Incomplete four-way handshake

Postby wham » Tue Jan 17, 2006 8:36 pm

I disassociated and reassociated a computer on my network while capturing packets with Ethereal. I found about 27 EAPOL packets in all. I saved the capture file and tried to crack the PSK in coWPAtty, but it says that the four-way handshake is incomplete. What's going on? I have tried it with the card monitoring just about every channel (iwconfig ath0 mode monitor channel *channel number*), but it doesn't find it. I am using a WRT54g with WPA2-PSK.

Postby Airstreamer » Tue Jan 17, 2006 9:39 pm

wham wrote: I disassociated and reassociated a computer on my network while capturing packets with Ethereal. I found about 27 EAPOL packets in all. I saved the capture file and tried to crack the PSK in coWPAtty, but it says that the four-way handshake is incomplete. What's going on? I have tried it with the card monitoring just about every channel (iwconfig ath0 mode monitor channel *channel number*), but it doesn't find it. I am using a WRT54g with WPA2-PSK.

I'm not really sure about this, so buyer beware and all other disclaimers apply!
If you want to capture what is going on, I think you'll probably need Kismet or a similar program that does passive monitoring by hooking directly into the hardware. (Maybe Aircrack? I'm pretty sure that LinkFerret would work as well, since it 'sees' all the control packets that kind of lie 'below the surface.')

I really don't know how WinPcap is handling the interface, but I have a sneaking suspicion that it is probably not catching all the data. Kind of like you really don't see the link pulse info that tells a switch what kind of interface you can support, or the negotiation handshake that takes place still at the link pulse level, BEFORE the adapter starts passing Ethernet data (unless you have some specialized hardware analysis tools).

Now you've got me interested. I hope to see the answer posted as I am curious if I've guessed correctly.
"But when we disarmed They sold us and delivered us bound to our foe,
And the Gods of the Copybook Headings said: 'Stick to the Devil you know.'"
- Rudyard Kipling

Postby wham » Wed Jan 18, 2006 8:59 am

Thanks for the reply, Airstreamer. I have tried monitoring it with Kismet and Airodump, but it doesn't find the right packets either. I am using Auditor with a Proxim 8470-WD if that makes a difference (so WinPcap isn't being used right now). I am a bit hesitant to pay for a program like LinkFerret. Has anyone here successfully cracked WPA2-PSK on their WRT54g? What problems, if any, were encountered and what hardware was used?

Thanks

Edit: I heard from someone on the remote-exploit IRC channel that if AES is used on a WPA2 network, it can't be cracked. If this is true, is there any reason to set up a RADIUS server?

Postby Airstreamer » Wed Jan 18, 2006 7:46 pm

wham wrote: Thanks for the reply, Airstreamer. I have tried monitoring it with Kismet and Airodump, but it doesn't find the right packets either. I am using Auditor with a Proxim 8470-WD if that makes a difference (so WinPcap isn't being used right now). I am a bit hesitant to pay for a program like LinkFerret. Has anyone here successfully cracked WPA2-PSK on their WRT54g? What problems, if any, were encountered and what hardware was used?

Thanks

Edit: I heard from someone on the remote-exploit IRC channel that if AES is used on a WPA2 network, it can't be cracked. If this is true, is there any reason to set up a RADIUS server?

I think you can still download a time-limited demo of LinkFerret.
Hope it works.

Postby theprez98 » Wed Jan 18, 2006 7:48 pm

Airstreamer wrote: I think you can still download a time-limited demo of LinkFerret.
Hope it works.

http://www.linkferret.ws/download/download.htm

We have provided fully functional, downloadable evaluation versions for all of our LinkFerret monitoring products. The trial period is limited to thirty days, after which the product must be registered if you wish to continue to use it. Please see our End User License Agreement for more information.

Further down, it actually says this:
If you are unfamiliar with the process of downloading and installing software via the internet...

Someone who is unfamiliar with the process of downloading and installing software via the internet is just plain stupid!
"\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

Postby wham » Wed Jan 18, 2006 8:52 pm

I have temporarily set my network to WPA1 and the attack works. I have downloaded the LinkFerret evaluation version (yes, I could figure out how to download software from the Internets) and will see if that works against WPA2 with AES. I think the underlying problem was that I was using AES instead of TKIP, not that packets weren't being collected. I wonder if it is even possible to crack WPA2-PSK with TKIP+AES. Hopefully the rainbow tables for WPA will be available soon. Heard that it got a lot of attention (even from Mitnick) at ShmooCon.

Postby renderman » Thu Jan 19, 2006 6:58 am

coWPAtty at this moment (v3.0) works on WPA-PSK v1; WPA2 support is not present. That said, just give me some time.

Postby theprez98 » Thu Jan 19, 2006 7:56 am

wham wrote: I have temporarily set my network to WPA1 and the attack works. I have downloaded the LinkFerret evaluation version (yes, I could figure out how to download software from the Internets) and will see if that works against WPA2 with AES. I think the underlying problem was that I was using AES instead of TKIP, not that packets weren't being collected. I wonder if it is even possible to crack WPA2-PSK with TKIP+AES. Hopefully the rainbow tables for WPA will be available soon. Heard that it got a lot of attention (even from Mitnick) at ShmooCon.

I believe "they" precomputed tables for some default SSIDs. With the target SSID, you should be able to compute the tables for the target AP. Thorn or Render should be able to steer you in the right direction.
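The per-SSID precomputation theprez98 refers to above, and the "hashing a table" renderman asks for later in the thread, both come down to the WPA-PSK key derivation, where the SSID is the PBKDF2 salt. The following is an added example (not code from the thread, coWPAtty or the CoWF tables) that derives the PMK and shows why a table built for one SSID cannot be reused against another network; the wordlist and SSIDs other than the IEEE test vector are constructed.

```python
# Added example, not code from the thread or from coWPAtty: the WPA/WPA2-PSK
# key derivation, showing why lookup tables must be hashed per SSID.
import hashlib
import time

PBKDF2_ROUNDS = 4096   # fixed by IEEE 802.11i for WPA/WPA2-Personal
PMK_LEN = 32           # 256-bit Pairwise Master Key


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).

    The SSID is the salt, so the same passphrase yields a different PMK on
    every differently named network. That is why "rainbow tables for WPA"
    are really per-SSID lookup tables, and why a non-default SSID plus a
    long passphrase pushes a cracker back to paying 4096 rounds per guess.
    """
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PMK_LEN)


def hash_table(wordlist, ssid: str) -> dict:
    """Precompute PMK -> passphrase for one SSID ("hashing a table")."""
    return {wpa_pmk(word, ssid): word for word in wordlist}


def lookup(table: dict, pmk: bytes):
    """Return the passphrase behind a PMK, or None if the table's SSID differs."""
    return table.get(pmk)


def guesses_per_second(seconds: float = 0.5) -> float:
    """Rough cost of one guess with no table: 4096 rounds x 2 SHA1 blocks."""
    n, start = 0, time.perf_counter()
    while time.perf_counter() - start < seconds:
        wpa_pmk("benchmark!", "bench")   # constructed values, not a real network
        n += 1
    return n / seconds


if __name__ == "__main__":
    # Constructed wordlist; "password"/"IEEE" is the 802.11i Annex H test vector.
    words = ["password", "correct horse", "letmein1"]
    default_ssid_table = hash_table(words, "linksys")
    print(wpa_pmk("password", "IEEE").hex())
    print(lookup(default_ssid_table, wpa_pmk("password", "linksys")))   # password
    print(lookup(default_ssid_table, wpa_pmk("password", "mywifi99")))  # None
    print(f"{guesses_per_second():.0f} guesses/s on this CPU with no table")
```

The Annex H vector lets you confirm the derivation matches the standard before trusting any table built with it.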

Postby Thorn » Thu Jan 19, 2006 8:32 am

wham wrote: Hopefully the rainbow tables for WPA will be available soon. Heard that it got a lot of attention (even from Mitnick) at ShmooCon.

The Shmoo have graciously offered to host the WPA rainbow tables on their BitTorrent feed. I don't know if it will be on http://rainbowtables.shmoo.com/ or its own page. In any event, when it's available, I'm sure Render or myself will announce it.

Yes, Mitnick was impressed enough to ask for a copy of the tables, as were other people. We provided the tables to Kevin and anyone else at the con who asked.

Edit: Previous offer moved here:
http://www.netstumbler.org/showthread.php?t=18789

Postby renderman » Thu Jan 19, 2006 9:14 am

On another related note, I posted a copy of coWPAtty 3.0 on the CoWF site until Joshua gets it up somewhere else.

http://www.churchofwifi.org/FileLib/9-cowpatty-3.0.zip

If you hash out a large table, please drop either Thorn, Joshua or myself a line so we can see about including it in a future release of the CoWF tables (also send the wordlist you used).

The tables are going to be up shortly. The Shmoo are probably very busy cleaning up after us at the hotel and have bills to pay. Many thanks in advance for the file distribution assistance.

Postby theprez98 » Thu Jan 19, 2006 9:24 am

My CPU cycles are dying to do something, send some work my way. If someone could talk me through the process of hashing a table, I'll get started right away. If I could only figure out BOINC for WPA...

Also, my bandwidth sits unused while I'm at work or sleeping, so I'm more than willing to seed the torrent.

Postby wham » Thu Jan 19, 2006 9:46 am

theprez98 wrote: If I could only figure out BOINC for WPA...

Maybe we could use the seti@home network for making the hashes, and claim that the aliens were seeding the torrent.

Postby theprez98 » Thu Jan 19, 2006 9:48 am

wham wrote: Maybe we could use the seti@home network for making the hashes, and claim that the aliens were seeding the torrent.

I have absolutely no coding experience, so I really wouldn't know where to start. I have ideas but no way to implement them, or even to know if it's possible. But I think making tables via a BOINC-type setup would definitely speed up the process.

Postby renderman » Thu Jan 19, 2006 9:50 am

I need to take a look at the BOINC project and see if it could be done, or if they might object to its purpose.

There's a lot that can/needs to be done. Just not enough time to do it in.

Postby theprez98 » Thu Jan 19, 2006 9:51 am

renderman wrote: I need to take a look at the BOINC project and see if it could be done, or if they might object to its purpose.

There's a lot that can/needs to be done. Just not enough time to do it in.

Until then I know I would do whatever I could to help, I just need a little help in getting started.

Here is the BOINC page about new projects:
http://boinc.berkeley.edu/create_project.php