Cracking WEP using XP
keatron
Member Posts: 1,213 ■■■■■■□□□□
Hi guys, I got a private message asking about cracking WEP on XP. I thought it might be beneficial to others if I posted my response here. Hope this helps someone.
Do you mean WEP Keys? One thing to know about most implementations of WEP is that it is symmetric, so the same key used to encrypt is essentially used to decrypt. This in itself is a serious flaw. But to answer your question. I usually use a combination of ethereal (sniffing), Netstumbler and Kismet (War driving, or site checking wireless vulnerability), airsnort and wepcrack (for the actual cracking of the keys). I usually run these types of exercises on linux, just because I often need to tweak source code to give me the results I desire. Every client is potentially different so always be prepared to change your arsenal up. These are measures I take when I'm dealing with a client that's got a security minded IT department. It's sad to say, but most clients I never even get to the good stuff like this, because most wireless LANs out there are doing silly things like broadcasting SSID in clear text, etc etc etc. I commute via public commuter train to my office everyday, and if I told you how many un-protected LANs I can pick up on the 1 hour train ride (about 25 miles) you'd probably be suprised (or maybe you wouldn't
Airsnort is nice on XP, I've used it on XP just because when I'm doing security training, (even though most of it is done on linux boxes) I always get questions and requests like "how do I do this on XP/windows". Here is a link to get it working on xp.
http://airsnort.shmoo.com/windows.html
As a side note, remember that you won't have much luck trying to sniff wireless packets with your typical bestbuy or compusa wireless nic. You'll need something more robust like an Orinco (some of the cisco cards work nicely too). The key is being able to use the card in promiscuous mode.
Do you mean WEP Keys? One thing to know about most implementations of WEP is that it is symmetric, so the same key used to encrypt is essentially used to decrypt. This in itself is a serious flaw. But to answer your question. I usually use a combination of ethereal (sniffing), Netstumbler and Kismet (War driving, or site checking wireless vulnerability), airsnort and wepcrack (for the actual cracking of the keys). I usually run these types of exercises on linux, just because I often need to tweak source code to give me the results I desire. Every client is potentially different so always be prepared to change your arsenal up. These are measures I take when I'm dealing with a client that's got a security minded IT department. It's sad to say, but most clients I never even get to the good stuff like this, because most wireless LANs out there are doing silly things like broadcasting SSID in clear text, etc etc etc. I commute via public commuter train to my office everyday, and if I told you how many un-protected LANs I can pick up on the 1 hour train ride (about 25 miles) you'd probably be suprised (or maybe you wouldn't
Airsnort is nice on XP, I've used it on XP just because when I'm doing security training, (even though most of it is done on linux boxes) I always get questions and requests like "how do I do this on XP/windows". Here is a link to get it working on xp.
http://airsnort.shmoo.com/windows.html
As a side note, remember that you won't have much luck trying to sniff wireless packets with your typical bestbuy or compusa wireless nic. You'll need something more robust like an Orinco (some of the cisco cards work nicely too). The key is being able to use the card in promiscuous mode.
Comments
-
Webmaster Admin Posts: 10,292 AdminThanks for sharing the info 'publicly'
I think this was the (similar/) original question:
www.techexams.net/forums/viewtopic.php?t=7923
In addition to the info here and in that post, I jsut want to point out my related TechNotes, particularly because of the 24-bit initialization vector (IV) that is sent in clear text:
www.techexams.net/technotes/securityplus/wireless.shtml -
jdredd Member Posts: 33 ■■□□□□□□□□I thought this was a really good article: http://www.tomsnetworking.com/Sections-article111.php
-
dissolved Inactive Imported Users Posts: 228The free tools are usually hit and miss for me. I hate to admit it, but the best one is the commercial one (I shall not name.) I usually get 40 bit keys with a gig of captured data
-
JDMurray Admin Posts: 13,090 Adminjdredd wrote:I thought this was a really good article: http://www.tomsnetworking.com/Sections-article111.php
Your mileage may vary. -
keatron Member Posts: 1,213 ■■■■■■□□□□You're right JD, I had some questions myself. Although, this is a good awareness article for those who swear by WEP.
Some things I question are.The FBI team used the deauth feature of void11 to repeatedly disassociate the laptop from the access point. Desired additional traffic was then generated as Windows XP tried to re-associate back to the AP. Note that this is not a particularly stealthy attack, as the laptop user will notice a series of "Wireless Network unavailable" notifications in the taskbar of their desktop screen.
Not being stealthy means easily being caught or detected by even the most basic IDS.Another attack method the FBI team used is a replay attack. The basic premise of this attack is to capture at least one packet traveling from the victim laptop to victim access point. This packet can then be replayed into the network, causing the target AP to respond and provide more traffic to capture.
Most of us in the security world started advising people and thwarting replay attacks three years ago. Again, a decently configured IDS or IPS would go crazy when this activity starts. Flooding the air with packets in order to speed up the process is definantly doable and even commonly practiced, but it is also plain stupid if you're trying not to be noticed. To generate enough traffic to do this in 3 minutes would definantly require some serious bandwith consumption.