Questions re WEP encryption

You mean too lazy to google for you?

Right. So you goad one of the most knowledgeable regulars in the group. Sensible.

Reply to
Mark McIntyre

I hope you don't think *I* care if Jeff posts links to the exploits or not. I certainly can understand his reasoning.

-wolfgang

Reply to
Wolfgang S. Rupprecht

"Wolfgang S. Rupprecht" hath wroth:

Maybe. He seemed awfully interested in whether active WEP cracking could be detected.

Just for completeness, here's the procedure for doing it with passive sniffing.

formatting link
formatting link
Note: I don't publicize exploits unless the fix is also available. In the case of WEP, the fix is WPA which has been available for quite some time.

Fun reading on wireless hacks:

formatting link

Reply to
Jeff Liebermann

I wonder if associate/disassociate requests should be syslog-ed. It sounds like the stock AP software is being pretty silly about throwing away information, even when it has security implications.

Ditto.

-wolfgang

Reply to
Wolfgang S. Rupprecht

Disingenuous in the extreme. Three posts ago you were demanding that he post evidence.

Reply to
Mark McIntyre

Mark McIntyre hath wroth:

I think you have two different people mixed up. It was Axel Hammerschmidt that was demanding that I substantiate my allegations.

Reply to
Jeff Liebermann

Oh, come on! Flickenger's book is from 2003. This stuff's been around for 3 years.
Reply to
Axel Hammerschmidt

Is it? Really?

From page 1:

: This article will be a general overview of the procedures used by the
: FBI team. A future article will give step-by-step instructions on how
: to replicate the attack.

But, there's no future article that I can find.

That's after you have collected the packets.

Collecting the packets takes time.

And:

: If the default fudge factor (two) fails, I usually double it for each
: subsequent attack on the same data set. By terminating any attack that
: takes longer than five or ten minutes, I have had good luck finding a
: successful fudge factor fairly quickly.

That (aircrack execution time) takes lots of time. All in all, that's way beyond your 3 - 10 minutes.

Sigh!

We are within 100 yards of the person making the attack. This brings the attacker into the same category as a local burglar.

I've tried. As I understand it, APs work like ethernet hubs. Anyway, the traffic (replay) showed up in the Windows Network Control Panel.

Well, that's entirely up to you.

You publish (or perish).

Sharing knowledge?

Reply to
Axel Hammerschmidt

Care to cite the post and message-ID? I'm really curious how you came to this conclusion.

-wolfgang

Reply to
Wolfgang S. Rupprecht

And rightly so, too!

Reply to
Axel Hammerschmidt

snipped-for-privacy@hotmail.com (Axel Hammerschmidt) hath wroth:

My how time flies when we're having fun hacking.

Yes, it's old. In addition, there's a problem with the procedure. Manufacturers of access points have generally adopted what's called WEP+ which changes the algorithm used to create the IV so that it does NOT generate too many weak IV's. The passive sniffing procedure still works as printed, but only on old access points and old firmware. Strangely, I've seen a few of these around.

Active sniffing solves the lack of weak IV's problem by generating a much larger number of IV's suitable for selecting. The WEP+ algorithm still produces fewer weak IV's, but a sufficient quantity to proceed with cracking. The FBI demonstration shows the method.

I posted the links to passive scanning in case you wanted to actually try some of the procedures and generate your own performance numbers.

Reply to
Jeff Liebermann

snipped-for-privacy@hotmail.com (Axel Hammerschmidt) hath wroth:

Yes, really. Need witnesses?

Complain to Humphrey Cheung, the author of the articles. If you click on his name at the top of page 1, you are presented with a web page that will email your complaints directly to the author.

No, that's the rate at which packets are sent at 11Mbits/sec. However, it's 8 times larger than it should be thanks to my mixing bits and bytes. Instead of 5 seconds, 40 seconds should be sufficient.

Ok, work out the numbers yourself. The average packet size is 256 bytes (2 Kbits). The over the air data rate is 11 Mbits/sec with a UDP throughput of about 5 Mbits/sec. You claim that one needs to capture about 5-10 million packets of data to recover the WEP key. (I've found it is much less than that).
formatting link
You have all the data. How long does it take to capture the necessary data? Ask if you need help with the arithmetic.

It's really a question of how many "interesting" packets are generated by the access point and how many are captured. However, I'll agree that if optimizing the fudge factor is the order of the day, multiple 10 minute scans are required.

I haven't done much WEP cracking. The ones that I could crack usually take about 10 minutes with an active attack. I think the longest run I had to use was about 45 minutes. I thought something was broken with my laptop so I ran it again. The 2nd time, it only took about 15 minutes. I suspect I may have experienced some interference and missed capturing some packets.

California law defines assault as "feeling threatened". There is no distance limit. If you feel threatened by someone 100 yards away, file charges and see if you can find a district attorney that will prosecute.

All wrong. An access point is a bridge, not a hub. Officially, a hub is an ethernet "repeater", where everything one port receives is spewed out the other ports. A bridge is a two port device that inspects the destination MAC address of each packet. The bridge also maintains a table of what MAC addresses are located on each port. If the destination address of a packet is across the bridge, the packet is transmitted. If the destination address is on the local LAN, then the packet is NOT transmitted across the bridge, thus reducing wireless traffic.

There is no such thing as a "Windoze Network Control Panel". Where EXACTLY do you see disassociate and deauthorization packets, or for a different attack, the multiple ARP requests?

Exactly. I'm very free with information but I always like to know what the person asking is planning to do with it. You would not believe some of the emailed requests I receive and ignore. There are a substantial number of amateur terrorists out there.

I haven't played teacher for many years. I don't publish. I edit which pays much better.

Yeah, sure. You haven't shared anything. I'm the one that's supplying all the numbers. It's also apparent that you either haven't read or understood any of the articles mentioned. You certainly haven't actually tried running any of the tools mentioned or your questions would be quite different. I also suspect you're fishing for scripted tools. Get those from someone else please.

Reply to
Jeff Liebermann
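The bridge-versus-hub distinction Jeff describes, as an added model that is not code from the thread: a two-port learning bridge (wireless side, wired side) keeps a MAC-to-port table and only forwards a frame across when the destination was learned on the other port, while a hub repeats everything. The port names, MAC addresses and frame sequence are constructed for illustration.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """Repeater: every frame received on one port goes out all other ports."""

    def __init__(self, ports=("wireless", "wired")):
        self.ports = ports

    def receive(self, in_port, src, dst):
        return [p for p in self.ports if p != in_port]


class LearningBridge:
    """Two-port transparent bridge, the way an access point behaves (constructed model)."""

    def __init__(self, ports=("wireless", "wired")):
        self.ports = ports
        self.table = {}  # MAC address -> port it was last seen on

    def receive(self, in_port, src, dst):
        """Learn src on in_port; return the ports the frame is sent out on."""
        self.table[src] = in_port
        if dst == BROADCAST or dst not in self.table:
            # unknown or broadcast destination: flood to the other port(s)
            return [p for p in self.ports if p != in_port]
        if self.table[dst] == in_port:
            return []  # destination is on the same segment: filtered, not bridged
        return [self.table[dst]]


def run_scenario(device):
    """Constructed traffic: two wireless stations (A, C) and one wired host (B)."""
    a, b, c = "00:00:00:00:00:0a", "00:00:00:00:00:0b", "00:00:00:00:00:0c"
    frames = [
        ("wireless", a, b),  # A -> B, B not yet learned: flooded to wired
        ("wired", b, a),     # B -> A, A known on wireless: forwarded there
        ("wireless", c, a),  # C -> A, both wireless: bridge filters, hub repeats
        ("wireless", a, BROADCAST),  # broadcast always crosses
    ]
    return [device.receive(*f) for f in frames]
```

Run `run_scenario(LearningBridge())` against `run_scenario(Hub())` to see which of the four frames ever reach the wired side.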

If so, my apologies to the wrong person.

Reply to
Mark McIntyre

Just results that can be reproduced.

He is your reference, remember. You fix it.

Ahem!

People who live in glass houses...

Those numbers I quoted were from

formatting link
The time it takes depends on the actual traffic, as your above link states.

I do not see what your figures are supposed to show. That I cannot add, subtract, multiply or divide?

I did a replay on one of my access points, a CnetTech model CNAP-711 (802.11b) connected to a router's switch. A Thinkpad (W2K) with a (RTL8180 chipset) PCMCIA card connected to this access point. I've found that setup very stable.

And ran KisMAC (0.21a) on an Apple Powerbook (OS X 19.3.9) with an Edimax EW-7102PC (Prism2) card. Starting with a deauth, KisMAC was able to get a replay going after a few minutes.

I ran the replay for 1 hour and 22 minutes. In that period KisMAC collected 1,000,736 unique IVs (about a million) without guessing the Key, which is not surprising considering what Airsnort is supposed to be able to do. However the time it took to collect the one million unique IVs was one hour and 15 minutes.

The rate of generating/collecting uIVs varied: 9.1 minutes for 1e5 packets (10K per minute) and 8.7 minutes for 1.3e5 packets (15K per minute).

Also, I could see the packets being sent in the Windows Network Control Panel. The activity lights in the switch that the access point was connected to also blinked furiously the whole time. When I stopped, the Thinkpad connection to the access point died.

These figures (and the blinking lights, the packet counts showing up in the Windows control panel) are in agreement with earlier attempts that I made last winter.

I do not think we have any disagreement about how long it takes Airsnort to guess the key. Airsnort also uses a dictionary attack and a lot of access point encryption keys are generated by a passphrase.

(There's an interesting recent article about the weakness of passwords by Robert Lemos from SecurityFocus in PC Magazine, May 9, 2006. Vol 25 No 8).

However. I do not know if KisMAC uses a dictionary attack. I do not think so.

The key I used with the CNAP-711 was generated on Steve Gibson's home page.

The point is, that we are not dealing with some hacker a long way away in Russia or China. Using a replay attack is like loitering in the neighbourhood with a dirty big crowbar sticking out of your bag and a set of skeleton keys hanging from your belt.

Others have access to the same tools. There is no distance involved and it's easy to take a bearing on a radio signal.

That's beside the point. The packets in replay attack are probably not transmitted across any bridge.

In this case, the Powerbook and the Thinkpad are "on the same side" of the access point.

Anyway, a very rapid packet count appeared in the control panel on the Thinkpad. And the lights in the switch blink rapidly all the time.

Anyone else should be able to reproduce that.

See above. Right click on the icon in the tray and a panel opens showing the number of transmitted packets (in W2K) for the active network connection.

Terrorists? You are being paranoid. The effect of spreading this kind of information is probably the opposite. The more people know about how WEP-cracking works, the bigger the deterrent, because a would-be attacker will take into consideration that there is a good chance that he will be exposed.

It's not a very nice way to meet your neighbour for the first time.

Not much I can do with those numbers, until you explain what they are supposed to show.

Reply to
Axel Hammerschmidt
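The capture-time arithmetic Jeff invites earlier in the thread (256-byte packets, about 5 Mbits/sec UDP throughput, 5-10 million packets) set beside the IV rates Axel measured above, as an added worked example that is not from either poster. The functions and the comparison are constructed here; the input numbers are the ones quoted in the thread.

```python
PACKET_BYTES = 256              # Jeff's stated average packet size
UDP_THROUGHPUT_BPS = 5_000_000  # Jeff's stated 802.11b UDP throughput


def packets_per_second(throughput_bps=UDP_THROUGHPUT_BPS, packet_bytes=PACKET_BYTES):
    """Upper bound on frames per second if the link carried nothing but such packets."""
    return throughput_bps / (packet_bytes * 8)


def capture_minutes(packets, throughput_bps=UDP_THROUGHPUT_BPS, packet_bytes=PACKET_BYTES):
    """Minutes needed to see `packets` frames at the link-rate upper bound."""
    return packets / packets_per_second(throughput_bps, packet_bytes) / 60


def per_minute(count, minutes):
    """Observed collection rate, e.g. unique IVs per minute from a timed run."""
    return count / minutes


def observed_fraction(count, minutes):
    """Observed IV rate as a fraction of the link-rate upper bound (constructed metric)."""
    return per_minute(count, minutes) / 60 / packets_per_second()


if __name__ == "__main__":
    for n in (5_000_000, 10_000_000):
        print(f"{n:,} packets at link rate: {capture_minutes(n):.1f} min")
    # Axel's runs: 1e5 IVs in 9.1 min, 1.3e5 IVs in 8.7 min, 1,000,736 IVs in 75 min
    for count, minutes in ((100_000, 9.1), (130_000, 8.7), (1_000_736, 75)):
        print(f"{count:,} IVs in {minutes} min: {per_minute(count, minutes):,.0f}/min, "
              f"{observed_fraction(count, minutes):.0%} of link rate")
```

The comparison shows the two sides are not far apart: at link rate 5-10 million packets take roughly 34-68 minutes, and Axel's measured rate of about 13,000 unique IVs per minute is under a tenth of that bound, which is why his million IVs took 75 minutes.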

(Jeff said)

Hang on a sec - you're the one who says this is wrong, /you/ fix it.

Reply to
Mark McIntyre

Read the thread again. It states in Jeff's reference, that there is a further article. I point out, that there is no further article. In this case it's Jeff's problem, that his ref does not come with the claimed further article.

Reply to
Axel Hammerschmidt

I'm not going to argue the toss with you. Would you expect Jeff to fix the OED if a page he pointed you at contained a spelling mistake?

Reply to
Mark McIntyre

In that case, who do you think is making the (spelling) mistake?

Reply to
Axel Hammerschmidt

Which part of "I'm not going to argue the toss with you" was hard to understand? EOT

Reply to
Mark McIntyre

You didn't like my answer?

Reply to
Axel Hammerschmidt
