Penetration Testing mailing list archives
Re: Cracking WEP and WPA keys
From: Robin Wood <dninja () gmail com>
Date: Tue, 13 Dec 2005 17:18:05 +0000
Can you remember how many packets you captured for the 10 second crack? I was running with 1 million generated using aireplay of a captured packet.

Robin

On 12/13/05, Dave Bush <hockeystatman () gmail com> wrote:
> On 12/13/05, Robin Wood <dninja () gmail com> wrote:
> > All the examples I've seen seem to suggest that cracking should take minutes not hours and all keys should be crackable. What experiences do other testers have? Have I done something wrong? I abandoned the full attack after 5 hours as it was running with the default fudge factor of 2 so would probably not have managed to crack the key.
>
> I don't think you captured enough data. I just finished NS621 - Applied Wireless Network Security at Capitol College as one of the final classes in my Masters in Network Security (as of tomorrow evening my Masters is complete!), and lab 5 for 621 was cracking WEP. The long and the short of cracking WEP was making sure you captured enough data to get the key.
>
> When I did the WEP cracking lab I had my wife's laptop start copying 6 GB of video files from a Linux server in my house so that IV collisions would happen more frequently than if just Internet surfing was going on. FWIW, her notebook was running Windows XP SP2 and an 802.11G PCMCIA card, and the Linux server was running Samba to talk to my wife's notebook & connected to the home WLAN using a USB 802.11B dongle. I then had my notebook running airodump in Windows (worked fine in Linux too) and just let it do its thing for an hour or so. At that point I guessed that it'd probably captured enough so I ran aircrack against the file airodump created, and it cracked my home WEP key in about 10 seconds. No exaggeration - 10 seconds! It's important to note that I did not stop running airodump while running aircrack on the file. That way if I'd had to capture more IV collisions to be able to crack WEP, I could just try it again later. Running aircrack in Linux yielded similar results to running it in Windows as far as performance goes. (i.e. 10 seconds in Linux too)
>
> I've never gotten Air Snort to work in either Windows or Linux. I'm running the drivers from Wild Packets in Windows, and everything I've read says it should work on my Atheros based chipset wireless card but my results are obviously different. Running Air Snort in Linux will capture data, but after leaving it going overnight it never did crack WEP. This was while performing the same 6 GB copy from the Linux server to my wife's notebook, so I know enough IV collisions should have been captured. I also tried using aircrack against the tcpdump files that Kismet kicked out after letting Kismet run for hours, and that didn't work either.
>
> NOTE: You have to be careful how you set your card in Linux to get it to work right with airodump or most any other wireless tool. Here's the script I use to configure my Atheros card for stuff like this:
>
> #!/bin/bash
> #
> # -----------------------------------------------------
> # ! This script written by Dave Bush for use in       !
> # ! Capitol College's NS621-L01 Fall 2005 class       !
> # !                                                   !
> # ! This works well for me, and hopefully can be      !
> # ! used as a starting point for others exploring     !
> # ! wireless tools in Linux. I've used this for       !
> # ! setting up wireless for both Kismet and AirSnort. !
> # !                                                   !
> # ! Please direct any questions to me at              !
> # ! hockeystatman () gmail com                         !
> # -----------------------------------------------------
> #
> # Set card to 802.11b mode (madwifi: mode 2 = 11b)
> #
> iwpriv ath0 mode 2
> #
> # Set the speed for 802.11b
> #
> iwconfig ath0 rate 11M
> #
> # Set authentication mode (madwifi: authmode 1 = open system);
> # the interface name is required or iwpriv does nothing
> #
> iwpriv ath0 authmode 1
> #
> # Clear any WEP key that has been set
> #
> iwconfig ath0 key off
> #
> # Clear any SSID that has been set
> #
> iwconfig ath0 essid any
> #
> # Set card into monitor mode
> #
> iwconfig ath0 mode monitor
> #
> # -----------------------------------------------------
> # ! The wireless card should now be ready for use by  !
> # ! Kismet, AirSnort, and other Linux-based wireless  !
> # ! auditing tools.                                   !
> # -----------------------------------------------------
>
> Long story short - airodump and aircrack worked fine for me once my card was correctly configured, but nothing else I've done has worked.
>
> > I've also seen a video on the Remote Exploit site showing a WPA key cracked in 10 minutes using cowpatty and a dictionary attack. How realistic is this?
>
> Not sure, but I'm guessing it was WPA with a pre-shared key. Can you send a link to the video?
>
> Regards,
> - Dave
>
> --
> Dave Bush <hockeystatman () gmail com>
> There are two seasons in my world - Hockey and Construction
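As an added illustration that is not part of the thread: Dave's bulk file copy and Robin's 1 million replayed packets both come down to the birthday bound on WEP's 24-bit IV space. The Python below computes how likely IV reuse is after n packets and how many reused pairs to expect; the random-IV model is an assumption (many drivers used sequential counters, which reuse IVs even sooner after a reset).

```python
import math

IV_SPACE = 2 ** 24  # WEP prepends a 24-bit IV to every packet


def collision_probability(n_packets, space=IV_SPACE):
    """Probability that at least two of n packets share an IV.

    Birthday approximation 1 - exp(-n(n-1)/(2N)), assuming IVs are
    chosen uniformly at random (an assumption; sequential IVs are worse).
    """
    if n_packets < 2:
        return 0.0
    return 1.0 - math.exp(-n_packets * (n_packets - 1) / (2.0 * space))


def expected_colliding_pairs(n_packets, space=IV_SPACE):
    """Expected number of packet pairs sharing an IV.

    Exact by linearity of expectation: C(n, 2) pairs, each colliding
    with probability 1/N.
    """
    return n_packets * (n_packets - 1) / (2.0 * space)


def packets_for_probability(p, space=IV_SPACE):
    """Smallest n with collision_probability(n) >= p (inverted bound)."""
    if not 0.0 < p < 1.0:
        raise ValueError("p must be strictly between 0 and 1")
    target = -2.0 * space * math.log(1.0 - p)  # n(n-1) must reach this
    n = int((1 + math.sqrt(1 + 4 * target)) / 2)  # root of n^2 - n - target
    while n * (n - 1) < target:  # step up to the first n that satisfies it
        n += 1
    return n


if __name__ == "__main__":
    for n in (1_000, 5_000, 100_000, 1_000_000):
        print(f"{n:>9} packets: P(IV reuse) = {collision_probability(n):.4f}, "
              f"expected reused pairs = {expected_colliding_pairs(n):,.1f}")
    print("packets for a 50% chance of IV reuse:", packets_for_probability(0.5))
```

A few thousand packets already give even odds of one reused IV, and a million packets yield roughly thirty thousand reused pairs, which is why a busy file transfer shortens the capture so dramatically.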
Current thread:
- Cracking WEP and WPA keys Robin Wood (Dec 13)
- Re: Cracking WEP and WPA keys Dave Bush (Dec 13)
- Re: Cracking WEP and WPA keys Seth Fogie (Dec 13)
- Re: Cracking WEP and WPA keys Erin Carroll (Dec 13)
- Re: Cracking WEP and WPA keys Robin Wood (Dec 14)
- Re: Cracking WEP and WPA keys Robin Wood (Dec 14)
- Re: Cracking WEP and WPA keys Dave Bush (Dec 13)
- Re: Cracking WEP and WPA keys Seth Fogie (Dec 13)
- Re: Cracking WEP and WPA keys Joachim Schipper (Dec 13)
- Re: Cracking WEP and WPA keys Robin Wood (Dec 13)
- Re: Cracking WEP and WPA keys Michael Sierchio (Dec 13)
- Re: Cracking WEP and WPA keys marko ruotsalainen (Dec 14)
- <Possible follow-ups>
- RE: Cracking WEP and WPA keys Shenk, Jerry A (Dec 13)
- Re: Cracking WEP and WPA keys Alvin Oga (Dec 13)
- Re: Cracking WEP and WPA keys Seth Fogie (Dec 13)
- RE: Cracking WEP and WPA keys cerealkilla (Dec 15)
- RE: Cracking WEP and WPA keys Sahir Hidayatullah (Dec 16)
(Thread continues...)
- Re: Cracking WEP and WPA keys Dave Bush (Dec 13)