Cracking WEP Keys On the Fly While Wardriving.


19 replies to this topic

#1 IndexPhinger

IndexPhinger

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 481 posts
  • Country:
  • Gender:Male
  • Location:192.168.0.254

Posted 31 December 2008 - 01:35 PM

Now then, I don't have space for gigabytes of rainbow tables. Is there a valid way to quickly brute-force a key other than sniffing for it? Any pointers? I'd like to go wardriving soon and map out the area, because quite literally you can walk 2 feet and get an entirely new batch of Access Points!

#2 xof7

xof7

    Hakker addict

  • Members
  • 558 posts
  • Location:Spokane, Washington

Posted 31 December 2008 - 03:27 PM

You can't crack WEP keys with Rainbow Tables because of the way the algorithm works. The Aircrack-ng group has made a few somewhat automated tools to crack WEP. You still need a few thousand packets of data to crack the key.

What is your setup?

#3 IndexPhinger

IndexPhinger

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 481 posts
  • Country:
  • Gender:Male
  • Location:192.168.0.254

Posted 31 December 2008 - 08:22 PM

You can't crack WEP keys with Rainbow Tables because of the way the algorithm works. The Aircrack-ng group has made a few somewhat automated tools to crack WEP. You still need a few thousand packets of data to crack the key.

What is your setup?


MSI Megabook, Toshiba wifi (I'm doing this with my buddy Andre so I don't have the specs offhand).

;) I have a few Ralink RT2500 based sticks around too because they're definitely supported.

#4 Seal

Seal

    Not a fan of clubs.

  • Agents of the Revolution
  • 2,440 posts
  • Country:
  • Gender:Male
  • Location:Canada

Posted 31 December 2008 - 08:32 PM

You can crack WEP in a few minutes anyways using a replay attack. You force the target to generate packets for you.

http://www.tomsguide...view-459-6.html

#5 zandi

zandi

    SUP3R 31337 P1MP

  • Members
  • 263 posts
  • Location:michigan

Posted 01 January 2009 - 12:15 AM

I can second the replay attack; it works rather quickly and doesn't rely on any legitimate clients using the wireless network. Here's a link to a replay attack tutorial on the aircrack-ng website, which coincidentally also has other good tutorials regarding aircrack-ng.

http://www.aircrack-...with_no_clients

#6 biosphear

biosphear

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 327 posts
  • Country:
  • Gender:Male
  • Location:SD

Posted 01 January 2009 - 05:07 AM

I am retyping my guide to cracking 64/128 bit WEP; when I get done, I will post it up.
Should only take 10 min.

EDIT:

Here it is.
Tell me what you think.
If you find any errors on it, please tell me, so I may fix them. :D


This guide does not explain exactly what is going on, just what the functions do. I have a guide that gets more in depth, but need to retype that as well (flash drive broke :(...)

They are the same file, one is a .doc and the other is .txt, the .doc is easier to read.



Edited by biosphear, 01 January 2009 - 06:10 AM.


#7 deickos

deickos

    HACK THE PLANET!

  • Members
  • 62 posts
  • Location:Balbec

Posted 01 January 2009 - 05:21 AM

I was told BackTrack 3 would be perfect for cracking.
Is that correct?
Any suggestions?

#8 Meman5150

Meman5150

    Will I break 10 posts?

  • Members
  • 8 posts

Posted 01 January 2009 - 06:03 AM

I doubt you would consider BackTrack 3 perfect for anything. Cracking anything seems to be a time consuming task. You can't expect to stick a CD in a drive and expect everything.

Edited by Meman5150, 01 January 2009 - 06:04 AM.


#9 phr34kc0der

phr34kc0der

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 469 posts
  • Country:
  • Gender:Male

Posted 01 January 2009 - 08:50 AM

I was told BackTrack 3 would be perfect for cracking.
Is that correct?
Any suggestions?


Personally I haven't used BackTrack for WEP cracking, but any Linux distro will work. You just need to install the aircrack-ng suite and make sure your drivers are patched, then find some documentation online. Cracking a WEP key will only take about 20 min from start to finish and only about 10 secs to crack the actual key :P

#10 PurpleJesus

PurpleJesus

    Dangerous free thinker

  • Members
  • 1,578 posts
  • Gender:Male
  • Location:800

Posted 01 January 2009 - 12:29 PM

Just got my Belkin F5D9050 v.3002 to say its packet injection is working.. I am so psyched. I'm not sure if it was updating the RT73 driver or the iwpriv command that did it... but it seems to be happy now.

For testing: Would this work? I have a Linksys WUSB54Gv2 USB adapter.. if I used it with ndiswrapper and another computer.. set it up as a WEP access point w/o internet access.. Should that be sufficient to let me get this aircrack stuff figured out?

edit: all of this will be done on Ubuntu boxes.

Edited by PurpleJesus, 01 January 2009 - 12:30 PM.


#11 phr34kc0der

phr34kc0der

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 469 posts
  • Country:
  • Gender:Male

Posted 01 January 2009 - 06:12 PM

Just got my Belkin F5D9050 v.3002 to say its packet injection is working.. I am so psyched. I'm not sure if it was updating the RT73 driver or the iwpriv command that did it... but it seems to be happy now.

For testing: Would this work? I have a Linksys WUSB54Gv2 USB adapter.. if I used it with ndiswrapper and another computer.. set it up as a WEP access point w/o internet access.. Should that be sufficient to let me get this aircrack stuff figured out?

edit: all of this will be done on Ubuntu boxes.


Do you mean turning an Ubuntu box into a wireless router? Never tried it that way, but I don't see why it wouldn't work. Before I had a wireless router I did a similar thing, but putting it in ad-hoc mode and no encryption. Cracking WEP for the first time can be quite difficult because there are so many different variables involved (e.g. wireless chipset, drivers, attack types etc). I would suggest, if possible, using a wireless router in WEP mode to practice on; then you at least know that the router is working as it should. If you're worried about security just make sure to monitor your logs and connections and you should be fine, and put it back to WPA when you're done.

#12 PurpleJesus

PurpleJesus

    Dangerous free thinker

  • Members
  • 1,578 posts
  • Gender:Male
  • Location:800

Posted 01 January 2009 - 06:26 PM

Just got my Belkin F5D9050 v.3002 to say its packet injection is working.. I am so psyched. I'm not sure if it was updating the RT73 driver or the iwpriv command that did it... but it seems to be happy now.

For testing: Would this work? I have a Linksys WUSB54Gv2 USB adapter.. if I used it with ndiswrapper and another computer.. set it up as a WEP access point w/o internet access.. Should that be sufficient to let me get this aircrack stuff figured out?

edit: all of this will be done on Ubuntu boxes.


Do you mean turning an Ubuntu box into a wireless router? Never tried it that way, but I don't see why it wouldn't work. Before I had a wireless router I did a similar thing, but putting it in ad-hoc mode and no encryption. Cracking WEP for the first time can be quite difficult because there are so many different variables involved (e.g. wireless chipset, drivers, attack types etc). I would suggest, if possible, using a wireless router in WEP mode to practice on; then you at least know that the router is working as it should. If you're worried about security just make sure to monitor your logs and connections and you should be fine, and put it back to WPA when you're done.


Yeah, you got it.. I was thinking of using my slow machine as an AP w/ the ethernet cable unplugged for testing, and security. Then use my Palm TX to generate some traffic on it. I could drop my WPA stuff from my router and do it that way too - that would be a better real-world exercise anyways.

#13 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,115 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 02 January 2009 - 02:26 AM

If the router broadcasts UPnP (default for most routers) WEP can be cracked in under 15 minutes with no clients using the Chop Chop attack. If ARP reinjection is used and sufficient data is collected, a 128-bit key will basically be cracked on the fly using the latest aircrack-ng cracking algorithm.

#14 biosphear

biosphear

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 327 posts
  • Country:
  • Gender:Male
  • Location:SD

Posted 02 January 2009 - 04:02 AM

With the guide I put out (my other post) I was able to crack WEP in 5 minutes and 12 seconds.
Look at the guide; it is easy to understand and gives a step by step on how to do it.

#15 R0ckL0lz

R0ckL0lz

    I broke 10 posts and all I got was this lousy title!

  • Banned
  • 13 posts

Posted 02 January 2009 - 08:29 PM

If the router broadcasts UPnP (default for most routers) WEP can be cracked in under 15 minutes with no clients using the Chop Chop attack. If ARP reinjection is used and sufficient data is collected, a 128-bit key will basically be cracked on the fly using the latest aircrack-ng cracking algorithm.


I'm not sure exactly what you mean here. I don't see how UPnP has anything to do with initialization vectors. UPnP is part of the capability information contained in the management/probe response packets. It's not a packet type. Capability information of the router wouldn't do you any good if you're trying to crack WEP.

#16 deickos

deickos

    HACK THE PLANET!

  • Members
  • 62 posts
  • Location:Balbec

Posted 02 January 2009 - 09:02 PM

With the guide I put out (my other post) I was able to crack WEP in 5 minutes and 12 seconds.
Look at the guide; it is easy to understand and gives a step by step on how to do it.

What other post - where is it?

OK, I found it -
it says about 64 and 128 bit WEP -
can anyone explain that to a newman?
Is that the type my neighbor could have, I mean?

Edited by deickos, 02 January 2009 - 11:22 PM.
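As an added illustration (not from anyone in this thread) of what xof7's "the way the algorithm works" and the 64- versus 128-bit question above come down to: the marketed WEP key size includes a 24-bit per-packet IV sent in the clear, so the secret part is only 40 or 104 bits, and a stream cipher keyed by IV || secret repeats its keystream whenever an IV repeats, which the birthday bound puts at roughly a few thousand frames. The SHA-256 keystream and the sample capture below are constructed stand-ins for RC4 and real traffic, used only to audit a capture for IV reuse:

```python
import hashlib
import math
from collections import Counter

WEP_IV_BITS = 24  # the per-packet IV travels in the clear in every WEP frame

def secret_key_bits(marketed_bits):
    """'64-bit' and '128-bit' WEP count the 24-bit IV; the secret part is 40 or 104 bits."""
    return marketed_bits - WEP_IV_BITS

def packets_until_iv_repeat(p=0.5, iv_bits=WEP_IV_BITS):
    """Birthday bound: frames with random IVs before some IV repeats with probability p."""
    return math.sqrt(2 * 2 ** iv_bits * math.log(1 / (1 - p)))

def keystream(iv, key, length):
    """Stand-in for RC4(iv || key), constructed for this example (real WEP uses RC4).
    Any deterministic generator repeats its keystream when the IV repeats."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(iv + key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_frame(iv, key, plaintext):
    """WEP-style frame body: (clear IV, plaintext XOR keystream)."""
    return iv, xor_bytes(plaintext, keystream(iv, key, len(plaintext)))

def find_iv_reuse(frames):
    """Audit a capture given as (iv, body) pairs: return IVs seen more than once."""
    counts = Counter(iv for iv, _ in frames)
    return {iv: n for iv, n in counts.items() if n > 1}

def plaintext_xor_from_reused_iv(frame_a, frame_b):
    """Equal IVs mean equal keystreams, which cancel: c1 XOR c2 == p1 XOR p2."""
    return xor_bytes(frame_a[1], frame_b[1])

# Constructed sample capture: a 40-bit secret and three frames, two sharing an IV.
SECRET = bytes.fromhex("0102030405")
P1 = b"ARP who-has 192.168.0.1"
P2 = b"ARP who-has 192.168.0.7"
CAPTURE = [
    encrypt_frame(b"\x11\x22\x33", SECRET, P1),
    encrypt_frame(b"\xaa\xbb\xcc", SECRET, b"some unrelated payload"),
    encrypt_frame(b"\x11\x22\x33", SECRET, P2),
]
```

A real audit would feed `find_iv_reuse` the IVs pulled from a monitor-mode capture; any network that still shows WEP (or repeated IVs) belongs on the migrate-to-WPA list.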


#17 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,115 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 02 January 2009 - 10:40 PM

If the router broadcasts UPnP (default for most routers) WEP can be cracked in under 15 minutes with no clients using the Chop Chop attack. If ARP reinjection is used and sufficient data is collected, a 128-bit key will basically be cracked on the fly using the latest aircrack-ng cracking algorithm.


I'm not sure exactly what you mean here. I don't see how UPnP has anything to do with initialization vectors. UPnP is part of the capability information contained in the management/probe response packets. It's not a packet type. Capability information of the router wouldn't do you any good if you're trying to crack WEP.


http://www.codeproje...ortForward.aspx
http://74.125.45.132...lient=firefox-a

To function it sends data packets. Usually they are unicast (239.x.x.x I believe) port 1900. The chopchop attack can use these packets to byte by byte break the encryption. At that point packetforge-ng can make an ARP to reinject.

#18 R4p1d

R4p1d

    Hakker addict

  • Members
  • 840 posts
  • Country:
  • Gender:Not Telling
  • Location:Space

Posted 03 January 2009 - 02:34 AM

Kismet first to find the AP
Start monitoring it
Run the Injector
Create injection requests
Now you have your packets
Yay

Edited by R4p1d, 03 January 2009 - 02:36 AM.


#19 biosphear

biosphear

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 327 posts
  • Country:
  • Gender:Male
  • Location:SD

Posted 03 January 2009 - 12:31 PM

Kismet first to find the AP
Start monitoring it
Run the Injector
Create injection requests
Now you have your packets
Yay


I do like Kismet, but only use it for cracking WPA.
airodump-ng does everything you need to when cracking WEP (and comes in handy when cracking WPA).

All one has to do is read my guide.
I need more feedback on it; also I know there are a few errors. I have fixed them but do not have the file with me because I am at work.

#20 R4p1d

R4p1d

    Hakker addict

  • Members
  • 840 posts
  • Country:
  • Gender:Not Telling
  • Location:Space

Posted 04 January 2009 - 09:26 PM

Kismet first to find the AP
Start monitoring it
Run the Injector
Create injection requests
Now you have your packets
Yay


I do like Kismet, but only use it for cracking WPA.
airodump-ng does everything you need to when cracking WEP (and comes in handy when cracking WPA).

All one has to do is read my guide.
I need more feedback on it; also I know there are a few errors. I have fixed them but do not have the file with me because I am at work.


Well, airodump-ng is passive; if you want your packets fast, use aireplay-ng to do an active attack. Much more efficient, but it pretty much kicks everyone off the network.

Edited by R4p1d, 04 January 2009 - 09:28 PM.
