chopchop (Experimental WEP attacks)

wep attacks

Postby topolb » Tue Oct 12, 2004 3:28 am

I nearly went mad when I was researching statistical attacks. Actually, many of them are still too "dark" for me.
A good paper explaining them would be great for everyone :)

Those implemented on weplab can be found at http://cvs.sourceforge.net/viewcvs.py/weplab/weplab/attack.c?rev=1.16&view=markup
with Korek's original comments.
topolb
Mini Stumbler
 
Posts: 67
Joined: Tue Jun 08, 2004 2:51 am

Postby Avatar » Sat Nov 13, 2004 9:15 am

Hiho,

Does aireplay work with PrismGT/Duette cards?!
Avatar
Mini Stumbler
 
Posts: 1
Joined: Sat Nov 13, 2004 9:13 am

chopchop documentation

Postby sknikam » Mon Dec 06, 2004 3:04 am

Hi,
Can you post more information on how chopchop decrypts the packets? I am a newbie to this field, so a formal :-) document describing the method, how you assume the last byte and the necessary corrections required for each assumption, would be very helpful.
Regards
sknikam
Mini Stumbler
 
Posts: 1
Joined: Mon Dec 06, 2004 2:57 am

Applying the patch

Postby prompt » Tue Dec 07, 2004 6:48 pm

Hi,
I'm a bit of a newbie, so I was wondering if someone could help
me with the required commands to patch the wlan-ng driver
so I can get chopchop working.
Thanks in advance.
prompt
prompt
Mini Stumbler
 
Posts: 2
Joined: Wed Nov 17, 2004 12:50 pm

Help getting chopchop running?

Postby prompt » Thu Dec 09, 2004 11:24 pm

Hi All,

I've just been trying to get chopchop working and have done the following.
I've applied the patches that came with it for wlan-ng, rebuilt and installed
the wlan-ng drivers (with the wlan-ng and wlan-ng.conf files provided), placed the card in monitor mode with the script provided and started Kismet, but when I try to run chopchop against a packet file I had collected I get this error:

./chopchop -b 00:0F:3D:FC:2B:xx -m 00:04:23:6C:2B:xx
-p /home/siouxchief/Kismet-Dec-09-2004-5.dump -burst 13

00:0F:3D:FC:2B:xx 6
0
00:04:23:6C:2B:xx 6
Cannot open the wlan device wlan0

Anybody help?
prompt
Mini Stumbler
 
Posts: 2
Joined: Wed Nov 17, 2004 12:50 pm

chopchop error

Postby prompt » Fri Dec 10, 2004 6:25 am

Hi,
Just wondering if anyone came across this error
and knows the reason for it. I have already done everything
in the chopchop readme, including patching. I have replaced the MAC addresses below.

./chopchop -b macaddress -m macaddress -p /home/siouxchief/Kismet-Dec-09-2004-5.dump -burst 13

macaddress 6
0
macaddress 6
Cannot open the wlan device wlan0

cheers
prompt
prompt
Mini Stumbler
 
Posts: 2
Joined: Wed Nov 17, 2004 12:50 pm

Postby RedSector » Fri Dec 10, 2004 6:31 am

You probably shouldn't double post. (http://netstumbler.org/showpost.php?p=100356&postcount=31) A mod will come layeth the smack down.
RedSector
Mini Stumbler
 
Posts: 673
Joined: Sat Nov 27, 2004 12:06 am
Location: Illinois

Smackdown

Postby Thorn » Fri Dec 10, 2004 6:43 am

prompt,
Please do not crosspost. If you haven't already done so, please read the rules. Doing so will prevent a lot of grief.
Thorn
Stop the TSA now! Boycott the airlines.
Thorn
 
Posts: 10340
Joined: Sat Apr 13, 2002 3:00 am
Location: Villa Straylight

Postby KoreK » Fri Dec 10, 2004 8:26 am

Stupid noobs can't even properly read the thread before posting. Never mind acknowledging the PMs I sent them (that applies to sknikam as well). Anyway, prompt is a fucktard (apart from the double-post reason, not reading my post, not reading my PM) because
1) He wasn't root.
2) He didn't properly configure the pcmcia, so wlan-ng isn't properly loaded.
3) (And in the remote case this is some bug) The little shit doesn't even have the intelligence of posting his configuration/kernel version.
KoreK
 
Posts: 102
Joined: Wed Jul 21, 2004 5:25 pm

?

Postby prompt » Fri Dec 10, 2004 9:57 am

First of all, I posted a new thread thinking it would be a thread on its
own and never thought that it would be placed in

"chopchop (Experimental WEP attacks) thread "

so when I went to check for replies and saw that the post wasn't in the
main posting list I thought that I might have forgotten to post it, because I have
been under a lot of pressure due to the death of a close relative yesterday, so I reposted again, which also got placed into this thread

"chopchop (Experimental WEP attacks) "

so it was an honest mistake, and I admit a silly mistake. Sorry if this upset anyone. I didn't think people were that serious about mistakes. I thank Thorn and RedSector for being somewhat understanding. Maybe ye could help me with that error?
Apart from that, I applied the patch and installed everything as root and ran it as root. Just because I didn't read you were Pre-Menstrual (PM), Korek, is no excuse to get annoyed.


regards
prompt
prompt
Mini Stumbler
 
Posts: 2
Joined: Wed Nov 17, 2004 12:50 pm

Postby Thorn » Fri Dec 10, 2004 10:39 am

prompt wrote:First of all, I posted a new thread thinking it would be a thread on its
own and never thought that it would be placed in

"chopchop (Experimental WEP attacks) thread "

so when I went to check for replies and saw that the post wasn't in the
main posting list I thought that I might have forgotten to post it, because I have
been under a lot of pressure due to the death of a close relative yesterday, so I reposted again, which also got placed into this thread

"chopchop (Experimental WEP attacks) "

so it was an honest mistake, and I admit a silly mistake. Sorry if this upset anyone. I didn't think people were that serious about mistakes. I thank Thorn and RedSector for being somewhat understanding. Maybe ye could help me with that error?
Apart from that, I applied the patch and installed everything as root and ran it as root. Just because I didn't read you were Pre-Menstrual (PM), Korek, is no excuse to get annoyed.


regards
prompt

It's unfortunate about the death in the family. You have my sympathies.

In the future, if a post doesn't appear where you expect it to be, search under your name. You can get a current list of all your posts anytime. If you've posted in error, you may delete your own posts.

Also before posting a new thread, search to see if the subject is covered. If a prior thread is on the same subject, we reserve the right to merge the threads. (It says so right at the bottom of each page.)

If a thread is a year old or more, then it will probably be safe to start a new thread.
Thorn
Stop the TSA now! Boycott the airlines.
Thorn
 
Posts: 10340
Joined: Sat Apr 13, 2002 3:00 am
Location: Villa Straylight

Postby joconnor » Wed Dec 15, 2004 9:48 pm

Hi,

I've been reading with interest throughout this thread about chopchop, so I installed everything required to use it. I just have a few queries.

First, I was wondering what packets I should be filtering for with Ethereal that would be able to be decoded with chopchop and produce a PRGA?

Secondly, I have a 100 MB file which I filtered for ARP requests with Ethereal,
but it doesn't find a single one! Is this a common thing on wireless networks, and can you force ARP requests with the aj0 driver by forcing dis-associations, which might produce at least one ARP request maybe?

Those are just a few thoughts to see if ye can shed light on them. Be gentle, I'm just trying to get my head around these injection ideas.

regards
joconnor
joconnor
Mini Stumbler
 
Posts: 4
Joined: Sat Dec 11, 2004 3:24 am

Postby KoreK » Thu Dec 16, 2004 9:56 pm

joconnor wrote:First, I was wondering what packets I should be filtering for with Ethereal that would be able to be decoded with chopchop and produce a PRGA?

Any IP/ARP packet should work. You will have problems with NetBIOS/NetWare/AppleTalk packets. In that case the first five to eight bytes will remain encrypted, IIRC. You get a PRGA file for each IV, though the format is specific to chopchop. Look up the source. And you get the decrypted pcap file.

joconnor wrote:Secondly, I have a 100 MB file which I filtered for ARP requests with Ethereal,
but it doesn't find a single one! Is this a common thing on wireless networks, and can you force ARP requests with the aj0 driver by forcing dis-associations, which might produce at least one ARP request maybe?

I mentioned ARP packets at the beginning of the thread, but it doesn't matter. It's just that they are very fast to decrypt, since they are short and full of 0's (0 being the first guess made by chopchop). Just take a short encrypted packet and try it. If you want to see ARP packets in your pcap file, you need to enter your WEP key in Ethereal under Preferences/Protocols/IEEE 802.11. They are encrypted, and unless you are using static ARP tables, there should be quite a few.

ARP packets are used by devine's aireplay to generate traffic (which can be used to recover a key with aircrack). chopchop doesn't care much about the traffic it generates; the goal is to decrypt a given packet (without the key).
KoreK
 
Posts: 102
Joined: Wed Jul 21, 2004 5:25 pm
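The reply above says chopchop decrypts a packet without the key by guessing bytes and applying "corrections". The property that makes such corrections computable is that WEP's integrity check value is a plain CRC-32, which is affine over XOR, so a change to the data maps to a known change in the check value without any secret. The following is an added example, not code from this thread or from chopchop, that verifies this property on constructed sample payloads and shows that a keyed MAC (HMAC-SHA256 here, standing in for the keyed MIC that WPA2/CCMP uses) does not have it. The payloads, the key and the function names are all constructed for the demonstration.

```python
import hashlib
import hmac
import zlib

# Constructed sample payloads of equal length; they are not frames from the
# thread. PAYLOAD_A starts with an ARP-like header and is mostly zero, which
# is the kind of short, zero-heavy packet the reply recommends.
PAYLOAD_A = bytes.fromhex("0001080006040001") + bytes(24)
PAYLOAD_B = bytes([0x5A] * 8) + bytes(range(24))

# Constructed demo key, not a real credential.
DEMO_KEY = b"demo-key-not-a-real-secret"


def crc32_icv(data: bytes) -> int:
    """WEP-style ICV: an unkeyed CRC-32 over the data."""
    return zlib.crc32(data) & 0xFFFFFFFF


def keyed_mic(key: bytes, data: bytes) -> int:
    """Keyed integrity check: HMAC-SHA256, returned as an integer so it can
    be XOR-combined the same way as the CRC value."""
    return int.from_bytes(hmac.new(key, data, hashlib.sha256).digest(), "big")


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("the affine identity only holds for equal lengths")
    return bytes(x ^ y for x, y in zip(a, b))


def check_is_affine(check, a: bytes, b: bytes) -> bool:
    """True if check(a ^ b) == check(a) ^ check(b) ^ check(0...0).

    A check value with this property is not an integrity check: whoever can
    XOR a change into the data can compute the matching change to the check
    value without knowing any key. CRC-32 has the property for equal-length
    inputs (the constant term comes from its init/xorout values); a keyed MAC
    does not, except with negligible probability.
    """
    zero = bytes(len(a))
    lhs = check(xor_bytes(a, b))
    rhs = check(a) ^ check(b) ^ check(zero)
    return lhs == rhs


def wep_icv_is_affine() -> bool:
    """CRC-32 ICV: expected True."""
    return check_is_affine(crc32_icv, PAYLOAD_A, PAYLOAD_B)


def keyed_mic_is_affine() -> bool:
    """HMAC-SHA256 MIC with DEMO_KEY: expected False."""
    return check_is_affine(lambda d: keyed_mic(DEMO_KEY, d), PAYLOAD_A, PAYLOAD_B)


if __name__ == "__main__":
    print("CRC-32 ICV affine over XOR:", wep_icv_is_affine())
    print("HMAC-SHA256 MIC affine over XOR:", keyed_mic_is_affine())
```

The defensive takeaway is the one the later WPA2 design acted on: an integrity tag must depend on a secret key and must not be linear in the data, otherwise confidentiality of the payload gives no protection against undetected modification.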

Chopchop problem

Postby mfenetre » Tue Feb 15, 2005 4:49 pm

Hi all,

I was just wondering if someone ever met this problem with Chopchop.

when I launch chopchop, this happens :

[root@localhost chopchop]./chopchop -i eth1 -m 00:60:1D:1F:11:ED -b 00:40:96:33:33:33 -p capture.cap
00:60:1D:1F:11:ED 6
00:40:96:33:33:33 6
0
first pass
---------------
packet number 001
base src mac: 00 60 1d 1f 11 ed
base dst mac: ff 2a f7 d1 d8 ec

Then nothing happens for a long time. Furthermore, I'm scanning the network with another laptop and I sniff no packets from the laptop running chopchop...

I use Red Hat 8.0 with a 2.4.18-14 kernel. I have a Lucent Orinoco Silver PCMCIA card, and I use the orinoco_cs driver (0.13e patched). I've followed the 4 steps described in Korek's readme...

I'm quite sure my wireless card is working fine, I'm able to sniff some traffic in monitor mode (using airodump & aircrack for example).

Any ideas ?

Thanks in advance,
mfenetre
mfenetre
Mini Stumbler
 
Posts: 2
Joined: Tue Feb 08, 2005 12:15 pm

Postby sylvain » Wed Feb 16, 2005 12:17 am

mfenetre wrote:Hi all,

I was just wondering if someone ever met this problem with Chopchop.

when I launch chopchop, this happens :

[root@localhost chopchop]./chopchop -i eth1 -m 00:60:1D:1F:11:ED -b 00:40:96:33:33:33 -p capture.cap
00:60:1D:1F:11:ED 6
00:40:96:33:33:33 6
0
first pass
---------------
packet number 001
base src mac: 00 60 1d 1f 11 ed
base dst mac: ff 2a f7 d1 d8 ec

Then nothing happens for a long time. Furthermore, I'm scanning the network with another laptop and I sniff no packets from the laptop running chopchop...

I use Red Hat 8.0 with a 2.4.18-14 kernel. I have a Lucent Orinoco Silver PCMCIA card, and I use the orinoco_cs driver (0.13e patched). I've followed the 4 steps described in Korek's readme...

I'm quite sure my wireless card is working fine, I'm able to sniff some traffic in monitor mode (using airodump & aircrack for example).

Any ideas ?

Thanks in advance,
mfenetre


If I remember correctly, you should patch your driver with a patch done by Korek for reinjecting packets.
Otherwise, chopchop works better with Prism2 cards.
sylvain
 
Posts: 175
Joined: Mon Jun 21, 2004 5:57 am
Location: Paris, France
