New tool to crack WEP keys under GNU/Linux

Postby topolb » Tue Aug 24, 2004 6:50 am

sylvain wrote: If we had to compare weplab and aircrack, which one is the best? aircrack with the attacks included in chopper?


The best way to answer this question is to make a test :) Anyone interested?

BTW, aircrack implements the "replay attack", while weplab only uses passive attacks (brute force, statistical, dictionary).

The "replay attack" is great for speeding up the process of gathering different IVs, and as far as I know aircrack is the first tool on Linux that implements it.
The lack of a standard way to create raw wlan packets is a big hole that I hope will be filled soon.

devine: I will include the other attacks in the next release, together with a dictionary-based attack. But... are the other attacks relevant and stable with non-uniform IV distributions?

And the future... what about WPA? ;)
topolb
Mini Stumbler
 
Posts: 67
Joined: Tue Jun 08, 2004 2:51 am

Postby sylvain » Tue Aug 24, 2004 7:23 am

The problem is that the creation of raw wlan packets depends on the cards and drivers used, I think.

Note: I think aircrack is not the first to implement a replay attack... I think there is one tool specific to BSD which does the same thing.

Concerning WPA, I haven't heard of any weaknesses... except against WPA-PSK (dictionary-based attacks). What kind of attacks do you plan to implement?


Last thing: I can perform a test between both tools, but without the aireplay function of aircrack as I don't own a prism2 card.
sylvain
 
Posts: 175
Joined: Mon Jun 21, 2004 5:57 am
Location: Paris, France

Postby sylvain » Tue Aug 24, 2004 7:25 am

For the comparative test: which commands do you want me to use for both tools?
sylvain
 
Posts: 175
Joined: Mon Jun 21, 2004 5:57 am
Location: Paris, France

Postby devine » Tue Aug 24, 2004 7:45 am

topolb wrote: devine: I will include the other attacks in the next release, together with a dictionary-based attack. But... are the other attacks relevant and stable with non-uniform IV distributions?


All attacks, except the unstable 5% ones, work quite well with linearly distributed IVs. They perform even better when the IVs are randomly distributed (like, you can sometimes crack a 104-bit key with 200k IVs).

topolb wrote: And the future... what about WPA? ;)

Maybe in aircrack 2.0, together with Windows support ;-)
devine
 
Posts: 389
Joined: Thu Jul 29, 2004 10:09 am
Location: Paris
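devine's point above is that the attacks behave differently depending on whether a card's IV generator is sequential (linear) or random. The following is an added example, not code from weplab or aircrack: it pulls the 24-bit WEP IV out of 802.11 data frames in a capture you own and reports how many IVs repeat and how sequential the stream is, which is what an administrator would check to see how exposed an old WEP network is. The frame layout follows the 802.11 data-frame header (24 bytes, IV immediately after); reading the three IV bytes as a little-endian integer is this example's own convention.

```python
import struct
from typing import Iterable, Optional

# Added example (not weplab/aircrack code). Extracts WEP IVs from 802.11
# data frames and summarises IV reuse and IV-generator behaviour.

def wep_iv(frame: bytes) -> Optional[int]:
    """Return the 24-bit IV of a WEP-protected 802.11 data frame, else None."""
    if len(frame) < 28:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]   # Frame Control, little-endian
    ftype = (fc >> 2) & 0x3                      # 2 = data frame
    protected = (fc >> 14) & 0x1                 # "Protected Frame" (WEP) bit
    if ftype != 2 or not protected:
        return None
    # 24-byte header, then 3 IV bytes, then 6 pad bits + 2-bit key index.
    # The three IV bytes are combined little-endian here (a convention of this
    # example; tools may print them in wire order instead).
    return frame[24] | (frame[25] << 8) | (frame[26] << 16)


def iv_stats(frames: Iterable[bytes]) -> dict:
    """Summarise the IV stream of a capture: reuse and how sequential it is."""
    ivs = [iv for iv in map(wep_iv, frames) if iv is not None]
    unique = set(ivs)
    # A consecutive pair differing by exactly 1 (mod 2^24, so 0xffffff -> 0
    # counts) indicates a linear IV counter; random generators score near 0.
    steps = sum(1 for a, b in zip(ivs, ivs[1:]) if (b - a) % (1 << 24) == 1)
    return {
        "frames": len(ivs),
        "unique_ivs": len(unique),
        "repeated_ivs": len(ivs) - len(unique),
        "sequential_ratio": steps / max(1, len(ivs) - 1),
    }


def make_frame(iv: int, payload: bytes = bytes(8)) -> bytes:
    """Constructed sample frame: FC = data + Protected, zeroed addresses/seq."""
    hdr = b"\x08\x40" + bytes(22)
    ivb = bytes([iv & 0xff, (iv >> 8) & 0xff, (iv >> 16) & 0xff, 0x00])
    return hdr + ivb + payload


if __name__ == "__main__":
    # Constructed capture: a linear IV counter plus one reused IV.
    capture = [make_frame(i) for i in range(100)] + [make_frame(5)]
    print(iv_stats(capture))
```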

Other Korek's attacks

Postby topolb » Tue Aug 24, 2004 12:22 pm

Trying to understand Korek's attacks (all those that appear in chopper and aircrack) is a pain!

I would be glad if someone could help me implement the other Korek's attacks (those not yet implemented) in weplab (attack.c) O:-)

At the moment weplab seems to be able to crack the key with over 600k packets using only standard FMS, the attack on the second byte, enhanced 13%, and the inverted (reject) attack.
Advanced Korek 24% gives me a lot of false positives, and attacks 5/6 10% seem not to be working at all.
topolb
Mini Stumbler
 
Posts: 67
Joined: Tue Jun 08, 2004 2:51 am

Postby devine » Wed Aug 25, 2004 1:37 am

topolb wrote:Trying to understand Korek's attacks (all those that appear in chopper and aircrack) is a pain!


Yeah, a little bit of documentation about them wouldn't hurt.

topolb wrote: At the moment weplab seems to be able to crack the key with over 600k packets using only standard FMS, the attack on the second byte, enhanced 13%, and the inverted (reject) attack.

Cool results :)
devine
 
Posts: 389
Joined: Thu Jul 29, 2004 10:09 am
Location: Paris

Postby KoreK » Wed Aug 25, 2004 7:55 am

topolb wrote:Trying to understand Korek's attacks (all those that appear in chopper and aircrack) is a pain!

devine wrote: Yeah, a little bit of documentation about them wouldn't hurt.

I don't have time at the moment. I posted a link to a News post in the other thread which explains pretty well the strong 13% (the one from Warner, cited by FMS). The attacks should be more like ingredients. There is more than one way to mix them, and you probably got quite a few recipes. You should not focus on one cracker, but make a few, each optimized for some cases. Of course, that's easier to say when I am not developing my cracker anymore :D But I spent quite a bit of time looking for the constants in chopper: Is 0.6 better than 0.5 there? Nope. Let's try 0.4 then. Doesn't change anything? What was my original constant? Can't remember. Well, let's try something else...
KoreK
 
Posts: 102
Joined: Wed Jul 21, 2004 5:25 pm

Windows port of weplab-0.0.8

Postby topolb » Wed Aug 25, 2004 11:41 pm

On http://www.sourceforge.net/projects/weplab a Windows port of the latest weplab version, 0.0.8, is available.

It requires cygwin1.dll (included in the .zip) and some winpcap dlls (also included).

Everything seems to be working fine. Packet capture is not tested yet.

Enjoy
topolb
Mini Stumbler
 
Posts: 67
Joined: Tue Jun 08, 2004 2:51 am

Postby sylvain » Wed Aug 25, 2004 11:51 pm

I will try it also and tell you if everything is ok.
sylvain
 
Posts: 175
Joined: Mon Jun 21, 2004 5:57 am
Location: Paris, France

Postby sylvain » Fri Aug 27, 2004 4:12 am

So here is my first comparative test between aircrack-1.4-1 and weplab-0.0.8:

I got two capture files: one with airodump and one with kismet. For each I have about 500 000 unique IVs. aircrack was able to crack both files (but I had to use the -s 2 option for one).

In 35 s for 516 106 unique IVs: aircrack found the key
In 95 s for 516 106 unique IVs: weplab found the key

I even managed to find the key quite fast with aircrack for a file with 450 000 unique IVs. For weplab, I had to change the code a bit to make the attack #6 byte reinjection dynamic, and then it worked well.
sylvain
 
Posts: 175
Joined: Mon Jun 21, 2004 5:57 am
Location: Paris, France

Postby topolb » Sun Aug 29, 2004 6:50 am

sylvain wrote: So here is my first comparative test between aircrack-1.4-1 and weplab-0.0.8:

I got two capture files: one with airodump and one with kismet. For each I have about 500 000 unique IVs. aircrack was able to crack both files (but I had to use the -s 2 option for one).

In 35 s for 516 106 unique IVs: aircrack found the key
In 95 s for 516 106 unique IVs: weplab found the key

I even managed to find the key quite fast with aircrack for a file with 450 000 unique IVs. For weplab, I had to change the code a bit to make the attack #6 byte reinjection dynamic, and then it worked well.



OK, aircrack wins (at least this time) :)

New version 0.0.9 of weplab is out. It implements all of Korek's attacks (among other things). What about another comparative test? }:-)
topolb
Mini Stumbler
 
Posts: 67
Joined: Tue Jun 08, 2004 2:51 am

Postby sylvain » Sun Aug 29, 2004 9:22 am

topolb wrote: OK, aircrack wins (at least this time) :)

New version 0.0.9 of weplab is out. It implements all of Korek's attacks (among other things). What about another comparative test? }:-)



Let's go ;-)

weplab 0.0.0 did not find my key :-(
sylvain
 
Posts: 175
Joined: Mon Jun 21, 2004 5:57 am
Location: Paris, France

Postby sylvain » Sun Aug 29, 2004 12:31 pm

OK, so after some tuning... I had to use the --perc 50 and -s 3 options to find the key... so I think, topolb, you should make an optimization guide (which commands to use and in which order to find the key).

So, results for the same file (516 106 unique IVs):
35 s for aircrack-1.4.1 (with the -s 2 option)
37 s for weplab-0.0.9 (with the --perc 50 and -s 3 options)

:D
sylvain
 
Posts: 175
Joined: Mon Jun 21, 2004 5:57 am
Location: Paris, France

Postby sylvain » Sat Sep 04, 2004 9:09 am

Topolb: do you plan to implement two new attacks?
1/ the WEP dictionary attack: wepattack style, with integration of John the Ripper
2/ the WPA-PSK dictionary attack

Thank you
sylvain
 
Posts: 175
Joined: Mon Jun 21, 2004 5:57 am
Location: Paris, France

Todo

Postby topolb » Sat Sep 04, 2004 10:01 am

sylvain wrote: Topolb: do you plan to implement two new attacks?
1/ the WEP dictionary attack: wepattack style, with integration of John the Ripper
2/ the WPA-PSK dictionary attack

Thank you


Well, a patch for the first issue (dictionary with john) is already integrated in the latest version, weplab-0.1.0, though not fully tested.

I think there is a problem in the weplab-john communication. The developer who submitted the patch to me is on holidays now, and as I am busy with other features, I prefer to wait for him.
Anyway, any feedback (and patches) will be useful.

Weplab is open source. You can contribute to it! ;)

As regards WPA, I also have it on my TODO list, together with WPA2 and AES.
topolb
Mini Stumbler
 
Posts: 67
Joined: Tue Jun 08, 2004 2:51 am
