Shockwave

Hello,

I tried aircrack on my own wlan with a 64 bit key (just for this session ). After I moved some GB through my wireless network, I got ~500.000 IV's and tried aircrack. Well, I had to wait for about 0 seconds to see my key there :>

Then I tried aireplay and it creates about 1000 packets (and IV's) per second! It just took a few seconds to get another ~500.000 IV's, but aircrack didn't find a key (I waited for about 30 minutes).

Any ideas?

The Others

You either got lucky the first time, or, unlucky the second. If you read the documentation for aircrack (you have read the readme, right?), you will see the role luck has to play within the mathematics of WEP cracking.

__________________
all good ends all

Shockwave

Of course I read it :>
Maybe I try again later...

joswr1ght

The number of IV's collected as reported by airodump can be misleading when using aireplay. Remember that aireplay takes the same WEP frame and retransmits it over and over again without modifying the frame. Each retransmitted ARP will cause the IV count to increment, but since it is the same IV each time, the ARP frame isn't useful for recovering the key. You want to make sure you are getting responses to your ARP requests, maybe using Ethereal partway through the capture to identify the number of non-ARP request data frames you have collected.

-Josh

__________________
-Joshua Wright
jwright@hasborg.com
http://home.jwu.edu/jwright/

Today I stumbled across the world's largest hotspot. The SSID is "linksys".


Check out the SANS advanced wireless auditing and assessment course:
Los Angeles

devine

Could be extreme bad luck. Sometimes aircrack just doesn't find the key, no matter what.

Shockwave

@joswr1ght: It works fine for my WRT54GS but i have no chance with my D-Link AP :-|

bad luck.. huh...

rytox

we have somehow a similar problem.
here's some little description, maybe it helps, maybe you've got some ideas for us :-)

software used: (thanks to devine :-) aireplay, aircrack, airodump
operating system: auditor linux embedded
wlan devices: two prism 2.5 running hostap (for capture and inject), HP iPAQ 4150 to generate potential arp-packets, netgear 108mbit wlan card for generating ordinary traffic



first scenario:

one ap gets pingflooded from the first notebook
the second notebook captures with airodump

-> 45 min., 600000 IVs found, 500000 usable "unique" IVs in aircrack -> we get the correct key..


second scenario:

same accesspoint not getting pingflooded this time
same "second notebook" tries to inject the dumpfile from above (the one with 500000 uniques) with aireplay and can only find 1 (!) usable potential arp-packet. -> okay, we thought, let's try it anyways
third notebook captures with airodump

-> 45 min., 600000 IVs found, 500000 usable "unique" IVs in aircrack -> we get the correct key..


third scenario:

same accesspoint not getting pingflooded
my HP iPAQ 4150 tries to connect to the ap without knowing the wep-key
"second notebook" captures 300 IVs (about 5-10 min.) and tries to inject resulting 32 arp-packets
third notebook captures with airodump

-> 2h., 2000000 IVs found, 1800000 usable "unique" IVs in aircrack -> we don't get the key..
-> we keep on injecting and capturing and switch the ap off in between -> the amount of IVs still raises and we give up (useless try)


fourth scenario:

same accesspoint not getting pingflooded
"first notebook" just surfes the net to generate some little traffic (no download!)
"second notebook" captures 300 IVs (about 3 min.) and tries to inject resulting 130 arp-packets
third notebook captures with airodump

-> 2h., 7000000 IVs found, 6900000 usable "unique" IVs in aircrack -> we don't get the key..
-> we guess it's just another useless try


can someone explain that to us? no matter how often we repeat scenario 1 and 2 we always get the key round about at the same amount of IVs.

if aircrack shows xxxxxxxxxx (in our case 7000000) "unique IVs", are all of them really usable for cracking?
it seems for us, that we always only capture our own re-injected files and almost none of the ap's replies. these files are shown as uniques but don't help for cracking (thats at least what we think)

what kind of arp-packets are needed to make the ap reply really interesting IV's? how can we generate them?

last but not least how many potential-arp-packets would you inject? would you take exactly 1, or maybe 30 or 130 or 3000? maybe there's our mistake.

anyways thanks for reading and sunny greetings from snowy germany

-rytox

devine

2h., 7000000 IVs found, 6900000 usable "unique" IVs in aircrack -> we don't get the key..

Well. As Michael Ossmann pointed out in a recent article on SecurityFocus (http://www.securityfocus.com/infocus/1814), aircrack has problems with very large sets of unique IVs, above 5M approximately. In that case, raising the fudge factor to 4 gets rid of most false positives.

if aircrack shows xxxxxxxxxx (in our case 7000000) "unique IVs", are all of them really usable for cracking?

AFAIK KoreK's attacks depend each on different IVs (that's what make them so efficient). But you'd have to ask him for more precise details

what kind of arp-packets are needed to make the ap reply really interesting IV's? how can we generate them?

The IV generated by the AP doesn't depend on the packet contents, so any arp-request that generates a reply should do. In general, IVs near 0 are more useful than IVs near ffffff. So if the AP starts at 0 and increments the IVs, you can reset it and you'll get "higher quality IVs".

last but not least how many potential-arp-packets would you inject? would you take exactly 1, or maybe 30 or 130 or 3000? maybe there's our mistake.

One is enough, as long as it generates a reply.

anyways thanks for reading and sunny greetings from snowy germany

No problem - and greetings from Paris

Christophe

Shockwave

I have another Question: Soon I'll have to give back one of the two notebooks I have here. Now I'm wondering how important this is:

These cards' antennas must be at least 50cm away from each other!

You mean I can't use a Prism PCMCIA Card for injecting and an build in Atheros chip for sniffing ? I guess these antennas are 15 cmaway from each other

greets,

Shockwave

Thorn

Ignore the warning at a risk of physically damaging the radios.

__________________
Thorn
"I'm The Doctor. I'm a Time Lord. I am from the planet Gallifrey in the constellation Kasterborous. I'm 903 years old and I am the man who is going to save your lives and all 6 billion people on the planet below... You got a problem with that?"

Shockwave

WTF... ? You're kidding, aren't you ? :-O

Thorn

No, I'm quite serious. Why do think that there's a warning?

<sarcasm>
They aren't there to just put important looking words in the manual.
</sarcasm>

Let me make this perfectly clear: You can PHYSICALLY cause DAMAGE to radios when you place a receiver too close to a transmitter.

Follow the instructions. If the manual says that the antennae should be 50cm appart, then they should be at least 50cm apart.

__________________
Thorn
"I'm The Doctor. I'm a Time Lord. I am from the planet Gallifrey in the constellation Kasterborous. I'm 903 years old and I am the man who is going to save your lives and all 6 billion people on the planet below... You got a problem with that?"

G8tK33per

Really....you SURE about that?

__________________
"Benjamin is nobody's friend. If Benjamin were an ice cream flavor, he'd be pralines and dick."

Sons of Confederate Veterans

Thorn

<sarcasm>
OK, you got me. It's a conspiracy between me and the guys who wrote the manual to put important sounding warnings in there for the hell of it. People can safely ignore this. The safety warnings on microwave ovens was another one we came up with. People can actually microwave a wet cat will no ill effects to the cat.

(Which, of course, is actually a conspiracy to rid the world of cats. Wheels within wheels, people. Machavelli has got nothing on me.)
</sarcasm>

__________________
Thorn
"I'm The Doctor. I'm a Time Lord. I am from the planet Gallifrey in the constellation Kasterborous. I'm 903 years old and I am the man who is going to save your lives and all 6 billion people on the planet below... You got a problem with that?"

nashr

Yep, works great on cats! Now, hamsters... that's a different matter entirely

__________________
Help! I've been Simpsonized!