(  36) FC(  36) 09(  25) 74(  22)
    1    0/  1   84( 445) 22(  66) A7(  66) 7E(  64) EC(  57) 7A(  53)
    2    0/  1   AB( 425) AE(  30) B6(  25) BB(  24) 36(  20) 37(  20)
    3    0/  1   0A( 575) AC( 156) 40(  48) 08(  42) 05(  41) 8D(  40)
    4    0/  1   BB( 520) 7B(  93) B6(  73) 74(  33) F4(  32) D7(  31)
    5    0/  1   BA( 394) B9(  91) 22(  62) B1(  46) 73(  43) 21(  42)
    6    0/  1   94( 821) 95(  42) 09(  33) F6(  30) 1C(  29) 0E(  28)
    7    0/  1   11( 616) 12( 263) D3(  98) 0F(  60) BE(  42) D2(  36)
    8    0/  1   66( 386) 36(  63) 5F(  51) 54(  49) B3(  48) B6(  34)
    9    0/  1   C5( 257) 41(  65) 69(  57) 48(  44) EA(  38) 3F(  36)
   10    0/  1   E4( 321) 6F(  62) 73(  56) D8(  45) 9D(  38) 07(  35)
   11    0/  1   B4( 465) 7D( 115) 80(  49) 84(  42) 22(  38) 67(  38)
   12    0/  1   75( 455) BA( 130) E9(  50) EF(  44) 23(  43) BD(  37)
                                                                                
   No luck, sorry.
with "-d 85:84:ab:0a:bb:ba:94:11:66:c5:e4:b4:75":

Code:
                                 aircrack 1.3
                                                                                
   * Got  2167075 unique IVs | fudge factor = 2
   * Elapsed time [00:00:07] | tried 0 keys at 0 k/m
                                                                                
   KB    depth   votes
    0    0/  1   85( 999) 0D(  43) F6(  36) FC(  36) 09(  25) 74(  22)
    1    0/  1   84( 999) 22(  66) A7(  66) 7E(  64) EC(  57) 7A(  53)
    2    0/  1   AB( 999) AE(  30) B6(  25) BB(  24) 36(  20) 37(  20)
    3    0/  1   0A( 999) AC( 156) 40(  48) 08(  42) 05(  41) 8D(  40)
    4    0/  1   BB( 999) 7B(  93) B6(  73) 74(  33) F4(  32) D7(  31)
    5    0/  1   BA( 999) B9(  91) 22(  62) B1(  46) 73(  43) 21(  42)
    6    0/  1   94( 999) 95(  42) 09(  33) F6(  30) 1C(  29) 0E(  28)
    7    0/  1   11( 999) 12( 263) D3(  98) 0F(  60) BE(  42) D2(  36)
    8    0/  1   66( 999) 36(  63) 5F(  51) 54(  49) B3(  48) B6(  34)
    9    0/  1   C5( 999) 41(  65) 69(  57) 48(  44) EA(  38) 3F(  36)
   10    0/  1   E4( 999) 6F(  62) 73(  56) D8(  45) 9D(  38) 07(  35)
   11    0/  1   B4( 999) 7D( 115) 80(  49) 84(  42) 22(  38) 67(  38)
   12    0/  1   75( 999) BA( 130) E9(  50) EF(  44) 23(  43) BD(  37)
                                                                                
   No luck, sorry.
With "-f 1 -d 85:84:ab:0a:bb:ba:94:11:66:c5:e4:b4:75":

Code:
                                 aircrack 1.3
                                                                                
   * Got  2167075 unique IVs | fudge factor = 1
   * Elapsed time [00:00:07] | tried 0 keys at 0 k/m
                                                                                
   KB    depth   votes
    0    0/  1   85( 999) 0D(  43) F6(  36) FC(  36) 09(  25) 74(  22)
    1    0/  1   84( 999) 22(  66) A7(  66) 7E(  64) EC(  57) 7A(  53)
    2    0/  1   AB( 999) AE(  30) B6(  25) BB(  24) 36(  20) 37(  20)
    3    0/  1   0A( 999) AC( 156) 40(  48) 08(  42) 05(  41) 8D(  40)
    4    0/  1   BB( 999) 7B(  93) B6(  73) 74(  33) F4(  32) D7(  31)
    5    0/  1   BA( 999) B9(  91) 22(  62) B1(  46) 73(  43) 21(  42)
    6    0/  1   94( 999) 95(  42) 09(  33) F6(  30) 1C(  29) 0E(  28)
    7    0/  1   11( 999) 12( 263) D3(  98) 0F(  60) BE(  42) D2(  36)
    8    0/  1   66( 999) 36(  63) 5F(  51) 54(  49) B3(  48) B6(  34)
    9    0/  1   C5( 999) 41(  65) 69(  57) 48(  44) EA(  38) 3F(  36)
   10    0/  1   E4( 999) 6F(  62) 73(  56) D8(  45) 9D(  38) 07(  35)
   11    0/  1   B4( 999) 7D( 115) 80(  49) 84(  42) 22(  38) 67(  38)
   12    0/  1   75( 999) BA( 130) E9(  50) EF(  44) 23(  43) BD(  37)
                                                                                
   No luck, sorry.
aminal is offline  
Old 08-21-2004   #57 (permalink)
devine
Emergence
 
Join Date: Jul 2004
Location: Paris
Posts: 389
Quote:
Originally Posted by aminal
Sure. With "-f 1":
Code:
   No luck, sorry.
There's definitely something fishy going on with the check_wepkey function; to help resolve this problem I've written a small patch (to be applied against stock 1.3) that prints some debugging info when a potential key is checked: http://www.cr0.net:8040/code/network...ey-debug.patch . Please run aircrack -f 1 again with this patch and paste here the debug output.
devine is offline  
Old 08-21-2004   #58 (permalink)
aminal
Registered Member
 
Join Date: May 2004
Posts: 12
The display got messed up a bit for some reason in the results (as you'll see) but here's what came back with fudge one:

Code:
                                 aircrack 1.3
                                                                                
   * Got  2167075 unique IVs | fudge factor = 1
   * Elapsed time [00:00:02] | tried 0 keys at 0 k/m
                                                                                
   KB    depth   votes
    0    0/  1   85( 330) 0D(  43) F6(  36) FC(  36) 09(  25) 74(  22)
    1    0/  1   84( 445) 22(  66aircrack 1.3E(  64) EC(  57) 7A(  53)
    2    0/  1   AB( 425) AE(  30) B6(  25) BB(  24) 36(  20) 37(  20)
   * Got  2167075 unique IVs | fudge factor = 1  42) 05(  41) 8D(  40)
   * Elapsed time [00:00:07] | tried 0 keys at 0 k/m F4(  32) D7(  31)
                                                                                
   KB    depth   votesn = 5, wepkey = 85:84:AB:0A:BB
    0    0/  1   85( 330) 0D(  43) F6(  36) FC(  36) 09(  25) 74(  22)
    1    0/  1   84( 445) 22(  66) A7(  66) 7E(  64) EC(  57) 7A(  53)
    2    0/  1   AB( 425) AE(  30) B6(  25) BB(  24) 36(  20) 37(  20)
    3    0/  1   0A( 575) AC( 156) 40(  48) 08(  42) 05(  41) 8D(  40)
    4    0/  1   BB( 520) 7B(  93) B6(  73) 74(  33) F4(  32) D7(  31)
    5    0/  1   BA( 394) B9(  91) 22(  62) B1(  46) 73(  43) 21(  42)
    6    0/  1   94( 821) 95(  42) 09(  33) F6(  30) 1C(  29) 0E(  28)
    7    0/  1   11( 616) 12( 263) D3(  98) 0F(  60) BE(  42) D2(  36)
    8    0/  1   66( 386) 36(  63) 5F(  51) 54(  49) B3(  48) B6(  34)
    9    0/  1   C5( 257) 41(  65) 69(  57) 48(  44) EA(  38) 3F(  36)
   10    0/  1   E4( 321) 6F(  62) 73(  56) D8(  45) 9D(  38) 07(  35)
   11    0/  1   B4( 465) 7D( 115) 80(  49) 84(  42) 22(  38) 67(  38)
   12    0/  1   75( 455) BA( 130) E9(  50) EF(  44) 23(  43) BD(  37)
                                                                                
in check_wepkey: weplen = 13, wepkey = 85:84:AB:0A:BB:BA:94:11:66:C5:E4:B4:75
test 0 started, kcheck = 67,A4,01,00,21,04,FE,09,13,C6
test 0 done, result = 1
test 1 started, kcheck = EE,F1,14,00,86,BF,FB,50,F2,43
test 1 done, result = 1
test 2 started, kcheck = 68,A4,01,00,A5,8C,A0,DE,93,31
test 2 done, result = 1
test 3 started, kcheck = EF,F1,14,00,B7,DE,12,6A,82,6E
test 3 done, result = 1
test 4 started, kcheck = F1,F1,14,00,B1,BA,B6,D6,6F,B1
test 4 done, result = 7
test 5 started, kcheck = F2,F1,14,00,46,52,E4,27,DE,DA
test 5 done, result = 4
test 6 started, kcheck = F3,F1,14,00,EB,99,AD,57,E1,76
test 6 done, result = 7
test 7 started, kcheck = F4,F1,14,00,12,A7,A4,03,33,E3
test 7 done, result = 4
   No luck, sorry.
aminal is offline  
Old 08-21-2004   #59 (permalink)
devine
Emergence
 
Join Date: Jul 2004
Location: Paris
Posts: 389
Quote:
Originally Posted by aminal
The display got messed up a bit for some reason in the results (as you'll see) but here's what came back with fudge one:

Code:
in check_wepkey: weplen = 13, wepkey = 85:84:AB:0A:BB:BA:94:11:66:C5:E4:B4:75
test 0 started, kcheck = 67,A4,01,00,21,04,FE,09,13,C6
test 0 done, result = 1
test 1 started, kcheck = EE,F1,14,00,86,BF,FB,50,F2,43
test 1 done, result = 1
test 2 started, kcheck = 68,A4,01,00,A5,8C,A0,DE,93,31
test 2 done, result = 1
test 3 started, kcheck = EF,F1,14,00,B7,DE,12,6A,82,6E
test 3 done, result = 1
test 4 started, kcheck = F1,F1,14,00,B1,BA,B6,D6,6F,B1
test 4 done, result = 7
test 5 started, kcheck = F2,F1,14,00,46,52,E4,27,DE,DA
test 5 done, result = 4
test 6 started, kcheck = F3,F1,14,00,EB,99,AD,57,E1,76
test 6 done, result = 7
test 7 started, kcheck = F4,F1,14,00,12,A7,A4,03,33,E3
test 7 done, result = 4
Thanks very much. After deciphering the data above, it appeared that the first four packets are actually 802.2 IPX/TokenRing? encapsulated in 802.3 (SNAP = E0 E0 03 FF FF 00), two others are Appletalk (SNAP = AA AA 03 08 00 07) and the rest is regular Ethernet (SNAP = AA AA 03 00 00 00). The simplest way to fix this bug is to take care of the E0 case and only verify each ciphertext's first two bytes in check_wepkey. These changes will be included in aircrack 1.4, as well as a couple of other bugfixes mainly aimed at enhancing portability on other unices. Again, thanks a lot for your diligent help on this matter.
devine is offline  
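The header mix described in post #59, as an added example that is not aircrack's code and not part of the thread: it shows why a verifier that expects one fixed plaintext header rejects a correct key on mixed traffic, and how the two-byte AA/E0 check avoids that. The function names, the packet layout (IV plus six ciphertext bytes), the strict "before" check and the test frames are all assumptions constructed for illustration.

```c
#include <stdint.h>
#include <string.h>

/* RC4 seeded the WEP way: 3-byte IV followed by the secret key. */
static void wep_rc4(const uint8_t *iv, const uint8_t *key, unsigned klen,
                    const uint8_t *in, uint8_t *out, unsigned n)
{
    uint8_t seed[16], S[256], t;
    unsigned i, j = 0, k;
    if (klen > 13) klen = 13;                /* 104-bit key is the largest handled */
    memcpy(seed, iv, 3); memcpy(seed + 3, key, klen);
    for (i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (i = 0; i < 256; i++) {              /* key scheduling */
        j = (j + S[i] + seed[i % (3 + klen)]) & 0xFF;
        t = S[i]; S[i] = S[j]; S[j] = t;
    }
    for (i = j = k = 0; k < n; k++) {        /* keystream XOR */
        i = (i + 1) & 0xFF; j = (j + S[i]) & 0xFF;
        t = S[i]; S[i] = S[j]; S[j] = t;
        out[k] = in[k] ^ S[(S[i] + S[j]) & 0xFF];
    }
}

static const uint8_t HDR[3][6] = {           /* headers named in the thread */
    {0xE0, 0xE0, 0x03, 0xFF, 0xFF, 0x00},    /* 802.2 IPX */
    {0xAA, 0xAA, 0x03, 0x08, 0x00, 0x07},    /* AppleTalk */
    {0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00}};   /* regular Ethernet */

/* pkt = IV (3 bytes) + first 6 ciphertext bytes (assumed layout). relaxed == 0: hypothetical
   strict test against the Ethernet header; else the thread's fix, first two bytes AA AA or E0 E0. */
int check_pkt(const uint8_t *key, unsigned klen, const uint8_t *pkt, int relaxed)
{
    uint8_t p[6];
    wep_rc4(pkt, key, klen, pkt + 3, p, 6);
    if (!relaxed) return memcmp(p, HDR[2], 6) == 0;
    return p[0] == p[1] && (p[0] == 0xAA || p[0] == 0xE0);
}

/* Build 8 constructed frames under `real` (4 IPX, 2 AppleTalk, 2 Ethernet); count passes for `guess`. */
int count_pass(const uint8_t *real, const uint8_t *guess, unsigned klen, int relaxed)
{
    uint8_t pkt[9]; int i, ok = 0;
    for (i = 0; i < 8; i++) {
        pkt[0] = (uint8_t)i; pkt[1] = 0x5A; pkt[2] = 0x01;   /* constructed IV */
        wep_rc4(pkt, real, klen, HDR[i < 4 ? 0 : i < 6 ? 1 : 2], pkt + 3, 6);
        ok += check_pkt(guess, klen, pkt, relaxed);
    }
    return ok;
}
```

With the correct key the strict check passes only the two regular Ethernet frames out of eight, so a verifier that tolerates four bad frames would still reject the key, while the relaxed check passes all eight.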
Old 08-21-2004   #60 (permalink)
aminal
Registered Member
 
Join Date: May 2004
Posts: 12
No problem at all, man. It's a great tool - glad I could help.
aminal is offline  