Re: WEP attacks based on IV Collisions

From: leonardo (billtorvalds1@yahoo.it)
Date: Wed Jun 02 2004 - 15:50:41 EDT


* On Wednesday 02 June 2004, at 08:09, Jeremy Junginger wrote:
> But before I can even think about the key, I need to figure out how to
> identify these encrypted DHCP? Anyone know?

If you have enough time to arrange this attack, you just have to wait
for a new machine to authenticate (or force any machine to
deauthenticate and wait for it to authenticate again). Authentication in
WEP works, quite surprisingly, like this: the AP sends a challenge text in
clear (128 bit), the supplicant answers with the same challenge text encrypted
with the WEP key, and the AP checks the correctness of the encryption and
authenticates the client. So if you listen to an authentication you see
128 bit passing in plaintext and encrypted, and you can get those 128 bit of
keystream.
        
> 1) Generate an 8 byte (n-3) message that generates a predictable response (8
> byte ICMP packet? What shall we use here?)

You don't really need a predictable packet: if you send a TCP ACK
to a closed port of any host you'll get a RST if your forged
packet was correctly checksummed, otherwise nothing. So if you get a
response you got the right byte.

ciao,
leonardo.

-- 
0C5F B8DE 3136 1506 96D0  1806 7674 D513 A66E 7854
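The shared-key exchange described in the reply above, as an added example that is not part of the original post or thread: a passive observer who sees the clear challenge and the encrypted response learns the RC4 keystream for that IV by XORing the two (the 802.11 challenge text is 128 octets; the key, IV and challenge bytes here are constructed, and the ICV handling follows the WEP frame format).

```python
import struct
import zlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """RC4 KSA + PRGA, the stream cipher WEP uses; returns n keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP frame body: IV(3) | key id(1) | RC4(IV||key, payload || CRC-32 ICV)."""
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)
    plain = payload + icv
    return iv + b"\x00" + xor(plain, rc4_keystream(iv + key, len(plain)))


def recover_keystream(challenge: bytes, response_body: bytes) -> tuple[bytes, bytes]:
    """What a passive observer learns from one shared-key authentication:
    the IV (sent in clear) and keystream = known plaintext XOR ciphertext.
    The observer never needs the WEP key."""
    iv, cipher = response_body[:3], response_body[4:]
    icv = struct.pack("<I", zlib.crc32(challenge) & 0xFFFFFFFF)
    return iv, xor(challenge + icv, cipher)


def demo(key: bytes = bytes.fromhex("0102030405")) -> bool:
    """Constructed exchange: 40-bit WEP key, fixed IV, 128-octet challenge."""
    challenge = bytes(range(128))            # AP -> STA, in clear
    iv = b"\x11\x22\x33"                     # STA picks the IV for its response
    response = wep_encrypt(key, iv, challenge)  # STA -> AP, encrypted
    rec_iv, ks = recover_keystream(challenge, response)
    # Observer's keystream equals RC4(IV||key) output although the key was never seen.
    return rec_iv == iv and ks == rc4_keystream(iv + key, len(challenge) + 4)
```

This is why shared-key authentication weakens WEP further than open-system authentication: each observed handshake hands out 132 bytes of keystream tied to a known IV.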


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:55 EDT