New tool to crack WEP keys under GNU/Linux

Postby chesh » Tue Oct 12, 2004 11:30 am

One other thing I'd like to mention, when I do a weplab -a on my Kismet.dump file it says that there are XXXXX number of unique IVs which when I check Kismet seems to be the same number of data packets collected from my network. Does this seem right? The other number that Kismet shows is XXXX number of crypted packets collected, but that number doesn't seem to be referenced within weplab whatsoever. So, are unique IVs crypted packets, or just unique data packets?

chesh
chesh
Mini Stumbler
 
Posts: 10
Joined: Tue Feb 10, 2004 4:56 pm

Postby chesh » Wed Oct 13, 2004 7:26 am

chesh wrote:My second question is, how does one generate more packets in order to crack? I've heard talk of doing an arping or something to that extent to generate packets. Would someone post the info on how this is done, if you need two wireless adapters, or what? Thanks guys.

chesh


Ok, I jumped the gun a little bit on a couple of these questions. I tried aircrack last night for the first time with airodump and aireplay. I got myself a 770mb dump file with 880k of unique IV packets. My new question is, when I load this into aircrack it says there is 880k worth of unique packets, but when I load it into weplab it says there is only 88k worth of packets. Why the difference? Also, airodump says that the network is a 54mb WPA encrypted network, when I know it's a BEFW11S4 using 128-bit WEP. I further this knowing that aircrack is supposed to deny WPA packets when loading the dump file and it loads all the packets just fine and starts away on its little cracking adventure. I have to say, if I didn't know it was 128-bit WEP and started a 64-bit crack on it, it finished and told me that a key didn't exist in about 34 secs. This was with aircrack fudge factor of 2. When I ran weplab on the other hand, it took an hour or two to discover that it wasn't a 64-bit key. Anyways, just thought I'd post my findings, any comments, flames are more than welcome.

chesh
chesh
Mini Stumbler
 
Posts: 10
Joined: Tue Feb 10, 2004 4:56 pm

Postby chesh » Fri Oct 15, 2004 7:33 am

joswr1ght wrote:I'm not much for UI design (love those Unix tools though), but here goes. I'm going to release this tool in the first teaching of the SANS Wireless Auditing class in New Orleans in November (I am the author of this material), and will make it publicly available after that.

screen shot

This tool is an implementation of Robert Moskowitz's paper "Weakness in Passphrase Choice in WPA Interface" at http://wifinetnews.com/archives/002452.html. It kind of sucks, since it's pretty slow. I've done everything to optimize it that I believe can be done, but 4096 hmac-sha1 passes take quite a bit of time to derive the PMK from a dictionary word. I'm looking forward to comments after releasing publicly.

Thanks,

-Josh



I saw in the latest version of Auditor (auditor-081004-01) you've already released this tool to them. Since it's already in the public, when are you planning on releasing a source download to the masses?

chesh
chesh
Mini Stumbler
 
Posts: 10
Joined: Tue Feb 10, 2004 4:56 pm
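Josh's "4096 hmac-sha1 passes" per dictionary word is the PBKDF2 step of WPA-PSK (PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32 bytes)). The following is an added illustration, not code from Josh's tool or from this thread: it spells out the iteration loop by hand, checks it against Python's hashlib, and verifies both against the IEEE 802.11i test vector (passphrase "password", SSID "IEEE"), so the 8192 HMAC calls per candidate (two 20-byte output blocks of 4096 each) are visible.

```python
import hashlib
import hmac

# Test vector from IEEE 802.11i Annex H.4.1 (passphrase "password", SSID "IEEE").
IEEE_PMK_HEX = "f42c6fc52df0ebef9ebb4b90b38a5f902e83fe1b135a70e23aed762e9710a12e"


def pbkdf2_sha1_manual(passphrase: bytes, ssid: bytes, iterations: int = 4096, dklen: int = 32):
    """Hand-rolled PBKDF2-HMAC-SHA1 that also returns how many HMAC calls it made.

    Each 20-byte output block costs `iterations` HMAC-SHA1 calls; a 32-byte PMK
    needs two blocks, which is why one candidate passphrase costs 8192 HMACs.
    """
    out = b""
    hmac_calls = 0
    block_index = 1
    while len(out) < dklen:
        # U1 = HMAC(P, S || INT(i)); Ti = U1 xor U2 xor ... xor Uc
        u = hmac.new(passphrase, ssid + block_index.to_bytes(4, "big"), hashlib.sha1).digest()
        hmac_calls += 1
        t = int.from_bytes(u, "big")
        for _ in range(iterations - 1):
            u = hmac.new(passphrase, u, hashlib.sha1).digest()
            hmac_calls += 1
            t ^= int.from_bytes(u, "big")
        out += t.to_bytes(20, "big")
        block_index += 1
    return out[:dklen], hmac_calls


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """The standard WPA-PSK derivation via the library implementation."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


if __name__ == "__main__":
    manual, calls = pbkdf2_sha1_manual(b"password", b"IEEE")
    print("manual PMK :", manual.hex(), "via", calls, "HMAC-SHA1 calls")
    print("hashlib PMK:", wpa_pmk("password", "IEEE").hex())
    print("matches IEEE test vector:", manual.hex() == IEEE_PMK_HEX)
```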

Postby joswr1ght » Fri Oct 15, 2004 9:21 am

chesh wrote:I saw in the latest version of Auditor (auditor-081004-01) you've already released this tool to them. Since it's already in the public, when are you planning on releasing a source download to the masses?

chesh


11/3, right after the SANS WLAN Auditing course runs in New Orleans.

If anyone wants the source early and is willing to provide some feedback/testing, drop me a note at jwright@hasborg.com.

Thanks,

-Josh
-Joshua Wright
jwright@hasborg.com
http://home.jwu.edu/jwright/

Today I stumbled across the world's largest hotspot. The SSID is "linksys".


Check out the SANS advanced wireless auditing and assessment course:
Los Angeles
joswr1ght
Mini Stumbler
 
Posts: 90
Joined: Wed Sep 01, 2004 4:18 am

Postby devine » Fri Oct 15, 2004 9:59 am

When I load this into aircrack it says there is 880k worth of unique packets, but when I load it into weplab it says there is only 88k worth of packets. Why the difference?

Hard to tell. Post the first meg of your pcap file somewhere, this would help me and TopoLB to track down the problem.

Also, airodump says that the network is a 54mb WPA encrypted network, when I know it's a BEFW11S4 using 128-bit WEP.

That's a known bug in airodump 2.1. Will be fixed in the next release.

it finished and told me that a key didn't exist in about 34secs. This was with aircrack fudge factor of 2.

Maybe try increasing the fudge factor. Also if it's 802.1X aircrack will very likely fail.

post-edit: messed up with the version number
devine
 
Posts: 389
Joined: Thu Jul 29, 2004 10:09 am
Location: Paris

Postby chesh » Fri Oct 15, 2004 10:01 am

What's the easiest way to cut down my 770mb pcap file to 1mb?

chesh
chesh
Mini Stumbler
 
Posts: 10
Joined: Tue Feb 10, 2004 4:56 pm

Postby joswr1ght » Fri Oct 15, 2004 10:41 am

chesh wrote:What's the easiest way to cut down my 770mb pcap file to 1mb?

chesh


Sample the first few thousand files with tcpdump:

$ tcpdump -r bigfile.dump -w smallfile.dump -c 2000

Repeat until the "-c" number gives you what you want.

Note: This will not work with tethereal, the "-c" behavior does not work when reading from a stored capture file.

-Josh
joswr1ght
Mini Stumbler
 
Posts: 90
Joined: Wed Sep 01, 2004 4:18 am

Speeding Up WPA PSK Attack

Postby Kronk » Sat Oct 16, 2004 4:26 am

Joshua,

The KisMAC tool implements the WPA PSK attack using G4 Altivec acceleration to improve performance significantly. Maybe you can do something similar with MMX with your WPA code.

The KisMAC source code is located at http://binaervarianz.de/projekte/programmieren/kismac/download.php and may be helpful.

Kronk
Kronk
Mini Stumbler
 
Posts: 13
Joined: Tue Jul 06, 2004 11:44 am

Postby devine » Sat Oct 16, 2004 4:31 am

Kronk wrote:The KisMAC tool implements the WPA PSK attack using G4 Altivec acceleration to improve performance significantly. Maybe you can do something similar with MMX with your WPA code.


Indeed. Also, I was thinking about distributed WPA-PSK cracking. Could speed up things quite a bit, especially if you have a few spare machines :)
devine
 
Posts: 389
Joined: Thu Jul 29, 2004 10:09 am
Location: Paris

Postby grcore » Tue Jan 04, 2005 9:49 am

chesh wrote:What's the easiest way to cut down my 770mb pcap file to 1mb?

chesh


Are you trying to filter out the IV packets?

Use ethereal to run a filter and save the output.

g
grcore
 
Posts: 121
Joined: Wed Aug 11, 2004 4:55 pm

Working with wrt54g ?

Postby net-titi » Sun Feb 20, 2005 5:40 am

Would it work with a Linksys WRT54G router, like Kismet does?
net-titi
Mini Stumbler
 
Posts: 1
Joined: Sun Feb 20, 2005 5:36 am

Postby devine » Wed Feb 23, 2005 12:24 pm

chesh wrote:What's the easiest way to cut down my 770mb pcap file to 1mb?


Not many options right now, but that's a planned feature of airodump 2.2, which will make it possible to only save the IVs from a live capture session, or extract then save them from a pcap file. Each IV will use about 6 bytes: bssid_index(1) + IV_itself(3) + ciphertext_start(2). However, this new file format will only be understood by aircrack 2.2.
devine
 
Posts: 389
Joined: Thu Jul 29, 2004 10:09 am
Location: Paris
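To tie together chesh's earlier question (are "unique IVs" crypted packets or data packets?) and devine's 6-byte record layout above, here is an added example, not code from airodump, aircrack or weplab: it walks raw 802.11 data frames, counts data frames versus frames with the Protected bit set, keeps only the first occurrence of each 3-byte IV per BSSID, and packs each new IV as bssid_index(1) + IV(3) + first two ciphertext bytes(2). Frames are assumed to be bare 802.11 headers (no prism/radiotap prefix), non-QoS data subtype only; the MAC addresses and frames are constructed sample data.

```python
import struct
from collections import defaultdict

# Constructed sample addresses (not from the thread).
AP = bytes.fromhex("000c41aabbcc")
OTHER_AP = bytes.fromhex("000c41ddeeff")
STA = bytes.fromhex("001122334455")


def build_frame(flags, a1, a2, a3, iv, key_id=0, body=b"\xde\xad\xbe\xef"):
    """Constructed 802.11 Data frame: FC(2) dur(2) a1 a2 a3 seq(2) then WEP IV(3)+keyid(1)+body."""
    return bytes([0x08, flags]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + iv + bytes([key_id << 6]) + body


def bssid_of(flags, a1, a2, a3):
    to_ds, from_ds = flags & 0x01, flags & 0x02
    if to_ds and from_ds:
        return None  # WDS frame: no single BSSID field
    return a1 if to_ds else a2 if from_ds else a3


def extract_iv_records(frames):
    """Return (bssid list, 6-byte IV records, per-BSSID stats) following devine's layout."""
    bssids, records = [], []
    stats = defaultdict(lambda: {"data": 0, "crypted": 0, "ivs": set()})
    for f in frames:
        if len(f) < 24 or f[0] != 0x08:
            continue  # only plain Data frames; QoS data has an extra 2-byte field before the IV
        flags = f[1]
        bssid = bssid_of(flags, f[4:10], f[10:16], f[16:22])
        if bssid is None:
            continue
        st = stats[bssid]
        st["data"] += 1  # what Kismet counts as a data packet
        if not flags & 0x40 or len(f) < 30:
            continue  # Protected Frame bit clear: plaintext data, carries no IV
        st["crypted"] += 1  # what Kismet counts as a crypted packet
        iv = f[24:27]  # first 3 bytes after the MAC header; byte 27 is the key ID
        if iv in st["ivs"]:
            continue  # reused IV: counted as crypted, but not a new unique IV
        st["ivs"].add(iv)
        if bssid not in bssids:
            bssids.append(bssid)
        records.append(struct.pack("B3s2s", bssids.index(bssid), iv, f[28:30]))
    return bssids, records, stats


SAMPLE_FRAMES = [  # constructed: ToDS/FromDS encrypted, one IV reuse, one plaintext, one other AP
    build_frame(0x41, AP, STA, STA, b"\x01\x02\x03"),
    build_frame(0x42, STA, AP, STA, b"\x01\x02\x03"),
    build_frame(0x42, STA, AP, STA, b"\x04\x05\x06"),
    build_frame(0x02, STA, AP, STA, b"\x00\x00\x00"),
    build_frame(0x41, OTHER_AP, STA, STA, b"\x01\x02\x03"),
]
```

Running `extract_iv_records(SAMPLE_FRAMES)` shows the three counts diverging: for AP, 4 data frames, 3 crypted, 2 unique IVs, and each record is exactly 6 bytes.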

Postby kleptophobiac » Thu Apr 21, 2005 2:49 pm

Wow, this is a massively long thread, and I will admit that I ceased reading about page 11.

1) Would you care to post the win32 source code somewhere? I'm interested in taking a peek at it, even though I'm terrible with C (I do java... need to work on C)

2) I popped wzcook into a hex editor and did the proper edits, and it works great. I figured I'd post the fixed binary, just so others wouldn't have to go download a hex editor. :) here

3) Thanks for the work!
kleptophobiac
Mini Stumbler
 
Posts: 310
Joined: Sun Sep 01, 2002 8:32 am
