RE: Cracking WEP and WPA keys

["Sahir Hidayatullah" <sahirh () mielesecurity com>]

Sounds like you're not going about it right... If you try the attack with
aireplay or similar, you'll discover that you can hit 75,000 - 100,000 weak
IV's in about 4-6 minutes, which is about the total time you will take to
crack a 64 bit WEP key. Add another 5-6 minutes for a 128 bit key. I can't
understand why the original poster had a problem after collecting 1 million
weak IV's. I find that sometimes if I specify a keylength (-n 64 or 128),
things work better.

You certainly don't need to be the NSA, nor well financed to do this, an IBM
R51 + Netgear WG511 works just fine for me ;)

Wrt WPA, brute force/dictionary attacks are always be feasible against *any*
form of crypto, once again YMMV depending on how clueless the person who
chose the key is!

In short, your Mom checking email at home on WEP sounds like an ideal target
-- an unmonitored network with weak encryption and probably decent Internet
access.

Interestingly enough, aircrack 2.4 is out on the front page of packetstorm,
you could give it a spin and see if it makes a difference:
http://www.packetstormsecurity.org/wireless/aircrack-2.4.tgz

Regards,

Sahir Hidayatullah
Technical Consultant - Information Security
--------------------------------------
MIEL e-Security Pvt. Ltd.
C- 611 / 612, Floral Deck Plaza,
MIDC Central Road, Andheri (E),
Mumbai 400 093, India.
Tel No:+ 91 (022) 2821 5050
PGP KeyID: 0x4F5EC345
Fingerprint: F4C2 7274 792E 8E39 D90D  BA02 C070 B4BF 4F5E C345


-----Original Message-----
From: Shenk, Jerry A [mailto:jshenk () decommunications com] 
Sent: Tuesday, December 13, 2005 9:28 PM
To: Robin Wood; pen-test () securityfocus com
Subject: RE: Cracking WEP and WPA keys

Cracking WEP depends on a ton of stuff.  If you're cracking it looking for
weak IVs, you'll need an AP that has weak IVs.  Most of the new ones avoid
them to one degree or another.  What AP are you using?  I used a Linksys in
my initial testing (a couple years ago) and cracked the key in 4 hours.  I
also tried to crack a Cisco 350 (replaced by the 1200
series) and never was able to crack the key using that method, even after
running for days.

Another thing, that "crack in seconds" is based on already having hours or
days worth of traffic to use.

There are some new tools that generate traffic rather than having to wait
for it and some of the new cracking methods are better or worse, depending
on your perspective.  I think some of these "WEP is worthless"
stories are overly sensational.  Yes, WEP is broken, ok, possibly even
horribly broken but it stops a 'casual connector', it even stops quite a few
determined hackers (it stopped you;).  If you're the NSA...ok, WEP is
worthless....the people attacking you are determined, well financed
professionals.  If you're my mom, checking her e-mail from home with a
wireless laptop, I think WEP is perfectly fine.  Installing everything
needed for a good PEAP implementation for my mom is absolutely insane.
Most people are gonna be someplace in the middle where a little bit of risk
evaluation is in order.

-----Original Message-----
From: Robin Wood [mailto:dninja () gmail com]
Sent: Tuesday, December 13, 2005 5:09 AM
To: pen-test () securityfocus com
Subject: Cracking WEP and WPA keys

Hi
I've just been on a wireless security course where there was a lot of talk
about WEP keys being poor security and easily crackable. I got home and
decided to put it to practice and use aircrack against my own WEP key.

Using airodump and aireplay I collected 1 million IVs and set aircrack off
attacking it. After around 4 hours I got bored of waiting and on another
machine tried playing with aircracks debug option where you can pass
sections of the key you already know. I found if I passed the whole key
except the last digit it could be cracked with a fudge factor of 2, if I
removed the last 2 digits then I had to up the fudge factor to 5 and up it
to 8 if I removed the last 3 digits. With anything less than the fudge
factor mentioned I was told that it couldn't crack the key.

All the examples I've seen seem to suggest that cracking should take minutes
not hours and all keys should be crackable. What experiences do other
testers have? Have I done something wrong? I abandoned the full attack after
5 hours as it was running with the default fudge factor of 2 so would
probably not have managed to crack the key.

I've also seen a video on the Remote Exploit site showing a WPA key cracked
in 10 minutes using cowpatty and a dictionary attack. How realistic is this?

Robin

------------------------------------------------------------------------
------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for
vulnerabilities to SQL injection, Cross site scripting and other web attacks
before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
------------------------------------------------------------------------
-------





**DISCLAIMER
This e-mail message and any files transmitted with it are intended for the
use of the individual or entity to which they are addressed and may contain
information that is privileged, proprietary and confidential. If you are not
the intended recipient, you may not use, copy or disclose to anyone the
message or any information contained in the message. If you have received
this communication in error, please notify the sender and delete this e-mail
message. The contents do not represent the opinion of D&E except to the
extent that it relates to their official business.


----------------------------------------------------------------------------
--
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for
vulnerabilities to SQL injection, Cross site scripting and other web attacks
before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
----------------------------------------------------------------------------
---



------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 

Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:

http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------