RE: Cracking WEP and WPA keys

From: cerealkilla@cox.net
Date: Tue Dec 13 2005 - 17:16:17 EST


To add my 2 cents, I've seen it stated that if you use a 63 character
complex pass phrase with WPA PSK that while theoretically possible, at this
time it will not be broken.

Also some have mentioned that newer equipment has fixed the problem with
weak IV's?

Does anyone know what specially has been changed?
Are these particular implementations still vulnerable? Are there any tested
exploits that may be used against these newer versions?

Has anyone tried cracking WEP with a Cisco 1200AP?

-----Original Message-----
From: Seth Fogie [mailto:seth@fogieonline.com]
Sent: Tuesday, December 13, 2005 1:02 PM
To: pen-test@securityfocus.com
Subject: Re: Cracking WEP and WPA keys

I teach a wireless hacking class and perform this wep cracking live in
under 4 minutes with generated data. The airoreplay method has taken
between 6 and 20 minutes, depending on luck and traffic generated.
However, this is in a controlled environment. One, you have to be sure
your airocrack is using the same frequency as your wireless network.
Two, you have to be sure your using the same standard (b vs g). If your
airodump is capturing only b traffic, and your network is primariy g,
you will only see beacons...which are worthless when cracking wep..

In addition, some vendors have taken steps to prevent these types of
attacks. I personally use a Linksys 54g router with a Netgear G card set
to 802.11b only during the tests...my senao card also works. However,
other cards and AP's I have used aren't as crack friendly.

WPA is a different story all together. I can crack WPA in less than a
second assuming my dictionary file is only one word long and that word
is my passphrase. All you need to do is capture 4 packets and then use
cowpatty to test the dictionary words to see which one matches.
Depending on the passphrase setup in WPA, and its position in the
dictionary, your crack could be seconds or years...and if the passphrase
is not in your dictionary file...well, then it won't be cracked.

Seth Fogie
Airscanner
Moderator for wifisec@securityfocus.com

Shenk, Jerry A wrote:

>Cracking WEP depends on a ton of stuff. If you're cracking it looking
>for weak IVs, you'll need an AP that has weak IVs. Most of the new ones
>avoid them to one degree or another. What AP are you using? I used a
>Linksys in my initial testing (a couple years ago) and cracked the key
>in 4 hours. I also tried to crack a Cisco 350 (replaced by the 1200
>series) and never was able to crack the key using that method, even
>after running for days.
>
>Another thing, that "crack in seconds" is based on already having hours
>or days worth of traffic to use.
>
>There are some new tools that generate traffic rather than having to
>wait for it and some of the new cracking methods are better or worse,
>depending on your perspective. I think some of these "WEP is worthless"
>stories are overly sensational. Yes, WEP is broken, ok, possibly even
>horribly broken but it stops a 'casual connector', it even stops quite a
>few determined hackers (it stopped you;). If you're the NSA...ok, WEP
>is worthless....the people attacking you are determined, well financed
>professionals. If you're my mom, checking her e-mail from home with a
>wireless laptop, I think WEP is perfectly fine. Installing everything
>needed for a good PEAP implementation for my mom is absolutely insane.
>Most people are gonna be someplace in the middle where a little bit of
>risk evaluation is in order.
>
>-----Original Message-----
>From: Robin Wood [mailto:dninja@gmail.com]
>Sent: Tuesday, December 13, 2005 5:09 AM
>To: pen-test@securityfocus.com
>Subject: Cracking WEP and WPA keys
>
>Hi
>I've just been on a wireless security course where there was a lot of
>talk
>about WEP keys being poor security and easily crackable. I got home and
>decided to put it to practice and use aircrack against my own WEP key.
>
>Using airodump and aireplay I collected 1 million IVs and set aircrack
>off
>attacking it. After around 4 hours I got bored of waiting and on another
>machine tried playing with aircracks debug option where you can pass
>sections of the key you already know. I found if I passed the whole key
>except the last digit it could be cracked with a fudge factor of 2, if I
>removed the last 2 digits then I had to up the fudge factor to 5 and up
>it
>to 8 if I removed the last 3 digits. With anything less than the fudge
>factor mentioned I was told that it couldn't crack the key.
>
>All the examples I've seen seem to suggest that cracking should take
>minutes
>not hours and all keys should be crackable. What experiences do other
>testers have? Have I done something wrong? I abandoned the full attack
>after
>5 hours as it was running with the default fudge factor of 2 so would
>probably not have managed to crack the key.
>
>I've also seen a video on the Remote Exploit site showing a WPA key
>cracked
>in 10 minutes using cowpatty and a dictionary attack. How realistic is
>this?
>
>Robin
>
>------------------------------------------------------------------------
>------
>Audit your website security with Acunetix Web Vulnerability Scanner:
>
>Hackers are concentrating their efforts on attacking applications on
>your
>website. Up to 75% of cyber attacks are launched on shopping carts,
>forms,
>login pages, dynamic content etc. Firewalls, SSL and locked-down servers
>are
>futile against web application hacking. Check your website for
>vulnerabilities
>to SQL injection, Cross site scripting and other web attacks before
>hackers do!
>Download Trial at:
>
>http://www.securityfocus.com/sponsor/pen-test_050831
>------------------------------------------------------------------------
>-------
>
>
>
>
>
>**DISCLAIMER
>This e-mail message and any files transmitted with it are intended for the
use of the individual or entity to which they are addressed and may contain
information that is privileged, proprietary and confidential. If you are not
the intended recipient, you may not use, copy or disclose to anyone the
message or any information contained in the message. If you have received
this communication in error, please notify the sender and delete this e-mail
message. The contents do not represent the opinion of D&E except to the
extent that it relates to their official business.
>
>
>---------------------------------------------------------------------------

---
>Audit your website security with Acunetix Web Vulnerability Scanner: 
>
>Hackers are concentrating their efforts on attacking applications on your 
>website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
>login pages, dynamic content etc. Firewalls, SSL and locked-down servers
are 
>futile against web application hacking. Check your website for
vulnerabilities 
>to SQL injection, Cross site scripting and other web attacks before hackers
do! 
>Download Trial at:
>
>http://www.securityfocus.com/sponsor/pen-test_050831
>---------------------------------------------------------------------------
----
>
>
>
>  
>
----------------------------------------------------------------------------
--
Audit your website security with Acunetix Web Vulnerability Scanner: 
Hackers are concentrating their efforts on attacking applications on your 
website. Up to 75% of cyber attacks are launched on shopping carts, forms, 
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for
vulnerabilities 
to SQL injection, Cross site scripting and other web attacks before hackers
do! 
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
----------------------------------------------------------------------------
---




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:16 EDT