biosphear

Get 20 WEP Pass-Phases in 30 Seconds

11 posts in this topic

OK.

I found it: the why it works and the step-by-step for the 20 WEP pass-phrases in 30 seconds.

This can be done on the routers that Verizon gives out when you sign up for FiOS.

Read the PDF (so anyone can open it), and tell me what you think. :wink:

Take care,

biosphear

FiOS ExP.pdf

1

They have their fiber go straight to your house, so every customer has a multi-node line that goes from the CO to their house.
It doesn't usually hurt to proofread.

Anyway, nice find, well done. And holy crap, 85% default networks? Here it's 85% secured =/

0


Anyway, nice find, well done. And holy crap, 85% default networks? Here it's 85% secured =/

Well, technically they are "secured", but what people do not see is that WEP is a false sense of security, and it is made even worse with this problem that Verizon has with their routers.

So it is left to default, but it has security.

Only about 1% did not have any security.

Thanks for the reply, and I will proofread it again to catch anything else.

biosphear

0


OK.

I found it: the why it works and the step-by-step for the 20 WEP pass-phrases in 30 seconds.

This can be done on the routers that Verizon gives out when you sign up for FiOS.

Read the PDF (so anyone can open it), and tell me what you think. :wink:

Take care,

biosphear

FiOS ExP.pdf

Un-flipping-believable!!! The uber-stupidity of this is that there are TWO attack vectors. Since anybody can sniff the BSSID, that's a no-brainer.

But wait, there's more...the other vector is:

Are you familiar with OUIDs? The first three octets are assigned to manufacturers by the IEEE.

http://standards.ieee.org/cgi-bin/ouisearch

So if you know (or guess) the maker of the device, you've got the first, second, and third octets as a gimme.

For example, if the rocket-scientists at Verizon are using Actiontec, then 00:34:95 is going to be the first half of tens of thousands of pass-phrases.

From there the rest of the pass-phrase is a simple six-character combination of 0-9 and A-F. 470,184,984,576 combinations, or around 70 minutes at 500,000 PPS. In reality you would create a ~600 MB rainbow table with the values pre-populated, and it would take less than 20 minutes (since MAC addresses are pairs of hex digits, it would be a smaller pool).

The blinding irony of this is that the keyspace for the AES encryption of WPA2 is gi-normous. Unless you're NASA with a room full of FPGAs, you are not going to ever get within a galaxy of brute-forcing AES. And yet, some Telco leaves the key under the mat..... :)

Edited by robo_geek
0


OK.

I found it: the why it works and the step-by-step for the 20 WEP pass-phrases in 30 seconds.

This can be done on the routers that Verizon gives out when you sign up for FiOS.

Read the PDF (so anyone can open it), and tell me what you think. :wink:

Take care,

biosphear

FiOS ExP.pdf

Un-flipping-believable!!! The uber-stupidity of this is that there are TWO attack vectors. Since anybody can sniff the BSSID, that's a no-brainer.

But wait, there's more...the other vector is:

Are you familiar with OUIDs? The first three octets are assigned to manufacturers by the IEEE.

http://standards.ieee.org/cgi-bin/ouisearch

So if you know (or guess) the maker of the device, you've got the first, second, and third octets as a gimme.

For example, if the rocket-scientists at Verizon are using Actiontec, then 00:34:95 is going to be the first half of tens of thousands of pass-phrases.

From there the rest of the pass-phrase is a simple six-character combination of 0-9 and A-F. 470,184,984,576 combinations, or around 70 minutes at 500,000 PPS. In reality you would create a ~600 MB rainbow table with the values pre-populated, and it would take less than 20 minutes (since MAC addresses are pairs of hex digits, it would be a smaller pool).

The blinding irony of this is that the keyspace for the AES encryption of WPA2 is gi-normous. Unless you're NASA with a room full of FPGAs, you are not going to ever get within a galaxy of brute-forcing AES. And yet, some Telco leaves the key under the mat..... :)

With both WAP being cracked, and one version of WAP2 cracked as well, wtf is secure anymore? WEP/WAP/WAP2 is security against the impatient and lazy, or the average freeloader. If someone wants in, etc. etc.

0


With both WAP being cracked, and one version of WAP2 cracked as well, wtf is secure anymore? WEP/WAP/WAP2 is security against the impatient and lazy, or the average freeloader. If someone wants in, etc. etc.

I think you mean WPA, not WAP. WPA is secure if you have a secure password.

0


With both WAP being cracked, and one version of WAP2 cracked as well, wtf is secure anymore? WEP/WAP/WAP2 is security against the impatient and lazy, or the average freeloader. If someone wants in, etc. etc.

I have never been able to crack WPA2. If you have a video of you doing it or someone else I would love to see it. :dry:

WPA is secure if you have a secure password.

That is true. Just the simple things can make a real difference when it comes to system security. One would think it is common sense, but that is not always the case... Sadly.

I am glad you guys are reading this, and seem to like it. :biggrin:

biosphear

0


With both WAP being cracked, and one version of WAP2 cracked as well, wtf is secure anymore? WEP/WAP/WAP2 is security against the impatient and lazy, or the average freeloader. If someone wants in, etc. etc.

I think you mean WPA, not WAP. WPA is secure if you have a secure password.

Blah Blah Blah

Incorrect.

http://www.engadget.com/2009/08/27/wpa-networks-cracked-in-just-under-a-minute-researchers-claim/

http://www.engadget.com/2008/11/06/wpa-cracked-in-15-minutes-or-less-or-your-next-routers-free/

-2


With both WAP being cracked, and one version of WAP2 cracked as well, wtf is secure anymore? WEP/WAP/WAP2 is security against the impatient and lazy, or the average freeloader. If someone wants in, etc. etc.

I think you mean WPA, not WAP. WPA is secure if you have a secure password.

Blah Blah Blah

Incorrect.

http://www.engadget.com/2009/08/27/wpa-networks-cracked-in-just-under-a-minute-researchers-claim/

http://www.engadget.com/2008/11/06/wpa-cracked-in-15-minutes-or-less-or-your-next-routers-free/

Hey, give him a break :wink: ... to some people 2 days is like two years; to others it is simply 2 days. This just came out.

Also, to clarify, you are able to read the packets that are intercepted; however, you are still unable to complete authentication to get onto the network. This is splitting hairs of course, but it is still a fundamentally different hack.

0


Blah Blah Blah

Incorrect.

Now I don't want to rain on your gravy train, but as others have stated, there are some limitations with this.

There are some limitations, as the data sent from a connected device to the compromised router is apparently still safe, but anything headed t'other way is wide open, and could even be supplanted by bogus bits sent from a Cheetos-munching hacker slouching in a rusty Ford Taurus in the parking lot.

So you only see one way, yes this is helpful, and also a great find, but it is not that you can get into their network (that is what it sounds like). I guess we will have to see on 9/25/2009 to see what they really have to show.

Edited by biosphear
-1


With both WAP being cracked, and one version of WAP2 cracked as well, wtf is secure anymore? WEP/WAP/WAP2 is security against the impatient and lazy, or the average freeloader. If someone wants in, etc. etc.

I have never been able to crack WPA2. If you have a video of you doing it or someone else I would love to see it. :dry:

The recent WPA crack is a TKIP problem. WPA2 with TKIP has the same exact flaw. So WPA2(TKIP) is cracked. Since half of all WPA2 devices only have TKIP option, it is a big problem.

WPA2 + AES has not been cracked.

JFGI.

0
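Two points in this thread lend themselves to a defender's audit: robo_geek's observation that a WEP key built from the BSSID leaves only six hex digits unknown once the OUI is public, and the last post's point that WPA/WPA2 with TKIP is the weak configuration while WPA2 with AES (CCMP) is not. The following is an added example, not code from the thread, the PDF, or any vendor: a small survey auditor that flags WEP, TKIP-only WPA/WPA2 and open networks, checks whether a WEP key you administer is predictable from its own BSSID, and quantifies the residual keyspace. The BSSID-derivation rule (`key_derived_from_bssid`) is an assumption, since the PDF's exact derivation is not on this page; the survey rows are constructed.

```python
"""Wireless survey audit (added example; assumptions are marked in comments).

Each row is (ssid, bssid, security string, configured key or None). The key
is only known for access points you administer, so this audits your own fleet
rather than anyone else's.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HEX = set("0123456789ABCDEF")


@dataclass
class Finding:
    bssid: str
    severity: str
    reason: str


def normalize_mac(mac: str) -> str:
    """Return a MAC as 'AA:BB:CC:DD:EE:FF'; reject anything that is not 12 hex digits."""
    digits = mac.replace(":", "").replace("-", "").upper()
    if len(digits) != 12 or any(c not in HEX for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui_of(mac: str) -> str:
    """First three octets: the IEEE-assigned manufacturer prefix (OUI)."""
    return normalize_mac(mac)[:8]


def key_derived_from_bssid(key: str, bssid: str) -> bool:
    """ASSUMED rule: a hex WEP key counts as 'derived from the BSSID' when its
    hex digits are a run of the BSSID's digits (40-bit key = 10 hex digits,
    104-bit key = 26) or contain the whole BSSID. ASCII passphrases are not
    covered by this rule and return False."""
    k = key.replace(":", "").upper()
    if len(k) < 10 or any(c not in HEX for c in k):
        return False
    b = normalize_mac(bssid).replace(":", "")
    return k in b or b in k


def residual_keyspace(known_hex_digits: int, total_hex_digits: int = 12) -> int:
    """Candidates left once known_hex_digits of a hex key are fixed (16 per digit)."""
    return 16 ** (total_hex_digits - known_hex_digits)


def seconds_to_exhaust(candidates: int, rate_per_second: float) -> float:
    """Worst-case time to try every candidate at a given attempt rate."""
    return candidates / rate_per_second


def audit(rows: List[Tuple[str, str, str, Optional[str]]]) -> List[Finding]:
    findings: List[Finding] = []
    for _ssid, bssid, security, key in rows:
        sec = security.upper()
        if sec.startswith("WEP"):
            findings.append(Finding(bssid, "HIGH", "WEP in use; migrate to WPA2 with CCMP (AES)"))
            if key is not None and key_derived_from_bssid(key, bssid):
                # The OUI is public, so only the last 6 hex digits are unknown to anyone
                # who can see the beacon frames.
                tail = residual_keyspace(known_hex_digits=6)
                findings.append(Finding(bssid, "CRITICAL",
                                        f"WEP key derived from broadcast BSSID; "
                                        f"only {tail} key tails remain once OUI {oui_of(bssid)} is known"))
        elif "TKIP" in sec and "CCMP" not in sec and "AES" not in sec:
            findings.append(Finding(bssid, "MEDIUM", "WPA/WPA2 with TKIP only; enable CCMP (AES)"))
        elif sec in ("OPEN", "NONE"):
            findings.append(Finding(bssid, "HIGH", "no encryption"))
    return findings


# Constructed survey rows (SSIDs, BSSIDs and key are made up for the example).
SAMPLE_ROWS = [
    ("FiOS-1234", "00:34:95:1A:2B:3C", "WEP", "34951A2B3C"),
    ("home-net", "00:11:22:33:44:55", "WPA2-PSK-TKIP", None),
    ("office", "00:11:22:33:44:66", "WPA2-PSK-CCMP", None),
    ("cafe", "00:11:22:33:44:77", "OPEN", None),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_ROWS):
        print(f"{f.severity:8} {f.bssid}  {f.reason}")
    print("6 unknown hex digits at 500,000/s:",
          round(seconds_to_exhaust(residual_keyspace(6), 500_000), 1), "seconds")
```

The CCMP-capable network produces no finding, which is the configuration the last post recommends; the TKIP-only and WEP rows are what a migration plan should target first.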

