weplab/aircrack

opr__ · 01-16-2005

Hi all,

here is my problem:
I have a wifi protected with WEP 128 bits key for testing. I first dumped about 300k packets with Kismet using regular traffic (ftp-data). Here is the output of the statistics with weplab:

# ./weplab -a ../Kismet-Jan-15-2005-1.dump
weplab - Wep Key Cracker Wep Key Cracker (v0.1.3).
Jose Ignacio Sanchez Martin - Topo[LB] <topolb@users.sourceforge.net>

Statistics for packets that belong to [00:05:5D:5C:21:9A]
- Total valid packets read: 321344
- Total packets read: 321344
- Total unique IV read: 321344
- Total truncated packets read: 0
- Total non-data packets read: 0
- Total FF checksum packets read: 0

The next day, I again dumped traffic but now using 'ping -f' to generate as much traffic as fast as possible on the wireless. The statistics output of weplab:

# ./weplab -a ../Kismet-Jan-16-2005-1.dump
weplab - Wep Key Cracker Wep Key Cracker (v0.1.3).
Jose Ignacio Sanchez Martin - Topo[LB] <topolb@users.sourceforge.net>

Statistics for packets that belong to [00:05:5D:5C:21:9A]
- Total valid packets read: 277546
- Total packets read: 277546
- Total unique IV read: 277546
- Total truncated packets read: 0
- Total non-data packets read: 0
- Total FF checksum packets read: 0

Now, I both ran weplab and aircrack (with default fudge factor) and even after 9 hours, the key of the first dump could not be found. When I ran weplab and aircrack on the second dump, he cracked it within 5 minutes. How is this possible? The first dump has even more unique IV's than the second dump ... anyone has a reasonable explanation for this?

btw, does anyone know a tool which can replay packets on the wifi interface on BSD? Because most of the tools like aireplay and chopchop use the netpacket interface which is nonexistant on BSD. I did manage to get weplab (only the cracking, not dumping of packets) and aircrack (again, only aircrack and 802ether, not dumping) working on OpenBSD.

regards

grcore · 01-17-2005

Quote:

Originally Posted by opr__

Now, I both ran weplab and aircrack (with default fudge factor) and even after 9 hours, the key of the first dump could not be found. When I ran weplab and aircrack on the second dump, he cracked it within 5 minutes. How is this possible? The first dump has even more unique IV's than the second dump ... anyone has a reasonable explanation for this?

It's not always a matter of how many IVs you collect. There is some luck involved. Depending on the distribution of IVs, the number of keys that need to be tried can vary. In my tests, it the number of IVs collected has varied from as little as 80k and as high as 800k to discover a 64bit key. Most of the time the key is found somewhere in the 100-200krange.

g

rjdenver · 01-19-2005

Quote:

Originally Posted by grcore

It's not always a matter of how many IVs you collect. There is some luck involved. Depending on the distribution of IVs, the number of keys that need to be tried can vary. In my tests, it the number of IVs collected has varied from as little as 80k and as high as 800k to discover a 64bit key. Most of the time the key is found somewhere in the 100-200krange.

g

Just to add some stats to that, I got my first test of my 64bit key to crack with 100k IVs in about 5 seconds. I tried my 128bit key with 100k packets, and after about 5 hours gave up and made 100k more packets. With the 200k, it cracked in 3 hours.

I notice my actiontec also has a 256bit key. Maybe that's next.

Rj

01-16-2005	#1 (permalink)
opr__ Registered Member Join Date: Sep 2004 Posts: 1	weplab/aircrack Hi all, here is my problem: I have a wifi protected with WEP 128 bits key for testing. I first dumped about 300k packets with Kismet using regular traffic (ftp-data). Here is the output of the statistics with weplab: # ./weplab -a ../Kismet-Jan-15-2005-1.dump weplab - Wep Key Cracker Wep Key Cracker (v0.1.3). Jose Ignacio Sanchez Martin - Topo[LB] <topolb@users.sourceforge.net> Statistics for packets that belong to [00:05:5D:5C:21:9A] - Total valid packets read: 321344 - Total packets read: 321344 - Total unique IV read: 321344 - Total truncated packets read: 0 - Total non-data packets read: 0 - Total FF checksum packets read: 0 The next day, I again dumped traffic but now using 'ping -f' to generate as much traffic as fast as possible on the wireless. The statistics output of weplab: # ./weplab -a ../Kismet-Jan-16-2005-1.dump weplab - Wep Key Cracker Wep Key Cracker (v0.1.3). Jose Ignacio Sanchez Martin - Topo[LB] <topolb@users.sourceforge.net> Statistics for packets that belong to [00:05:5D:5C:21:9A] - Total valid packets read: 277546 - Total packets read: 277546 - Total unique IV read: 277546 - Total truncated packets read: 0 - Total non-data packets read: 0 - Total FF checksum packets read: 0 Now, I both ran weplab and aircrack (with default fudge factor) and even after 9 hours, the key of the first dump could not be found. When I ran weplab and aircrack on the second dump, he cracked it within 5 minutes. How is this possible? The first dump has even more unique IV's than the second dump ... anyone has a reasonable explanation for this? btw, does anyone know a tool which can replay packets on the wifi interface on BSD? Because most of the tools like aireplay and chopchop use the netpacket interface which is nonexistant on BSD. I did manage to get weplab (only the cracking, not dumping of packets) and aircrack (again, only aircrack and 802ether, not dumping) working on OpenBSD. regards Last edited by opr__ : 01-16-2005 at 09:59 AM.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode