chopchop (Experimental WEP attacks) - Page 4

KoreK · 03-07-2005

It's a bit incorrect. Basic formula is (1-k/n)^n ~ exp(-k) when n is sufficiently large (mathly speaking lim of the left term when n grows to infinity is exp(-k)). In the papers, you get quantities like (253/256)^(256-p-1) (probability the (256-p-1) bytes of the KSA are different from 3 given values), with p=3,... First you approximate the exponent with 256, and you rewrite (1-3/256)^256, which then you approximate with the limit exp(-3).

cf http://mathworld.wolfram.com/ExponentialFunction.html

Madory · 03-07-2005

This makes sense, thanks.

Perhaps it is a case of 6 and one-half-dozen. I got my explanation from "Attacks On RC4 and WEP" by FMS:

"The probability that three locations will not be pointed to by a pseudo random index during the
remaining N - 1 - x rounds is better than ((1-1/N)^N)^3 ~ e^-3 ~ 5%."

((1-1/N)^N)^3
can be reduced to
(e^-1)^3
and finally
e^-3

-OR-

(1-3/N)^N
reduced directly to
e^-3

Anyway, thanks for the general formula - crystal clear now.

noise_gaining · 03-15-2005

It's the same. Let M = 3N, then

((1-1/N)^N)^3 = (1-3/M)^M

Quote:

Originally Posted by Madory

This makes sense, thanks.

Perhaps it is a case of 6 and one-half-dozen. I got my explanation from "Attacks On RC4 and WEP" by FMS:

"The probability that three locations will not be pointed to by a pseudo random index during the
remaining N - 1 - x rounds is better than ((1-1/N)^N)^3 ~ e^-3 ~ 5%."

((1-1/N)^N)^3
can be reduced to
(e^-1)^3
and finally
e^-3

-OR-

(1-3/N)^N
reduced directly to
e^-3

Anyway, thanks for the general formula - crystal clear now.

Beep · 03-17-2005

Quote:

Originally Posted by KoreK

He has to use the wlan-ng patch. I didn't manage to make hostap work.

mfenetre, just a reminder: You need an AP, an associated card, and an injection card using the wlan-ng patched module (Or just associate the wlan-ng card, yank it out, back in, inject, and hope the it hasn't been disassociated). If you don't know where to begin, have a look at the auditor CD, chopchop is included:
http://new.remote-exploit.org/index.php/Auditor_main

Hi KoreK

I use the new Auditor (120305-01) on my HP OmniBook XE2 Laptop. I also use the Orinoco Silver WiFi card.
Is the necessary chopchop patch already installed on the Auditor CD? Must i apply any patches?

I've got the same problem like mfenetre few posts over me.

Thanks

-Beep

PS: Please dont flame me for my (maybe stupid) question... I searched a answer in google, readme's and this forum several hours/days.

PPS: R.E.S.P.E.C.T. to Korek and Devine for her great tools!

sylvain · 03-17-2005

drivers are already patched in new auditor version..and there is an auditor forum...maybe it's a better place to ask...not sure you really search...probably too lazy

G8tK33per · 03-17-2005

Quote:

Originally Posted by Beep

Hi KoreK

I use the new Auditor (120305-01) on my HP OmniBook XE2 Laptop. I also use the Orinoco Silver WiFi card.
Is the necessary chopchop patch already installed on the Auditor CD? Must i apply any patches?

I've got the same problem like mfenetre few posts over me.

Thanks

-Beep

PS: Please dont flame me for my (maybe stupid) question... I searched a answer in google, readme's and this forum several hours/days.

PPS: R.E.S.P.E.C.T. to Korek and Devine for her great tools!

OK, which one of you is the chick?

sylvain · 03-17-2005

I can say it is not Devine, I already met him

KoreK · 03-17-2005

Quote:

Originally Posted by G8tK33per

OK, which one of you is the chick?

You need a new pair of stockings , cabin boy?

As for Beep, if you bothered reading my previous posts... And while I am at it, noise_gaining why don't you take a math class...

Grant · 12-30-2005

Anyone know why my version won't compile even though the header file it says is missing isn't?

Thorn · 12-30-2005

Probably the header file isn't in the path. Most often this type of thing occurs because the code's author assumes one particular path, and your system is slightly different.

Try using an explicit path, for example, change:

#include stdio.h

to:

#include /usr/src/stdio.h
(of course the path preceding the header file name would be the required one for your system.)

bigbadbo · 03-21-2007

Hi all

This is my first Post on this site so hang in their with me !.

OK ...

KOREK chopchop theory obtains the Keystream of a particular packet, Idealy from an ARP packet from the AP.

And then we can forge an ARP Packet with packetforge-ng and some other stuff !

However, if we inject our new forge ARP packet, were still only generating as much traffic, according to the size of that ARP (68bits)

How about if you apply that keystream to a much larger packet, for instance ...
a GET packets, thats 400+ bits, this will generate much more traffic leading to a quicker attack

I know packetforge-ng has a custom packet capability, but im unsure how to use it

regards
Kai

Starpoint · 03-21-2007

Quote:

Originally Posted by bigbadbo

Hi all

This is my first Post on this site so hang in their with me !.

OK ...

KOREK chopchop theory obtains the Keystream of a particular packet, Idealy from an ARP packet from the AP.

And then we can forge an ARP Packet with packetforge-ng and some other stuff !

However, if we inject our new forge ARP packet, were still only generating as much traffic, according to the size of that ARP (68bits)

How about if you apply that keystream to a much larger packet, for instance ...
a GET packets, thats 400+ bits, this will generate much more traffic leading to a quicker attack

I know packetforge-ng has a custom packet capability, but im unsure how to use it

regards
Kai

And your goal in all this is WHAT?

streaker69 · 03-21-2007

Quote:

Originally Posted by Starpoint

And your goal in all this is WHAT?

Zombie Revival? Discuss the blasé practice of cracking wep?

Where is Devine anyway?

Dutch · 03-21-2007

Quote:

Originally Posted by streaker69

Zombie Revival? Discuss the blasé practice of cracking wep?

Where is Devine anyway?

Last I saw him, he was jamming with Elvis at the truckstop orbiting Betelgeuse.

Dutch

ccie4526 · 03-21-2007

Quote:

Originally Posted by streaker69

Zombie Revival? Discuss the blasé practice of cracking wep?

Well, Dutch has weighed in on the topic, so I'm guessing it's up to G8t for the two week vacation.

03-07-2005	#47 (permalink)
Madory Registered Member Join Date: Jan 2005 Posts: 3	Origin of 5% This makes sense, thanks. Perhaps it is a case of 6 and one-half-dozen. I got my explanation from "Attacks On RC4 and WEP" by FMS: "The probability that three locations will not be pointed to by a pseudo random index during the remaining N - 1 - x rounds is better than ((1-1/N)^N)^3 ~ e^-3 ~ 5%." ((1-1/N)^N)^3 can be reduced to (e^-1)^3 and finally e^-3 -OR- (1-3/N)^N reduced directly to e^-3 Anyway, thanks for the general formula - crystal clear now.

12-30-2005	#55 (permalink)
Thorn Did you do the math? Join Date: Apr 2002 Location: Villa Straylight Posts: 9,980	Probably the header file isn't in the path. Most often this type of thing occurs because the code's author assumes one particular path, and your system is slightly different. Try using an explicit path, for example, change: #include stdio.h to: #include /usr/src/stdio.h (of course the path preceding the header file name would be the required one for your system.) __________________ Thorn "You guys'll be chalk outlines without me."

03-21-2007	#56 (permalink)
bigbadbo Registered Member Join Date: Mar 2007 Posts: 3	idea to crack WEP with chopchop Hi all This is my first Post on this site so hang in their with me !. OK ... KOREK chopchop theory obtains the Keystream of a particular packet, Idealy from an ARP packet from the AP. And then we can forge an ARP Packet with packetforge-ng and some other stuff ! However, if we inject our new forge ARP packet, were still only generating as much traffic, according to the size of that ARP (68bits) How about if you apply that keystream to a much larger packet, for instance ... a GET packets, thats 400+ bits, this will generate much more traffic leading to a quicker attack I know packetforge-ng has a custom packet capability, but im unsure how to use it regards Kai

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode

03-07-2005	#46 (permalink)
KoreK Banned in DC Join Date: Jul 2004 Posts: 102	It's a bit incorrect. Basic formula is (1-k/n)^n ~ exp(-k) when n is sufficiently large (mathly speaking lim of the left term when n grows to infinity is exp(-k)). In the papers, you get quantities like (253/256)^(256-p-1) (probability the (256-p-1) bytes of the KSA are different from 3 given values), with p=3,... First you approximate the exponent with 256, and you rewrite (1-3/256)^256, which then you approximate with the limit exp(-3). cf http://mathworld.wolfram.com/ExponentialFunction.html

03-17-2005	#50 (permalink)
sylvain Wireless Auditor Join Date: Jun 2004 Location: Paris, France Posts: 175	drivers are already patched in new auditor version..and there is an auditor forum...maybe it's a better place to ask...not sure you really search...probably too lazy

03-17-2005	#52 (permalink)
sylvain Wireless Auditor Join Date: Jun 2004 Location: Paris, France Posts: 175	I can say it is not Devine, I already met him

12-30-2005	#54 (permalink)
Grant Registered Member Join Date: Dec 2005 Posts: 1	Anyone know why my version won't compile even though the header file it says is missing isn't?