ParMan (Posted August 16, 2011):
I might be way off on this, but I was wondering if it would work. Say you want to crack a WPA or WPA2 key. The network has an access point and 3 clients. You get your PC to act as a fake access point. Then you send deauth packets to the clients to get them to disconnect from the access point. Then have your fake access point broadcast "I am your access point"... If the client tries to connect to you, wouldn't the client send you the access key, which you could use to connect to the real access point?
Sparda (Posted August 16, 2011):
The key is used to create challenge-response style authentication. The actual key is never transmitted.
ParMan (Author, Posted August 16, 2011):
If you send the exact information that you capture from the client to the real access point, then the access point sends you the response. The response is sent from you to the real client. The client replies back to the fake access point, then you reply back to the real access point, and so on and so forth till it's completed?
Sparda (Posted August 16, 2011):
Then you are replaying encrypted information; you are acting as a repeater, having access to nothing.
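The point Sparda makes in the two replies above (the key drives a challenge-response exchange, and a rogue AP that forwards the frames is only a repeater) can be shown with a small model of WPA2 4-way handshake messages 1 and 2. This is an added example, not code from this thread or from any poster; it implements the IEEE 802.11i PRF-512 and EAPOL-Key MIC, and every MAC, nonce, PMK and frame value is constructed for the demonstration.

```python
import hmac
import hashlib

def prf512(pmk: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11i PRF-512: expand the 256-bit PMK into a 512-bit PTK with HMAC-SHA1."""
    out = b""
    for i in range(4):  # 4 x 20 bytes = 80 bytes, truncated to 64
        out += hmac.new(pmk, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]

def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """Both ends compute the same PTK from the shared PMK plus the two nonces and MACs.
    Only the nonces and MACs are transmitted; the PMK itself never leaves either device."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    return prf512(pmk, b"Pairwise key expansion", data)

def eapol_mic(kck: bytes, eapol_frame: bytes) -> bytes:
    """WPA2/CCMP message integrity code: HMAC-SHA1 over the EAPOL frame (MIC field zeroed),
    truncated to 16 bytes. The KCK is the first 16 bytes of the PTK."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]

def simulate_relayed_handshake(pmk, ap_mac, sta_mac, anonce, snonce, msg2_frame):
    """Model messages 1 and 2 of the 4-way handshake passing through a rogue AP that
    forwards them unchanged. Returns (what the relay saw, AP accepted?, PTKs match?)."""
    # Message 1 (AP -> relay -> client): ANonce in the clear.
    # The client derives its PTK and answers with SNonce plus a MIC keyed by the KCK.
    sta_ptk = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)
    mic = eapol_mic(sta_ptk[:16], msg2_frame)
    # Message 2 (client -> relay -> AP): everything the relay is able to record.
    relay_view = {"anonce": anonce, "snonce": snonce, "frame": msg2_frame, "mic": mic}
    # The AP derives the same PTK from its own copy of the PMK and checks the MIC.
    ap_ptk = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)
    ap_accepts = hmac.compare_digest(eapol_mic(ap_ptk[:16], msg2_frame), mic)
    return relay_view, ap_accepts, sta_ptk == ap_ptk

# Constructed sample values (not real network data).
PMK = bytes(range(32))                     # stands in for PBKDF2(passphrase, SSID)
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = bytes([0xA5]) * 32
SNONCE = bytes([0x5A]) * 32
MSG2 = b"\x01\x03\x00\x75\x02\x01\x0a\x00" + SNONCE + bytes(16)  # simplified EAPOL-Key body

if __name__ == "__main__":
    seen, ok, same = simulate_relayed_handshake(PMK, AP_MAC, STA_MAC, ANONCE, SNONCE, MSG2)
    print("AP accepted message 2:", ok, "| PTKs equal:", same)
    print("Relay captured:", sorted(seen))   # nonces and a MIC, never the PMK or PTK
```

The relay ends up holding nonces, MAC addresses and a MIC; without the PMK it can neither derive the PTK nor produce a valid MIC of its own, which is why forwarding the exchange yields a working session for the real client and nothing for the rogue AP.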
digip (Posted August 16, 2011):
WPA requires a 4-way handshake to authenticate yourself, and it is also what you need in order to crack it, so no, you can't just intercept the key in the open. It doesn't work like that. As for WEP, you can inject and replay ARP packets, which cause the router to continually increase the number of IVs going back and forth with the client(s), and in turn, after 10,000 to 20,000 captured IVs of data, you can then crack it with aircrack.
Infiltrator (Posted August 16, 2011, edited):
> As for WEP, you can inject and replay ARP packets, which cause the router to continually increase the number of IVs going back and forth with the client(s), and in turn, after 10,000 to 20,000 captured IVs of data, you can then crack it with aircrack.
Umm, you can actually crack WEP with a capture that contains very few IVs of data. There is a video on SecurityTube that demonstrates this.
(Edited August 17, 2011 by Infiltrator)
Mr-Protocol (Posted August 17, 2011):
> Umm, you can actually crack WEP with a capture that contains very few IVs of data. There is a video on SecurityTube that demonstrates this.
The more IVs, the faster the cracking. Also the more accurate. You still need like 40,000, I think.
Hyperant (Posted August 17, 2011):
I like it. The more packets you have, the faster you can crack the key, but in order to get more packets you need to sniff for longer. So what do you do: get fewer packets and take longer to crack, or wait longer for the packets and spend less time cracking? :| The decisions, I tell you. How do you expect people to work with these decisions?
digip (Posted August 17, 2011):
> Umm, you can actually crack WEP with a capture that contains very few IVs of data. There is a video on SecurityTube that demonstrates this.
You can, but only if the password is weak. Usually, aircrack can start cracking at 5,000 data packets and up, but more than likely it will need more than 10,000 data packets.
> The more IVs, the faster the cracking. Also the more accurate. You still need like 40,000, I think.
The most you should need is 20,000 data packets (which I assume have more than enough IVs), and it often works in the 10,000-20,000 range. Anything over 20,000 data packets should yield a result; depending on the level of encryption in the key, it might take over 40,000. I always get IVs and data packets mixed up, but in what I stated in the thread above, I was referring to data packets. The number of IVs in those data packets would be considerably higher.
http://www.aircrack-ng.org/doku.php?id=faq#how_many_ivs_are_required_to_crack_wep
> How many IVs are required to crack WEP?
> WEP cracking is not an exact science. The number of required IVs depends on the WEP key length, and it also depends on your luck. Usually, 40-bit WEP (64-bit key) can be cracked with 300,000 IVs, and 104-bit WEP (128-bit key) can be cracked with 1,500,000 IVs; if you're out of luck you may need two million IVs, or more. There is no way to know the WEP key length: this information is kept hidden and never announced, either in management or data packets; as a consequence, airodump-ng cannot report the WEP key length. Thus, it is recommended to run aircrack-ng twice: when you have 250,000 IVs, start aircrack-ng with "-n 64" to crack 40-bit WEP. Then if the key is not found, restart aircrack-ng (without the -n option) to crack 104-bit WEP. The figures above are based on using the Korek method. With the introduction of the PTW technique in aircrack-ng 0.9 and above, the number of data packets required to crack WEP is dramatically lowered.
> Using this technique, 40-bit WEP (64-bit key) can be cracked with as few as 20,000 data packets and 104-bit WEP (128-bit key) with 40,000 data packets. PTW is limited to 40- and 104-bit key lengths. Keep in mind that it can take 100K packets or more even using the PTW method. Additionally, PTW only works properly with selected packet types. Aircrack-ng defaults to the PTW method and you must manually specify the Korek method in order to use it.
digip (Posted August 17, 2011):
> I like it. The more packets you have, the faster you can crack the key, but in order to get more packets you need to sniff for longer. So what do you do: get fewer packets and take longer to crack, or wait longer for the packets and spend less time cracking? :| The decisions, I tell you. How do you expect people to work with these decisions?
Through injection and ARP replay, you can increase the packets and IVs in a matter of minutes. If the AP is vulnerable and your injection is working, you should be able to crack WEP in under 5 minutes. It's one of the reasons people are told: don't use WEP, it can be cracked too easily.
ParMan (Author, Posted August 17, 2011):
> Then you are replaying encrypted information; you are acting as a repeater, having access to nothing.
That makes sense. Thanks for the info.
Rodrigo Graça (Posted September 7, 2011):
> Through injection and ARP replay, you can increase the packets and IVs in a matter of minutes. If the AP is vulnerable and your injection is working, you should be able to crack WEP in under 5 minutes. It's one of the reasons people are told: don't use WEP, it can be cracked too easily.
Can you help me? How can I inject packets? Please reply to this topic: http://forums.hak5.org/index.php?showtopic=20929
Infiltrator (Posted September 8, 2011, edited):
> Can you help me? How can I inject packets? Please reply to this topic: http://forums.hak5.org/index.php?showtopic=20929
In order to do packet injection you need a wireless card that is capable of packet injection. The best one out there is the ALFA AWUS036H.
(Edited September 8, 2011 by Infiltrator)
psydT0ne (Posted September 8, 2011):
I'm finally starting to get into wifi security after putting together some useful kit (budget constraints). I'm slowly working my way through things, and I've found that working through an ebook copy of Hacking Exposed WiFi 2010 is really a great help in explaining all the security aspects and the ins and outs of all the details. I thoroughly recommend it as a primer, if you like, on everything you need to know. It's awesome.
Infiltrator (Posted September 8, 2011):
> I'm finally starting to get into wifi security after putting together some useful kit (budget constraints). I'm slowly working my way through things, and I've found that working through an ebook copy of Hacking Exposed WiFi 2010 is really a great help in explaining all the security aspects and the ins and outs of all the details. I thoroughly recommend it as a primer, if you like, on everything you need to know. It's awesome.
What part of Australia are you from?
nopenopenope (Posted September 8, 2011):
I typically think 12,000 IVs is enough to start cracking; that's gotten me the best time between sniffing and cracking, and if the AP is close enough, usually 2 minutes will do the trick. P.S. 2WIRE routers ARE TERRIBLE.
Rodrigo Graça (Posted September 9, 2011):
@soka80 I don't know why I can't inject packets, so see this screenshot.
nopenopenope (Posted September 9, 2011):
You haven't captured nearly enough IVs. You need to check on the aircrack website whether your wireless card is capable of packet injection and going into monitor mode. Keep on reading, you're getting close-ish.
digip (Posted September 9, 2011):
You are doing it wrong. First, make sure your card is associated with the AP; I think it's aireplay -1. In doing so, you should see the letters opn or open next to it in airodump, and it should say associated under aireplay. Then do aireplay -3, and the IVs will jump; it takes about 3-5 minutes and you should have enough to start cracking.
psydT0ne (Posted September 12, 2011):
> What part of Australia are you from?
Mackay in Queensland, dude... you?
Infiltrator (Posted September 12, 2011):
> Mackay in Queensland, dude... you?
I'm from Darwin, brooo!
joeypesci (Posted September 18, 2011):
> @soka80 I don't know why I can't inject packets, so see this screenshot.
http://www.youtube.com/watch?v=ROGjDcUdsLg
Me WEP cracking my own test router. Injection included.