UPDATE: Slides, paper and code
Andrea Bittau (not blurry in real life) gave a demo of the WEP fragmentation attack. The attack only requires one sniffed packet from the WEPed network, unlike replay attacks, which usually require you to capture an ARP packet. He built a simple tool that sniffs a packet and then builds packets to create a legitimate connection to the access point. At that point a server on the internet is contacted to flood the network with packets at up to 1400 packets per second. This generates a ton of unique IVs, and aircrack is called every 100000 packets until the WEP key is cracked. In the demo it took under 5 minutes for the automated process to complete.
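The tell-tale of the flood described above is a single transmitter emitting thousands of WEP frames, each with a fresh 24-bit IV, in a short time. As an added example (not code from the talk or from frag-0.1), here is a small detector that parses the IV out of WEP-protected 802.11 data frames and flags any transmitter whose distinct-IV rate exceeds a threshold; the MAC addresses, thresholds and the capture are constructed for the demonstration.

```python
from collections import defaultdict

def parse_wep_iv(frame: bytes):
    """Return (transmitter MAC, 24-bit IV, key id) for a WEP-protected
    802.11 data frame, or None for anything else."""
    if len(frame) < 24:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2 or not fc1 & 0x40:   # type 2 = data; 0x40 = Protected Frame flag
        return None
    hdr_len = 26 if fc0 & 0x80 else 24            # QoS data subtypes add a 2-byte QoS field
    if len(frame) < hdr_len + 4:                  # WEP header: 3-byte IV + 1-byte key id
        return None
    tx = frame[10:16].hex(":")                     # Address 2 = transmitter
    iv = int.from_bytes(frame[hdr_len:hdr_len + 3], "big")
    return tx, iv, frame[hdr_len + 3] >> 6

def build_wep_data_frame(tx: bytes, rx: bytes, iv: int) -> bytes:
    """Constructed test frame: plain (non-QoS) data subtype, Protected flag set,
    4-byte WEP header, dummy encrypted body. Not a real capture."""
    fc = b"\x08\x40"                               # data / subtype 0; flags = Protected
    hdr = fc + b"\x00\x00" + rx + tx + rx + b"\x00\x00"
    return hdr + iv.to_bytes(3, "big") + b"\x00" + b"\x00" * 36

AP = bytes.fromhex("02aabbccddee")                 # constructed BSSID
STA = bytes.fromhex("021122334455")                # constructed client MAC

def sample_capture():
    """Constructed capture: a client's normal trickle, then the AP relaying
    an injected flood with a new IV on every frame (400 frames in one second)."""
    frames = [(0.2 * i, build_wep_data_frame(STA, AP, 0x1000 + i)) for i in range(5)]
    frames += [(1.0 + i / 400, build_wep_data_frame(AP, STA, 0x2000 + i)) for i in range(400)]
    return frames

def iv_rate_alerts(frames, window=1.0, threshold=100):
    """Flag any transmitter that emits more than `threshold` distinct IVs within
    one `window`-second bucket. Returns [(transmitter, window_start, distinct_ivs)]."""
    buckets = defaultdict(set)
    for ts, frame in frames:
        parsed = parse_wep_iv(frame)
        if parsed:
            tx, iv, _ = parsed
            buckets[(tx, int(ts // window))].add(iv)
    return [(tx, w * window, len(ivs))
            for (tx, w), ivs in sorted(buckets.items()) if len(ivs) > threshold]

if __name__ == "__main__":
    for tx, start, n in iv_rate_alerts(sample_capture()):
        print(f"{tx}: {n} distinct IVs in window starting at {start}s")
```

On a live capture the same logic applies per transmitter; the constructed threshold of 100 IVs per second is far below the 1400 packets per second the demo reaches, so it leaves headroom for ordinary traffic while still catching the flood.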
Is this the ARP spoofing linked on the security section of the site? Any way to get a real translation, i.e. non-Babelfish?
This some crazy biznatch! Automated WEP cracking under 5 mins… wow. It's not really cracking anymore. It takes 5 minutes to get connected sometimes…
I was searching on his site, but didn't find it.
How do we get it? *nux only right?
cya guys!
yeah…where is it?
I used to be really interested in this stuff but this is over-sensationalised…
There are still only a few ways to crack WEP and all require lots (at least 10000 packets) of data to work reasonably.
Weak keys (airsnort) are old hat and all modern 802.11 devices avoid them. Aircrack and the new breed use roughly 17 statistical anomalies to improve on the brute-force chance of guessing a key. Their technique isn't perfect but it does work surprisingly well.
The ARP attack involved waiting for a packet that was the same length as an ARP packet and replaying it to the network. If it was an ARP packet, it would cause the remote host to send an ARP response packet with a unique IV. This can be done repeatedly to get the required 10000-100000 packets for WEP cracking, at which time you run aircrack.
His is just another variation where he injects traffic from the internet to get enough packets to break WEP.
It won't work if the AP is behind a firewall or NAT router. It won't work if he can't determine the network's IP range.
I think he’s combining another attack where you decode the contents of a single packet by sending increasingly longer dummy packets into the network and decode the packet contents one byte at a time. After that you have an IP for the internal network and you can use that to launch an Internet-initiated flood.
I’m pretty sure it would still be better to use the ARP attack over this method, if only because this method requires a host on the Internet which is going to have to flood something, setting off all sorts of alarm bells and big flashing lights.
Who the hell uses WEP anyway these days?
You have given me a very interesting insight. Now I am looking forward to trying it out. Thanks buddy!
http://darkircop.org/frag-0.1.tgz
if you launch it without args it will send arps [no internet host required]. I personally prefer inet flood. If you’re paranoid, you can spoof the inet ip while flooding…
Lots of people still use WEP (dunno why, ignorance I guess). The worrying thing is… well-known high st banks in the heart of London are still using WEP.
Oh, and BTW 5 mins doesn't impress me, my record stands at 3min 28secs for 104-bit WEP.
I love those crappy BT Home Hubs!! ;-)
@coreUK
Sometimes it's for backwards compatibility. If there were a way to put my 802.11b-only devices (2 pocket PCs, a print server and a few other things) on an isolated part of my network for internet only, I would, because I wouldn't mind going N or WPA-PSK and all that.