
wep attacks

PostPosted: Tue Oct 12, 2004 3:28 am
by topolb
I nearly went mad when I did research on statistical attacks. Actually, many of them are still too "dark" for me.
A good paper explaining them would be great for all :)

Those implemented on weplab can be found at http://cvs.sourceforge.net/viewcvs.py/weplab/weplab/attack.c?rev=1.16&view=markup
with Korek's original comments.

PostPosted: Sat Nov 13, 2004 9:15 am
by Avatar
Hiho,

Does aireplay work with PrismGT/Duette cards?!

chopchop documentation

PostPosted: Mon Dec 06, 2004 3:04 am
by sknikam
Hi,
Can you post more information on how chopchop decrypts the packets? I am a newbie to this field, so a formal :-) document describing the method (how you assume the last byte and the corrections required for each assumption) would be very helpful.
Regards

Applying the patch

PostPosted: Tue Dec 07, 2004 6:48 pm
by prompt
Hi,
I'm a bit of a newbie, so I was wondering if someone could help
me with the required commands to patch the wlan-ng driver
so I can get chopchop working.
Thanks in advance.
prompt

Help getting chopchop running?

PostPosted: Thu Dec 09, 2004 11:24 pm
by prompt
Hi All,

I've just been trying to get chopchop working and have done the following.
I've applied the patches that came with it for wlan-ng, rebuilt and installed
the wlan-ng drivers (with the wlan-ng and wlan-ng.conf files provided), placed the card in monitor mode with the script provided, and started Kismet. But when I try to run chopchop against a packet file I had collected, I get this error:

./chopchop -b 00:0F:3D:FC:2B:xx -m 00:04:23:6C:2B:xx
-p /home/siouxchief/Kismet-Dec-09-2004-5.dump -burst 13

00:0F:3D:FC:2B:xx 6
0
00:04:23:6C:2B:xx 6
Cannot open the wlan device wlan0

Can anybody help?

chopchop error

PostPosted: Fri Dec 10, 2004 6:25 am
by prompt
Hi,
Just wondering if anyone has come across this error
and knows the reason for it. I have already done everything
in the chopchop readme, including patching. I have replaced the MAC addresses below.

./chopchop -b macaddress -m macaddress -p /home/siouxchief/Kismet-Dec-09-2004-5.dump -burst 13

macaddress 6
0
macaddress 6
Cannot open the wlan device wlan0

cheers
prompt

PostPosted: Fri Dec 10, 2004 6:31 am
by RedSector
You probably shouldn't double post. (http://netstumbler.org/showpost.php?p=100356&postcount=31) A mod will come layeth the smack down.

Smackdown

PostPosted: Fri Dec 10, 2004 6:43 am
by Thorn
prompt,
Please do not crosspost. If you haven't already done so, please read the rules. Doing so will prevent a lot of grief.

PostPosted: Fri Dec 10, 2004 8:26 am
by KoreK
Stupid noobs can't even properly read the thread before posting. Never mind acknowledging the PMs I sent them (that applies to sknikam as well). Anyway, prompt is a fucktard (apart from the double-post reason, not reading my post, not reading my PM) because
1) He wasn't root.
2) He didn't properly configure the pcmcia, so wlan-ng isn't properly loaded.
3) (And in the remote case this is some bug) The little shit doesn't even have the intelligence of posting his configuration/kernel version.

?

PostPosted: Fri Dec 10, 2004 9:57 am
by prompt
First of all, I posted a new thread thinking it would be a thread on its
own and never thought that it would be placed in

"chopchop (Experimental WEP attacks) thread"

so when I went to check for replies and saw that the post wasn't in the
main posting list, I thought that I might have forgotten to post it, because I have
been under a lot of pressure due to the death of a close relative yesterday, so I reposted again, which also got placed into this thread

"chopchop (Experimental WEP attacks)"

so it was an honest mistake, and I admit a silly mistake. Sorry if this upset anyone. I didn't think people were that serious about mistakes. I thank Thorn and RedSector for being somewhat understanding. Maybe ye could help me with that error?
Apart from that, I applied the patch and installed everything as root and ran it as root. Just because I didn't read you were Pre-Menstrual (PM), Korek, is no excuse to get annoyed.


regards
prompt

PostPosted: Fri Dec 10, 2004 10:39 am
by Thorn

It's unfortunate about the death in the family. You have my sympathies.

In the future, if a post doesn't appear where you expect it to be, search under your name. You can get a current list of all your posts anytime. If you've posted in error, you may delete your own posts.

Also before posting a new thread, search to see if the subject is covered. If a prior thread is on the same subject, we reserve the right to merge the threads. (It says so right at the bottom of each page.)

If a thread is over one year old, then it will probably be safe to start a new thread.

PostPosted: Wed Dec 15, 2004 9:48 pm
by joconnor
Hi,

I've been reading with interest throughout this thread about chopchop, so I installed everything required to use it. I just have a few queries.

First, I was wondering what packets I should be filtering for with Ethereal that would be able to be decoded with chopchop and produce a PRGA?

Secondly, I have a 100MB file which I filtered for ARP requests with Ethereal,
but it doesn't find a single one! Is this a common thing on wireless networks, and can you force ARP requests with the aj0 driver by forcing dis-associations, which might produce at least one ARP request?

Those are just a few thoughts to see if ye can shed light on them. Be gentle, I'm just trying to get my head around these injection ideas.

regards
joconnor

PostPosted: Thu Dec 16, 2004 9:56 pm
by KoreK
joconnor wrote:
First, I was wondering what packets I should be filtering for with Ethereal that would be able to be decoded with chopchop and produce a PRGA?

Any IP/ARP packet should work. You will have problems with NetBIOS/NetWare/AppleTalk packets; in that case the first five to eight bytes will remain encrypted, IIRC. You get a PRGA file for each IV, though the format is specific to chopchop. Look up the source. And you get the decrypted pcap file.

joconnor wrote:
Secondly, I have a 100MB file which I filtered for ARP requests with Ethereal,
but it doesn't find a single one! Is this a common thing on wireless networks, and can you force ARP requests with the aj0 driver by forcing dis-associations, which might produce at least one ARP request?

I mentioned ARP packets at the beginning of the thread, but it doesn't matter. It's just that they are very fast to decrypt, since they are short and full of 0's (0 being the first guess made by chopchop). Just take a short encrypted packet and try it. If you want to see ARP packets in your pcap file, you need to enter your WEP key in Ethereal preferences/protocols/ieee80211. They are encrypted, and unless you are using static ARP tables, there should be quite a few.

ARP packets are used by devine's aireplay to generate traffic (which can be used to recover a key with aircrack). chopchop doesn't care much about the traffic it generates; the goal is to decrypt a given packet (without the key).
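A worked illustration of the integrity weakness behind sknikam's "corrections for each assumption" question and KoreK's "decrypt a given packet without the key" answer, added here as an example rather than code from the thread or from chopchop itself: WEP's ICV is a plain CRC32, which is affine under XOR, so a change to the encrypted body can be paired with a matching change to the encrypted ICV without knowing the key and the receiver's CRC check still passes, whereas a keyed MAC (HMAC-SHA256 here as a stand-in for the keyed MIC that CCMP uses) rejects the same change. The keystream, frame body, MAC key and the `delta` change are all constructed sample values, not real traffic.

```python
import binascii
import hashlib
import hmac

def crc32(data: bytes) -> int:
    return binascii.crc32(data) & 0xFFFFFFFF

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def crc_delta(delta: bytes) -> int:
    # CRC32 is affine under XOR: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros of len d),
    # so the ICV correction for a body change depends only on the change, not on p.
    return crc32(delta) ^ crc32(bytes(len(delta)))

def wep_encrypt(plain: bytes, keystream: bytes) -> bytes:
    # WEP-style frame body: plaintext || CRC32 ICV, XORed with the cipher keystream.
    icv = crc32(plain).to_bytes(4, "little")
    return xor(plain + icv, keystream)

def wep_icv_ok(frame: bytes, keystream: bytes) -> bool:
    # Receiver side, as WEP does it: decrypt, then compare the unkeyed CRC32 ICV.
    plain = xor(frame, keystream)
    return crc32(plain[:-4]) == int.from_bytes(plain[-4:], "little")

def modify_without_key(frame: bytes, delta: bytes) -> bytes:
    # XOR a change into the body and the matching CRC correction into the ICV; no key needed.
    corr = crc_delta(delta).to_bytes(4, "little")
    return xor(frame, delta + corr)

def mac_tag(key: bytes, plain: bytes) -> bytes:
    # Keyed MAC as the hardened alternative (constructed stand-in for CCMP's keyed MIC).
    return hmac.new(key, plain, hashlib.sha256).digest()

def demo() -> dict:
    # Constructed sample: a short, zero-heavy body (ARP-like) and a deterministic keystream.
    plain = bytes.fromhex("0001080006040001") + bytes(20)
    ks = hashlib.shake_256(b"constructed keystream, stand-in for RC4").digest(len(plain) + 4)
    delta = bytes(8) + bytes.fromhex("0a000001") + bytes(16)  # alters 4 body bytes
    frame = wep_encrypt(plain, ks)
    altered = modify_without_key(frame, delta)
    key, body = b"constructed MAC key", xor(plain, delta)
    tag = mac_tag(key, plain)
    return {
        "crc_affine": crc32(body) == crc32(plain) ^ crc_delta(delta),
        "original_icv_ok": wep_icv_ok(frame, ks),
        "altered_icv_ok": wep_icv_ok(altered, ks),                      # True: WEP cannot tell
        "altered_mac_ok": hmac.compare_digest(mac_tag(key, body), tag),  # False: keyed MAC detects it
    }
```

The same affine property is why a truncated body's ICV can be re-derived guess by guess without the keystream; the only detection-side fix is a keyed integrity check, which is what replaced WEP's CRC in TKIP and CCMP.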

Chopchop problem

PostPosted: Tue Feb 15, 2005 4:49 pm
by mfenetre
Hi all,

I was just wondering if someone has ever met this problem with chopchop.

When I launch chopchop, this happens:

[root@localhost chopchop]./chopchop -i eth1 -m 00:60:1D:1F:11:ED -b 00:40:96:33:33:33 -p capture.cap
00:60:1D:1F:11:ED 6
00:40:96:33:33:33 6
0
first pass
---------------
packet number 001
base src mac: 00 60 1d 1f 11 ed
base dst mac: ff 2a f7 d1 d8 ec

Then nothing happens for a long time. Furthermore, I'm scanning the network with another laptop and I sniff no packets from the laptop running chopchop...

I use Red Hat 8.0 with a 2.4.18-14 kernel. I have a Lucent Orinoco Silver PCMCIA card, and I use the orinoco_cs driver (0.13e patched). I've followed the 4 steps described in Korek's readme...

I'm quite sure my wireless card is working fine, I'm able to sniff some traffic in monitor mode (using airodump & aircrack for example).

Any ideas?

Thanks in advance,
mfenetre

PostPosted: Wed Feb 16, 2005 12:17 am
by sylvain

If I remember correctly, you should patch your driver with a patch done by Korek for reinjecting packets.
Otherwise, chopchop works better with Prism2 cards.