RE: Wireless Pent-Test

From: Christopher Harrington (cmh@nmi.net)
Date: Mon Oct 06 2003 - 14:22:15 EDT


Matthew,

The weakness is in the Key Scheduling Algorithm in WEP. The WEP keys
themselves are weak. This flaw allows the key to be "guessed"
based on statistical information derived from what are called
Interesting Packets. These packets have a problem with weak
Initialization Vectors. Some vendors have changed their firmware to
reduce the number of Interesting Packets. This means that tools like
Wepcrack and Airsnort are much less effective than they used to be.
However, there are tools / code out there that can inject Interesting
Packets into legitimate traffic, thus cutting down the time required to
derive the WEP key. This technique will work whether or not the vendor
has fixed their WEP implementation.

--Chris

Christopher Harrington
NMI InfoSecurity Solutions
207-878-2310 x236
http://www.nmi.net
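To make concrete what the "Interesting Packets" above look like and what the vendor firmware fix filters out, here is an added example (not code from the thread or from any vendor) that classifies captured WEP IVs by the classic FMS weak-IV class (B+3, 255, X) and shows the filter that WEP+ style firmware applies. Treating only that original class as weak is an assumption made for brevity; later tools used additional weak classes.

```python
# Classify WEP initialisation vectors (IVs) by the classic FMS "weak IV" class:
# the pattern the "Interesting Packets" fall into and that WEP+ style firmware
# skips. Added example, not from the thread. Assumption: only the original FMS
# class (B+3, 255, X) is modelled; later tools also used other weak classes.

RC4_N = 256  # RC4 state size; the FMS class uses N-1 = 255 as the second IV byte


def fms_weak_key_index(iv, key_len):
    """Return the WEP key byte index (0..key_len-1) that an IV of the form
    (B+3, 255, X) exposes under FMS, or None when the IV is not in that class.
    key_len is the secret key length in bytes (5 for 64-bit, 13 for 128-bit WEP).
    """
    if len(iv) != 3:
        raise ValueError("WEP IV must be 3 bytes")
    if iv[1] != RC4_N - 1:
        return None
    b = iv[0] - 3
    return b if 0 <= b < key_len else None


def weak_iv_report(ivs, key_len=13):
    """Count weak IVs per exposed key byte and return (count, fraction, per_byte).
    An AP or driver that filters the weak class should show a fraction of 0.0."""
    per_byte = {}
    weak = 0
    for iv in ivs:
        b = fms_weak_key_index(iv, key_len)
        if b is not None:
            weak += 1
            per_byte[b] = per_byte.get(b, 0) + 1
    fraction = weak / len(ivs) if ivs else 0.0
    return weak, fraction, per_byte


def filter_weak_ivs(ivs, key_len=13):
    """The vendor-side fix: drop IVs in the weak class before they are ever used."""
    return [iv for iv in ivs if fms_weak_key_index(iv, key_len) is None]


# Constructed sample: a handful of IVs as a sniffer might record them.
SAMPLE_IVS = [
    bytes([0x03, 0xFF, 0x12]),  # exposes key byte 0
    bytes([0x0A, 0xFF, 0x7E]),  # exposes key byte 7
    bytes([0x0F, 0xFF, 0x01]),  # exposes key byte 12 (last byte of a 13-byte key)
    bytes([0x10, 0xFF, 0x01]),  # would be byte 13: beyond a 13-byte key, not weak
    bytes([0x03, 0xFE, 0x12]),  # second byte is not 255, not weak
    bytes([0x42, 0x17, 0x99]),  # ordinary IV
]
```

Running `weak_iv_report` over IVs captured from a given access point is a quick way to check whether its firmware really avoids the weak class; the fraction should sit at zero if it does.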

-----Original Message-----
From: Matthew Leeds [mailto:mleeds@theleeds.net]
Sent: Monday, October 06, 2003 12:51 PM
To: pen-test@securityfocus.com
Subject: Re: Wireless Pent-Test

OK, I keep hearing about how simple it is to crack WEP using a variety
of tools. I also keep hearing that some WLAN hardware manufacturers have
modified their firmware to eliminate the generation of 'weak' WEP keys.
Has anyone investigated this sufficiently to authoritatively discuss
whether the 'removal' of weak keys reduces/eliminates the risk of WEP?
Whether it renders the current generation of tools for cracking WEP
ineffective?

Some references: http://www.agere.com/NEWS/PRESS2001/111201b.html
http://www.ydi.com/deployinfo/wp-wep-plus.php

---Matthew
*********** REPLY SEPARATOR ***********

On 10/6/2003 at 5:09 PM Daniel Nylander wrote:

>Getting the WEP-key from a WLAN is "pretty" simple.
>Download airsnort, wepcrack, kismet and other useful tools.. then
>capture enough packets to wepcrack and .. voila!
>
>Daniel
>
>----- Original Message -----
>From: "Cesar Diaz" <cesadiz@yahoo.com>
>To: <pen-test@securityfocus.com>
>Sent: Sunday, October 05, 2003 3:16 AM
>Subject: Wireless Pent-Test
>
>
>>
>> Remote users in my company have been begging for permission to use
>> wireless NICs in their laptops for a while now. When they are not on
>> the road, most of them work from home and would like to be able to use
>> their laptops anywhere in their house.
>>
>> Due to our industry and business requirements, we have to document
>> every process and method used to access our data and prove that we've
>> tested the security of our data. In order to let the users go wireless
>> I have to show that I've tested the security on a wireless network.
>>
>> Our idea is to let the users buy wireless routers to connect to their
>> cable/dsl routers and then wireless PCMCIA or USB cards on the laptop.
>> We would implement 128 bit WEP security to prevent unauthorized access.
>> I realize that WEP does not provide for stringent security, but we feel
>> that by forcing users to change their WEP key regularly we can meet our
>> requirements.
>>
>> My question is, how do I test WEP and document whether or not it's
>> secure? Any way to sniff for WEP keys, or to brute force attack a WEP
>> session? If there is, how hard is it to set up? How much of a risk of a
>> wireless connection with WEP enabled to be compromised other than a
>> dedicated, brute force attack?
>>
>> Any information is greatly appreciated.
>>
>> Cesar
>>

------------------------------------------------------------------------
Tired of constantly searching the web for the latest exploits? Tired of
using 300 different tools to do one job? Get CORE IMPACT and get some
rest. www.coresecurity.com/promos/sf_ept2
------------------------------------------------------------------------




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:41 EDT