NetStumbler.org Forums

Old 02-08-2005   #1 (permalink)
syst0lic
Registered Member
 
Join Date: Jan 2005
Posts: 18
Nemesis

Has anyone thought of or figured out a way to use nemesis to create custom packets designed to produce weak IVs?

I ask because I was using Cain & Abel over wireless while connected on my desktop, and while monitoring with my laptop I discovered that using Cain to search MACs on the subnet created an ENORMOUS flood of new weak IVs and interesting packets.

Now I'm assuming it's an ARP request of some sort... instead of hitting the Search button over and over, I'd rather run a script that incorporates nemesis.

I also heard TCP SYN packets do the job...
Old 02-08-2005   #2 (permalink)
joswr1ght
Registered Member
 
Join Date: Sep 2004
Posts: 90
Quote:
Originally Posted by syst0lic
Has anyone thought of or figured out a way to use nemesis to create custom packets designed to produce weak IVs?

I ask because I was using Cain & Abel over wireless while connected on my desktop, and while monitoring with my laptop I discovered that using Cain to search MACs on the subnet created an ENORMOUS flood of new weak IVs and interesting packets.
The selection of the IV has nothing to do with the upper-layer protocols, so a tool like nemesis is unable to differentiate a weak IV from any other IV. I suspect you just got lucky with Cain & Abel.

Note that classic "weak" IVs (e.g. B+3:FF:n) are of little value anymore, since KoreK's attacks in Aircrack/WepLab/Airsnort make use of a much broader range of IVs. Any packets you produce on the network will generate suitable IVs for these tools.

-Josh
__________________
-Joshua Wright
jwright@hasborg.com
http://home.jwu.edu/jwright/

Today I stumbled across the world's largest hotspot. The SSID is "linksys".


Check out the SANS advanced wireless auditing and assessment course:
Los Angeles
Old 02-08-2005   #3 (permalink)
Dr3D1zzl3
Mental Penis Fencer
 
 
Join Date: Apr 2002
Posts: 371
Good to see some old-timers still lurking about.

Wasn't it a nice day today in DC?
__________________
What a fine guardian of the sheep the wolf is!
Old 02-08-2005   #4 (permalink)
syst0lic
Registered Member
 
Join Date: Jan 2005
Posts: 18
Confused... help me understand this.

Network traffic, aka packets going back and forth over the wireless network, is encrypted and contains weak IVs (correct?)

So what's the difference between a person who is downloading a couple of huge movies and just submitting a bunch of packets through nemesis from within the network? I find it hard to believe there's no way to simulate a crap load of traffic.

Am I missing something? Am I not clear? This makes perfect sense in my head.

The more traffic, the more encrypted packets, the more weak IVs. Cain and Abel (when using the search function) shoots a crap load of ARP packets everywhere... can't I just replicate the packet it's sending?

Last edited by syst0lic : 02-09-2005 at 12:00 AM.
Old 02-09-2005   #5 (permalink)
joswr1ght
Registered Member
 
Join Date: Sep 2004
Posts: 90
Quote:
Originally Posted by Dr3D1zzl3
Good to see some old-timers still lurking about.

Wasn't it a nice day today in DC?
Who are you calling *old timer*?

-Josh
Old 02-09-2005   #6 (permalink)
joswr1ght
Registered Member
 
Join Date: Sep 2004
Posts: 90
Quote:
Originally Posted by syst0lic
Network traffic, aka packets going back and forth over the wireless network, is encrypted and contains weak IVs (correct?)
I think the disconnect here is the term "weak IVs". Each WEP-encrypted packet includes an IV that is prepended to the shared secret for use with the RC4 cipher. Whether that IV is considered "weak" or not depends on the IV value. There is no way to influence the selection of an IV (e.g. selecting an IV that is weak, compared to an IV that is, umm, not weak).

Quote:
Originally Posted by syst0lic
So what's the difference between a person who is downloading a couple of huge movies and just submitting a bunch of packets through nemesis from within the network? I find it hard to believe there's no way to simulate a crap load of traffic.
The more traffic, the more encrypted packets, the more weak IVs. Cain and Abel (when using the search function) shoots a crap load of ARP packets everywhere... can't I just replicate the packet it's sending?
OK, this is a different question now. You want to generate more IVs on the network, not just generate more weak IVs. By generating more IVs, statistically you will get more weak IVs as well. You can use any traffic to do this, from downloading a large file (slow, large packets), or initiating a ping flood (faster, small packets) or any other technique.

Of course, you have to already be associated to the network to make this happen, which makes it less valuable as a pen-test technique against WEP networks.

I hope that clears this up.

-Josh
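A small Python illustration of the mechanics Josh describes, added here as an editorial example (it is not code from any poster or from any tool named in this thread): it builds the per-packet RC4 key as IV || shared key, tests an IV against the classic (B+3, 0xFF, n) form, and shows why a larger IV count yields proportionally more classic-weak IVs rather than letting anyone choose them. It goes one step beyond the thread by also computing the birthday-bound probability of IV reuse in the 24-bit IV space, which is the other reason traffic volume matters for WEP. The key bytes and the random IV stream are constructed for the demo; nothing here touches a network.

```python
"""WEP IV arithmetic: per-packet RC4 key, classic weak-IV test, and the
statistics behind "more traffic means more usable IVs".

Editorial example for the thread above, not code from any poster or tool.
The shared key and the IV stream below are constructed, not captured.
"""
import math
import random

IV_SPACE = 1 << 24  # WEP IVs are 24 bits, so only 16,777,216 distinct values exist


def per_packet_key(iv: bytes, shared_key: bytes) -> bytes:
    """RC4 key for one WEP frame: the 3-byte IV prepended to the shared secret."""
    if len(iv) != 3:
        raise ValueError("WEP IV must be 3 bytes")
    if len(shared_key) not in (5, 13):
        raise ValueError("WEP shared key is 40-bit (5 bytes) or 104-bit (13 bytes)")
    return iv + shared_key


def is_classic_weak_iv(iv: bytes, key_len: int) -> bool:
    """True if iv has the classic form (B+3, 0xFF, n) for some key byte index B.

    This is the pattern the "B+3:FF:n" shorthand in the thread refers to and the
    one early "weak IV avoidance" firmware skipped.  As Josh notes, later
    statistical attacks use a much broader set of IVs, so filtering only these
    does not make WEP safe.
    """
    b = iv[0] - 3
    return iv[1] == 0xFF and 0 <= b < key_len


def weak_iv_fraction(key_len: int) -> float:
    """Share of the 24-bit IV space that is classic-weak for a key of key_len bytes."""
    return key_len * 256 / IV_SPACE


def expected_weak_ivs(n_packets: int, key_len: int) -> float:
    """Expected classic-weak IVs among n_packets frames with uniformly chosen IVs."""
    return n_packets * weak_iv_fraction(key_len)


def iv_reuse_probability(n_packets: int) -> float:
    """Birthday-bound probability that at least two of n random 24-bit IVs collide.

    IV reuse means keystream reuse under the same shared key, independent of any
    "weak" property of the individual IVs.
    """
    return 1.0 - math.exp(-n_packets * (n_packets - 1) / (2 * IV_SPACE))


def count_weak_in_stream(n_packets: int, key_len: int, seed: int = 1) -> int:
    """Simulate a sender picking IVs uniformly at random and count classic-weak ones.

    The sender has no say in which IVs turn out weak; the count simply tracks
    expected_weak_ivs() as the stream grows.
    """
    rng = random.Random(seed)  # seeded so the constructed stream is reproducible
    weak = 0
    for _ in range(n_packets):
        iv = rng.getrandbits(24).to_bytes(3, "big")
        if is_classic_weak_iv(iv, key_len):
            weak += 1
    return weak


if __name__ == "__main__":
    shared_key = bytes(range(1, 14))  # constructed 104-bit key, not a real one
    iv = bytes([0x03, 0xFF, 0x07])
    print("per-packet RC4 key:", per_packet_key(iv, shared_key).hex())
    print("classic-weak IV?  :", is_classic_weak_iv(iv, len(shared_key)))
    for n in (5_000, 50_000, 200_000):
        print(
            f"{n:>7} frames: expect {expected_weak_ivs(n, 13):6.1f} classic-weak IVs,"
            f" simulated {count_weak_in_stream(n, 13):4d},"
            f" P(IV reuse) = {iv_reuse_probability(n):.3f}"
        )
```

The 200k-frame row is there because the original poster reports roughly that many encrypted packets; the simulation shows the classic-weak count scaling linearly with traffic while the IV-reuse probability saturates long before that, which is why the volume of frames, not their content, is what a WEP deployment cannot afford.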
Old 02-09-2005   #7 (permalink)
nashr
Uber Geek
 
 
Join Date: Aug 2002
Location: Virginia
Posts: 1,615
Quote:
Originally Posted by Dr3D1zzl3
Good to see some old-timers still lurking about.

Wasn't it a nice day today in DC?
Weather was scary nice... spring in February, now that's a new one on me.

Where you @ Dr3D1zzl3? I work downtown near Archives/Navy Memorial Metro.
__________________
Help! I've been Simpsonized!
Old 02-09-2005   #8 (permalink)
syst0lic
Registered Member
 
Join Date: Jan 2005
Posts: 18
Yea, that was the mess-up.. the word "weak".. using it when I shouldn't have.

I am associated to the network, because it is mine. I want to generate a crap load of IVs so I can crack my WEP key and use it as an example in a presentation I have to do at school on network security.

Although you did clear something up for me, and that is there is no way to MAKE a certain weak IV appear. Would be nice, wouldn't it?

What tools are available for brute-forcing WEP? Not dictionary cracking....
Old 02-10-2005   #9 (permalink)
sylvain
Wireless Auditor
 
Join Date: Jun 2004
Location: Paris, France
Posts: 175
Quote:
Originally Posted by syst0lic
Yea, that was the mess-up.. the word "weak".. using it when I shouldn't have.

I am associated to the network, because it is mine. I want to generate a crap load of IVs so I can crack my WEP key and use it as an example in a presentation I have to do at school on network security.

Although you did clear something up for me, and that is there is no way to MAKE a certain weak IV appear. Would be nice, wouldn't it?

What tools are available for brute-forcing WEP? Not dictionary cracking....
Try WepLab for brute force.
Old 02-10-2005   #10 (permalink)
sparafina
Registered Member
 
 
Join Date: May 2002
Location: Julie Speed
Posts: 1,430
Try the Auditor CD from http://new.remote-exploit.org/

I've been playing with it, and it has many tools nicely organized with documentation.
Old 02-10-2005   #11 (permalink)
syst0lic
Registered Member
 
Join Date: Jan 2005
Posts: 18
Um... yea... so I just let AirSnort run and ran Cain and Abel's MAC search a hundred times, and when I got home today it had already cracked my key.

140-something interesting packets, 200k encrypted packets and a breadth of 2... it didn't decrypt the ASCII pw correctly, but the HEX pw was perfect.

The strange thing is, it used the packets coming from broadcast (FF:FF:FF:FF:FF:FF) instead of the MAC of the AP to crack the key.

Either way, it took less than 24 hours on a simple wireless network with only one computer associated.

INFO ABOUT CARD:

wlan0     IEEE 802.11-DS  ESSID:"linksys"  Nickname:"linksys"
          Mode:Auto  Frequency:2.412GHz  Access Point: 00:00:00:00:00:00
          Bit Rate:2Mb/s   Tx-Power:2346 dBm
          Retry min limit:8   RTS thr:off   Fragment thr:off
          Encryption key:off
          Link Quality:0/92  Signal level:-69 dBm  Noise level:-90 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

DWL-650 REV P on Slackware 2.4.26 w/ wlan-ng drivers

Last edited by syst0lic : 02-10-2005 at 10:43 PM.
Old 02-11-2005   #12 (permalink)
sparafina
Registered Member
 
 
Join Date: May 2002
Location: Julie Speed
Posts: 1,430
Quote:
Originally Posted by syst0lic
Um... yea... so I just let AirSnort run and ran Cain and Abel's MAC search a hundred times, and when I got home today it had already cracked my key.
Just trying to help - the Auditor CD has a bunch of WEP cracking tools. Thanks for the info on the card. Can you tell us about the AP - especially the firmware version?
Old 02-11-2005   #13 (permalink)
syst0lic
Registered Member
 
Join Date: Jan 2005
Posts: 18
Linksys BEFW11S4

ver 1.50.14
---

Next step is turning over to WPA and trying to crack that.