NetStumbler.org Forums

Old 10-12-2004   #136 (permalink)
chesh
Registered Member
 
Join Date: Feb 2004
Posts: 10
One other thing I'd like to mention: when I do a weplab -a on my Kismet.dump file it says that there are XXXXX number of unique IVs, which when I check Kismet seems to be the same number of data packets collected from my network. Does this seem right? The other number that Kismet shows is XXXX number of crypted packets collected, but that number doesn't seem to be referenced within weplab whatsoever. So, are unique IVs crypted packets, or just unique data packets?

chesh
chesh is offline  
Old 10-13-2004   #137 (permalink)
chesh
Registered Member
 
Join Date: Feb 2004
Posts: 10
Quote:
Originally Posted by chesh
My second question is, how does one generate more packets in order to crack? I've heard talk of doing an arping or something to that extent to generate packets. Would someone post the info on how this is done, if you need two wireless adapters, or what? Thanks guys.

chesh
Ok, I jumped the gun a little bit on a couple of these questions. I tried aircrack last night for the first time with airodump and aireplay. I got myself a 770mb dump file with 880k of unique IV packets. My new question is, when I load this into aircrack it says there is 880k worth of unique packets, but when I load it into weplab it says there is only 88k worth of packets. Why the difference? Also, airodump says that the network is a 54mb WPA encrypted network, when I know it's a BEFW11S4 using 128-bit WEP. I further this knowing that aircrack is supposed to deny WPA packets when loading the dump file, and it loads all the packets just fine and starts away on its little cracking adventure. I have to say, if I didn't know it was 128-bit WEP and started a 64-bit crack on it, it finished and told me that a key didn't exist in about 34 secs. This was with an aircrack fudge factor of 2. When I ran weplab, on the other hand, it took an hour or two to discover that it wasn't a 64-bit key. Anyways, just thought I'd post my findings; any comments, flames are more than welcome.

chesh

Last edited by chesh : 10-14-2004 at 03:46 PM.
chesh is offline  
Old 10-15-2004   #138 (permalink)
chesh
Registered Member
 
Join Date: Feb 2004
Posts: 10
Quote:
Originally Posted by joswr1ght
I'm not much for UI design (love those Unix tools though), but here goes. I'm going to release this tool in the first teaching of the SANS Wireless Auditing class in New Orleans in November (I am the author of this material), and will make it publicly available after that.

screen shot

This tool is an implementation of Robert Moskowitz's paper "Weakness in Passphrase Choice in WPA Interface" at http://wifinetnews.com/archives/002452.html. It kind of sucks, since it's pretty slow. I've done everything to optimize it that I believe can be done, but 4096 hmac-sha1 passes take quite a bit of time to derive the PMK from a dictionary word. I'm looking forward to comments after releasing publicly.

Thanks,

-Josh

I saw in the latest version of Auditor (auditor-081004-01) you've already released this tool to them. Since it's already in the public, when are you planning on releasing a source download to the masses?

chesh
chesh is offline  
Old 10-15-2004   #139 (permalink)
joswr1ght
Registered Member
 
Join Date: Sep 2004
Posts: 90
Quote:
Originally Posted by chesh
I saw in the latest version of Auditor (auditor-081004-01) you've already released this tool to them. Since it's already in the public, when are you planning on releasing a source download to the masses?

chesh
11/3, right after the SANS WLAN Auditing course runs in New Orleans.

If anyone wants the source early and is willing to provide some feedback/testing, drop me a note at jwright@hasborg.com.

Thanks,

-Josh
__________________
-Joshua Wright
jwright@hasborg.com
http://home.jwu.edu/jwright/

Today I stumbled across the world's largest hotspot. The SSID is "linksys".


Check out the SANS advanced wireless auditing and assessment course:
Los Angeles
joswr1ght is offline  
Old 10-15-2004   #140 (permalink)
devine
Emergence
 
Join Date: Jul 2004
Location: Paris
Posts: 389
When I load this into aircrack it says there is 880k worth of unique packets, but when I load it into weplab it says there is only 88k worth of packets. Why the difference?

Hard to tell. Post the first meg of your pcap file somewhere, this would help me and TopoLB to track down the problem.

Also, airodump says that the network is a 54mb WPA encrypted network, when I know it's a BEFW11S4 using 128-bit WEP.

That's a known bug in airodump 2.1. Will be fixed in the next release.

it finished and told me that a key didn't exist in about 34secs. This was with aircrack fudge factor of 2.

Maybe try increasing the fudge factor. Also if it's 802.1X aircrack will very likely fail.

post-edit: messed up with the version number

Last edited by devine : 10-15-2004 at 12:44 PM.
devine is offline  
Old 10-15-2004   #141 (permalink)
chesh
Registered Member
 
Join Date: Feb 2004
Posts: 10
What's the easiest way to cut down my 770mb pcap file to 1mb?

chesh
chesh is offline  
Old 10-15-2004   #142 (permalink)
joswr1ght
Registered Member
 
Join Date: Sep 2004
Posts: 90
Quote:
Originally Posted by chesh
What's the easiest way to cut down my 770mb pcap file to 1mb?

chesh
Sample the first few thousand files with tcpdump:

$ tcpdump -r bigfile.dump -w smallfile.dump -c 2000

Repeat until the "-c" number gives you what you want.

Note: This will not work with tethereal, the "-c" behavior does not work when reading from a stored capture file.

-Josh
joswr1ght is offline  
Old 10-16-2004   #143 (permalink)
Kronk
Registered Member
 
Join Date: Jul 2004
Posts: 13
Speeding Up WPA PSK Attack

Joshua,

The KisMAC tool implements the WPA PSK attack using G4 Altivec acceleration to improve performance significantly. Maybe you can do something similar with MMX with your WPA code.

The KisMAC source code is located at http://binaervarianz.de/projekte/pro...c/download.php and may be helpful.

Kronk
Kronk is offline  
Old 10-16-2004   #144 (permalink)
devine
Emergence
 
Join Date: Jul 2004
Location: Paris
Posts: 389
Quote:
Originally Posted by Kronk
The KisMAC tool implements the WPA PSK attack using G4 Altivec acceleration to improve performance significantly. Maybe you can do something similar with MMX with your WPA code.
Indeed. Also, I was thinking about distributed WPA-PSK cracking. Could speed up things quite a bit, especially if you have a few spare machines.
devine is offline  
Old 01-04-2005   #145 (permalink)
grcore
Member at large
 
 
Join Date: Aug 2004
Posts: 121
Quote:
Originally Posted by chesh
What's the easiest way to cut down my 770mb pcap file to 1mb?

chesh
Are you trying to filter out the IV packets?

Use ethereal to run a filter and save the output.

g
grcore is offline  
Old 02-20-2005   #146 (permalink)
net-titi
Registered Member
 
Join Date: Feb 2005
Posts: 1
Working with wrt54g ?

Would it work with a Linksys WRT54G router, like Kismet does?
net-titi is offline  
Old 02-23-2005   #147 (permalink)
devine
Emergence
 
Join Date: Jul 2004
Location: Paris
Posts: 389
Quote:
Originally Posted by chesh
What's the easiest way to cut down my 770mb pcap file to 1mb?
Not many options right now, but that's a planned feature of airodump 2.2, which will make it possible to only save the IVs from a live capture session, or extract then save them from a pcap file. Each IV will use about 6 bytes: bssid_index(1) + IV_itself(3) + ciphertext_start(2). However, this new file format will only be understood by aircrack 2.2.
devine is offline  
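An added example (my own code, not aircrack's, airodump's or weplab's) that ties together chesh's unique-IV question in #136 and the 6-byte record layout devine sketches above: it pulls the IV out of constructed WEP data frames, packs each one as bssid_index(1) + IV(3) + ciphertext_start(2), and shows why an encrypted-packet count can be higher than a unique-IV count when an access point repeats IVs. The frame layout, the BSSID address-slot lookup and the sample frames are my assumptions, not taken from any real capture.

```python
import struct

FC_TYPE_DATA = 0x0008   # Frame Control (LE 16-bit at offset 0): type subfield 2 = data
FC_TO_DS, FC_FROM_DS = 0x0100, 0x0200
FC_PROTECTED = 0x4000   # Protected (WEP) bit

def parse_wep_frame(frame):
    """(bssid, iv, cipher_start) for a protected data frame, else None.
    Assumed layout: 24-byte MAC header, IV(3) + key id(1), then ciphertext."""
    if len(frame) < 30:
        return None
    fc = struct.unpack_from('<H', frame, 0)[0]
    if (fc & 0x000C) != FC_TYPE_DATA or not (fc & FC_PROTECTED):
        return None
    # Which address slot holds the BSSID depends on the To/From DS bits.
    ds = fc & (FC_TO_DS | FC_FROM_DS)
    bssid = frame[10:16] if ds == FC_FROM_DS else frame[4:10] if ds == FC_TO_DS else frame[16:22]
    return bssid, frame[24:27], frame[28:30]

def pack_iv_records(frames):
    """Encode each protected frame as bssid_index(1) + IV(3) + ciphertext_start(2);
    returns (bssid_table, packed_bytes), where index i means bssid_table[i]."""
    bssids, records = [], bytearray()
    for frame in frames:
        parsed = parse_wep_frame(frame)
        if parsed is None:
            continue
        bssid, iv, cipher_start = parsed
        if bssid not in bssids:
            bssids.append(bssid)
        records += bytes([bssids.index(bssid)]) + iv + cipher_start
    return bssids, bytes(records)

def iv_stats(records):
    """(encrypted packet count, distinct bssid+IV count); they differ when IVs repeat."""
    total = len(records) // 6
    unique = {records[i:i + 4] for i in range(0, len(records), 6)}
    return total, len(unique)

def make_frame(bssid, iv, payload):
    """Constructed FromDS WEP data frame (key id 0), used as sample input only."""
    fc = FC_TYPE_DATA | FC_FROM_DS | FC_PROTECTED
    sta = bytes.fromhex('001122334455')
    return struct.pack('<HH', fc, 0) + sta + bssid + sta + b'\x00\x00' + iv + b'\x00' + payload

AP = bytes.fromhex('00c0ffee0001')   # constructed BSSID
SAMPLE_FRAMES = [make_frame(AP, b'\x01\x02\x03', b'\xaa\xbb\xcc\xdd'),
                 make_frame(AP, b'\x01\x02\x03', b'\xaa\xbb\x11\x22'),   # IV reused
                 make_frame(AP, b'\x04\x05\x06', b'\x99\x88\x77\x66'),
                 b'\x80\x00' + b'\x00' * 30]                             # beacon, skipped
```

With the sample frames, `iv_stats(pack_iv_records(SAMPLE_FRAMES)[1])` returns `(3, 2)`: three encrypted packets but only two distinct IVs, the same kind of gap chesh saw between the two counters.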
Old 04-21-2005   #148 (permalink)
kleptophobiac
Registered Member
 
Join Date: Sep 2002
Posts: 310
Wow, this is a massively long thread, and I will admit that I ceased reading about page 11.

1) Would you care to post the win32 source code somewhere? I'm interested in taking a peek at it, even though I'm terrible with C (I do java... need to work on C)

2) I popped wzcook into a hex editor and did the proper edits, and it works great. I figured I'd post the fixed binary, just so others wouldn't have to go download a hex editor. here

3) Thanks for the work!
kleptophobiac is offline  