  1. Security Tinkerer
    Join Date
    Sep 2004
    Location
    I'm convinced, we all live in the Matrix.
    Posts
    1,228

    Certifications
    CISSP, CCSP, CNSS-4013+4011, MCT, MCSA2K3, CWNA, MCSE2K3:Sec, LPT, ECSA, CEH, CHFI, CCNA, CS-CFW, CCIE-Sec/Written, etc.
    #1

    Cracking WEP using XP

    Hi guys, I got a private message asking about cracking WEP on XP. I thought it might be beneficial to others if I posted my response here. Hope this helps someone.

    Do you mean WEP keys? One thing to know about most implementations of WEP is that it is symmetric, so the same key used to encrypt is essentially used to decrypt. This in itself is a serious flaw. But to answer your question: I usually use a combination of ethereal (sniffing), Netstumbler and Kismet (war driving, or site checking wireless vulnerability), airsnort and wepcrack (for the actual cracking of the keys). I usually run these types of exercises on linux, just because I often need to tweak source code to give me the results I desire. Every client is potentially different, so always be prepared to change your arsenal up. These are measures I take when I'm dealing with a client that's got a security minded IT department. It's sad to say, but with most clients I never even get to the good stuff like this, because most wireless LANs out there are doing silly things like broadcasting SSID in clear text, etc etc etc. I commute via public commuter train to my office every day, and if I told you how many unprotected LANs I can pick up on the 1 hour train ride (about 25 miles) you'd probably be surprised (or maybe you wouldn't

    Airsnort is nice on XP. I've used it on XP just because when I'm doing security training (even though most of it is done on linux boxes) I always get questions and requests like "how do I do this on XP/windows". Here is a link to get it working on XP.

    http://airsnort.shmoo.com/windows.html

    As a side note, remember that you won't have much luck trying to sniff wireless packets with your typical bestbuy or compusa wireless nic. You'll need something more robust like an Orinoco (some of the cisco cards work nicely too). The key is being able to use the card in promiscuous mode.

  3. Johan Hiemstra Forum Admin Webmaster's Avatar
    Join Date
    Jun 2002
    Location
    52n31, 6e06
    Posts
    10,383
    Blog Entries
    3

    Certifications
    MCSE NT4 MCSA 2000/2003 Security+ (expired: CWNA, CNA, CCNA)
    #2
    Thanks for sharing the info 'publicly'

    I think this was the (similar/) original question:
    www.techexams.net/forums/viewtopic.php?t=7923

    In addition to the info here and in that post, I just want to point out my related TechNotes, particularly because of the 24-bit initialization vector (IV) that is sent in clear text:
    http://www.techexams.net/technotes/s...wireless.shtml
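    A worked illustration of why a 24-bit IV sent in the clear is the weak point, as an added example that is not from the TechNotes or from any poster here: with IVs picked at random, the first repeated IV is expected after only a few thousand frames, and a card that simply increments the IV wraps the whole space in hours. The 500 frames/s rate used in the demo is an assumed figure.

```python
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # 16,777,216 distinct WEP IVs

def prob_iv_repeat(frames: int, space: int = IV_SPACE) -> float:
    """Exact probability that at least one IV repeats among `frames` frames
    when each frame picks its IV uniformly at random (birthday problem).
    Accumulated in log space so the product does not underflow."""
    if frames > space:
        return 1.0                       # pigeonhole: a repeat is certain
    log_no_repeat = 0.0
    for i in range(frames):
        log_no_repeat += math.log1p(-i / space)
    return 1.0 - math.exp(log_no_repeat)

def frames_for_repeat_probability(p: float, space: int = IV_SPACE) -> int:
    """Approximate frame count at which a repeat has occurred with probability p,
    from the standard birthday estimate n ~ sqrt(2 * space * ln(1 / (1 - p)))."""
    return math.ceil(math.sqrt(2 * space * math.log(1.0 / (1.0 - p))))

def seconds_to_exhaust(frames_per_second: float, space: int = IV_SPACE) -> float:
    """Time for a card that increments the IV sequentially to wrap the whole space."""
    return space / frames_per_second

if __name__ == "__main__":
    print(f"IV space: {IV_SPACE:,} values")
    print(f"50% chance of a repeated IV after ~{frames_for_repeat_probability(0.5):,} frames")
    print(f"P(repeat) after 5,000 frames: {prob_iv_repeat(5000):.3f}")
    # 500 frames/s is an assumed, moderate traffic rate used only for illustration
    print(f"Sequential IVs wrap after {seconds_to_exhaust(500) / 3600:.1f} hours at 500 frames/s")
```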

  4. Member
    Join Date
    Feb 2005
    Posts
    35
    #3

    Cracking WEP

    I thought this was a really good article: http://www.tomsnetworking.com/Sections-article111.php

  5. Senior Member
    Join Date
    Apr 2004
    Posts
    1,939

    Certifications
    yes
    #4
    Nice post.

  6. Member
    Join Date
    Feb 2005
    Posts
    35
    #5
    Here's another really good article:

    http://www.tomsnetworking.com/Sections-article118.php

  7. Security Tinkerer
    Join Date
    Sep 2004
    Location
    I'm convinced, we all live in the Matrix.
    Posts
    1,228

    Certifications
    CISSP, CCSP, CNSS-4013+4011, MCT, MCSA2K3, CWNA, MCSE2K3:Sec, LPT, ECSA, CEH, CHFI, CCNA, CS-CFW, CCIE-Sec/Written, etc.
    #6
    Yes, a very good article indeed.

  8. Senior Member
    Join Date
    Jul 2004
    Posts
    236

    Certifications
    A bunch, and I still suck
    #7
    The free tools are usually hit and miss for me. I hate to admit it, but the best one is the commercial one (I shall not name). I usually get 40-bit keys with a gig of captured data.

  9. Certification Invigilator Forum Admin JDMurray's Avatar
    Join Date
    Jul 2003
    Location
    Surf City USA
    Posts
    10,616
    Blog Entries
    50

    Certifications
    GSEC, EnCE, CISSP, SSCP, CEH (ANSI), CASP, CCNA, CCENT, CWSP, CWNA, CWTS, Security+, Server+, Network+, A+, DHTI+, PDI+, MSIT InfoSec
    #8

    Re: Cracking WEP

    Quote Originally Posted by jdredd
    I thought this was a really good article: http://www.tomsnetworking.com/Sections-article111.php
    Uh, broke a 128-bit WEP key in about three minutes? I'll bet that the key's bit pattern was very simple, and they were pumping as many packets across the air as the bandwidth would permit. I also wonder if their cracking machine was a typical Celeron laptop, or a non-mobile workstation with a lot of CPU horsepower.

    Your mileage may vary.
    Moderator of the InfoSec, CWNP, IT Jobs, Virtualization, Java, and Microsoft Developers forums at www.techexams.net
    --
    Blog: www.techexams.net/blogs/jdmurray
    LinkedIn: www.linkedin.com/in/jamesdmurray
    Twitter: www.twitter.com/jdmurray

  10. Security Tinkerer
    Join Date
    Sep 2004
    Location
    I'm convinced, we all live in the Matrix.
    Posts
    1,228

    Certifications
    CISSP, CCSP, CNSS-4013+4011, MCT, MCSA2K3, CWNA, MCSE2K3:Sec, LPT, ECSA, CEH, CHFI, CCNA, CS-CFW, CCIE-Sec/Written, etc.
    #9
    You're right JD, I had some questions myself. Although, this is a good awareness article for those who swear by WEP.

    Some things I question are:

    Quote Originally Posted by the article
    The FBI team used the deauth feature of void11 to repeatedly disassociate the laptop from the access point. Desired additional traffic was then generated as Windows XP tried to re-associate back to the AP. Note that this is not a particularly stealthy attack, as the laptop user will notice a series of "Wireless Network unavailable" notifications in the taskbar of their desktop screen.

    Not being stealthy means easily being caught or detected by even the most basic IDS.

    Quote Originally Posted by the article
    Another attack method the FBI team used is a replay attack. The basic premise of this attack is to capture at least one packet traveling from the victim laptop to victim access point. This packet can then be replayed into the network, causing the target AP to respond and provide more traffic to capture.

    Most of us in the security world started advising people and thwarting replay attacks three years ago. Again, a decently configured IDS or IPS would go crazy when this activity starts. Flooding the air with packets in order to speed up the process is definitely doable and even commonly practiced, but it is also plain stupid if you're trying not to be noticed. To generate enough traffic to do this in 3 minutes would definitely require some serious bandwidth consumption.
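    To show what "a decently configured IDS would go crazy" looks like in practice, here is a minimal wireless IDS check as an added example (not from the article or any poster), run over a constructed frame summary: it flags a burst of deauthentication frames in a short window, and a data frame whose (source, destination, IV) triple keeps reappearing, which is how a replayed WEP frame shows up on the air. The addresses, thresholds and sample frames are all assumed for the demo.

```python
from collections import defaultdict, deque

AP, CLIENT = "02:00:00:00:00:aa", "02:00:00:00:00:c1"   # assumed MAC addresses

# Constructed frame summaries: (time_s, subtype, src, dst, wep_iv_or_None)
SAMPLE_FRAMES = (
    [(i * 0.5, "data", CLIENT, AP, 0x100000 + i) for i in range(4)]      # normal traffic, fresh IVs
    + [(2.0 + i * 0.1, "deauth", AP, CLIENT, None) for i in range(8)]    # 8 deauths in 0.7 s, AP address spoofed
    + [(3.0 + i * 0.2, "data", CLIENT, AP, 0x1234AB) for i in range(3)]  # identical frame on the air three times
)

DEAUTH_THRESHOLD = 5     # deauth/disassoc frames per source within WINDOW_S
WINDOW_S = 1.0
REPLAY_THRESHOLD = 3     # same (src, dst, IV) seen this many times

def detect(frames):
    """Return alert strings for deauth floods and repeated WEP frames."""
    alerts = []
    deauth_times = defaultdict(deque)    # src -> timestamps inside the sliding window
    iv_count = defaultdict(int)          # (src, dst, iv) -> occurrences
    flagged = set()                      # alert once per source / per frame triple
    for t, subtype, src, dst, iv in frames:
        if subtype in ("deauth", "disassoc"):
            window = deauth_times[src]
            window.append(t)
            while t - window[0] > WINDOW_S:      # drop timestamps older than the window
                window.popleft()
            if len(window) >= DEAUTH_THRESHOLD and ("deauth", src) not in flagged:
                flagged.add(("deauth", src))
                alerts.append(f"deauth flood: {len(window)} frames from {src} within {WINDOW_S}s")
        elif subtype == "data" and iv is not None:
            key = (src, dst, iv)
            iv_count[key] += 1               # a fresh frame should never reuse its IV verbatim
            if iv_count[key] >= REPLAY_THRESHOLD and key not in flagged:
                flagged.add(key)
                alerts.append(f"possible replay: IV {iv:06x} {src}->{dst} seen {iv_count[key]} times")
    return alerts

if __name__ == "__main__":
    for line in detect(SAMPLE_FRAMES):
        print(line)
```

A real deployment would also baseline legitimate deauth/disassociation rates per AP, since a single roaming event can produce a few of them without any attack.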
