Home page logo

pen-test logo Penetration Testing mailing list archives

Re: Wireless Scanning
From: Max Moser <mmo () remote-exploit org>
Date: Wed, 29 Sep 2004 00:43:58 +0200

Hi Jason, this is bul*sh*t, sorry for that wording, but that is not true and this expert should know it. Maybe he ment, that airsnort cannot do it, but the problem of IV collision is still existing and working.

Aircrack is most advanced tool at the moment for wep key breaking. It
works very well and not depends on the limitations of airsnort. For me
about 500-700MB Data was enough an voila a WEP key comes out. No magic,
and this on all new systems i have testet.

Aireplay implements a way to force the produce of more traffic by reinjecting traffic. (Same as BSD airtools reinj.c did way back).

And there is another one, named chopchop, it does not break the wep key
it just deciphers the wep encrypted data. This is an active attack implementation and is working really well, this is also working in
key rotating environments, however the usability is sometimes not there.
Its not very fast (Around 11seconds for a single packet during my tests) . But its the first version. And if you use some imagination you will find out that "hey, i got cleartext and cypherstream....hmm...lets build ne packets which i could inject". This idea is not implemented yet, but
a small patch and some perl would do the job.

Just a small note, the upcoming auditor security collection will contain all the described tools, inclusive the patched drivers etc so it should be easy for everyone to test it. But i need some more time to round the release up, but next weeks should be the target.

Hope this helps you a bit and remember, client side attacks using hotspotter is allways an option and wep dictionary attack is also possible.



Jason T wrote:

Just a comment on using a WEP cracking programs.  I heard from Keith Parsons
who is an expert wireless teacher saying that WEP cracking in the wild today
doesn't exist in most cases.
In early 2002 all vendors saw the weak IV as an attack.  So they changed the
firmware to no longer support those weak IV's.  If you want to crack WEP it
will most likely be on an AP that has a firmware version prior to 2002.

Any comments on this?


-----Original Message-----
From: Lodin, Steven {D106~Indianapolis} [mailto:steven.lodin () ROCHE COM] Sent: Tuesday, 28 September 2004 12:38 AM
To: Carney, Mark; Pen-Test
Subject: RE: Wireless Scanning

(Trying not to steal the thunder, just to whet your appetite. You can send me a zinger if I messed up :-)

Look for a new Auditor version (looks like it will be labeled Auditor 3) to come out in the next few of weeks. There will be a couple of new tools.

From the author of Auditor:

"Aircrack is a better WEP cracker like Airsnort."
"The second one is named chopchop and is an active WEP decrypting attack."
"P.S. A WPA preshared password cracker is also on the way."


For those of you using Auditor, did you donate?  We did.


-----Original Message-----
From: Carney, Mark [mailto:Mark.Carney () fishnetsecurity com]
Sent: Friday, September 24, 2004 11:56 AM
To: Chuck Fullerton; RoF () yahoo; Pen-Test
Subject: RE: Wireless Scanning


I would suggest the following toolsets/tools for 802.11 and


1) Auditor Security Collection
2) Knoppix STD Distro


802.11 --
1) Kismet
2) NetStumbler
3) Wellenreiter
4) asleap (if client is running Cisco LEAP)
5) AirSnort, Webattack, or dwepcrack (if client is running WEP)
6) Macchanger (to spoof mac address)
7) AirTraf

BlueTooth --
1) sdptool
2) pand
3) l2ping
4) btscanner
5) Redfang
6) BlueSniff

Ethical Hacking at the InfoSec Institute. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors. Check out our Advanced Hacking course, learn to write exploits and attack security infrastructure. Attend a course taught by an expert instructor with years of in-the-field pen testing experience in our state of the art hacking lab. Master the skills of an Ethical Hacker to better assess the security of your organization.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]