Anyone able to inject (aireplay or otherwise) against a 2Wire HomePortal?

ninjamonkey · 02-17-2006

All this time I thought I was doing something wrong or that I had a bad driver because I couldn't get aireplay (Auditor CD) to do any ARP-reply packet injection against my brand-new 2Wire HomePortal 1701HG. After a week of frustration, I pulled my old-ass Linksys BEFW11S4 out of the basement, set it up with the extra laptop for wireless, and was able to crack it in less time it took for me to set it up.

Is there something inherently more safe about the 2Wire? Is one router being more/less picky about well-formed, non-repeating ARP packets? Or am I supposed to do something different against different routers? I think the aireplay documentation even suggests that it won't work against all wireless routers, and maybe this is just one of those routers?

Anyone else able to use packet injections against the same 2Wire? Or maybe any 2Wire? Or should I sit comfortably in my (false) sense of security, as long as I have low/no wireless traffic?

streaker69 · 02-17-2006

Quote:

Originally Posted by ninjamonkey

All this time I thought I was doing something wrong or that I had a bad driver because I couldn't get aireplay (Auditor CD) to do any ARP-reply packet injection against my brand-new 2Wire HomePortal 1701HG. After a week of frustration, I pulled my old-ass Linksys BEFW11S4 out of the basement, set it up with the extra laptop for wireless, and was able to crack it in less time it took for me to set it up.

Is there something inherently more safe about the 2Wire? Is one router being more/less picky about well-formed, non-repeating ARP packets? Or am I supposed to do something different against different routers? I think the aireplay documentation even suggests that it won't work against all wireless routers, and maybe this is just one of those routers?

Anyone else able to use packet injections against the same 2Wire? Or maybe any 2Wire? Or should I sit comfortably in my (false) sense of security, as long as I have low/no wireless traffic?

2Wire's webpage says.

http://support.2wire.com/cgi-bin/two...Z2U9MQ**&p_li=

02-21-2006

Yup, I did it last night actually. No problems.. can't give you router information because I don't have it (yes, you know what I mean).

streaker69 · 02-21-2006

Quote:

Originally Posted by xtzz

Yup, I did it last night actually. No problems.. can't give you router information because I don't have it (yes, you know what I mean).

No, what do you mean?

Airstreamer · 02-21-2006

Quote:

Originally Posted by streaker69

No, what do you mean?

You really expect an answer to that?

Dutch · 02-22-2006

Quote:

Originally Posted by xtzz

Yup, I did it last night actually. No problems.. can't give you router information because I don't have it (yes, you know what I mean).

We can only guess based upon your information. So as a SWAG you cracked and broke the wep key on somebody elses network, then connected to it to check if the key for that network was found, a network you weren't authorized to use.

In the words of René from 'Allo, 'Allo.. : "You stupid (wo)man....." Posting such things on a network security issue related website, a website run by former LEO's and InfoSec personnel just shows what a brain you haven't got.

Say bye bye now, and hopefully say hello to Bubba soon.

E-mail : psxl@syntechsoftware.com
IP-Address : 68.52.202.60 : c-68-52-202-60.hsd1.tn.comcast.net

Dutch

Gerbil333 · 03-30-2006

I've observed the same thing. AiReplay works perfectly against my Linksys WRT54G (using HyperWRT + tofo 11 firmware), but fails against our 2Wire 1800HG.

Driving around my block, I've found that about half of the 29 APs are using the default "2WIRE###" SSID (SBC Yahoo DSL is the main source of broadband here). I bet those same people are using entirely default settings as well, meaning they're using the default 64 bit WEP key printed on their routers' sticker. Therefore, 2Wire has sort of defeated the purpose of blocking packet injection unless the end user is knowledgeable enough to change their router's security level to WPA (avoiding dictionary entries), or at minimum, 128 bit WEP since that would greatly increase the time required for a cracker to gather the needed number of packets.

theprez98 · 03-30-2006

Quote:

Originally Posted by Gerbil333

I've observed the same thing. AiReplay works perfectly against my Linksys WRT54G (using HyperWRT + tofo 11 firmware), but fails against our 2Wire 1800HG.

Driving around my block, I've found that about half of the 29 APs are using the default "2WIRE###" SSID (SBC Yahoo DSL is the main source of broadband here). I bet those same people are using entirely default settings as well, meaning they're using the default 64 bit WEP key printed on their routers' sticker. Therefore, 2Wire has sort of defeated the purpose of blocking packet injection unless the end user is knowledgeable enough to change their router's security level to WPA (avoiding dictionary entries), or at minimum, 128 bit WEP since that would greatly increase the time required for a cracker to gather the needed number of packets.

Actually, 128-bit WEP won't increase the time all that much. Depending on the setup, I've seen as few as four minutes.

Gerbil333 · 03-30-2006

Is that still possible with with little traffic and no packet injection? As far as I'm aware, it is not.

wham · 03-31-2006

Somewhat interestingly, the difficulty of cracking WEP doesn't increase exponentially with the length of the key, rather it is a linear increase. This is probably because the FMS attack doesn't actually attack the encryption, it just exploits a flaw in the key scheduling algorithm, where cleartext IVs leak info about the key. That's why 128 bit WEP protected networks can be penetrated in as little as three minutes; it would take much longer if the RC4 encryption was attacked directly. With WPA, it would take an exponentially greater amount of time to discover a 30 character key than it would a 15 character PSK.

<off topic> Why did IEEE want the Initialization Vectors in cleartext? Was it really that much slower with the IVs encrypted?

</off topic>

02-17-2006	#1 (permalink)
ninjamonkey Registered Member Join Date: Feb 2006 Posts: 1	Anyone able to inject (aireplay or otherwise) against a 2Wire HomePortal? All this time I thought I was doing something wrong or that I had a bad driver because I couldn't get aireplay (Auditor CD) to do any ARP-reply packet injection against my brand-new 2Wire HomePortal 1701HG. After a week of frustration, I pulled my old-ass Linksys BEFW11S4 out of the basement, set it up with the extra laptop for wireless, and was able to crack it in less time it took for me to set it up. Is there something inherently more safe about the 2Wire? Is one router being more/less picky about well-formed, non-repeating ARP packets? Or am I supposed to do something different against different routers? I think the aireplay documentation even suggests that it won't work against all wireless routers, and maybe this is just one of those routers? Anyone else able to use packet injections against the same 2Wire? Or maybe any 2Wire? Or should I sit comfortably in my (false) sense of security, as long as I have low/no wireless traffic?

03-30-2006	#7 (permalink)
Gerbil333 Registered Member Join Date: Feb 2006 Posts: 17	I've observed the same thing. AiReplay works perfectly against my Linksys WRT54G (using HyperWRT + tofo 11 firmware), but fails against our 2Wire 1800HG. Driving around my block, I've found that about half of the 29 APs are using the default "2WIRE###" SSID (SBC Yahoo DSL is the main source of broadband here). I bet those same people are using entirely default settings as well, meaning they're using the default 64 bit WEP key printed on their routers' sticker. Therefore, 2Wire has sort of defeated the purpose of blocking packet injection unless the end user is knowledgeable enough to change their router's security level to WPA (avoiding dictionary entries), or at minimum, 128 bit WEP since that would greatly increase the time required for a cracker to gather the needed number of packets. Last edited by Gerbil333 : 03-30-2006 at 02:30 AM.

03-31-2006	#10 (permalink)
wham Registered Member Join Date: Feb 2005 Location: /dev/urandom Posts: 305	Somewhat interestingly, the difficulty of cracking WEP doesn't increase exponentially with the length of the key, rather it is a linear increase. This is probably because the FMS attack doesn't actually attack the encryption, it just exploits a flaw in the key scheduling algorithm, where cleartext IVs leak info about the key. That's why 128 bit WEP protected networks can be penetrated in as little as three minutes; it would take much longer if the RC4 encryption was attacked directly. With WPA, it would take an exponentially greater amount of time to discover a 30 character key than it would a 15 character PSK. <off topic> Why did IEEE want the Initialization Vectors in cleartext? Was it really that much slower with the IVs encrypted? </off topic> Last edited by wham : 03-31-2006 at 05:16 PM.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

02-21-2006	#3 (permalink)
xtzz Posts: n/a	Yup, I did it last night actually. No problems.. can't give you router information because I don't have it (yes, you know what I mean).

03-30-2006	#9 (permalink)
Gerbil333 Registered Member Join Date: Feb 2006 Posts: 17	Is that still possible with with little traffic and no packet injection? As far as I'm aware, it is not.