[Fwd: Further results of a few tools cracking 128 WEP on Cisco]
Net Llama!
netllama
Thu Dec 23 19:39:23 PST 2004
The only thing that makes this newsworthy is the fact that WEP128 can be
cracked so quickly. It's been known to be crackable for years.
wifi is going to be the new frontier of those with malicious intent. No
more brute force attacks on servers. Just sniff the packets from the
air and get 0wn3d.
I don't do anything on wifi that I either don't care gets sniffed or is
encrypted with SSL or the like.
On 12/23/2004 02:58 PM, Matthew Carpenter wrote:
> Cross-forwarded from AirSnort and Kismet Wireless lists.
>
> Gist: 128bit WEP cracked with less than 4 hours of capture and under 10
> seconds of processing....
> For more information look at http://securityfocus.com -> pen test
>
> -------- Original Message --------
> Subject: Further results of a few tools cracking 128 WEP on Cisco
> Date: Wed, 22 Dec 2004 23:31:26 -0500
> From: Matthew Carpenter <matt at eisgr.com>
> To: Airsnort-user at lists.sourceforge.net, wireless at kismetwireless.net,
> matt.carpenter at alticor.com
>
> As a follow-up to my earlier post....
>
> AirSnort so far has dominated this test. Aircrack came in a relatively
> close second. WepLab, while doing well, is taking its time.
>
> Testing Environment:
>
> AccessPoint: Cisco AP1200b/g
> Dummy Machine: Dell Inspiron 1150/Orinoco Gold/SuSE 9.1 Pro
> Capture Machine: Dell Latitude C640/Dell TrueMobile 1150(Orinoco)
> SuSE 9.1pro (Orinoco Drivers as in 2.6.5)
> Capture Software: kismet-feb.04.01-43 (packaged with SuSE)
>
>
> * The Orinoco drivers have Monitor mode included in the 2.6.5 version of
> the kernel I'm using. While I believe this to be the case all-around,
> this could be a SuSE-ism.
>
> The Dummy system was configured and talking to the AP normally. As root
> on the Dummy, "ping -f <defgw> -s 1" was executed for the duration of
> packet capture, generating a steady stream of small packets... a sort of
> worst-case-scenario.
>
> The Capture machine ran Kismet to capture the traffic and keep track of
> statistics (yes, TCPDUMP would have been sufficient, but Kismet has
> valuable stats and lots more Bling :)
> Since I'm not covering Kismet configuration, you could use:
> ~ # iwconfig <NIC> monitor 1 <CHANNEL>
> ~ # tcpdump -i <NIC> -s0 -w <DUMPFILE>
> The resulting Kismet-Dec*.dump file was shared out over Samba to make it
> available to my counterpart testing the Windows toolz.
>
> At approx 5pm my counterpart called my cell phone to tell me he had
> cracked WEP (thus the earlier email).
> Afterward, I spent some time with a few other toolz. Each had 1057043
> packets in the dump, 643871 unique IV's (198 interesting):
>
> AirSnort:
> Originally I used AirSnort to simply determine how many unique IV's had
> been collected (using the Import PCAP File option) while I played around
> with weplab and aircrack (as described on SecurityFocus' front-page
> article). When the collection was done, however, I ran it through
> AirSnort just for kicks (it being an old favorite for me). Lo and
> behold, AirSnort found the Key (non-trivial key) in a matter of seconds.
> I ran it again and timed it. 9 seconds. I ran it a few more times,
> all getting sub-10 second results. Furthermore, this was not specifying
> an AP to focus on.... More on that with the other tools.
>
> WepLab:
> I spent most of my day (when I *wasn't* teaching another fellow secprof
> Perl) learning to use WepLab. SecurityFocus rated WepLab as one of the
> top two tools (AirSnort didn't do so hot on their tests, maybe I got
> lucky?). I found it to be Parameter-Hell, and confusing to boot. Then
> I read the README file. WepLab, dubbed a "teaching tool", has so many
> parameters because it allows all sorts of tweaking. It has two crack
> modes: Brute and Statistical (Heuristical). The confusing part was that
> the Heuristic mode was labeled FMS mode (the older cracking method) with
> no mention of Korek, the first implementor of the new crack method
> (except buried in the README). It turns out that the
> Statistical/Heuristic method covers both old and new, just as the Brute
> method covers Dictionary as well.
> WepLab allows you (or forces, depending on your perspective) to specify
> a BSSID (AP) to attack from the dump (my dump had 7 AP's in it).
> WepLab *does* include a nice analysis parameter (-a) allowing for a
> little more information to be learned up front (like Prism headers or
> not, BSSID's, etc....):
>
> ~ # weplab -a mydump.dump
>
> spits out something like this:
>
> Statistics for packets that belong to
> [00:0B:BE:51:27:98]
> - Total valid packets read: 1031012
> - Total packets read: 1031012
> - Total unique IV read: 1031012
> - Total truncated packets read: 0
> - Total non-data packets read: 0
> - Total FF checksum packets read: 0
> PRISMHEADER SHOULD --NOT-- BE USED as there are 1030210 packets smaller
> than this header
>
> (but of course the second and third numbers are wrong)
>
> The command line I'm using is as follows:
>
> weplab -r./Kismet-Dec-22-2004-1.dump --debug 1 --key 128 --bssid \
> 00:0B:BE:51:27:98 --perc 95 Kismet-Dec-22-2004-1.dump
>
> WepLab is still cranking away. Since it gives statistics if you ask, I
> can see that it has cracked half of the key.
>
>
> AirCrack:
> AirCrack (also available for Windows) also cracked WEP quickly,
> averaging 14-15 seconds. You do have to tell it what AP to attack from
> the dump. You also have to tell it what key size to use. Here are the
> results from AirCrack:
>
> | time aircrack -f 4 -m 00:0B:BE:51:27:98 -n 128 Kismet-Dec-22-2004-1.dump
>
> aircrack 2.1
>
> * Got 643866 unique IVs | fudge factor = 4
> * Elapsed time [00:00:07] | tried 1 keys at 8 k/m
>
> KB depth votes
> 0 0/ 1 BA( 267) 97( 21) 56( 12) FC( 12) 7C( 11) 2D( 3)
> <SNIP A BUNCH OF THE SAME>
> FE( 17) 67( 16) AD( 15) DD( 15) D6( 11) 01( 10) 75( 10) 78( 10)
> 95( 10) 49( 9)
>
> ~ KEY FOUND! [ DONTYOUWISHDONTYOUWISHDONT ]
>
>
> real 0m14.117s
> user 0m0.796s
> sys 0m8.239s
>
>
> Have a nice day, folks!
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
L. Friedman netllama at linux-sxs.org
Linux Step-by-step & TyGeMo: http://netllama.ipfox.com
16:40:00 up 116 days, 7:24, 15 users, load average: 1.13, 1.16, 1.11
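As an added example (not code from the thread or from AirSnort, WepLab or aircrack), here is a small Python audit script for the statistic every tool above reports first: the unique-IV count per BSSID. It parses raw 802.11 data frames as tcpdump -s0 stores them (no Prism header in front, which is an assumption), pulls the 3-byte WEP IV, and also counts IV reuses and how much of the 24-bit IV space an AP has already burned, so an administrator can see how quickly a WEP network starts repeating keystream. The client MAC and the sample frames are constructed; the BSSID is the one quoted in the thread.

```python
from collections import defaultdict

IV_SPACE = 1 << 24  # WEP IVs are only 24 bits, so reuse is unavoidable over time
def extract_iv(frame: bytes):
    """Return (bssid, iv) for a WEP-protected 802.11 data frame, else None.
    Expects raw 802.11 frames (no Prism/radiotap header in front)."""
    if len(frame) < 28:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 & 0x0C) != 0x08 or not (fc1 & 0x40):   # not data / not protected
        return None
    to_ds, from_ds = fc1 & 0x01, fc1 & 0x02
    if to_ds and not from_ds:
        bssid = frame[4:10]               # addr1
    elif from_ds and not to_ds:
        bssid = frame[10:16]              # addr2
    elif not to_ds and not from_ds:
        bssid = frame[16:22]              # addr3
    else:
        return None                       # 4-address WDS frame: skip
    off = 26 if fc0 & 0x80 else 24        # QoS data adds 2 header bytes
    return bssid, frame[off:off + 3]      # 3-byte IV precedes the key-index byte

def iv_stats(frames):
    """Per BSSID: protected frames, unique IVs, IV reuses, share of IV space used."""
    seen, stats = defaultdict(set), {}
    for f in frames:
        r = extract_iv(f)
        if r is None:
            continue
        bssid, iv = r
        s = stats.setdefault(bssid.hex(":"), {"frames": 0, "unique": 0, "reused": 0})
        s["frames"] += 1
        if iv in seen[bssid]:
            s["reused"] += 1              # same IV + same key = same RC4 keystream
        else:
            seen[bssid].add(iv)
            s["unique"] += 1
        s["space_used"] = s["unique"] / IV_SPACE
    return stats

# Constructed sample frames (not from the thread's capture): the BSSID is the AP
# MAC quoted in the thread, the client MAC is made up.
BSSID, STA = bytes.fromhex("000bbe512798"), bytes.fromhex("0002aa11bb22")
def wep_frame(iv: bytes, to_ds: bool = True, protected: bool = True) -> bytes:
    fc1 = (0x01 if to_ds else 0x02) | (0x40 if protected else 0)
    addrs = BSSID + STA + STA if to_ds else STA + BSSID + STA
    return bytes([0x08, fc1, 0, 0]) + addrs + b"\x00\x00" + iv + b"\x00" + b"\xaa" * 8

SAMPLE = [wep_frame(b"\x00\x00\x01"), wep_frame(b"\x00\x00\x02", to_ds=False),
          wep_frame(b"\x00\x00\x01"), wep_frame(b"\x00\x00\x03", protected=False)]
```

On the thread's own numbers, 643871 unique IVs is under 4% of the IV space, which shows how little of it a few hours of small-packet traffic needs to cover.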