WEP key lengths


Post by acantho on Wed Jun 23, 2010 4:13 pm

Around where I stay there are quite a few WEP encrypted networks and even more WPA ones. I have been breaking the encryption on the WEP ones just for the hell of it. They are broadcasting, I can collect the data passively and then use Aircrack to break the encryption. I then log on to the networks to confirm that the WEP key was correct, and then log off and smile at being able to do this.
I know this is old hat to quite a few of you, but it's relatively new to me, and I find the poor security that people have such faith in a bit of a con on the manufacturers' and sellers' part.

So now my question: all of the ones I've decrypted in the past have been 10 digits/figures long. I've just decrypted one that is 26 digits/figures long. I always use the option of a 64-bit key decryption with aircrack, and this one decrypted via that as well. Why is it so long in comparison to the others, and why did it decrypt with the 64-bit assumption?

I had always intended to go from 64 to 128 then 512 as regards decryption but have never had to. My next challenge is the WPAs - easy enough to get the data, the decryption is the hard part - I'm only getting used to Backtrack and I don't want any dictionaries - I know where to get them myself, thanks. I'm enjoying the challenge in that frustrated kind of way :)
acantho
Experienced User
Posts: 97
Joined: Sat Apr 10, 2010 6:32 pm


Re: WEP key lengths

Post by Goatboy on Wed Jun 23, 2010 4:34 pm

This is one area I can't help in. Sadly, I don't have a card capable of monitor/passive mode or injections. I'm broke =(

This has led to tons of reading about the subject but very little practical exercise. I just got a "new" laptop a few days ago that was broken, and while I was repairing it I discovered it had a nice Atheros chip in it with monitor and injection support! Sadly, the card had to stay in the "new" laptop or else it would not work (if I replaced it with mine).

I ended up giving it to my girlfriend as a graduation present (just an hour ago, actually) so I'll have to ask her politely if I can commit evil deeds with it :twisted:
Assume that everything I say is or could be a lie.
Goatboy
Expert
Posts: 2813
Joined: Mon Jul 07, 2008 9:35 pm


Re: WEP key lengths

Post by acantho on Wed Jun 23, 2010 4:52 pm

It's an Atheros AR5600G card I've got in mine, good as it can go into monitor mode if you use something like commview for collecting packets.
I also have a USB ALFA AWUS036H which has a much greater range, but I can't seem to get it into monitor mode - I only got it as I know it works with Backtrack, but under Windows using commview it won't go into monitor mode and it won't do the deauth, so it most certainly won't be able to inject packets, though I prefer to collect them passively - that's legal here, injecting ain't.

Still to try the Alfa with Backtrack - but I think I might have to change from the driver I got with the installation disk.
This one was about £35 but you can pick up ones for about £10, not sure how good they are though. Assuming the prices are more or less the same in the US.

-- Wed Jun 23, 2010 10:58 pm --

The ALFA USB wifi card works fine with Backtrack 4 :D You need to start networking, then stop the card, then bring it back up again to bring it out of "monitor disabled" mode and put it into "sniffing" mode.

Just need to figure a way of doing that via Windows, though I should really just concentrate on doing it via Backtrack - I have the card and BT to learn this amongst other things! But commview is such an easy-to-use prog that it makes monitoring and capturing WEP or WPA packets so simple and easy.
acantho
Experienced User
Posts: 97
Joined: Sat Apr 10, 2010 6:32 pm


Re: WEP key lengths

Post by FunctionCreep on Wed Jun 23, 2010 10:05 pm

acantho wrote: So now my question: all of the ones I've decrypted in the past have been 10 digits/figures long. I've just decrypted one that is 26 digits/figures long. I always use the option of a 64-bit key decryption with aircrack, and this one decrypted via that as well. Why is it so long in comparison to the others, and why did it decrypt with the 64-bit assumption?

This has me puzzled beyond explanation. The 64-bit WEP can hold a maximum 10-char hex key and the 128-bit can hold a maximum 26-char hex key. The encryption is weaker when using 64-bit for that reason. 4 binary bits make up a hexadecimal character. The user actually only chooses the 40-bit, and with the added 24-bit IV you get to the total of 64-bit. So mathematically speaking 40-bit can only hold 10 hexadecimal characters. So if you tried to crack a 128-bit WEP with 64-bit cracking as your choice, NORMALLY (and that's a tricky word) you wouldn't have gone far. Is there any chance you forgot to set -n 64 and it defaulted to 128? I'll be looking into this more later on.

acantho wrote: My next challenge is the WPAs - easy enough to get the data, the decryption is the hard part - I'm only getting used to Backtrack and I don't want any dictionaries - I know where to get them myself, thanks. I'm enjoying the challenge in that frustrated kind of way

Well, if you enjoy getting frustrated you're in for a treat. Failed crack attempts at WPAs are not that uncommon due to strange passwords, etc.
"I hope for nothing. I fear nothing. I am free." ~ Nikos Kazantzakis
FunctionCreep
Experienced User
Posts: 92
Joined: Tue May 18, 2010 6:19 pm
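As an added example (not code from the thread), here is a small Python checker that applies the arithmetic in the post above: it classifies a typed WEP key as a 40-bit or 104-bit secret, reports the nominal 64/128-bit figure that includes the 24-bit IV, and therefore which aircrack-ng `-n` setting a capture of that network would need. It also goes a step beyond the thread by accepting ASCII-form keys (5 or 13 characters), which encode the same secret sizes; the function and dictionary names are my own.

```python
"""Classify a WEP key string by length (added example, not from the forum).

A WEP key is typed either as hex digits or as ASCII characters. The secret
is 40 bits ("64-bit WEP") or 104 bits ("128-bit WEP"); the other 24 bits in
each marketing name are the per-frame IV, which is sent in the clear and is
not part of the key the user chooses. 4 bits per hex digit gives 10 or 26
hex characters; 8 bits per ASCII character gives 5 or 13 characters.
"""
import binascii

IV_BITS = 24  # per-frame initialisation vector, transmitted unencrypted

# secret size in bits -> (hex length, ASCII length) a user may type
WEP_KEY_SIZES = {
    40: (10, 5),    # "64-bit WEP"
    104: (26, 13),  # "128-bit WEP"
}

HEX_DIGITS = set("0123456789abcdefABCDEF")


def classify_wep_key(key):
    """Return a dict describing the key, or raise ValueError if its length
    matches no WEP key form. Separators (':' or '-') are ignored for hex."""
    stripped = key.replace(":", "").replace("-", "")
    for secret_bits, (hex_len, ascii_len) in WEP_KEY_SIZES.items():
        if len(stripped) == hex_len and all(c in HEX_DIGITS for c in stripped):
            raw, form = binascii.unhexlify(stripped), "hex"
        elif len(key) == ascii_len:
            raw, form = key.encode("ascii"), "ascii"
        else:
            continue
        nominal = secret_bits + IV_BITS  # the "64"/"128" marketing figure
        return {
            "form": form,
            "secret_bits": secret_bits,
            "nominal_bits": nominal,
            "aircrack_n": nominal,  # the value aircrack-ng's -n option expects
            "key_bytes": raw,
        }
    raise ValueError("%d characters is not a valid WEP key length" % len(key))


if __name__ == "__main__":
    # constructed sample keys, not real credentials
    for sample in ("0123456789", "00112233445566778899aabbcc", "abcde"):
        info = classify_wep_key(sample)
        print(sample, "->", info["form"], info["secret_bits"], "bit secret,",
              "nominal", info["nominal_bits"], "bit, aircrack -n", info["aircrack_n"])
```

A 26-character hex key, as in the thread, can only be the 104-bit form, which is why it could not have succeeded with `-n 64`.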


Re: WEP key lengths

Post by acantho on Thu Jun 24, 2010 2:05 am

Oops! I should have double checked. I went back and re-ran the packets through aircrack: 64-bit = fail, 128-bit = success :oops:

It must have been on the default of 128-bit as you say.

I've failed a few attempts at the WPA already. Am I correct in thinking you only need enough packets to get the EAPOL key exchange, so in reality only 4 packets are needed? In some ways that makes it easier than WEP decryption, well, less time consuming in gathering data at least.
I'm thinking there must be a prog that goes through a pword bit by bit - trying every space against every possible character, but the computing power required must be immense - certainly beyond anything I or other mere mortals have access to.
acantho
Experienced User
Posts: 97
Joined: Sat Apr 10, 2010 6:32 pm


Re: WEP key lengths

Post by FunctionCreep on Thu Jun 24, 2010 12:09 pm

acantho wrote: Am I correct in thinking you only need enough packets to get the EAPOL key exchange, so in reality only 4 packets are needed?

Yes, that's correct. The thing is that you need to capture a full handshake, and that can sometimes be frustrating to achieve. Remember you can use aireplay-ng --deauth here, but again I have had cases where, if someone wasn't already connected to the wifi, there was no chance in hell I could capture anything useful. If you do manage to get the handshake though, you are good to go and start cracking.

acantho wrote: I'm thinking there must be a prog that goes through a pword bit by bit

I know I've read somewhere about a program that did bit by bit. It could have been just some preliminary source code though. It's been some time since I've played with wireless and I can't locate the link to that though.
FunctionCreep
Experienced User
Posts: 92
Joined: Tue May 18, 2010 6:19 pm


Re: WEP key lengths

Post by Shadow Ozera on Mon Aug 09, 2010 12:39 am

How can you tell if your card has injection capabilities?
Shadow Ozera
New User
Posts: 28
Joined: Wed Jun 16, 2010 8:52 pm


Re: WEP key lengths

Post by Goatboy on Mon Aug 09, 2010 3:26 am

Shadow Ozera wrote: How can you tell if your card has injection capabilities?

http://www.aircrack-ng.org/doku.php?id=injection_test

Google is an amazing tool.

By the way, I got an ALFA AWUS036H while I was at DefCon. It was recommended by many people over the newer model (which has support for N and is twice as powerful in terms of mW) so I took their word for it. I paid a bit much for it, but that came with the ability to return it immediately if I needed to. I have to say, it was worth every cent. The thing works perfectly with BackTrack, and I don't think I needed to compile any drivers under Ubuntu. Windows support is a little iffy (the CD that came with it had the drivers, but they didn't work) but hey, that's not surprising.

I haven't been able to do too much with it yet. Tried it out at the mall, saw some interesting traffic under Wireshark. I've been collecting packets from my house for a bit now, but there's so little traffic that it's going to take a long time before I see any results. Luckily, we have a great variety of connections: WEP, WPA, Open, and Hidden. I already unmasked the hidden one (quite a handy feature) but the signal was so weak that I couldn't actually connect. I'll post back soon if I get anything.

Next stop: Coffee shop.
Goatboy
Expert
Posts: 2813
Joined: Mon Jul 07, 2008 9:35 pm