Penetration Testing mailing list archives

Re: Wireless Pentest Question

From: Brandon Kovacs <liljoker771 () gmail com>
Date: Mon, 7 Feb 2005 12:00:42 -0500

Yes...

IP Address of gateway: Use Ettercap
Create Traffic- ICMP Ping Flood Tool
WEP Key being used: Aircrak or Snort

Hope that helps, collecting enough WEP IV's in aircrack can take some
time, you will need approx. 200k-500l; depending on the amount of
traffic is on the network, that is where the ICMP ping flood tool
comes in. Aircrack will crack the WEP key in a few seconds, if you
tell it how long the WEP key is, it will do it faster, otherwise you
will need to wait a few more seconds

-Brandon Kovacs


On Mon, 07 Feb 2005 07:06:22 -0500, Joshua Wright <jwright () hasborg com> wrote:

Arvind,

Arvind Sood wrote:

 The problem relates to creating traffic on a wireless network in case
you dont find a lot of traffic for a good capture. Is there any way
you can create traffic on a WEP network without knowing
- the IP Address (address range) the Access Point and wireless clients
are using
- the WEP key being used (makes sense - that is why you are running a WEP crack)


Besides aireplay (not sure why you are getting a SEGFAULT, it worked OK
for me - maybe check the Aircrack documentation?), you could use
WEPWedgie.  This tool was written by Anton Rager a few years ago, and
allows you to inject packets into the network after determining PRGA
from the WEP challenge/response mechanism.
http://www.sf.net/projects/wepwedgie/

The current version relies on the Airjack drivers for operation, meaning
you'll have to run it on a Linux 2.4 kernel system.  I wrote a small
patch to add an option to send ICMP echo requests to the broadcast
address (since you might not know any internal addresses), which is
available at http://home.jwu.edu/jwright/code/ww-broadcasticmp.diff.

Unfortunately, Airjack has some timing issues which makes it somewhat
ineffective for injecting large quantities of packets, but this will get
you started.  While at Shmoocon (you guys rock!) I started re-writing
WEPWedgie to port it to a more reliable packet injection framework (and
code cleanup) for another project, I'll make that available when I get
it finished.

Good luck,

-Josh
--
-Joshua Wright
jwright () hasborg com
http://home.jwu.edu/jwright/

pgpkey: http://home.jwu.edu/jwright/pgpkey.htm
fingerprint: FDA5 12FC F391 3740 E0AE BDB6 8FE2 FC0A D44B 4A73

Today I stumbled across the world's largest hotspot.  The SSID is "linksys".



-- 
-Brandon

Current thread:

Wireless Pentest Question Arvind Sood (Feb 05)
- RE: Wireless Pentest Question Harshul Nayak (Feb 07)
  - Re: Wireless Pentest Question Erik Winkler (Feb 07)
- Re: Wireless Pentest Question Joshua Wright (Feb 07)
  - Re: Wireless Pentest Question Brandon Kovacs (Feb 07)
- Re: Wireless Pentest Question Berdt van der Lingen (Feb 08)