Home page logo

pen-test logo Penetration Testing mailing list archives

RE: Wireless Scanning
From: "Jerry Shenk" <jshenk () decommunications com>
Date: Tue, 28 Sep 2004 16:00:44 -0400

I'd agree....at least kindof.  Most current APs avoid the weak IVs and
even before, it took a LOT of traffic to get enough weak IVs to crack
the key.  In the lab, I could crack the key in 4 hours but that's not a
real-world scenario.  If you have an AP with old firmware and there is a
location where somebody can sit for days or maybe weeks to collect the
traffic, it is certainly possible.  Some "good" locations might be an
adjoining building, a car in a nearby parking lot or maybe a high point
nearby that can host a high-gain antenna.

To say that it "doesn't exit" is a bit strong I'd say.  I certainly
agree that some of the reports I've read where people can crack the key
in seconds isn't exactly accurate.  Ok, it takes a few seconds but only
after days of collecting them.

The weak keys doesn't have anything to do some other methods of cracking
the key....like using repetitive characters, sequential characters or
something like that.

I think any security issue requires a bit of risk analysis.  If you're
the CIA....ah, let's not go with wireless at all....not even with NO
weak packets.  There are people who have the CPU power and the desire,
I'd guess that they would crack your key.  And if they've been
collecting traffic for a week, they can now decrypt it all.  On the
other hand, if you're a home owner on a ranch in the middle of Wyoming
with 150,000 acres of wilderness all around you and a neighbor 10 miles
away...I'd say WEP would be just fine for you;)

-----Original Message-----
From: Jason T [mailto:security () jason id au] 
Sent: Monday, September 27, 2004 6:10 PM
To: 'Lodin, Steven {D106~Indianapolis}'; 'Carney, Mark'; 'Pen-Test'
Subject: RE: Wireless Scanning

Just a comment on using a WEP cracking programs.  I heard from Keith
who is an expert wireless teacher saying that WEP cracking in the wild
doesn't exist in most cases.  

In early 2002 all vendors saw the weak IV as an attack.  So they changed
firmware to no longer support those weak IV's.  If you want to crack WEP
will most likely be on an AP that has a firmware version prior to 2002.

Any comments on this?


-----Original Message-----
From: Lodin, Steven {D106~Indianapolis} 
[mailto:steven.lodin () ROCHE COM] 
Sent: Tuesday, 28 September 2004 12:38 AM
To: Carney, Mark; Pen-Test
Subject: RE: Wireless Scanning

(Trying not to steal the thunder, just to whet your appetite. 
 You can send me a zinger if I messed up :-)

Look for a new Auditor version (looks like it will be labeled 
Auditor 3) to come out in the next few of weeks.  There will 
be a couple of new tools.

From the author of Auditor:

"Aircrack is a better WEP cracker like Airsnort."
"The second one is named chopchop and is an active WEP 
decrypting attack."
"P.S. A WPA preshared password cracker is also on the way."


For those of you using Auditor, did you donate?  We did.


-----Original Message-----
From: Carney, Mark [mailto:Mark.Carney () fishnetsecurity com]
Sent: Friday, September 24, 2004 11:56 AM
To: Chuck Fullerton; RoF () yahoo; Pen-Test
Subject: RE: Wireless Scanning


I would suggest the following toolsets/tools for 802.11 and 

1) Auditor Security Collection
2) Knoppix STD Distro


802.11 --
1) Kismet
2) NetStumbler
3) Wellenreiter
4) asleap (if client is running Cisco LEAP)
5) AirSnort, Webattack, or dwepcrack (if client is running WEP)
6) Macchanger (to spoof mac address)
7) AirTraf

BlueTooth --
1) sdptool
2) pand
3) l2ping
4) btscanner
5) Redfang
6) BlueSniff

Ethical Hacking at the InfoSec Institute. All of our class 
sizes are guaranteed to be 12 students or less to facilitate 
one-on-one interaction with one of our expert instructors. 
Check out our Advanced Hacking course, learn to write 
exploits and attack security infrastructure. Attend a course 
taught by an expert instructor with years of in-the-field pen 
testing experience in our state of the art hacking lab. 
Master the skills of an Ethical Hacker to better assess the 
security of your organization.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]