Re: troubles with wireless pentest

From: Jason Ostrom (justiceguy@pobox.com)
Date: Thu Jun 24 2004 - 09:56:21 EDT


So I'm assuming you were able to decipher the ASCII/Hex 5 or 13-byte WEP key
using tools based on the FMS attack. And you said below that you
try to connect to the network but can't bridge / route through the AP
- but I didn't see you mention that you used the WEP key to connect to
the network. Even with the spoofing in place, you won't be able to
communicate with the AP unless you use the WEP key properly. I'm assuming that
you were able to determine the WEP key on a network using static WEP.
Because if the network is using rotating WEP keys with 802.1x, your
problem is complicated. It may seem obvious, but I didn't see you
mention this about using the WEP key.

When you try to route through the AP, what kind of a response do you
see from the AP?

Jason

zcrips xrabbitz> Hi everyone,
zcrips xrabbitz> I have been taking on my
zcrips xrabbitz> first large and blind wireless pentest and I
zcrips xrabbitz> have nearly become lost in the jaws
zcrips xrabbitz> of a wireless network and would
zcrips xrabbitz> appreciate any help. First I'll
zcrips xrabbitz> state what I have so far done and seen.

zcrips xrabbitz> The network was encrypted, but with
zcrips xrabbitz> WEP and large traffic, so I was able to
zcrips xrabbitz> brute-force the key.
zcrips xrabbitz> The network in focus is quite large
zcrips xrabbitz> with multiple subnets and lots of
zcrips xrabbitz> “firewalls”.

zcrips xrabbitz> These I did.

zcrips xrabbitz> Using Kismet I sniffed a whole lot
zcrips xrabbitz> of packets and decoded them with the
zcrips xrabbitz> found WEP key.

zcrips xrabbitz> Then using my conventional Ettercap
zcrips xrabbitz> and Ethereal I looked through the
zcrips xrabbitz> packets.
zcrips xrabbitz> I sniffed a lot more with Ethereal
zcrips xrabbitz> and looked through them for a similar MAC
zcrips xrabbitz> address, but all packets
zcrips xrabbitz> had a local (destination) IP and MAC address.

zcrips xrabbitz> Now The Problem.

zcrips xrabbitz> I tried to connect to the network.

zcrips xrabbitz> I used a nice IP to match one on the network
zcrips xrabbitz> (8.5). I changed MAC addresses to
zcrips xrabbitz> match the host I was spoofing.

zcrips xrabbitz> Then I tried to route packets to another client,
zcrips xrabbitz> which failed with the "network unreachable" error.
zcrips xrabbitz> I tried a traceroute to my target
zcrips xrabbitz> client, but it failed too with the same
zcrips xrabbitz> error.

zcrips xrabbitz> I used Ettercap to passively watch
zcrips xrabbitz> traffic and came up with a comprehensive
zcrips xrabbitz> list of IP/MAC addresses and tried
zcrips xrabbitz> to spoof most of them, but still my
zcrips xrabbitz> packets didn't get routed.
zcrips xrabbitz> I tried using EtherApe to watch
zcrips xrabbitz> traffic flow and come up with a route, but I
zcrips xrabbitz> figured out that nearly all traffic
zcrips xrabbitz> was internal; most hosts were connecting
zcrips xrabbitz> to each other.

zcrips xrabbitz> HELP:
zcrips xrabbitz> HOW CAN I ROUTE PACKETS THROUGH
zcrips xrabbitz> TO OTHER CLIENTS OR BECOME A CLIENT
zcrips xrabbitz> OR IS THERE A BETTER WAY I COULD DO
zcrips xrabbitz> THIS WHOLE PENTEST FROM THE BEGINNING?
zcrips xrabbitz> PLS ANY HELP WOULD BE APPRECIATED.

zcrips xrabbitz> ZIPPERS CRIPS




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:56 EDT