I am looking for case studies on cracking WEP. Anyone interested in supplying some info?
How long on average did it take to retrieve a key?
How long was the key?
What OS did you use?
What specific hardware/antenna?
Any stumbling blocks?
Same question here.
I've found that it takes me somewhere around 3 hours to crack a 40 bit (aka 56 bit) WEP key.
I'm running Linux (RedHat distro.) using a Linksys wireless card.
The biggest stumbling block I had was in actually getting airsnort to work properly.
I forgot to add that it took about 3 hours when one of the hosts on the wireless network was being ping flooded.
Here are my notes with v0.1.0.
I'll update once I try 0.2.0.
laptop = NEC Versa 6060, 32 MB RAM
NOTE: Disable COM and LPT and SOUND in BIOS to free up IRQs!!!
Included kernel = 2.4.2-2
Included PCMCIA = 3.1.22
Using NAI sniffer to "ping flood" a wireless device to generate a huge traffic volume.
Took about 8 hours to crack a 128-bit key.
Collected about 2000 interesting packets to do this (stopped to crack approx. every hour).
RedHat 7.2 (distribution)
Linksys wireless card
On average it has taken 40 hours to crack 40-bit WEP. I'm generating packets from 2 laptops (Linksys and Compaq WL-110). I'm using fping in non-stop mode to ping the WAP. It has taken many millions of packets to get 4,000 interesting packets.
I need to play around with how to best generate packets from a ping flood. Any suggestions on how to do this without a sniffer?
Maybe I'm missing something here, but wouldn't the case study be more effective if either the average packets per second generated by the ping flood were included for a time to traffic ratio, or if it were using networks without artificially generating traffic? Seems to me that the time needed to crack WEP using these methods is a little misleading for application in a real-world scenario, because if the attacker could generate that kind of traffic they would already be beyond breaching WEP.
I'm in the midst of an internal debate about the use of WEP. One faction (mine) recommends forbidding WEP (since we require all wireless traffic to be FIPS PUB 140-2 or AES encrypted & we use VPN from device to the inside net). The other faction recommends requiring the use of WEP.
The principal reason the other side gives for using WEP is to prevent denial of service attacks.
In my reading to check the accuracy of their statements, I found this chain. My question revolves around the fact that most of the reports here are ping-flooding an AP that is using WEP.
Is the claim that WEP prevents locating an AP incorrect? Seems to me that if I could find an AP and ping-flood it, with or without WEP, I could launch a DoS independent of WEP.
In general, I would be interested in the most recent methods of cracking WEP with Airsnort or anything else. And hard measurement results.
If this is off-topic, I will gladly move the discussion elsewhere.
WEP in no way prevents the location of an AP. An AP using WEP will still send its ESSID in the clear from time to time. Unless you can associate with the AP, which implies you already know the key, you can't ping it, however. Ping floods are useful for generating traffic for the purpose of testing airsnort.
DoS attacks against 802.11b are numerous and none of them can be prevented by using WEP. See http://802.11ninja.net for more info on some of the latest DoS and advanced attacks on 802.11
I got AirSnort 02.1.b to crack a 40 bit key after collecting 3693 interesting packets out of a total of just over 10,000,000 encrypted packets. The 40 bit crack breadth was set at 12.
It took 6 hours to generate the packets, by running approx 250 concurrent PINGs on a W2K Pro client station.
The PING (ping -t -f 192.168.1.1) targeted a Linksys AP - model BEFW1154_v2 (firmware 1.42.7).
The W2K client station used an Orinoco Gold card in a PCI adapter (firmware 7.28).
The capture machine ran RedHat Linux 7.3 on a Pentium 3 - 500 MHz, using a Cisco Aironet 350 PCI card (firmware 4.25.30).
At these firmware levels, both the Orinoco and the Linksys AP generate sequential IV numbers. Before starting the Airsnort capture, I reloaded the firmware on both devices, so the IVs started out initialized to 00:00:00.
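The post above notes two IV behaviours worth recording in an audit: the devices emit sequential IVs, and a firmware reload restarts the counter at 00:00:00. The following is an added example, not code from this thread or from AirSnort; it takes a sequence of WEP IVs (constructed sample data, not a real capture) and reports whether the IVs are predictable, whether the counter starts from zero, how many frames reuse an earlier IV, and how quickly the 24-bit IV space is exhausted at a given frame rate. It does not classify the "interesting" (AirSnort weak-class) IVs the thread counts; it measures only predictability and reuse, which is what a defender assessing a WEP deployment would need.

```python
"""Added example (not from the thread or from AirSnort): an audit helper that
looks at the 24-bit IVs of a WEP frame sequence and reports sequential
(predictable) IVs, counters that restart at 00:00:00 after a reload, and IV
reuse. All input data below is constructed."""
import math
from collections import Counter
from dataclasses import dataclass

IV_SPACE = 1 << 24  # WEP IV is 24 bits: 16,777,216 possible values


@dataclass
class IvReport:
    frames: int
    sequential: bool   # every IV is the previous one + 1 (mod 2^24)
    distinct: int
    reused: int        # number of frames whose IV had already been seen
    first_iv: int      # -1 when the capture is empty


def iv_to_int(iv):
    """Accept an int, or the 3 IV bytes as written 'aa:bb:cc' (tuple/bytes)."""
    if isinstance(iv, int):
        return iv & (IV_SPACE - 1)
    b = bytes(iv)
    return (b[0] << 16) | (b[1] << 8) | b[2]


def analyze_ivs(ivs):
    """Summarise IV behaviour over the given frames."""
    vals = [iv_to_int(x) for x in ivs]
    counts = Counter(vals)
    sequential = len(vals) > 1 and all(
        (vals[i + 1] - vals[i]) % IV_SPACE == 1 for i in range(len(vals) - 1)
    )
    return IvReport(
        frames=len(vals),
        sequential=sequential,
        distinct=len(counts),
        reused=sum(c - 1 for c in counts.values()),
        first_iv=vals[0] if vals else -1,
    )


def findings(report):
    """Turn the numbers into the audit findings a defender would record."""
    out = []
    if report.sequential:
        out.append("IVs are sequential: each frame's IV is predictable from the last one")
    if report.first_iv == 0:
        out.append("IV counter starts at 00:00:00: a reload replays the same IVs, "
                   "so RC4 keystreams are reused across reboots")
    if report.reused:
        out.append(f"{report.reused} frame(s) reuse an earlier IV (keystream reuse)")
    if not out:
        out.append("no sequencing or reuse in this sample, but the 24-bit IV space "
                   "still wraps after 16,777,216 frames")
    return out


def seconds_until_wrap(frames_per_second, ivs_already_used=0):
    """Time for a sequential counter to exhaust the IV space at a given rate."""
    return (IV_SPACE - ivs_already_used) / frames_per_second


def expected_frames_to_first_random_reuse():
    """Birthday bound: with random IVs the first reuse is expected after ~sqrt(pi/2 * N)."""
    return math.sqrt(math.pi / 2 * IV_SPACE)


# Constructed sample captures (not real traffic).
SEQUENTIAL_CAPTURE = [(0x00, 0x00, i) for i in range(6)]            # freshly reset device
RANDOM_CAPTURE = [0x0A1B2C, 0x3F0001, 0x0A1B2C, 0xFFFFFF, 0x000000]  # one IV repeated

if __name__ == "__main__":
    for name, cap in (("sequential", SEQUENTIAL_CAPTURE), ("random", RANDOM_CAPTURE)):
        rep = analyze_ivs(cap)
        print(name, rep)
        for f in findings(rep):
            print("  -", f)
    # Roughly the rate of the 10,000,000-frames-in-6-hours capture in the thread:
    print("hours to wrap at 460 frames/s:", seconds_until_wrap(460) / 3600)
    print("expected frames until first random IV reuse:",
          round(expected_frames_to_first_random_reuse()))
```

Run as a script it prints both reports; the two numbers at the end are the point: even a device that counts sequentially wraps its IV space in about ten hours at the thread's traffic rates, and a device that picks IVs at random is expected to repeat one after only a few thousand frames.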
I would like to know if someone has already guessed the WEP key during a communication between 2 Cisco Aironet (bridge) devices with the new dynamic WEP (128).
If you have references, address, ...
Has anyone found interesting packets on a Cisco 350?
I have sniffed one for about three hours and have not found one.
I will continue to do so and let you all know if I find something.
UPDATE TO LAST POST
To my knowledge Cisco has removed all interesting IVs. This is very good for us good guys. Kind of stinks for the bad guys. My words of advice: get smarter and find more holes so we can all learn! If anyone knows what level of code Cisco removed their interesting IVs at, please let me know.
So how does one crack a WEP using WinXP?
How long on average did it take to retrieve a key? 2.5 hrs
How long was the key? 64bit
What OS did you use? Debian
What specific hardware/antenna? Orinoco chipset 6.16 firmware. Compaq WL110
Any stumbling blocks? getting all the components working together.
I constantly pinged the AP and sent a 40 meg file between two computers. I generated 2.5 million packets and had 3692 interesting IVs.
Can I say something... If we want to crack or get some WEP keys, we want to do it in 10, 20 or 30 minutes... Who has the fucking time to wait for 40, 50, 60 or 70 hours... Unless I am unemployed... Can't AirSnort do the cracking in 5 or 10 minutes' time?
Linksys wpc11 v4
Instead of using massive amounts of pings, I did something much easier: I sat there and transferred files between my home PC and my brother's PC and read everything on my laptop.
This took me about 25 minutes with these stats...
It was a 10-digit code (which I think is 128-bit).
I am pumped because I am going to be able to get my damn school's WEP code and surf from school again. =)
How long on average did it take to retrieve a key?
How long was the key? 128bit
What OS did you use? WIN XP
What specific hardware/antenna? D-Link DWL-G650+
Any stumbling blocks? Getting the correct drivers working for my card.
I downloaded some files off BitTorrent and had 2770 interesting packets.