
aircrack only collects 256 IVs on D-Link AP, works fine on Cisco AP..??

PostPosted: Mon Aug 15, 2005 1:10 am
by klaymen
Hi all,

I'm using version 2.21 of the aircrack suite under SuSE Linux 9.3 (2.6.11.4-21.2), using a Netgear WG511T card (Atheros chipset). While I can perfectly crack my own WEP-key (64 and 128 bits) within a few minutes on a pretty new Cisco Aironet 1200 AP, I got a strange problem at my other, old D-Link DWL-1000AP. On the latter one, airodump never gets more than 256 IVs.

Actually, aireplay successfully injects thousands of ARP requests (I can also see them from within the WLAN using ethereal, including the replies). airodump does also collect all these packets, but the number under "IVs" (usable IVs) only climbs slower and slower and finally stops at 256 IVs. I tried it several times, using captured ARP requests as seed, as well as packets forged using arpforge (and the chopchop attack in advance, which works fine in itself). The symptom is always the same - it can never collect more than 256 IVs. I also tried collecting packets using kismet instead of airodump and then applying aircrack to it. In this case, aircrack does report thousands of packets, but only 256 usable IVs (at most).

This is really weird because, as mentioned, it works perfectly on the much newer Cisco AP (which is supposed to be more secure than the old D-Link, isn't it?). Am I doing something wrong, or does indeed aircrack not work on some (even old-old-old) APs like the D-Link...?

Thanks in advance for any help! klaymen

PostPosted: Mon Aug 15, 2005 4:08 am
by devine
klaymen wrote:airodump does also collect all these packets, but the number under "IVs" (usable IVs) only climbs slower and slower and finally stops at 256 IVs.


Hi,

Please PM me a sample .cap file, I'm interested to have a look.

PostPosted: Mon Aug 15, 2005 10:55 am
by devine
devine wrote:Please PM me a sample .cap file, I'm interested to have a look.


Ok, I had a long, good look at the capture file. It appears that the IV generation routine on that particular access point is quite flawed: IVs are supposed to be randomly generated, but actually are always chosen from a pool of 256 IVs -- which actually makes the AP itself immune to the statistical attack. However, as soon as one client connects you should get new IVs from that client, so the idea would be to chopchop a packet from the legitimate client, and forge an ARP request with the client's IP as destination, so as to generate traffic from that client.

(Needless to say, if there are no clients connected you are screwed).
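A check a defender can run over a capture of their own network to confirm the bounded IV pool devine describes: count distinct WEP IVs per transmitter and flag a pool that stops growing. This is an added Python example, not code from the thread or from aircrack; the frames are constructed in-code (a simulated flawed AP beside a sane one), and the parsing assumes a plain 24-byte 802.11 data header without a QoS field or fourth address.

```python
import random
from collections import Counter

MAC_HDR_LEN = 24     # FC(2) Dur(2) A1(6) A2(6) A3(6) Seq(2); assumes no QoS field / 4th address
IV_POOL_LIMIT = 256  # the bounded pool size observed on the D-Link in this thread

def build_wep_frame(bssid, iv, payload):
    """Constructed WEP-protected data frame (sample data, not a real capture)."""
    fc = b"\x08\x42"  # byte0: type=Data, subtype=Data; byte1: FromDS + Protected Frame flags
    # With FromDS set: addr1 = destination (broadcast here), addr2 = BSSID, addr3 = source
    hdr = fc + b"\x00\x00" + b"\xff" * 6 + bssid + b"\x02\x00\x00\x00\x00\x42" + b"\x00\x00"
    return hdr + iv + b"\x00" + payload  # WEP header = IV(3) + key-index byte(1), then ciphertext

def wep_iv(frame):
    """24-bit IV of a protected data frame, or None if the frame does not qualify."""
    if len(frame) < MAC_HDR_LEN + 4:
        return None
    if (frame[0] >> 2) & 0x3 != 2 or not frame[1] & 0x40:  # type Data with Protected bit set
        return None
    return int.from_bytes(frame[MAC_HDR_LEN:MAC_HDR_LEN + 3], "big")

def iv_pool_report(frames):
    """Per transmitter (addr2): frames seen, distinct IVs, reuse count and a weak-pool verdict."""
    per_ap = {}
    for f in frames:
        iv = wep_iv(f)
        if iv is not None:
            per_ap.setdefault(f[10:16], Counter())[iv] += 1
    report = {}
    for bssid, ivs in per_ap.items():
        total = sum(ivs.values())
        # Verdict: far more frames than the pool size, yet distinct IVs never exceed it (the
        # "stuck at 256 IVs" symptom from the thread); each reuse is a repeated RC4 keystream.
        report[bssid.hex(":")] = {
            "frames": total,
            "distinct_ivs": len(ivs),
            "reused": total - len(ivs),
            "weak_pool": total >= 4 * IV_POOL_LIMIT and len(ivs) <= IV_POOL_LIMIT,
        }
    return report

def simulate_capture(n_frames, flawed, seed=1):
    """Constructed traffic: a flawed AP draws every IV from one fixed 256-entry pool,
    a sane AP draws from the full 24-bit IV space."""
    rng = random.Random(seed)
    pool = [rng.randrange(1 << 24) for _ in range(IV_POOL_LIMIT)]
    bssid = b"\x02\x00\x00\x00\x00\x01"  # locally administered placeholder, not a real AP
    return [build_wep_frame(bssid, (rng.choice(pool) if flawed else rng.randrange(1 << 24)).to_bytes(3, "big"),
                            b"\xaa" * 40) for _ in range(n_frames)]
```

Feeding real frames in place of `simulate_capture` needs only a pcap reader that yields the raw 802.11 frame bytes (radiotap header stripped).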

PostPosted: Mon Aug 15, 2005 12:52 pm
by klaymen
devine wrote:It appears that the IV generation routine on that particular access points is quite flawed: IVs are supposed to be randomly generated, but actually are always chosen from a pool of 256 IVs -- which actually makes the AP itself immune to the statistical attack.


Yes, I already suspected something like that, this AP really is pretty old... the old and bugged implementation protects it from current attacks. Stupidity sometimes protects :-)

devine wrote:However, as soon as one client connects you should get new IVs from that client, so the idea would be to chopchop a packet from the legitimate client, and forge an ARP request with the client's IP as destination, so as to generate traffic from that client.

(Needless to say, if there are no clients connected you are screwed).

You mean subsequently "chopchopping" (great word...) several packets from the same client? I'll give that a try... of course this would only create a few hundred IVs per regular packet.

[EDIT]: Just tried it out, doesn't work either... it seems the AP always covers the same IVs, even after getting new packets from the client as chopchop seeds. Even resetting the AP (pulling the power plug) doesn't get new ones. I guess one would only need to store these few hundred XOR flows and brute-force-try them on packets until you get legitimate packets in order to decrypt a capture file without needing to break the key though :D

PostPosted: Mon Aug 15, 2005 1:16 pm
by Dutch
Which firmware revision does the D-link run ? Any chance of you trying to older/newer firmwares, to check if this flaw exists in those ?

Dutch

PostPosted: Mon Aug 15, 2005 9:39 pm
by klaymen
I think I have the most recent firmware 2.2 on the AP (if you can call January 2002 "recent"...), see http://support.dlink.com/products/view.asp?productid=DWL%2D1000AP. I'll check that again at home. If it is of general interest, I can try to downgrade to 2.1 to check if the "feature" exists there as well.

PostPosted: Sun Apr 29, 2007 2:11 am
by 1312rene
hi,

I know this is a big kick, but I am experiencing the same problem here with a certain 3Com AP. Tried it on a linksys, which worked like a charm, but the 3Com AP gives the same result.

I am using a Netgear WG111v2 (R8187 chipset), and using linux (BT2.0), and everything patched for injection and stuff...

The weird thing is that my symptoms are the exact same: exactly 256 IVs, and the IVs are all the same (I found out after reading multiple captures with aircrack, which also said it saw 256 different packages).

Have any of you found a solution after a year and a half?
With regards,

1312rene :)

PostPosted: Sun Apr 29, 2007 2:25 am
by itsnotme
Go to the welcome desk and read the threads on zombie revival. What the fuck is this, the year of Zombie revivals?

Edit: Removed the last sentence, didn't make enough grammatical sense to me. It's too early in the morning for me to properly reduce you to charbroil, so I'll do that later today if somebody else hasn't.

PostPosted: Sun Apr 29, 2007 3:26 am
by 1312rene
as much as I would like to join this community, I haven't read that particular thread you are talking about, and I couldn't find it either.

Besides, at most forums it is normal that people revive threads, because:
A: Usually the one that has posted the question before, could have found the answer while time passed, and can help you faster
B: You don't have to explain everything again

So I just figured to use the search, find this thread and post in it, because of the above. I'm a moderator at a well-known Dutch gamer forum (I rule the Software/hardware section), so I'm used to those standards.

Now that I have explained, what does that zombie revival mean, in short? Where should I post my question then, before I get yelled at?

PostPosted: Sun Apr 29, 2007 3:35 am
by itsnotme
1312rene wrote:as much as I would like to join this community, I haven't read that particular thread you are talking about, and I couldn't find it either.

Besides, at most forums it is normal that people revive threads, because:
A: Usually the one that has posted the question before, could have found the answer while time passed, and can help you faster
B: You don't have to explain everything again

So I just figured to use the search, find this thread and post in it, because of the above. I'm a moderator at a well-known Dutch gamer forum (I rule the Software/hardware section), so I'm used to those standards.

Now that I have explained, what does that zombie revival mean, in short? Where should I post my question then, before I get yelled at?


(Here's another fucking clue: the thread's been dead since 2005! This is the year of 2007, the year of fucktards reviving long dead threads.)
Jesus H Fucking Christ, you can't find the welcome desk? Go to the main page (clicky provided in case you couldn't find the main page!) and then read the forum rules (clicky provided again since you claim to be a mod at another forum but haven't been hit by the cluebat about reading the rules.) and then why don't you give us a nice detailed description of where you erred.

If that wasn't abundantly clear, (did I do enough fucking spoonfeeding yet?) I'm sure you'll let me know.

PostPosted: Sun Apr 29, 2007 4:01 am
by 1312rene
First of all, I don't know why you are giving me some hard time. If you read my post, you see the circumstances in my situation are the EXACT same.

Furthermore,
itsnotme wrote:(Here's another fucking clue: the thread's been dead since 2005! This is the year of 2007, the year of fucktards reviving long dead threads.)

True, but don't forget there is someone here who experienced the same problem. Maybe he found out after a while, and didn't bother to post it here? I was always taught (at forums) to post in the old threads as much as possible...
itsnotme wrote:Jesus H Fucking Christ, you can't find the welcome desk? Go to the main page (clicky provided in case you couldn't find the main page!) and then read the forum rules (clicky provided again since you claim to be a mod at another forum but haven't been hit by the cluebat about reading the rules.)

Well, maybe I'm stupid, but I don't see anything about "Zombie revival" there or something similar concerning old/dead threads. I DID find your rules, and I DID read them.

You could be a lot more polite to me. Instead of calling me a pain in the ass, you could be a little more helpful and help me with this issue, or at least don't yell at me. Like I said, I try to do my best to fit in this community, but all this yelling isn't very useful in a community.
itsnotme wrote: and then why don't you give us a nice detailed description of where you erred.

I didn't find that necessary because our situations (mine and the topic starter's) are the exact same. If you need any extra info I forgot, just ask, but please, stay polite.
itsnotme wrote:If that wasn't abundantly clear, (did I do enough fucking spoonfeeding yet?) I'm sure you'll let me know.

Ding!

PostPosted: Sun Apr 29, 2007 4:31 am
by itsnotme
Ok, fucknut.

4. Spamming, Power posting, and Advertising
Only post if you have something valuable to add to the ongoing conversation. Refrain from posting only a short, meaningless sentence or only one emote/smiley. Also, avoid posting messages solely to get people to visit an external link (such as a personal website), especially if you are a new user to this forum. Spamming/power posting includes bumping up old topics without adding new and substantial content to them. It also includes posting the same text multiple times in a row. Power posting also covers the 'me too' posts. 'Me too' posts are when users simply reply to a message with 'me too' or 'yes' or something similarly inane. Also, instead of posting additions / corrections to a new post of yours separately, please use the edit button instead. Refrain from posting advertisement of any form (commercial or non-commercial) if it is not related to an ongoing discussion.

Edit: I also wanted to add one more thing, does this look like the aircrack forums? There's a reason why there are no new threads related to aircrack where users haven't been strongly encouraged to go over there and take their aircrack/WEP cracking/etc. problems over there.

PostPosted: Sun Apr 29, 2007 4:48 am
by 1312rene
Ok ok, you got me. Maybe I bump this old thread without adding new and substantial content, but I was just wondering if the TS had figured out the problem, that's all. If I would start a new thread, he wouldn't read it.

I will try to contact the topic starter then.

Sorry for the inconvenience.

PostPosted: Sun Apr 29, 2007 5:26 am
by wrzwaldo
1312rene wrote:First of all, I don't know why you are giving me some hard time. If you read my post, you see the circumstances in my situation are the EXACT same.

Go read the forum rules dipstick! Then you'll see why you are getting a "hard time".

Ding!

PostPosted: Sun Apr 29, 2007 5:48 am
by 1312rene
wrzwaldo wrote:Go read the forum rules dipstick! Then you'll see why you are getting a "hard time".

Ding!

So I should just start a new thread and copy-paste all the posts from this thread?

Yeah... very logical...

Besides, according to the rules you shouldn't be giving people a hard time using bad language...