Re: V/Scan for Wireless LANs

From: Nicolas RUFF (lists) (ruff.lists@edelweb.fr)
Date: Mon Jul 21 2003 - 05:40:44 EDT

• Next message: slugbait: "Re: V/Scan for Wireless LANs"
• Previous message: Alvin Oga: "RE: Know such a web's server tool? -- huh"
• In reply to: Morgan, Andy: "RE: V/Scan for Wireless LANs"
• Next in thread: David Nester: "RE: V/Scan for Wireless LANs"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

> There are some tools that will work to try to find a WEP key but they require a lot of data and time. They exploit known vulnerabilities in the WEP algorithm to find the keys. However it could take as much as 500 meg of data. I don't have the links handy. Sorry.
> As far as brute forcing. ok idea but not very doable. to iterate through all cobinations would be 2^128 possibilities which gets you to about 3.4028236692093846346337460743177e+38 possible combinations. If you assumed you could do 1 per second - which would be tough if you wait for DHCP to respond it would take you 10790283070806014188970529154990 years to get through all the combinations. Thats a long time. :) If somebody could check my math that would be great.

        Hello,

Slight mistake here : the first 24 bits of the key are random (sometimes
incremental, but most vendors have fixed this by now), but transmitted
inside the paquet (this is called Initialisation Vector - IV), whereas
the last 40 / 104 bits are derived from one of the WEP key (since the
system might use up to 4 WEP keys).

2^40 = 1099511627776
2^104 = 20282409603651670423947251286016

Since RC4 is a fast algorithm, my P4 1.7GHz processor can check around
25,000 k/s, so I guess you can walk trough a 40-bit keyspace in a couple
of weeks if you have a cluster a 20 to 30 P4 2.5GHz computers.

There is also a trick that can save you time : some vendors derive the
WEP key directly from the ASCII passphrase - that is why you sometimes
have to give 5-character or 13-character only passphrases. In this case
you only have to check the ASCII printable character range. I
successfully manage to crack a 64-bit WEP key using a *single* packet
within hours using this trick. However I never tried on 128-bit WEP keys.

Regards,
- Nicolas RUFF
-----------------------------------
Security Consultant
EdelWeb (http://www.edelweb.fr/)
Mail : nicolas.ruff@edelweb.fr
-----------------------------------

---------------------------------------------------------------------------
----------------------------------------------------------------------------

• Next message: slugbait: "Re: V/Scan for Wireless LANs"
• Previous message: Alvin Oga: "RE: Know such a web's server tool? -- huh"
• In reply to: Morgan, Andy: "RE: V/Scan for Wireless LANs"
• Next in thread: David Nester: "RE: V/Scan for Wireless LANs"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:37 EDT