Re: Cracking WEP and WPA keys

From: Robert Baldi (robert.baldi@gmail.com)
Date: Tue Dec 13 2005 - 12:18:01 EST


My students can crack almost any WEP key in 10-30 minutes using the
Void 11 attack (found on the Auditor CD). Just use a wireless packet
injector like Aireplay (also found on the Auditor CD) and check out:

http://www.tomsnetworking.com/Sections-article118.php

Robert Baldi
Information Security Specialist
DoD, USAFR, Information Security Instructor
robert.baldi@gmail.com

How many organizations have M&M networks?
Hard on the outside, soft on the inside.....

On 12/13/05, Robin Wood <dninja@gmail.com> wrote:
> All the examples I've seen seem to suggest that cracking should take minutes
> not hours and all keys should be crackable. What experiences do other
> testers have? Have I done something wrong? I abandoned the full attack after
> 5 hours as it was running with the default fudge factor of 2 so would
> probably not have managed to crack the key.

I don't think you captured enough data.

I just finished NS621 - Applied Wireless Network Security at Capitol
College as one of the final classes in my Masters in Network Security
(as of tomorrow evening my Masters is complete!), and lab 5 for 621
was cracking WEP. The long and the short of cracking WEP was making
sure you captured enough data to get the key.

When I did the WEP cracking lab I had my wife's laptop start copying 6
GB of video files from a Linux server in my house so that IV
collisions would happen more frequently than if just Internet surfing
was going on. FWIW Her notebook was running Windows XP SP2 and an
802.11G PCMCIA card, and the Linux server was running Samba to talk to
my wife's notebook & connected to the home WLAN using a USB 802.11B
dongle. I then had my notebook running airodump in Windows (worked
fine in Linux too) and just let it do its thing for an hour or so. At
that point I guessed that it'd probably captured enough so I ran
aircrack against the file airodump created, and it cracked my home WEP
key in about 10 seconds. No exaggeration - 10 seconds!

It's important to note that I did not stop running airodump while
running aircrack on the file. That way if I'd had to capture more IV
collisions to be able to crack WEP, I could just try it again later.

Running aircrack in Linux yielded similar results to running it in
Windows as far as performance goes. (ie: 10 seconds in Linux too)

I've never gotten Air Snort to work in either Windows or Linux. I'm
running the drivers from Wild Packets in Windows, and everything I've
read says it should work on my Atheros based chipset wirelss card but
my results are obviously different. Running Air Snort in Linux will
capture data, but after leaving it going overnight it never did crack
WEP. This was while performing the same 6 GB copy from the Linux
server to my wife's notebook, so I know enough IV collisions should
have been captured.

I also tried using aircrack against the tcpdump files that Kismet
kicked out after letting Kismet run for hours, and that didn't work
either.

NOTE: You have to be careful how you set your card in Linux to get it
to work right with airodump or most any other wireless tool. Here's
the script I use to configure my Atheros card for stuff like this:

#!/bin/bash
#
# -----------------------------------------------------
# ! This script written by Dave Bush for use in !
# ! Capitol College's NS621-L01 Fall 2005 class !
# ! !
# ! This works well for me, and hopefully can be !
# ! used as a starting point for others exploring !
# ! wireless tools in Linux. I've used this for !
# ! setting up wireless for both Kismet and AirSnort. !
# ! !
# ! Please direct any questions to me at !
# ! hockeystatman@gmail.com !
# -----------------------------------------------------
#
# Set card to 802.11b mode
#
iwpriv ath0 mode 2
#
# Set the speed for 802.11b
#
iwconfig ath0 rate 11M
#
# Set card to adhoc mode
#
iwpriv authmode 1
#
# Clear any WEP key that has been set
#
iwconfig ath0 key off
#
# Clear any SSID that has been set
#
iwconfig ath0 essid any
#
# Set card into monitor mode
#
iwconfig ath0 mode monitor
#
# -----------------------------------------------------
# ! The wireless card should now be ready for use by !
# ! Kismet, AirSnort, and other Linux-based wireless !
# ! auditing tools. !
# -----------------------------------------------------

Long story short - airodump and aircrack worked fine for me once my
card was correctly configured, but nothing else I've done has worked.

> I've also seen a video on the Remote Exploit site showing a WPA key cracked
> in 10 minutes using cowpatty and a dictionary attack. How realistic is this?

Not sure, but I'm guessing it was WPA with a pre-shared key. Can you
send a link to the video?

Regards,
- Dave

--
Dave Bush <hockeystatman@gmail.com>
There are two seasons in my world - Hockey and Construction
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner: 
Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are 
futile against web application hacking. Check your website for vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers do! 
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:16 EDT