Active Topics

 



Notices


Reply
Thread Tools
Estel's Avatar
Posts: 5,028 | Thanked: 8,613 times | Joined on Mar 2011
#1131
No, I was injecting @ 500 packets/s. IVs capture ration was ~86/s, varying.

Anyway, as I've said in edit to latest post, even with 500k IVs aircrack-ng was unable to crack network WEP.

It would be great, if someone could confirm/deny this, by cracking WEP network without any client connected (this is a *must* requirement, as we do not want some 'legit' packets getting injected by accident resulting in ''legit' response, generating more 'legit' packets etc.) and via interactive injection.

/Estel
__________________
N900's aluminum backcover / body replacement
-
N900's HDMI-Out
-
Camera cover MOD
-
Measure battery's real capacity on-device
-
TrueCrypt 7.1 | ereswap | bnf
-
Hardware's mods research is costly. To support my work, please consider donating. Thank You!

Last edited by Estel; 2012-01-15 at 01:01.
 
Posts: 2,076 | Thanked: 3,268 times | Joined on Feb 2011
#1132
For me with wifite running at 300-400pps is better. With signal around 80 I get ~200 ivs/sec usually. With signal 60-70 even up to 280-300 ivs/sec. Also 40 seconds is quite long. Normally starts flooding at 10-15 seconds from start
 
Posts: 105 | Thanked: 87 times | Joined on Jun 2011 @ Unknown
#1133
Originally Posted by Estel View Post
No, I was injecting @ 500 packets/s. IVs capture ration was ~86/s, varying.

Anyway, as I've said in edit to latest post, even with 500k IVs aircrack-ng was unable to crack network WEP.

It would be great, if someone could confirm/deny this, by cracking WEP network without any client connected (this is a *must* requirement, as we do not want some 'legit' packets getting injected by accident resulting in ''legit' response, generating more 'legit' packets etc.) and via interactive injection.

/Estel
I can confirm unable to crack WEP with interactive injection (I stoped using it long ago as never worked for me)

I personaly prefer the normal packet injection way as I never missed to crack a WEP key with 40k IVs in min. 8min to a max. of 20min.
 

The Following User Says Thank You to g0r For This Useful Post:
Estel's Avatar
Posts: 5,028 | Thanked: 8,613 times | Joined on Mar 2011
#1134
Originally Posted by szopin View Post
For me with wifite running at 300-400pps is better. With signal around 80 I get ~200 ivs/sec usually. With signal 60-70 even up to 280-300 ivs/sec. Also 40 seconds is quite long. Normally starts flooding at 10-15 seconds from start
Sorry, but how is this wifite post related to faircrack? number of IVs gathered per second depends on many factors, and tool used is least important (if not of zero importance, as all of those tools are [less or more] user frontends for aircrack parts - even wifite is technically a frontend...). Having N900 close enough to AP you can capture 99% of packets transmitted by router, which would be probably around 400-500 pps.

No offense, but I don't see the point in comparing capture ration in wifite, faircrack, cleven or whatever. They're all talking to the same tool, and depending on ambient circumstances.

/Estel

// edit

Unless we count it at "wifite interactive injection works well and it's FOSS, so lets check how they implemented it code-wise and re-use implementation method in faircrack"
__________________
N900's aluminum backcover / body replacement
-
N900's HDMI-Out
-
Camera cover MOD
-
Measure battery's real capacity on-device
-
TrueCrypt 7.1 | ereswap | bnf
-
Hardware's mods research is costly. To support my work, please consider donating. Thank You!

Last edited by Estel; 2012-01-15 at 17:48.
 

The Following User Says Thank You to Estel For This Useful Post:
StefanL's Avatar
Posts: 298 | Thanked: 341 times | Joined on Aug 2010 @ This world :)
#1135
Originally Posted by Estel View Post
So, now feature requets:

1. Would it be possible to add management of replay-*.cap files, that are created while injecting (both normal, interactive, or just capturing arp)? After some time of usage, they're trashing a lotta hell of space (be it bytes or just names) in place where they're saved, require manual deletion.
K, can add to my list.

Originally Posted by Estel View Post
2. If we're talking about replay-*.cap management, would it be possible to allow using already saved ones against network? Would require listing them, and, after selecting one, a button to inject with it (could, for example, inject the network that is currently captured via airodump-ng).
K, can add to my list.

Originally Posted by Estel View Post
3. minor thing - it seems that default time for "scan" set to 5 seconds is a little to low - most of the times it's not enough to even properly scan whole 1-13 channel range. I think that 10 seconds is good thing for default (personally, I almost always use 15 sec, but it's for, ekhm, 'debugging' purposes).
Yep, fully agree with your assessment, can add to my list.

Originally Posted by Estel View Post
4. You probably knew that I would aks about it - what about reaver/walsh support?
Already posted reply under the original post
__________________
My phone evolution: Nokia 7610 (RIP), N82 (RIP), BB9000 (RIP), N900, BB9760 (RIP), N8, BB9900, N9 64GB
Working : Python Gorillas (Maemo5) Faircrack0.50 Update (Maemo5)
Not so much : WPScrack (Maemo5)
 

The Following User Says Thank You to StefanL For This Useful Post:
StefanL's Avatar
Posts: 298 | Thanked: 341 times | Joined on Aug 2010 @ This world :)
#1136
Originally Posted by Estel View Post
No, I was injecting @ 500 packets/s. IVs capture ration was ~86/s, varying.

Anyway, as I've said in edit to latest post, even with 500k IVs aircrack-ng was unable to crack network WEP.

It would be great, if someone could confirm/deny this, by cracking WEP network without any client connected (this is a *must* requirement, as we do not want some 'legit' packets getting injected by accident resulting in ''legit' response, generating more 'legit' packets etc.) and via interactive injection.

/Estel
Aircrack-ng is not perfect, and still has a lot of limitations. Some of them include the type of packets captured when doing the PTW attack (default for fAircrack), length of WEP key (only handles 64bit and 128bit), etc.
__________________
My phone evolution: Nokia 7610 (RIP), N82 (RIP), BB9000 (RIP), N900, BB9760 (RIP), N8, BB9900, N9 64GB
Working : Python Gorillas (Maemo5) Faircrack0.50 Update (Maemo5)
Not so much : WPScrack (Maemo5)

Last edited by StefanL; 2012-01-15 at 06:50.
 

The Following User Says Thank You to StefanL For This Useful Post:
Posts: 2,076 | Thanked: 3,268 times | Joined on Feb 2011
#1137
Originally Posted by Estel View Post
No, I was injecting @ 500 packets/s. IVs capture ration was ~86/s, varying.

Anyway, as I've said in edit to latest post, even with 500k IVs aircrack-ng was unable to crack network WEP.

It would be great, if someone could confirm/deny this, by cracking WEP network without any client connected (this is a *must* requirement, as we do not want some 'legit' packets getting injected by accident resulting in ''legit' response, generating more 'legit' packets etc.) and via interactive injection.

/Estel
Confirmed. Though my router seems to send out spurious data (defense mechanism ???). Anyway, I tried sending packets of different lengths, gathering 50000 at one time and stopping. There was also 250K ivs from previous attempts to see if more data would come in handy. Results:

cap file 1 - 250k (length unknown, provided by 2 runs of wifite) - fail
cap file 2 - 50k, length 112 - fail
cap file 3 - 50k, length 86 FromDS: 1 - fail
cap file 4 - 50k, length 86 ToDS: 1 - fail
cap file 5 - 50k, length 352 (strangely enough bigger packets should result in lower ivs/sec, yet got 250ivs/s here vs 140-180 at previous) - fail
capture 6 - 50k, length 86, FromDS: 1 - success

Funny thing: getting all the 500k together results in the key NOT being found, so quantity < quality.
Combination of cap files - result
6 - OK
5,6 - OK
4,5,6 - OK
3,4,5,6 - OK
2,3,4,5,6 - Fail
1,2,3,4,5,6 - Fail
2,4,5,6 - OK
1,2,5,6 - Fail
(no combination without the 6th file worked)

Seems the ratio of spurious data to good data cannot be too big. (btw, wifite uses 'aireplay -2 -b xx:xx -h yy:yy -T 1 -F -p 0841 wlan0' which doesn't require input and probably starts injecting with first packet caught, so probably a hit-or-miss solution)
Also strange thing, Source MAC when the packet shows up for confirmation very often differs from BSSID by 1 (that is XX:YY...:F6 vs XX:YY...:F5), capture 6 that got it had different MAC here. Needs more testing as maybe some combination of packet length/ToDS/FromDS/Source/Dest will result in more frequent capture of valid IVS.

Oh yeah, no wireless clients were involved as I just changed to WEP and no other device would have the password, so this is confirmed.


EDIT: As to speed comparisons: try running some programs in the background while injecting. Having brogue (SDL game) in the background got the speeds to 80-100. Without it 160-200. Each of the frontends uses up memory/CPU. Most economic will win. (and no, placing N900 next to the router doesn't work that way

Last edited by szopin; 2012-01-15 at 14:05.
 

The Following 2 Users Say Thank You to szopin For This Useful Post:
Posts: 529 | Thanked: 194 times | Joined on Aug 2010 @ UK
#1138
thanks for the update but im having some issues , every option under the decrypt tab does work , matter what i select it just opens an the closes straight away !!
i was on 0.45 before and they all worked fine any ideas whats wrong and how to solve this !!!
__________________
METASPLOIT INSTALL N900
Keep the forums clean
Dont forget to say thanks
 
StefanL's Avatar
Posts: 298 | Thanked: 341 times | Joined on Aug 2010 @ This world :)
#1139
Originally Posted by stevomanu View Post
thanks for the update but im having some issues , every option under the decrypt tab does work , matter what i select it just opens an the closes straight away !!
i was on 0.45 before and they all worked fine any ideas whats wrong and how to solve this !!!
Which options are you referring to (WEP/WPA/..)? Please give me a bit more info to troubleshoot.
__________________
My phone evolution: Nokia 7610 (RIP), N82 (RIP), BB9000 (RIP), N900, BB9760 (RIP), N8, BB9900, N9 64GB
Working : Python Gorillas (Maemo5) Faircrack0.50 Update (Maemo5)
Not so much : WPScrack (Maemo5)
 
Posts: 529 | Thanked: 194 times | Joined on Aug 2010 @ UK
#1140
every option dude

only option in wep tab that works is clear , rest nothing

all options under WPA dont work

all option under libDb dont work either ....

EDIT

im gunna redownload files and do a clean install see if that helps will report back in min ...

EDIT2 WPA decrypt is not working when i try an use dictionary it just opens and closes , also libDb stuff doesnt seem to be working still !!"


Originally Posted by StefanL View Post
Which options are you referring to (WEP/WPA/..)? Please give me a bit more info to troubleshoot.
__________________
METASPLOIT INSTALL N900
Keep the forums clean
Dont forget to say thanks

Last edited by stevomanu; 2012-01-15 at 16:20.
 
Reply

Tags
aircrack, aircrack-ng, epicfacepalm, pen testing, rtfm dude!


 
Forum Jump


All times are GMT. The time now is 15:57.