Re: V/Scan for Wireless LANs

From: slugbait (slugbait_at_severus.org)
Date: 07/19/03

    Date: Fri, 18 Jul 2003 18:43:53 -0400
    To: Ian Chilvers <Ian.Chilvers@prolateral.com>
    
    

    You might also want to check out BSD-Airtools and the related docs from
    h1kari:

    http://www.dachb0den.com/projects/bsd-airtools.html

    Someone mentioned another of h1kari's tools, reinj.c, in a previous
    response. My advice to "professional" testers is to be careful when
    using it. It works VERY well, but can cause cheap (Linksys, D-Link,
    etc) WAPs to choke and die, and has even caused my Aironet-350 to flake
    out a few times. If your contract or test plan excludes DoS, you might
    end up in some hot water.

    Another warning about reinj.c: It works by sniffing for WEP packets
    that are of certain sizes and are either broadcast (arp) or addressed to
    a specific host (TCP acks). If it sees a packet that matches, it will
    re-transmit the packet a few times to test, then will begin flooding the
    wireless network with a replay of the captured packet. If the captured
    packet happens to be a TCP ack from somewhere on the Interweb, you might
    end up ack-flooding an innocent server at a very high rate. Not a big
    deal, but this could also get you in hot water if an over-zealous admin
    complains.

    All the non-pros can disregard the warnings :P

    slugbait

    Ian Chilvers wrote:

    > Hi all
    >
    > We've been asked to perform a vulnerability assessment for a company that
    > has a Wireless LAN. The W/LAN is running WEP with a random key generated,
    > rather than a dictionary word.
    >
    > Are there any tools out there that can brute force a WEP?
    >
    > Take this example. A person parks the car in the car park and sniffs the
    > air waves with a product like NetStumbler. He discovers the W/LAN but with
    > WEP.
    >
    > Is there a tool he can use to discover the WEP key (possibly by brute force)?
    >
    > If there isn't such a tool, how does this sound for an idea.
    >
    > Run an app that starts at binary 0's and counts up to 128 bits of 1's.
    > For each sequence listen to see if there are any sensible packets or even
    > send out a DHCP discover request to see if you get a reply. This would then
    > possibly give you the WEP key.
    >
    > Any comments
    >
    > Ian....
    >

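    The selection step slugbait describes (sniff for WEP-protected frames whose size says "ARP broadcast" or "TCP ACK to one host", then replay them) is easy to get wrong in exactly the way the warning above spells out. The Python below is an added example, not part of the post and not reinj.c's source: it parses 802.11 data frames, applies a size-plus-destination heuristic, and by default refuses unicast (TCP-ACK-shaped) candidates so a replay flood stays on the wireless segment. The body sizes are assumptions derived from standard LLC/SNAP, ARP, IP and TCP header lengths, not values taken from reinj.c, and every frame in it is constructed test data rather than a real capture.

```python
"""Replay-candidate selection for WEP traffic (added example, not reinj.c).

Frame layouts follow IEEE 802.11; the frame-body sizes used to spot ARP and
TCP ACK traffic are ASSUMPTIONS from standard header lengths.  All frames here
are constructed test data with random bytes standing in for ciphertext.
"""
import os
import struct

BROADCAST = bytes(6 * [0xFF])

# Assumed WEP frame-body sizes: IV(3) + KeyID(1) + ciphertext + ICV(4).
#   ARP request/reply:   LLC/SNAP 8 + ARP 28          = 36 -> 44-byte body
#   TCP ACK, no options: LLC/SNAP 8 + IP 20 + TCP 20  = 48 -> 56-byte body
ARP_BODY_LEN = 44
TCP_ACK_BODY_LEN = 56


def parse_data_frame(frame: bytes):
    """Return (protected, destination MAC, body) for an 802.11 data frame,
    or None for anything else.  Assumes the radio FCS has been stripped."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:            # frame type 2 == data
        return None
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    protected = bool(fc1 & 0x40)         # "Protected Frame" (WEP) bit
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    hdr_len = 24
    if to_ds and from_ds:                # WDS frames carry a 4th address
        hdr_len += 6
    if (fc0 >> 4) & 0x8:                 # QoS data subtypes add a 2-byte QoS field
        hdr_len += 2
    if len(frame) < hdr_len:
        return None
    # Where the destination address lives depends on the To/From DS bits.
    if to_ds and not from_ds:
        da = a3
    elif from_ds and not to_ds:
        da = a1
    elif not to_ds and not from_ds:
        da = a1
    else:
        da = a3
    return protected, da, frame[hdr_len:]


def classify(frame: bytes) -> str:
    """Label a frame the way a replay tool's sniffer stage would."""
    parsed = parse_data_frame(frame)
    if parsed is None:
        return "ignore"
    protected, da, body = parsed
    if not protected:
        return "ignore"                  # only WEP-protected traffic is useful
    if da == BROADCAST and len(body) == ARP_BODY_LEN:
        return "arp-broadcast"
    if da != BROADCAST and len(body) == TCP_ACK_BODY_LEN:
        return "tcp-ack-unicast"
    return "other"


def replay_candidates(frames, allow_unicast=False):
    """Frames worth re-injecting.  Unicast TCP-ACK-shaped frames are excluded
    unless explicitly allowed: replaying one at speed ACK-floods whichever
    host the original was for, which may be a server outside the test scope."""
    picked = []
    for f in frames:
        kind = classify(f)
        if kind == "arp-broadcast" or (allow_unicast and kind == "tcp-ack-unicast"):
            picked.append((kind, f))
    return picked


def build_wep_frame(da, sa, bssid, plaintext_len, protected=True, from_ds=True):
    """Construct a synthetic 802.11 data frame for testing (no real encryption)."""
    fc0 = 0x08                           # version 0, type data, subtype 0
    fc1 = (0x02 if from_ds else 0x01) | (0x40 if protected else 0)
    a1, a2, a3 = (da, bssid, sa) if from_ds else (bssid, sa, da)
    header = struct.pack("<BBH", fc0, fc1, 0) + a1 + a2 + a3 + struct.pack("<H", 0)
    if not protected:
        return header + bytes(plaintext_len)
    return header + os.urandom(3) + b"\x00" + os.urandom(plaintext_len) + os.urandom(4)


# Constructed addresses: an AP, a wireless client, and a host behind the AP.
AP = bytes.fromhex("00409699aa01")
STA = bytes.fromhex("000c41bb02cc")
WIRED = bytes.fromhex("001122334455")
ARP_FRAME = build_wep_frame(BROADCAST, STA, AP, 36, from_ds=False)   # client -> broadcast
ACK_FRAME = build_wep_frame(STA, WIRED, AP, 48)                     # AP relays ACK to client
OPEN_FRAME = build_wep_frame(BROADCAST, STA, AP, 36, protected=False)

if __name__ == "__main__":
    for name, f in [("arp", ARP_FRAME), ("ack", ACK_FRAME), ("open", OPEN_FRAME)]:
        print(f"{name}: {len(f)} bytes -> {classify(f)}")
    print("safe to replay:", [k for k, _ in replay_candidates([ARP_FRAME, ACK_FRAME, OPEN_FRAME])])
```

    Run against a real capture, the parser would need the FCS trimmed and the `from_ds`/`to_ds` handling is what keeps the "is it broadcast?" test honest for both client-to-AP and AP-to-client frames. The `allow_unicast` switch is the contract check from the post made explicit: leave it off unless the engagement permits traffic that may leave the wireless segment.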