[Fwd: Further results of a few tools cracking 128 WEP on Cisco]

Matthew Carpenter matt
Thu Dec 23 19:03:54 PST 2004



Cross-forwarded from AirSnort and Kismet Wireless lists.

Gist: 128-bit WEP cracked with less than 4 hours of capture and under 10
seconds of processing....
For more information look at http://securityfocus.com  -> pen test

-------- Original Message --------
Subject: Further results of a few tools cracking 128 WEP on Cisco
Date: Wed, 22 Dec 2004 23:31:26 -0500
From: Matthew Carpenter <matt at eisgr.com>
To: Airsnort-user at lists.sourceforge.net,  wireless at kismetwireless.net,
matt.carpenter at alticor.com

As a follow-up to my earlier post....

AirSnort so far has dominated this test.  Aircrack came in a relatively
close second.  WepLab, while doing well, is taking its time.

Testing Environment:

AccessPoint:		Cisco AP1200b/g
Dummy Machine:		Dell Inspiron 1150/Orinoco Gold/SuSE 9.1 Pro
Capture Machine:	Dell Latitude C640/Dell TrueMobile 1150(Orinoco)
			SuSE 9.1pro (Orinoco Drivers as in 2.6.5)
Capture Software:	kismet-feb.04.01-43 (packaged with SuSE)


* The Orinoco drivers have Monitor mode included in the 2.6.5 version of
the kernel I'm using.  While I believe this to be the case all-around,
this could be a SuSE-ism.

The Dummy system was configured and talking to the AP normally.  As root
on the Dummy, "ping -f <defgw> -s 1"  was executed for the duration of
packet capture, generating a steady stream of small packets... a sort of
worst-case-scenario.

The Capture machine ran Kismet to capture the traffic and keep track of
statistics (yes, TCPDUMP would have been sufficient, but Kismet has
valuable stats and lots more Bling :)
Since I'm not covering Kismet configuration, you could use:
  # iwconfig <NIC> monitor 1 <CHANNEL>
  # tcpdump -i <NIC> -s0 -w <DUMPFILE>
The resulting Kismet-Dec*.dump file was shared out over Samba to make it
available to my counterpart testing the Windows toolz.

At approx 5pm my counterpart called my cell phone to tell me he had
cracked WEP (thus the earlier email).
Afterward, I spent some time with a few other toolz.  Each had 1057043
packets in the dump, 643871 unique IV's (198 interesting):

AirSnort:
Originally I used AirSnort to simply determine how many unique IV's had
been collected (using the Import PCAP File option) while I played around
with weplab and aircrack (as described on SecurityFocus' front-page
article).  When the collection was done, however, I ran it through
AirSnort just for kicks (it being an old favorite for me).  Lo and
behold, AirSnort found the Key (non-trivial key) in a matter of seconds.
I ran it again and timed it.  9 seconds.  I ran it a few more times,
all getting sub-10 second results.  Furthermore, this was not specifying
an AP to focus on....  More on that with the other tools.

WepLab:
I spent most of my day (when I *wasn't* teaching another fellow secprof
Perl) learning to use WepLab.  SecurityFocus rated WepLab as one of the
top two tools (AirSnort didn't do so hot on their tests, maybe I got
lucky?).  I found it to be Parameter-Hell, and confusing to boot.  Then
I read the README file.  WepLab, dubbed a "teaching tool", has so many
parameters because it allows all sorts of tweaking.  It has two crack
modes: Brute and Statistical (Heuristical).  The confusing part was that
the Heuristic mode was labeled FMS mode (the older cracking method) with
no mention of Korek, the first implementor of the new crack method
(except buried in the README).  It turns out that the
Statistical/Heuristic method covers both old and new, just as the Brute
method covers Dictionary as well.
WepLab allows you (or forces, depending on your perspective) to specify
a BSSID (AP) to attack from the dump (my dump had 7 AP's in it).
WepLab *does* include a nice analysis parameter (-a) allowing for a
little more information to be learned up front (like Prism headers or
not, BSSID's, etc....):

  # weplab -a mydump.dump

spits out something like this:

Statistics for packets that belong to
[00:0B:BE:51:27:98]
  - Total valid packets read: 1031012
  - Total packets read: 1031012
  - Total unique IV read: 1031012
  - Total truncated packets read: 0
  - Total non-data packets read: 0
  - Total FF checksum packets read: 0
PRISMHEADER SHOULD --NOT-- BE USED as there are 1030210 packets smaller
than this header

(but of course the second and third numbers are wrong)

The command line I'm using is as follows:

weplab -r./Kismet-Dec-22-2004-1.dump --debug 1 --key 128 --bssid \
00:0B:BE:51:27:98 --perc 95 Kismet-Dec-22-2004-1.dump

WepLab is still cranking away.  Since it gives statistics if you ask, I
can see that it has cracked half of the key.


AirCrack:
AirCrack (also available for Windows) also cracked WEP quickly,
averaging 14-15 seconds.  You do have to tell it what AP to attack from
the dump.  You also have to tell it what key size to use.  Here are the
results from AirCrack:

| time aircrack -f 4 -m 00:0B:BE:51:27:98 -n 128 Kismet-Dec-22-2004-1.dump

   aircrack 2.1

   * Got  643866  unique IVs | fudge factor = 4
   * Elapsed time [00:00:07] | tried 1 keys at 8 k/m

   KB    depth   votes
    0    0/  1   BA( 267) 97(  21) 56(  12) FC(  12) 7C(  11) 2D(   3)
<SNIP A BUNCH OF THE SAME>
FE(  17) 67(  16) AD(  15) DD(  15) D6(  11) 01(  10) 75(  10) 78(  10)
95(  10) 49(   9)

                 KEY FOUND! [ DONTYOUWISHDONTYOUWISHDONT ]


real    0m14.117s
user    0m0.796s
sys     0m8.239s


Have a nice day, folks!



--
Matthew Carpenter
matt at eisgr.com                          http://www.eisgr.com/

Enterprise Information Systems
* Network Server Appliances
* Security Consulting, Incident Handling & Forensics
* Network Consulting, Integration & Support
* Web Integration and E-Business

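An added worked example (not part of the post, and not code from any of the tools it names) that puts the capture numbers above into the 24-bit IV arithmetic behind WEP's weakness: how many distinct IVs random IV choice would have produced for that many packets, the birthday bound on IV repeats, and how quickly a sequential IV counter wraps at the observed packet rate. It assumes the capture took the full 4 hours given as an upper bound in the forwarding note.

```python
import math

# WEP prepends a 24-bit initialisation vector (IV) to the RC4 key of every packet.
IV_SPACE = 2 ** 24

# Capture numbers quoted in the post: 1,057,043 packets, 643,871 unique IVs,
# collected in under 4 hours (4 h is used here only as an upper bound).
PACKETS = 1_057_043
UNIQUE_IVS = 643_871
CAPTURE_SECONDS_MAX = 4 * 3600


def expected_unique_ivs(packets: int, space: int = IV_SPACE) -> float:
    """Expected distinct IVs if each packet drew its IV uniformly at random
    (occupancy model space * (1 - (1 - 1/space)**packets), closed form)."""
    return space * (1.0 - math.exp(-packets / space))


def collision_probability(packets: int, space: int = IV_SPACE) -> float:
    """Birthday bound: probability that at least one IV (and so one RC4
    keystream under the same key) is used twice."""
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * space))


def packets_for_collision(p: float, space: int = IV_SPACE) -> int:
    """Smallest packet count at which the repeat probability reaches p."""
    return math.ceil(math.sqrt(-2.0 * space * math.log1p(-p)))


def iv_cycle_seconds(packets: int, seconds: float, space: int = IV_SPACE) -> float:
    """Time for a sequential IV counter to walk the whole space at the
    observed packet rate; after that every keystream has been reused."""
    return space / (packets / seconds)


def reuse_assessment(packets: int, unique_ivs: int) -> dict:
    """Compare observed unique IVs with the random-IV expectation. Fewer
    unique IVs than expected means the sender's IV choice repeats more than
    chance would, so more keystream is reused than with random IVs."""
    expected = expected_unique_ivs(packets)
    return {
        "expected_unique": round(expected),
        "observed_unique": unique_ivs,
        "observed_to_expected": unique_ivs / expected,
        "packets_with_repeated_iv": packets - unique_ivs,
    }


if __name__ == "__main__":
    print(reuse_assessment(PACKETS, UNIQUE_IVS))
    print(f"P(any IV repeat): {collision_probability(PACKETS):.6f}")
    print(f"packets for a 50% repeat chance: {packets_for_collision(0.5)}")
    print(f"hours to cycle the IV space: {iv_cycle_seconds(PACKETS, CAPTURE_SECONDS_MAX) / 3600:.1f}")
```

For this capture the observed unique-IV count is roughly 63% of what random IVs would give, and a sequential counter at this rate would wrap in under three days.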