NetStumbler.org Forums

Post #91, 08-24-2004, by topolb (Registered Member)
Quote:
Originally Posted by sylvain
If we had to compare weplab and aircrack, which one is the best? aircrack with the attacks included in chopper?
The best way to answer this question is to run a test. Is someone interested?

BTW aircrack implements the "replay attack", while weplab only uses passive attacks (brute force, statistical, dictionary).

"Replay attack" is great to speed the process of gathering different IVs, and as far as I know aircrack is the first tool on Linux that implements it.
The lack of a standard way to create raw WLAN packets is a big hole that I hope will be filled soon.

devine: I will include the other attacks in the next release, together with a dictionary-based attack. But... are the other attacks relevant and stable with non-uniform IV distributions?

And the future... what about WPA?
Post #92, 08-24-2004, by sylvain (Wireless Auditor)
The problem is that the creation of raw WLAN packets depends on the cards and drivers used, I think.

Note: I think aircrack is not the first to implement a replay attack... I think there is one tool specific to BSD which does the same thing.

Concerning WPA, I haven't heard of any weaknesses, except against WPA-PSK (dictionary-based attacks). What kind of attacks do you plan to implement?


Last thing: I can perform a test between both tools, but without the aireplay function of aircrack, as I don't own a Prism2 card.
Post #93, 08-24-2004, by sylvain (Wireless Auditor)
Quote:
Originally Posted by sylvain
The problem is that the creation of raw WLAN packets depends on the cards and drivers used, I think.

Note: I think aircrack is not the first to implement a replay attack... I think there is one tool specific to BSD which does the same thing.

Concerning WPA, I haven't heard of any weaknesses, except against WPA-PSK (dictionary-based attacks). What kind of attacks do you plan to implement?


Last thing: I can perform a test between both tools, but without the aireplay function of aircrack, as I don't own a Prism2 card.

For the comparative test: which commands do you want me to use for both tools?
Post #94, 08-24-2004, by devine (Emergence)
Quote:
Originally Posted by topolb
devine: I will include the other attacks in the next release, together with a dictionary-based attack. But... are the other attacks relevant and stable with non-uniform IV distributions?
All attacks, except the unstable 5% ones, work quite well with linearly distributed IVs. They perform even better when the IVs are randomly distributed (like, you can sometimes crack a 104-bit key with 200k IVs).

Quote:
Originally Posted by topolb
And the future... what about WPA?
Maybe in aircrack 2.0, together with Windows support ;-)
Post #95, 08-24-2004, by topolb (Registered Member)
Other KoreK attacks

Trying to understand KoreK's attacks (all those that appear in chopper and aircrack) is a pain!

I would be glad if someone could help me implement the other KoreK attacks (those not yet implemented) in weplab (attack.c) O:-)

At the moment weplab seems to be able to crack the key with over 600k packets using only standard FMS, the attack on the second byte, enhanced 13%, and the inverse (reject) attack.
Advanced KoreK 24% gives me lots of false positives, and attacks 5/6 10% seem not to be working at all.
Post #96, 08-25-2004, by devine (Emergence)
Quote:
Originally Posted by topolb
Trying to understand KoreK's attacks (all those that appear in chopper and aircrack) is a pain!
Yeah, a little bit of documentation about them wouldn't hurt

Quote:
Originally Posted by topolb
At the moment weplab seems to be able to crack the key with over 600k packets using only standard FMS, the attack on the second byte, enhanced 13%, and the inverse (reject) attack.
Cool results
Post #97, 08-25-2004, by KoreK (Banned in DC)
Quote:
Originally Posted by topolb
Trying to understand KoreK's attacks (all those that appear in chopper and aircrack) is a pain!
Quote:
Originally Posted by devine
Yeah, a little bit of documentation about them wouldn't hurt
I don't have time at the moment. I posted a link to a news post in the other thread which explains pretty well the strong 13% (the one from Warner, cited by FMS). The attacks should be more like ingredients. There is more than one way to mix them, and you probably got quite a few recipes. You should not focus on one cracker, but make a few, each optimized for some cases. Of course, that's easier to say when I am not developing my cracker anymore. But I spent quite a bit of time looking for the constants in chopper: Is 0.6 better than 0.5 there? Nope. Let's try 0.4 then. Doesn't change anything? What were my original constants? Can't remember. Well, let's try something else...
Post #98, 08-26-2004, by topolb (Registered Member)
Windows port of weplab-0.0.8

On http://www.sourceforge.net/projects/weplab a Windows port of the latest weplab version, 0.0.8, is available.

It requires cygwin1.dll (included in the .zip) and some WinPcap DLLs (also included).

Everything seems to be working fine. Packet capture is not tested yet.

Enjoy
Post #99, 08-26-2004, by sylvain (Wireless Auditor)
I will try it also and tell you if everything is ok.
Post #100, 08-27-2004, by sylvain (Wireless Auditor)
So here is my first comparative test between aircrack-1.4-1 and weplab 0.0.8:

I got two capture files: one with airodump and one with Kismet. For each I have about 500 000 unique IVs. aircrack was able to crack both files (but I had to use the -s 2 option for one).

in 35 s for 516 106 unique IVs: aircrack found the key
in 95 s for 516 106 unique IVs: weplab found the key

I even managed to find the key quite fast with aircrack for a file with 450 000 unique IVs. For weplab, I had to change the code a bit to make the attack #6 byte reinjection dynamic, and then it worked well.
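The "unique IVs" counts sylvain reports in the test above, and devine's earlier remark about linearly versus randomly distributed IVs, both rest on the same first step: pulling the 24-bit IV out of each WEP-protected 802.11 data frame and tallying it. What follows is an added example in Python, not code from weplab, aircrack or any poster in this thread. It parses frames constructed in the file itself (nothing is captured from the air), counts unique and reused IVs, and reports a simple heuristic for whether the IV sequence looks like a driver's incrementing counter. The header layout follows the 802.11 data-frame format; the make_wep_frame helper and the sequential_fraction heuristic are this example's own assumptions.

```python
"""Extract and profile WEP IVs from raw 802.11 data frames.

Added example (not code from the weplab or aircrack projects). The frames
below are constructed in this file; nothing is captured from the air.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# 802.11 frame-control field: first byte holds version/type/subtype,
# second byte holds the flags.
FC_TYPE_DATA = 2
FLAG_TO_DS, FLAG_FROM_DS, FLAG_PROTECTED = 0x01, 0x02, 0x40


def wep_iv_from_frame(frame: bytes) -> Optional[Tuple[int, int]]:
    """Return (iv, key_index) for a WEP-protected data frame, else None.

    The WEP IV is the 3 bytes that follow the MAC header; the next byte
    carries the key index in its top two bits.  The IV is returned as a
    little-endian integer so an incrementing counter shows up as
    consecutive values.
    """
    if len(frame) < 2:
        return None
    fc_lo, fc_flags = frame[0], frame[1]
    if (fc_lo >> 2) & 0x3 != FC_TYPE_DATA or not fc_flags & FLAG_PROTECTED:
        return None
    hdr_len = 24                          # FC, duration, addr1-3, sequence control
    if fc_flags & FLAG_TO_DS and fc_flags & FLAG_FROM_DS:
        hdr_len += 6                      # WDS frames carry a fourth address
    if (fc_lo >> 4) & 0x8:
        hdr_len += 2                      # QoS data subtypes add a QoS control field
    if len(frame) < hdr_len + 4 + 4:      # need the IV/key-id block and the 4-byte ICV
        return None
    iv = int.from_bytes(frame[hdr_len:hdr_len + 3], "little")
    key_index = frame[hdr_len + 3] >> 6
    return iv, key_index


def profile_ivs(frames: List[bytes]) -> Dict[str, float]:
    """Count unique and reused IVs and estimate how 'linear' the IV sequence is."""
    ivs = []
    for frame in frames:
        parsed = wep_iv_from_frame(frame)
        if parsed is not None:
            ivs.append(parsed[0])
    counts = Counter(ivs)
    pairs = list(zip(ivs, ivs[1:]))
    sequential = sum(1 for a, b in pairs if b == a + 1)
    return {
        "total_frames": len(frames),
        "wep_frames": len(ivs),
        "unique_ivs": len(counts),
        # IV values seen more than once: the same IV under the same key
        # means the same RC4 keystream was used twice.
        "reused_ivs": sum(1 for c in counts.values() if c > 1),
        # Heuristic (this example's own): share of consecutive frames whose
        # IV increments by exactly one.
        "sequential_fraction": sequential / len(pairs) if pairs else 0.0,
    }


def make_wep_frame(iv: int, key_index: int = 0, payload: bytes = b"\x00" * 16) -> bytes:
    """Build a minimal WEP-protected data frame (constructed test input).

    Addresses, payload and ICV are placeholder bytes; no encryption is done.
    """
    fc = bytes([FC_TYPE_DATA << 2, FLAG_TO_DS | FLAG_PROTECTED])
    header = fc + b"\x00\x00" + b"\x00" * 18 + b"\x00\x00"
    iv_block = iv.to_bytes(3, "little") + bytes([key_index << 6])
    return header + iv_block + payload + b"\x00" * 4


# Constructed capture: a driver counting IVs up from 0, ten reused IVs,
# and one beacon (management frame) that must be ignored.
SAMPLE_FRAMES = (
    [make_wep_frame(i) for i in range(1000)]
    + [make_wep_frame(i) for i in range(990, 1000)]
    + [bytes([0x80, 0x00]) + b"\x00" * 30]
)

if __name__ == "__main__":
    for name, value in profile_ivs(SAMPLE_FRAMES).items():
        print(f"{name:>20}: {value}")
```

Run it directly to print the profile of the constructed capture. Reused IVs are the figure a defender cares about: with a static WEP key, an IV repeat means RC4 keystream reuse, which is why both tools count unique IVs rather than frames, and why a high sequential_fraction (a counter restarting at zero on every reboot) is a sign that reuse will come quickly.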
Post #101, 08-29-2004, by topolb (Registered Member)
Quote:
Originally Posted by sylvain
So here is my first comparative test between aircrack-1.4-1 and weplab 0.0.8:

I got two capture files: one with airodump and one with Kismet. For each I have about 500 000 unique IVs. aircrack was able to crack both files (but I had to use the -s 2 option for one).

in 35 s for 516 106 unique IVs: aircrack found the key
in 95 s for 516 106 unique IVs: weplab found the key

I even managed to find the key quite fast with aircrack for a file with 450 000 unique IVs. For weplab, I had to change the code a bit to make the attack #6 byte reinjection dynamic, and then it worked well.

OK, aircrack wins (at least this time).

New version 0.0.9 of weplab is out. It implements KoreK's full set of attacks (among other things). What about another comparative test? }:-)
Post #102, 08-29-2004, by sylvain (Wireless Auditor)
Quote:
Originally Posted by topolb
OK, aircrack wins (at least this time).

New version 0.0.9 of weplab is out. It implements KoreK's full set of attacks (among other things). What about another comparative test? }:-)

let's go ;-)

weplab 0.0.0 did not find my key :-(

Post #103, 08-29-2004, by sylvain (Wireless Auditor)
OK, so after some tuning... I had to use the --perc 50 and -s 3 options to find the key, so I think, topolb, you should make an optimization guide (which commands to use and in which order to find the key).

So, results for the same file (516 106 unique IVs):
35 s for aircrack-1.4.1 (with the -s 2 option)
37 s for weplab 0.0.9 (with the --perc 50 and -s 3 options)

Post #104, 09-04-2004, by sylvain (Wireless Auditor)
topolb: do you plan to implement two new attacks?
1/ the WEP dictionary attack: wepattack style, with integration of John the Ripper
2/ the WPA-PSK dictionary attack

Thank you.
Post #105, 09-04-2004, by topolb (Registered Member)
Todo

Quote:
Originally Posted by sylvain
topolb: do you plan to implement two new attacks?
1/ the WEP dictionary attack: wepattack style, with integration of John the Ripper
2/ the WPA-PSK dictionary attack

Thank you.
Well, a patch for the first issue (dictionary with john) is already integrated in the latest version, weplab-0.1.0, but it is not fully tested yet.

I think there is a problem in the weplab-john communication. The developer who submitted the patch to me is on holiday now, and as I am busy with other features, I prefer to wait for him.
Anyway, any feedback (and patches) will be useful.

Weplab is open source. You can contribute to it!

As regards WPA, I also have it on my TODO list together with WPA2 and AES.