aircrack only collects 256 IVs on D-Link AP, works fine on Cisco AP..??

Postby klaymen » Mon Aug 15, 2005 1:10 am

Hi all,

I'm using version 2.21 of the aircrack suite under SuSE Linux 9.3 (2.6.11.4-21.2), using a Netgear WG511T card (Atheros chipset). While I can perfectly crack my own WEP key (64 and 128 bits) within a few minutes on a pretty new Cisco Aironet 1200 AP, I get a strange problem with my other, old D-Link DWL-1000AP. On the latter, airodump never gets more than 256 IVs.

Actually, aireplay successfully injects thousands of ARP requests (I can also see them from within the WLAN using ethereal, including the replies). airodump does also collect all these packets, but the number under "IVs" (usable IVs) only climbs slower and slower and finally stops at 256 IVs. I tried it several times, using captured ARP requests as a seed, as well as packets forged using arpforge (and the chopchop attack in advance, which works fine in itself). The symptom is always the same: it can never collect more than 256 IVs. I also tried collecting packets using kismet instead of airodump and then applying aircrack to the capture. In this case, aircrack does report thousands of packets, but only 256 usable IVs (at most).

This is really weird because, as mentioned, it works perfectly on the much newer Cisco AP (which is supposed to be more secure than the old D-Link, isn't it?). Am I doing something wrong, or does indeed aircrack not work on some (even old-old-old) APs like the D-Link...?

Thanks in advance for any help! klaymen
klaymen
Mini Stumbler
 
Posts: 4
Joined: Wed Dec 31, 2003 6:23 am
Location: Switzerland

Postby devine » Mon Aug 15, 2005 4:08 am

klaymen wrote: airodump does also collect all these packets, but the number under "IVs" (usable IVs) only climbs slower and slower and finally stops at 256 IVs.


Hi,

Please PM me a sample .cap file, I'm interested to have a look.
devine
 
Posts: 389
Joined: Thu Jul 29, 2004 10:09 am
Location: Paris

Postby devine » Mon Aug 15, 2005 10:55 am

devine wrote: Please PM me a sample .cap file, I'm interested to have a look.


Ok, I had a long, good look at the capture file. It appears that the IV generation routine on that particular access point is quite flawed: IVs are supposed to be randomly generated, but actually are always chosen from a pool of 256 IVs -- which actually makes the AP itself immune to the statistical attack. However, as soon as one client connects you should get new IVs from that client, so the idea would be to chopchop a packet from the legitimate client, and forge an ARP request with the client's IP as destination, so as to generate traffic from that client.

(Needless to say, if there are no clients connected you are screwed).
devine
 
Posts: 389
Joined: Thu Jul 29, 2004 10:09 am
Location: Paris

Postby klaymen » Mon Aug 15, 2005 12:52 pm

devine wrote: It appears that the IV generation routine on that particular access point is quite flawed: IVs are supposed to be randomly generated, but actually are always chosen from a pool of 256 IVs -- which actually makes the AP itself immune to the statistical attack.


Yes, I already suspected something like that, this AP really is pretty old... the old and buggy implementation protects it from current attacks. Stupidity sometimes protects :-)

devine wrote: However, as soon as one client connects you should get new IVs from that client, so the idea would be to chopchop a packet from the legitimate client, and forge an ARP request with the client's IP as destination, so as to generate traffic from that client.

(Needless to say, if there are no clients connected you are screwed).

You mean subsequently "chopchopping" (great word...) several packets from the same client? I'll have a try at that... of course this would only create a few hundred IVs per regular packet.

[EDIT]: Just tried it out, doesn't work either... it seems the AP always covers the same IVs, even after getting new packets from the client as chopchop seeds. Even resetting the AP (pulling the power plug) doesn't get new ones. I guess one would only need to store these few hundred xor flows and bruteforce-try them onto packets until you get legitimate packets, in order to decrypt a capture file without needing to break the key though :D
klaymen
Mini Stumbler
 
Posts: 4
Joined: Wed Dec 31, 2003 6:23 am
Location: Switzerland
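An added example (not code from this thread, and not from the aircrack suite) that models what devine diagnosed and what klaymen sketched in the post above: an AP whose IV generator only ever draws from a pool of 256 IVs, so a sniffer's distinct-IV count saturates at 256, and a keystream table built from known-plaintext frames (the ARP requests you injected yourself, which the AP re-encrypts under its own IV when it relays them, or chopchop output) that decrypts the AP's later traffic without ever recovering the WEP key. The WepAP class, the 256-entry pool, the sample key and plaintexts are all constructed for the demo and say nothing about how the DWL-1000AP firmware actually picks IVs. The ICV is omitted.

```python
import random

IV_LEN = 3  # a WEP IV is 24 bits, sent in the clear in front of the ciphertext


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream of `length` bytes (KSA, then PRGA). WEP's cipher."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP: per-packet RC4 key is IV || root key, frame body is IV || ciphertext.
    The CRC-32 ICV is left out; it plays no part in the IV problem."""
    ks = rc4(iv + root_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


class WepAP:
    """Hypothetical AP model (assumption, not the real firmware). pool_size=None
    draws IVs from the full 2^24 space; pool_size=256 models the flawed one."""

    def __init__(self, root_key: bytes, pool_size=None, seed=1):
        self.root_key = root_key
        self.rng = random.Random(seed)
        self.pool = None
        if pool_size is not None:  # fixed pool of distinct IVs, chosen once
            self.pool = [n.to_bytes(IV_LEN, "big")
                         for n in self.rng.sample(range(1 << 24), pool_size)]

    def next_iv(self) -> bytes:
        if self.pool is not None:
            return self.rng.choice(self.pool)
        return self.rng.randrange(1 << 24).to_bytes(IV_LEN, "big")

    def send(self, plaintext: bytes) -> bytes:
        return wep_encrypt(self.root_key, self.next_iv(), plaintext)


def distinct_ivs(frames) -> int:
    """What airodump's "IVs" column reports: unique IVs seen, not packets."""
    return len({f[:IV_LEN] for f in frames})


def build_keystream_table(frames, plaintexts) -> dict:
    """keystream = ciphertext XOR plaintext, for frames whose plaintext you know
    (self-injected ARP requests relayed by the AP, or chopchop output).
    Keeps the longest keystream seen for each IV."""
    table = {}
    for frame, pt in zip(frames, plaintexts):
        iv, ct = frame[:IV_LEN], frame[IV_LEN:]
        ks = bytes(c ^ p for c, p in zip(ct, pt))
        if len(ks) > len(table.get(iv, b"")):
            table[iv] = ks
    return table


def decrypt_with_table(table: dict, frame: bytes):
    """Decrypt with only the stored keystream for the frame's IV; no key needed.
    Returns None when the IV is unknown or the stored keystream is too short."""
    iv, ct = frame[:IV_LEN], frame[IV_LEN:]
    ks = table.get(iv)
    if ks is None or len(ks) < len(ct):
        return None
    return bytes(c ^ k for c, k in zip(ct, ks))


def run_demo(n_frames: int = 8000) -> dict:
    """Sniff n_frames known-plaintext frames from a flawed and a sane AP, then
    try to read a frame whose plaintext the attacker was never given."""
    root_key = bytes.fromhex("0123456789")  # constructed 40-bit key, unknown to the attacker
    known = bytes(range(64))                # constructed 64-byte known plaintext
    flawed = WepAP(root_key, pool_size=256, seed=7)
    sane = WepAP(root_key, pool_size=None, seed=7)
    flawed_capture = [flawed.send(known) for _ in range(n_frames)]
    sane_capture = [sane.send(known) for _ in range(n_frames)]
    table = build_keystream_table(flawed_capture, [known] * n_frames)
    secret = b"later frame from the AP, plaintext unknown"  # constructed
    return {
        "flawed_distinct_ivs": distinct_ivs(flawed_capture),
        "sane_distinct_ivs": distinct_ivs(sane_capture),
        "table_size": len(table),
        "secret": secret,
        "recovered": decrypt_with_table(table, flawed.send(secret)),
    }


if __name__ == "__main__":
    r = run_demo()
    print("flawed AP distinct IVs:", r["flawed_distinct_ivs"])
    print("sane AP distinct IVs:  ", r["sane_distinct_ivs"])
    print("secret frame read without the key:", r["recovered"] == r["secret"])
```

The flawed capture stops at 256 distinct IVs however many frames are sniffed, which is exactly why the statistical attack has nothing to work with, while the sane AP keeps producing fresh IVs. The flip side is that 256 stored keystreams, each as long as the longest known-plaintext frame, are enough to read everything the flawed AP transmits afterwards; a legitimate client with its own IV generator is not covered by that table, which is why devine suggests provoking traffic from the client instead.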

Postby Dutch » Mon Aug 15, 2005 1:16 pm

Which firmware revision does the D-Link run? Any chance of you trying older/newer firmwares, to check if this flaw exists in those?

Dutch
All your answers are belong to Google. SEARCH DAMMIT!
Warning. Warning.
Low C8H10N4O2 level detected. Operator halted....
Dutch
 
Posts: 6698
Joined: Fri Mar 05, 2004 12:00 pm
Location: City of Mermaids, Denmark

Postby klaymen » Mon Aug 15, 2005 9:39 pm

I think I have the most recent firmware, 2.2, on the AP (if you can call January 2002 "recent"...), see http://support.dlink.com/products/view.asp?productid=DWL%2D1000AP. I'll check that again at home. If it is of general interest, I can try to downgrade to 2.1 to check if the "feature" exists there as well.
klaymen
Mini Stumbler
 
Posts: 4
Joined: Wed Dec 31, 2003 6:23 am
Location: Switzerland

Postby 1312rene » Sun Apr 29, 2007 2:11 am

hi,

I know this is a big kick, but I am experiencing the same problem here with a certain 3Com AP. Tried it on a linksys, which worked like a charm, but the 3Com AP gives the same result.

I am using a Netgear WG111v2 (R8187 chipset), and using linux (BT2.0), and everything patched for injection and stuff...

The weird thing is that my symptoms are exactly the same: exactly 256 IVs, and the IVs are all the same (I found out after reading multiple captures with aircrack, which also said it saw 256 different packets).

Have any of you found a solution after a year and a half?
With regards,

1312rene :)
1312rene
Mini Stumbler
 
Posts: 5
Joined: Sun Apr 29, 2007 2:06 am

Postby itsnotme » Sun Apr 29, 2007 2:25 am

Go to the welcome desk and read the threads on zombie revival. What the fuck is this, the year of Zombie revivals?

Edit: Removed the last sentence, didn't make enough grammatical sense to me. It's too early in the morning for me to properly reduce you to charbroil, so I'll do that later today if somebody else hasn't.
itsnotme
 
Posts: 1074
Joined: Wed Sep 04, 2002 10:19 pm
Location: Somewhere below Lake Ontario

Postby 1312rene » Sun Apr 29, 2007 3:26 am

As much as I would like to join this community, I haven't read that particular thread you are talking about, and I couldn't find it either.

Besides, at most forums it is normal that people revive threads, because:
A: Usually the one that has posted the question before, could have found the answer while time passed, and can help you faster
B: You don't have to explain everything again

So I just figured to use the search, find this thread and post in it, because of the above. I'm a moderator at a well-known Dutch gamer forum (I rule the software/hardware section), so I'm used to those standards.

Now that I have explained, what does that "zombie revival" mean, in short? Where should I post my question then, before I get yelled at?
1312rene
Mini Stumbler
 
Posts: 5
Joined: Sun Apr 29, 2007 2:06 am

Postby itsnotme » Sun Apr 29, 2007 3:35 am

1312rene wrote: As much as I would like to join this community, I haven't read that particular thread you are talking about, and I couldn't find it either.

Besides, at most forums it is normal that people revive threads, because:
A: Usually the one that has posted the question before, could have found the answer while time passed, and can help you faster
B: You don't have to explain everything again

So I just figured to use the search, find this thread and post in it, because of the above. I'm a moderator at a well-known Dutch gamer forum (I rule the software/hardware section), so I'm used to those standards.

Now that I have explained, what does that "zombie revival" mean, in short? Where should I post my question then, before I get yelled at?


(Here's another fucking clue: the thread's been dead since 2005! This is the year of 2007, the year of fucktards reviving long dead threads.)
Jesus H Fucking Christ, you can't find the welcome desk? Go to the main page (clicky provided in case you couldn't find the main page!) and then read the forum rules (clicky provided again since you claim to be a mod at another forum but haven't been hit by the cluebat about reading the rules.) and then why don't you give us a nice detailed description of where you erred.

If that wasn't abundantly clear, (did I do enough fucking spoonfeeding yet?) I'm sure you'll let me know.
itsnotme
 
Posts: 1074
Joined: Wed Sep 04, 2002 10:19 pm
Location: Somewhere below Lake Ontario

Postby 1312rene » Sun Apr 29, 2007 4:01 am

First of all, I don't know why you are giving me some hard time. If you read my post, you see the circumstances in my situation are the EXACT same.

Furthermore,
itsnotme wrote: (Here's another fucking clue: the thread's been dead since 2005! This is the year of 2007, the year of fucktards reviving long dead threads.)

True, but don't forget there is someone here who experienced the same problem. Maybe he found out after a while, and didn't bother to post it here? I was always taught (at forums) to post in the old threads as much as possible...
itsnotme wrote: Jesus H Fucking Christ, you can't find the welcome desk? Go to the main page (clicky provided in case you couldn't find the main page!) and then read the forum rules (clicky provided again since you claim to be a mod at another forum but haven't been hit by the cluebat about reading the rules.)

Well, maybe I'm stupid, but I don't see anything about "zombie revival" there or something similar concerning old/dead threads. I DID find your rules, and I DID read them.

You could be a lot more polite to me. Instead of calling me a pain in the ass, you could be a little more helpful and help me with this issue, or at least don't yell at me. Like I said, I try to do my best to fit in this community, but all this yelling isn't very useful in a community.
itsnotme wrote: and then why don't you give us a nice detailed description of where you erred.

I didn't find that necessary because our situations (mine and the topic starter's) are exactly the same. If you need any extra info I forgot, just ask, but please, stay polite.
itsnotme wrote: If that wasn't abundantly clear, (did I do enough fucking spoonfeeding yet?) I'm sure you'll let me know.

Ding!
1312rene
Mini Stumbler
 
Posts: 5
Joined: Sun Apr 29, 2007 2:06 am

Postby itsnotme » Sun Apr 29, 2007 4:31 am

Ok, fucknut.

4. Spamming, Power posting, and Advertising
Only post if you have something valuable to add to the ongoing conversation. Refrain from posting only a short, meaningless sentence or only one emote/smiley. Also, avoid posting messages solely to get people to visit an external link (such as a personal website), especially if you are a new user to this forum. Spamming/power posting includes bumping up old topics without adding new and substantial content to them. It also includes posting the same text multiple times in a row. Power posting also covers the 'me too' posts. 'Me too' posts are when users simply reply to a message with 'me too' or 'yes' or something similarly inane. Also, instead of posting additions / corrections to a new post of yours separately, please use the edit button instead. Refrain from posting advertisement of any form (commercial or non-commercial) if it is not related to an ongoing discussion.

Edit: I also wanted to add one more thing, does this look like the aircrack forums? There's a reason why there's no new threads related to aircrack where users haven't been strongly encouraged to go over there and seek their aircrack/wep cracking/etc problems over there.
itsnotme
 
Posts: 1074
Joined: Wed Sep 04, 2002 10:19 pm
Location: Somewhere below Lake Ontario

Postby 1312rene » Sun Apr 29, 2007 4:48 am

Ok ok, you got me. Maybe I bumped this old thread without adding new and substantial content, but I was just wondering if the TS had figured out the problem, that's all. If I started a new thread, he wouldn't read it.

I will try to contact the topicstarter then.

Sorry for the inconvenience.
1312rene
Mini Stumbler
 
Posts: 5
Joined: Sun Apr 29, 2007 2:06 am

Postby wrzwaldo » Sun Apr 29, 2007 5:26 am

1312rene wrote: First of all, I don't know why you are giving me some hard time. If you read my post, you see the circumstances in my situation are the EXACT same.

Go read the forum rules dipstick! Then you'll see why you are getting a "hard time".

Ding!
wrzwaldo
 
Posts: 8995
Joined: Sun Dec 14, 2003 12:43 pm

Postby 1312rene » Sun Apr 29, 2007 5:48 am

wrzwaldo wrote: Go read the forum rules dipstick! Then you'll see why you are getting a "hard time".

Ding!

So I should just start a new thread and copy-paste all the posts from this thread?

Yeah... very logical...

Besides, according to the rules you shouldn't be giving people a hard time using bad language...
1312rene
Mini Stumbler
 
Posts: 5
Joined: Sun Apr 29, 2007 2:06 am
