NetStumbler.org Forums > Software > Unix/Linux
Incomplete four-way handshake

Post #1, 01-17-2006, wham (Registered Member)

I disassociated and reassociated a computer on my network while capturing packets with Ethereal. I found about 27 EAPOL packets in all. I saved the capture file and tried to crack the PSK in coWPAtty, but it says that the four-way handshake is incomplete. What's going on? I have tried it with the card monitoring just about every channel (iwconfig ath0 mode monitor channel *channel number*), but it doesn't find it. I am using a WRT54g with WPA2-PSK.
Post #2, 01-17-2006, Airstreamer (Sniffin' the aether)
Quote:
Originally Posted by wham
I disassociated and reassociated a computer on my network while capturing packets with Ethereal. I found about 27 EAPOL packets in all. I saved the capture file and tried to crack the PSK in coWPAtty, but it says that the four-way handshake is incomplete. What's going on? I have tried it with the card monitoring just about every channel (iwconfig ath0 mode monitor channel *channel number*), but it doesn't find it. I am using a WRT54g with WPA2-PSK.
I'm not really sure about this, so buyer beware and all other disclaimers apply!
If you want to capture what is going on, I think you'll probably need Kismet or a similar program that does passive monitoring by hooking directly into the hardware. (Maybe Aircrack? I'm pretty sure that LinkFerret would work as well, since it 'sees' all the control packets that kind of lie 'below the surface.')

I really don't know how WinPcap is handling the interface, but I have a sneaking suspicion that it is probably not catching all the data. Kind of like you really don't see the link pulse info that tells a switch what kind of interface you can support, or the negotiation handshake that takes place still at the link pulse level, BEFORE the adapter starts passing Ethernet data. (Unless you have some specialized hardware analysis tools.)

Now you've got me interested. I hope to see the answer posted as I am curious if I've guessed correctly.
__________________
Try a tube of the new lube,

Obamacaine!

They won't feel the shaft until it's too late!
Post #3, 01-18-2006, wham (Registered Member)
Thanks for the reply, Airstreamer. I have tried monitoring it with Kismet and Airodump, but it doesn't find the right packets either. I am using Auditor with a Proxim 8470-WD if that makes a difference (so WinPcap isn't being used right now). I am a bit hesitant to pay for a program like LinkFerret. Has anyone here successfully cracked WPA2-PSK on their WRT54g? What problems, if any, were encountered and what hardware was used?

Thanks


Edit: I heard from someone on the remote-exploit IRC channel that if AES is used on a WPA2 network, it can't be cracked. If this is true, is there any reason to set up a RADIUS server?

Last edited by wham : 01-18-2006 at 07:06 PM.
Post #4, 01-18-2006, Airstreamer (Sniffin' the aether)
Quote:
Originally Posted by wham
Thanks for the reply, Airstreamer. I have tried monitoring it with Kismet and Airodump, but it doesn't find the right packets either. I am using Auditor with a Proxim 8470-WD if that makes a difference (so WinPcap isn't being used right now). I am a bit hesitant to pay for a program like LinkFerret. Has anyone here successfully cracked WPA2-PSK on their WRT54g? What problems, if any, were encountered and what hardware was used?

Thanks


Edit: I heard from someone on the remote-exploit IRC channel that if AES is used on a WPA2 network, it can't be cracked. If this is true, is there any reason to set up a RADIUS server?

I think you can still download a time-limited demo of LinkFerret.
Hope it works.
Post #5, 01-18-2006, theprez98 (SpoonfeederExtraordinaire)
Quote:
Originally Posted by Airstreamer
I think you can still download a time-limited demo of LinkFerret.
Hope it works.
http://www.linkferret.ws/download/download.htm

Quote:
We have provided fully functional, downloadable evaluation versions for all of our LinkFerret monitoring products. The trial period is limited to thirty days, after which the product must be registered if you wish to continue to use it. Please see our End User License Agreement for more information.
Further down, it actually says this:
Quote:
If you are unfamiliar with the process of downloading and installing software via the internet...
Someone who is unfamiliar with the process of downloading and installing software via the internet is just plain stupid!
__________________
:00475160 0E A6 AE A0 19 E3 A3 46 .......F
:00475168 0D 65 17 0C 53 70 6F 6F .e..Spoo
:00475170 6E 66 65 65 64 65 72 2E nfeeder.
:00475178 45 78 74 72 61 6F 72 64 Extraord
:00475180 69 6E 61 69 72 65 5D 3B inaire];
:00475188 8B 9E 92 5A FF 5D A6 F0 ...Z.]..

Last edited by theprez98 : 01-18-2006 at 08:50 PM.
Post #6, 01-18-2006, wham (Registered Member)
I have temporarily set my network to WPA1 and the attack works. I have downloaded the LinkFerret evaluation version (yes, I could figure out how to download software from the Internets) and will see if that works against WPA2 with AES. I think the underlying problem was that I was using AES instead of TKIP, not that packets weren't being collected. I wonder if it is even possible to crack WPA2-PSK with TKIP+AES. Hopefully the rainbow tables for WPA will be available soon. I heard that it got a lot of attention (even from Mitnick) at ShmooCon.

Post #7, 01-19-2006, renderman (Drunken Stumbler)
coWPAtty at this moment (v3.0) works on WPA-PSK v1; WPA2 support is not present. That said, just give me some time.

Post #8, 01-19-2006, theprez98 (SpoonfeederExtraordinaire)
Quote:
Originally Posted by wham
I have temporarily set my network to WPA1 and the attack works. I have downloaded the LinkFerret evaluation version (yes, I could figure out how to download software from the Internets) and will see if that works against WPA2 with AES. I think the underlying problem was that I was using AES instead of TKIP, not that packets weren't being collected. I wonder if it is even possible to crack WPA2-PSK with TKIP+AES. Hopefully the rainbow tables for WPA will be available soon. I heard that it got a lot of attention (even from Mitnick) at ShmooCon.
I believe "they" precomputed tables for some default SSIDs. With the target SSID, you should be able to compute the tables for the target AP. Thorn or Render should be able to steer you in the right direction.
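Added illustration (not code from this thread, from coWPAtty, or from the CoWF tables project) of why a WPA table is tied to one SSID: WPA-PSK and WPA2-PSK both derive the 256-bit PMK as PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations), whether the cipher is TKIP or AES-CCMP, so the SSID is the salt and a table built for one network name says nothing about a network named anything else. The script checks the derivation against the published IEEE 802.11i test vector (passphrase "password", SSID "IEEE"), shows that a one-character SSID change yields an unrelated PMK, and generates a random passphrase, which together with a non-default SSID is the practical defence against precomputed tables. The helper names and the sample SSIDs are my own constructions.

```python
import hashlib
import secrets
import string

# Published test vector (IEEE 802.11i Annex H.4.1): passphrase "password", SSID "IEEE".
IEEE_VECTOR_PMK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"

PBKDF2_ITERATIONS = 4096   # fixed by the standard
PMK_LEN = 32               # 256-bit PMK


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PSK/PMK derivation shared by WPA-PSK and WPA2-PSK (TKIP or AES-CCMP):
    PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096, 32).
    The SSID is the salt, which is why precomputed tables are per-SSID,
    and each candidate costs 4096 iterations of two HMAC-SHA1 blocks."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("WPA passphrase must be printable ASCII")
    if not 1 <= len(ssid.encode("utf-8")) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ITERATIONS, PMK_LEN)


def table_hits_other_ssid(passphrase: str, table_ssid: str, live_ssid: str) -> bool:
    """True only if a PMK precomputed for table_ssid equals the live network's PMK.
    Any SSID difference (even letter case) makes this False, so the table is useless."""
    return derive_pmk(passphrase, table_ssid) == derive_pmk(passphrase, live_ssid)


def generate_passphrase(length: int = 20) -> str:
    """Random printable-ASCII passphrase from the OS CSPRNG. The alphabet has 94
    symbols (~6.55 bits each), so 20 characters is ~131 bits: no dictionary or
    table covers that, whatever the SSID."""
    if not 8 <= length <= 63:
        raise ValueError("length must be 8 to 63")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    pmk = derive_pmk("password", "IEEE")
    print("IEEE test vector matches:", pmk.hex() == IEEE_VECTOR_PMK_HEX)
    # Constructed SSIDs: a table built for a default name vs. a renamed network.
    print("table for 'linksys' hits 'linksys-home':",
          table_hits_other_ssid("password", "linksys", "linksys-home"))
    print("suggested passphrase:", generate_passphrase())
```

The derivation is the same one coWPAtty has to run for every dictionary word, which is the whole reason precomputing it per SSID is attractive and the whole reason a unique SSID plus a long random passphrase defeats the precomputation.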
Post #9, 01-19-2006, Thorn (Did you do the math?)
Quote:
Originally Posted by wham
Hopefully the rainbow tables for WPA will be available soon. Heard that it got a lot of attention (even from Mitnick) at ShmooCon.
The Shmoo have graciously offered to host the WPA rainbow tables on their BitTorrent feed. I don't know if it will be on http://rainbowtables.shmoo.com/ or its own page. In any event, when it's available, I'm sure Render or myself will announce it.

Yes, Mitnick was impressed enough to ask for a copy of the tables, as were other people. We provided the tables to Kevin and anyone else at the con who asked.

Edit: Previous offer moved here:
CoWF Shmoocon release thread
__________________
Thorn
"I'm The Doctor. I'm a Time Lord. I am from the planet Gallifrey in the constellation Kasterborous. I'm 903 years old and I am the man who is going to save your lives and all 6 billion people on the planet below... You got a problem with that?"

Last edited by Thorn : 01-19-2006 at 02:43 PM.
Post #10, 01-19-2006, renderman (Drunken Stumbler)
On another related note, I posted a copy of coWPAtty 3.0 on the CoWF site until Joshua gets it up somewhere else.

http://www.churchofwifi.org/FileLib/9-cowpatty-3.0.zip

If you hash out a large table, please drop either Thorn, Joshua or myself a line so we can see about including it in a future release of the CoWF tables (also send the wordlist you used).

The tables are going to be up shortly. The Shmoo are probably very busy cleaning up after us at the hotel and have bills to pay. Many thanks in advance for the file distribution assistance.
Post #11, 01-19-2006, theprez98 (SpoonfeederExtraordinaire)
My CPU cycles are dying to do something, send some work my way. If someone could talk me through the process of hashing a table, I'll get started right away. If I could only figure out BOINC for WPA...

Also, my bandwidth sits unused while I'm at work or sleeping, so I'm more than willing to seed the torrent.

Last edited by theprez98 : 01-19-2006 at 10:27 AM.
Post #12, 01-19-2006, wham (Registered Member)
Quote:
Originally Posted by theprez98
If I could only figure out BOINC for WPA...
Maybe we could use the SETI@home network for making the hashes, and claim that the aliens were seeding the torrent.

Post #13, 01-19-2006, theprez98 (SpoonfeederExtraordinaire)
Quote:
Originally Posted by wham
Maybe we could use the SETI@home network for making the hashes, and claim that the aliens were seeding the torrent.
I have absolutely no coding experience, so I really wouldn't know where to start. I have ideas but no way to implement them, or even to know if it's possible. But I think making tables via a BOINC-type setup would definitely speed up the process.
Post #14, 01-19-2006, renderman (Drunken Stumbler)
I need to take a look at the BOINC project and see if it could be done, or if they might object to its purpose.

There's a lot that can/needs to be done. Just not enough time to do it in.

Post #15, 01-19-2006, theprez98 (SpoonfeederExtraordinaire)
Quote:
Originally Posted by renderman
I need to take a look at the BOINC project and see if it could be done, or if they might object to its purpose.

There's a lot that can/needs to be done. Just not enough time to do it in.
Until then I know I would do whatever I could to help, I just need a little help in getting started.

Here is the BOINC page about new projects:
http://boinc.berkeley.edu/create_project.php