Penetration Testing mailing list archives
Re: Wireless Scanning
From: Joshua Wright <jwright () hasborg com>
Date: Tue, 28 Sep 2004 16:01:50 -0400
Jason T wrote:
> Just a comment on using WEP cracking programs. I heard Keith Parsons, who is an expert wireless teacher, say that WEP cracking in the wild today doesn't exist in most cases.
I suspect Parsons said this based on empirical evidence, due to the difficulty he perceives in recovering WEP keys. Since most attacks against WEP are passive or offline attacks, it's difficult to know if it is used frequently in practice. More below.
> In early 2002 all vendors saw the weak IV as an attack. So they changed the firmware to no longer support those weak IVs. If you want to crack WEP it will most likely be on an AP that has a firmware version prior to 2002.
While it is true that tools like wep_attack and AirSnort rely on the now less-common IV values, more recent tools such as AirCrack and WEPlab are successful at recovering WEP keys even when common weak IVs are filtered. I've been successful at recovering WEP keys with as few as 75,000 IVs with AirCrack.
Moreover, there are other key-recovery attack methods as well, including dictionary attacks and attacks against the Neesus Datacom key generation algorithm. Not to mention many other attacks against WEP to inject frames or decrypt traffic without knowledge of the WEP key (ICV invalidation, IV collision/known-plaintext recovery, etc.).
WEP is badly broken. Even when deployed in a dynamic keying environment with short key durations, it is susceptible to many different attacks. I recommend steering away from WEP-based encryption wherever security is a concern.
-Josh
--
Joshua Wright
jwright () hasborg com
http://home.jwu.edu/jwright/
pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

Today I stumbled across the world's largest hotspot. The SSID is "linksys".
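To put numbers on the IV collision point Josh raises, here is an added example (not part of the original post, nor Joshua Wright's code) that computes, for WEP's 24-bit IV, how many frames a single station sends before an IV repeat becomes likely and how quickly a busy link cycles the whole IV space; the frame rates used are assumed values for illustration, not measurements from the thread.

```python
import math

IV_BITS = 24             # WEP prepends a 24-bit IV to every frame
IV_SPACE = 1 << IV_BITS  # 16,777,216 distinct IVs per key


def iv_collision_probability(frames: int, space: int = IV_SPACE) -> float:
    """Probability that at least two of `frames` frames share an IV,
    assuming IVs are drawn uniformly at random (the best case for WEP;
    sequential counters that restart at 0 on reset repeat even sooner)."""
    p_unique = 1.0
    for i in range(frames):
        p_unique *= 1.0 - i / space
    return 1.0 - p_unique


def frames_until_likely_reuse(target: float = 0.5, space: int = IV_SPACE) -> int:
    """Smallest frame count at which an IV repeat is at least `target`
    likely: the birthday bound, evaluated exactly rather than approximated."""
    p_unique = 1.0
    n = 0
    while 1.0 - p_unique < target:
        p_unique *= 1.0 - n / space
        n += 1
    return n


def seconds_to_exhaust_iv_space(frames_per_second: float, space: int = IV_SPACE) -> float:
    """Time for one transmitter to use every IV once, i.e. the longest
    rekey interval that avoids guaranteed IV reuse at that frame rate."""
    return space / frames_per_second


def iv_space_fraction(ivs_observed: int, space: int = IV_SPACE) -> float:
    """Share of the IV space represented by a captured IV count."""
    return ivs_observed / space


if __name__ == "__main__":
    n = frames_until_likely_reuse()
    print(f"50% chance of an IV repeat after only {n} frames")
    print(f"P(repeat) after 75,000 frames: {iv_collision_probability(75_000):.6f}")
    for fps in (100, 500, 2000):  # assumed frame rates, for illustration
        hours = seconds_to_exhaust_iv_space(fps) / 3600
        print(f"{fps:5d} frames/s exhausts the IV space in {hours:.1f} h")
    print(f"75,000 IVs is {iv_space_fraction(75_000):.2%} of the IV space")
```

The takeaway for anyone still running dynamic-keyed WEP is that a rekey interval measured in hours does not prevent IV reuse on a busy link; it only shortens the window.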