NetStumbler.org Forums

08-25-2004, #76
sylvain
Wireless Auditor
 
Join Date: Jun 2004
Location: Paris, France
Posts: 175
Thanks b0nk. It is very interesting. I would be glad to test the code you've done.
08-25-2004, #77
devine
Emergence
 
Join Date: Jul 2004
Location: Paris
Posts: 389
Quote:
Originally Posted by b0nk
Hello,

I'm just playing with arp-request reinjection with aireplay.
I had an original ~90MB (~260K unique IVs) capture file, and aireplay finds about 500 possible ARP packets.
After reinjecting about 2M packets to the traffic & launching aircrack, it only finds about 4000 unique IVs.
Reading aireplay.c source :

if( pkh.len + ( h80211[27] & 0x3F ) != 0x44 )
    continue;

0x44 = 68 decimal.
The calculated packet length must be exactly 68 bytes if I understand well (and match every condition before this line).
I believe some false positives are possible.
There's 50% false positives, which are the arp-replies. But we can't tell if an encrypted packet is a request or a reply, so aireplay sends both.

Quote:
Originally Posted by b0nk
What about improving the predictable packet filtering mechanism ?
ARP packets are not the only predictable ones, SYN/ACK/RST/FIN TCP packets are also predictable.
Yep, that's in my TODO list.
08-25-2004, #78
devine
Emergence
 
Join Date: Jul 2004
Location: Paris
Posts: 389
Quote:
Originally Posted by b0nk
I analysed my capture file manually with ethereal (which is far more useful for analysing packets than tcpdump), to search for some recurrent patterns.
I had a look at broadcasted queries. I found many packets of 118 & 368 bytes (raw) length.
Which kind of packets are those ? NetBIOS UDP broadcast ?

Quote:
Originally Posted by b0nk
I found that the usual 68 bytes check (original aireplay source) had a tendency to give non optimal results.

Explanation :

At first, usable IVs received with traffic injection are quite good, but after 50K packets usable IVs become more and more rare, reaching a limit after some time.
By replaying 118 & 368 byte packets, this behavior seems to be more tolerant. I think it certainly has a limit too, but the number of usable IVs decreases more slowly than with the 68 bytes filter.

I also added 3 features I found useful for aireplay :
- Hexadecimal dump of selected packets
- Possibility to repeat a specific packet
- Set length check manually

More testing is needed. If someone wants to try the code, let me know!
I'd be very glad to test your code. Thanks very much for all the testing you've done.

-- Christophe
08-25-2004, #79
sylvain
Wireless Auditor
 
Join Date: Jun 2004
Location: Paris, France
Posts: 175
I have a question about traffic generation :
How can I generate traffic when I don't have an IP address for my wireless card and can not use aireplay ?

Is there any option in the ping command to send a broadcast ping from a wireless interface? ping -b, but how do I specify that I want to use my eth1 interface?
Moreover if I can send ping over the air without having any IP address , will the replies be encrypted ?

I'm a bit confused about the generation of traffic when we just know the SSID.
08-25-2004, #80
JSchroe
Registered Member
 
Join Date: Aug 2004
Posts: 6
Where would i go to find out more about wireless encryption/decryption?

Thanks
08-25-2004, #81
G8tK33per
Asshole Emeritus
 
Join Date: May 2003
Location: S.E. VA.
Posts: 5,913
Quote:
Originally Posted by JSchroe
Where would i go to find out more about wireless encryption/decryption?

Thanks
Try HERE.
__________________
"Benjamin is nobody's friend. If Benjamin were an ice cream flavor, he'd be pralines and dick."

Sons of Confederate Veterans
08-25-2004, #82
JSchroe
Registered Member
 
Join Date: Aug 2004
Posts: 6
lol thanks
08-25-2004, #83
topolb
Registered Member
 
Join Date: Jun 2004
Posts: 67
Quote:
Originally Posted by sylvain
I have a question about traffic generation :
How can I generate traffic when I don't have an IP address for my wireless card and can not use aireplay ?

Is there any option in the ping command to send a broadcast ping from a wireless interface? ping -b, but how do I specify that I want to use my eth1 interface?
Moreover if I can send ping over the air without having any IP address , will the replies be encrypted ?

I'm a bit confused about the generation of traffic when we just know the SSID.
Well... you can't.

I mean, if the wlan is wep-protected, then the packets you send must be encrypted in order to be accepted by the other hosts.
So you cannot use tools like ping because as your wlan card driver does not know the wep key, the ICMP won't be encrypted and therefore will be ignored by other hosts.

It's clear that without the WEP key you cannot create custom packets, but you can REINJECT logged ones. You can sniff the network and get an encrypted packet. You do not know what kind of packet it is, its headers or its payload, as it is encrypted, but you can reinject it into the network.

So, if you can capture a packet, for example an arp-request, and reinject it into the network, the destination host will believe that it was sent by the original sender and will produce a response. That happens with arp, tcp-SYN, icmp, and so on.

Finally, as you do not know which packets are useful (arp, icmp) because they are encrypted, the only way to guess them is by their size. As far as I know that's what aireplay uses.

But I have one question... Is there any way to know if specific packets have been replayed... in other words... can an IDS manage to detect the attack?
08-25-2004, #84
devine
Emergence
 
Join Date: Jul 2004
Location: Paris
Posts: 389
Quote:
Originally Posted by topolb
But I have one question... Is there any way to know if specific packets have been replayed... in other words... can an IDS manage to detect the attack?
As the IVs of the packets we resend are always the same, it can be very easily detected by an IDS. Could be fun adding aireplay attack detection in Kismet for instance
08-25-2004, #85
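devine's point that a reinjected frame carries the same IV every time it is sent is the hook a monitor can use, and it answers topolb's question directly. The following Python is an added example, not code from aircrack, aireplay or Kismet: it parses the 802.11 data-frame header and WEP IV, counts how often each (BSSID, source, IV) triple recurs, and reports a triple once it reaches a threshold, also noting whether the frame has the 68-byte size (24-byte header + 4-byte IV/key id + 8-byte LLC/SNAP + 28-byte ARP + 4-byte ICV) that the aireplay check quoted by b0nk tests for. The threshold, the addresses and every frame below are constructed for the demo; 4-address WDS frames are skipped.

```python
"""Detecting WEP frame reinjection from IV reuse.

Added example (not code from aircrack, aireplay or Kismet). It assumes
3-address 802.11 data frames with a 4-byte WEP IV/key-id field and flags a
(BSSID, source, IV) triple that recurs `threshold` times. All frames below
are constructed in this file.
"""
from collections import Counter

FC_TYPE_MASK = 0x0C
FC_TYPE_DATA = 0x08
FLAG_TO_DS = 0x01
FLAG_FROM_DS = 0x02
FLAG_PROTECTED = 0x40        # "WEP" bit in the frame-control flags
HDR_LEN = 24                 # 3-address 802.11 data header
# 24 header + 4 IV/key-id + 8 LLC/SNAP + 28 ARP + 4 ICV = 68 bytes (0x44),
# the length aireplay tests for when hunting ARP frames in WEP traffic.
WEP_ARP_LEN = 68


def parse_wep_frame(frame: bytes):
    """Return (bssid, src, iv, keyid) for a WEP-protected data frame, else None."""
    if len(frame) < HDR_LEN + 4 + 4:          # header, IV/key-id, at least an ICV
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 & FC_TYPE_MASK) != FC_TYPE_DATA or not (fc1 & FLAG_PROTECTED):
        return None
    if (fc1 & FLAG_TO_DS) and (fc1 & FLAG_FROM_DS):
        return None                            # 4-address WDS frames: out of scope
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if fc1 & FLAG_TO_DS:                       # station -> AP
        bssid, src = a1, a2
    elif fc1 & FLAG_FROM_DS:                   # AP -> station
        bssid, src = a2, a3
    else:                                      # ad hoc / IBSS
        bssid, src = a3, a2
    iv = frame[HDR_LEN:HDR_LEN + 3]
    keyid = frame[HDR_LEN + 3] >> 6
    return bssid, src, iv, keyid


class WepReplayDetector:
    """A station encrypting its own traffic should not reuse an IV within a short
    capture; a reinjected frame carries the same IV every time it is sent, so a
    (BSSID, source, IV) triple recurring `threshold` times is reported once."""

    def __init__(self, threshold: int = 3):
        self.threshold = threshold
        self.seen = Counter()
        self.alerts = []

    def feed(self, frame: bytes):
        parsed = parse_wep_frame(frame)
        if parsed is None:
            return None
        bssid, src, iv, _ = parsed
        key = (bssid, src, iv)
        self.seen[key] += 1
        if self.seen[key] != self.threshold:
            return None
        alert = {
            "bssid": bssid.hex(":"), "src": src.hex(":"), "iv": iv.hex(),
            "count": self.seen[key], "len": len(frame),
            "arp_sized": len(frame) == WEP_ARP_LEN,
        }
        self.alerts.append(alert)
        return alert


def build_wep_frame(bssid, src, dst, iv, body_len, to_ds=True):
    """Constructed sample frame: a WEP data frame whose body is filler standing
    in for ciphertext + ICV (no real encryption is performed)."""
    fc = bytes([FC_TYPE_DATA, FLAG_PROTECTED | (FLAG_TO_DS if to_ds else FLAG_FROM_DS)])
    addrs = bssid + src + dst if to_ds else dst + bssid + src
    body = bytes((i * 37 + iv[0]) & 0xFF for i in range(body_len))
    #        fc   duration      addr1..3  seq ctl       IV   key-id
    return fc + b"\x00\x00" + addrs + b"\x00\x00" + iv + b"\x00" + body


# Constructed addresses for the demo traffic.
BSSID = bytes.fromhex("00112233aabb")
STA = bytes.fromhex("00aabbccdd01")
BCAST = b"\xff" * 6


def demo():
    det = WepReplayDetector(threshold=3)
    # Legitimate station: a fresh IV on every frame.
    for n in range(20):
        det.feed(build_wep_frame(BSSID, STA, BCAST, n.to_bytes(3, "big"), 40))
    # Reinjection: one captured ARP-sized frame sent again and again.
    captured = build_wep_frame(BSSID, STA, BCAST, bytes.fromhex("c0ffee"), 40)
    for _ in range(10):
        det.feed(captured)
    return det.alerts


if __name__ == "__main__":
    for a in demo():
        print("replay suspected:", a)
```

Run directly, it reports the replayed frame once its IV has been seen three times. A real monitor would feed it frames from a monitor-mode capture and age the counter out over time, because stations with small IV counters do eventually wrap and repeat IVs legitimately; the signal of reinjection is the same IV recurring many times in quick succession, usually together with identical frame length.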
b0nk
Registered Member
 
Join Date: Aug 2004
Location: Paris, France
Posts: 8
Quote:
Originally Posted by devine
Which kind of packets are those ? NetBIOS UDP broadcast ?
I don't know, I don't have access to any AP right now.
Maybe someone could make some tests for me ?

Quote:
Originally Posted by devine
I'd be very glad to test your code Thanks very much for all the testing you've done.

-- Christophe
No problem, see attachment.
By the way, I think the graphs depend on how IVs are distributed.

PS : Most of added features were done quickly as I wanted to test as soon as possible.
PS2 : This forum only supports zip attachments, so I've zipped the tarball.
Attached Files
File Type: zip aircrack-1.3+b0nk.zip (16.5 KB, 54 views)

Last edited by b0nk : 08-25-2004 at 05:03 AM.
08-25-2004, #86
KoreK
Banned in DC
 
Join Date: Jul 2004
Posts: 102
Quote:
Originally Posted by topolb
Well... you can't.

... It's clear that without the wep key you cannot create custom packets, ...
Well, in theory you can. Working on it. Packet reinjection is quite laborious. Let's see if reality sticks to theory...

PS: b0nk, read the forum rules/FAQ before posting.
08-25-2004, #87
devine
Emergence
 
Join Date: Jul 2004
Location: Paris
Posts: 389
Quote:
Originally Posted by b0nk
By the way, I think the graphs depend on how IVs are distributed.
Possibly. Also, there's a bug in airodump 1.3: the "usable" IVs it selects (with -w) are only those specific to the standard FMS attack, so your graph doesn't show the many more IVs that the KoreK attacks use. This behaviour has been fixed in airodump 1.4
08-25-2004, #88
b0nk
Registered Member
 
Join Date: Aug 2004
Location: Paris, France
Posts: 8
Quote:
Originally Posted by devine
Possibly. Also, there's a bug in airodump 1.3: the "usable" IVs it selects (with -w) are only those specific to the standard FMS attack, so your graph doesn't show the many more IVs that the KoreK attacks use. This behaviour has been fixed in airodump 1.4
Ok. I'll regenerate some graphs today. I have to test on a 1 hour time basis as I mentioned in my previous post.
Can you create a 1.3-1.4 diff patch? It would be easier for me to merge my code into the new aircrack.
08-25-2004, #89
sylvain
Wireless Auditor
 
Join Date: Jun 2004
Location: Paris, France
Posts: 175
Quote:
Originally Posted by devine
Possibly. Also, there's a bug in airodump 1.3: the "usable" IVs it selects (with -w) are only those specific to the standard FMS attack, so your graph doesn't show the many more IVs that the KoreK attacks use. This behaviour has been fixed in airodump 1.4
Did you release aircrack-1.4 ?
08-25-2004, #90
devine
Emergence
 
Join Date: Jul 2004
Location: Paris
Posts: 389
Quote:
Originally Posted by sylvain
Did you release aircrack-1.4 ?
Coming soon. I had fun rewriting airodump, Kismet-style:
Attached Images
File Type: png airodump-1.4.png (8.2 KB, 353 views)