Description: This is the first challenge in a series of interesting ones I plan to post in this video series. All you have to do is crack the WEP key, decrypt the Data packet and post it here. The trace file contains the shared key challenge text and response, and a data packet.
Watch the video for rest of the information!
Packet Trace can be downloaded here: http://code.securitytube.net/Challenge-1-Easy
Tags: wi-fi, challenge, WEP, megaprimer
Hello Again -
When will your book be released? (Wireless Pentesting With Backtrack: Beginners Guide)
Thanks.
Good Job .......
Wow! I guess this is only WEP, but I am stuck stiff :( People, post some hints, or at least what you are trying!
With one packet? C'mon Vivek - a clue here!
Hint: Everything you need is on Backtrack! :)
I know that you did explain all the attacks in your megaprimer, but all the cracking stuff was with a high amount of packets. In the WEP cracking videos you explain the algorithm... Maybe we should recreate the full scenario with airbase and replay packets, but the problem is that I don't have an iPhone... :( Just kidding. Greetings from México
The second packet is malformed. I've downloaded the file twice. Has anyone else noticed this or is it something to do with my internet connection?
Can't find a way with my RC1 BT4 and a single packet. Discounting aircrack as the man states it requires a ton of packets. Considered packetforge, but as I don't have the key in the first place, I can't generate what we need!
Tried a few of the low hanging fruit keys like 00:11:22:33.... etc, but no joy.
Either this is ridiculously simple and you are tricking me, or your idea of 'easy' and mine is a world apart! I give up - I'm throwing in the towel. I'm just not intelligent enough to work out the methodology here.
Please share the solution with us once someone gets it.
@Dr.Ed.Caracas This is the point of the exercise; sometimes it's easier than you think to crack WEP and maybe you don't need to wait that long. Here is a sample scenario: a client only gives you 1 minute to gather traffic, and maybe you don't get enough packets for aircrack-ng to do its magic. Then what do you do?
@Ignatius The file looks ok to me my friend. I just downloaded it.
@Blackmarketeer You are very, very close to the solution :) Don't give up now. As I said, everything you need is on BT4!
OK... I tried to decrypt the packet with the aircrack suite... I will not say the name of the attack, because maybe it's a spoiler...
When I try to use the ******** (count the number of stars) attack, the suite says: "The ******** attack appears to have failed...."
Am I on the right track? Or completely wrong?
Don't know...
Maybe I need a cappuccino or an espresso...
I haven't had a coffee in a long time, so excuse my tired nerves, but it's RC4 encryption. We have the challenge in plain text and the response encrypted. Now, how to extract the key... I am thinking along this track... Don't know where it leads me...
I'm just trying the (-r) option... but it doesn't seem to work :(
Please do not spoil it, as I haven't had time to try it yet nor watch the videos. I'll return home after 2 hours, so please, please do not spoil it; I'll do it when I get back.
No spoilers! Some of you are on the right track. Think beyond aircrack-ng! When I show you the solution, many of you will kill yourself :)
Don't think complex, simplify! That's my last hint for the day. When I wake up tomorrow, this will hopefully be solved :)
Ha! I am so glad that I am not the only one with no clue where to start. Tried a lot of tools in BT4 and BT5. No success. Yet.... ;)
We have this information with us,
- Challenge Packet (Plain Text: AP to Client)
- Encrypted Packet (Response: Client to AP)
- Broadcast Packet (ARP from Client)
How on earth am I gonna get multiple ARP packets for a weak IV? Or, as the title says "No Patch for Stupidity", is it that the key is "AB:CD:EF:AB:CD"?
If we are all being smart so, who's gonna think about the stupidity in this challenge?
-(:?)
My last attempt is to bruteforce it :(
You have to watch the whole series once again :)
This is a good test for re-evaluating your knowledge, and for learning how to think. Occam's razor is one of the basic rules in hacking (imho).
Now imagine how the challenges will look on higher levels.
p.s. Please send your results to the email Vivek provided you, so others will have the chance to try out their wi-fi kung fu.
This video series is the best in the world :O
scratches noggin and looks for his dictionary...
I have a suggestion for prizes....your new book!
OK, so you can get the first 128 bytes of the keystream and decrypt the data packet, but how to get the key without doing any sort of bruteforce?
And also, where is the tool to do the XOR? The online XOR calculators are crap!!!
I give up :( Need to watch the videos again for better understanding >>> Vivek, thanks for your time
Stupidity probably means a very weak password?
It's late here; just got a hunch and figured I'd give it a shot:
password
welcome
securitytube
vivek
pwned
I will take a further look tomorrow morning, but it would be fun if it was this easy/obscure lol
Hint 1: This is not an encryption algorithm challenge! I am not wanting you to go on the chase with Fluhrer, Mantin, Shamir, PTW or KoreK :) This is level 1, think simple.
Hint 2: Here is a real life scenario: You are called in to do a pentest on a WEP network at a local store. You laugh it off, get over-confident, hit the club, oversleep the next day and reach late. The store is about to close and by the time you boot up BT and just start your packet captures, they shut off the AP for the day :) All you manage to get is 1 encrypted data packet! You chat with the store owner and you realize he is the type who might end up using short, easy to remember passwords on his Facebook account. You have till next day morning to send in your report.
Hint 3: Everything you need is on BT4.
Hint 4: Every pentest is different and the solution to the problem is not a generic one. Might work sometimes, might not in most cases.
I will give you till the weekend to crack this. Many of you are almost there! Keep trying. Sometimes the solution does not have to be novel and beautiful, it just has to work :)
thank you so much
I've been trying some ASCII code passwords in Wireshark to decrypt the file, but I haven't had any luck as of yet.
be smart ;)
You can't do this using 1 packet only
(There Is No Patch For Stupidity!)
thank you very much
I give up. The only solution seems to be to bruteforce the password, but I have better things to do (assignments) than try to find a WEP bruteforce program and crack this pcap file.
Great idea with the challenges Vivek. Can't wait till the next one. I'll be checking securitytube hourly now.
I may give this a shot over the weekend, sounds like a good challenge Vivek! If I can't attempt it, seeing the results here will be interesting!
Having spent a few hours on this, and a sleepless night, I have to agree that it's probably a brute force job to get the key and decrypt this.
A few interesting things jump out:
We can hazard a reasonable guess as to what the data payload is, because it's heading off to the broadcast address.
One of the flags in the radio tap header from the client to the AP has WEP set to false - but I'm inclined to think this is of no concern.
The header for the WEP key index is 0, so any keys generated with a tool like WEP_Keygen should be the first key produced (but we don't know the key length, so this is probably of limited use other than to tell us not to waste time trying 2, 3 & 4 of the 40-bit keys)
Tried generating keys for common stupid passwords like 'dlink' 'password' 'stupid' 'qwerty' 'asdfgh' 'wireless' and the like, none bite.
Tried common patterns like AB:CD:EF:AB:CD etc - none bite
Getting desperate I tried the DECRYPT program with a massive common password list, but it appeared to run too fast to be true and declared: "Could not find a key for ...."
Either I'm miles off on my thinking, or the real result of this challenge is it does not matter how easy the passphrase is - it is reasonably secure if nobody can guess it, and they can't get enough packets to use aircrack-ng!
As I give up with this and go back to @dayjob, I am left with the thought that what is obvious to one man may be completely illogical to another!
I just know when Vivek reveals the answer I'm going to have very sore shins from kicking myself.
All the common 'stupid' words I can think of, passed through
@Blackmarketeer You have just explained everything I have tried, but I didn't want to post it up on here just in case. I am beginning to think that WEP encryption is set on the AP but no key was set. Not sure if this can work without a WEP key.
--Chard
Also, what I found was that if you right click in the middle window in Wireshark and go to Protocol Preferences > Ignore the Protection Bit > Yes - With IV, the data packet turns into an LLC (Logical-Link Control) packet and the 2nd Authentication packet is a Malformed Packet. Not sure if I'm on the right lines here, but it's just what I have discovered.
--Chard
I bet Vivek is laughing his head off at all of us! I hope he does not poke too much fun at us, otherwise I'll poke fun at him for not setting the clock to the correct time zone in any of his videos!
@Blackmarketeer You are really close, just not using the right combination of tools
Hint 5: What is the next best thing to a Bruteforce Attack? Remember BT ships with a list of .... :) Also, there are other tools to decrypt packets other than Wireshark :) We used one of them in a video in this series.
Hi, I haven't watched all the courses yet and I haven't tried to crack WEP using just one packet, but I wonder, could this be done by running aircrack-ng with a wordlist (dictionary)?
There is airdecap, but how can you pass it a wordlist??? This is so frustrating
@nikola.mrantinic ... almost there my friend :)
@tomfromdelmonte Don't be frustrated buddy! This is the Navy Seals training bootcamp for Wi-Fi Security :) Trudge on.
I don't have enough time right now to devote myself to this, and as I said I'm new to these things, and I haven't watched the tutorial about WPA cracking (I watched a youtube video about it a couple of weeks ago)... and as far as I can remember there isn't a reason why WEP couldn't be cracked the same as WPA, or am I wrong?
@nikola.mrantinic and @Vivek-Ramachandran I have tried using aircrack-ng with all the dictionary lists available in BT4 and had no luck; aircrack-ng asks for 4 IVs.
(I just changed my nickname from nikola.mratinic to nYxY)... I believe you should try to crack WEP the same way as WPA (if that is possible; as far as I can remember from watching that video, there is no need for collecting IVs)
HINT: Look for something other than Aircrack-NG in the Air**** suite and see if you can use it somehow with the lists you talk about :) Don't get hung up on Aircrack-NG
This is the last and final hint, no more :)
airdecap-ng looks great for dealing with it and we've used it before in the series, but the format it wants the key in (no colons :) with the -w switch is a royal pain in the backside.
I don't see any options to read from a file to do a dictionary attack with it - unless airoscript can be used in some way?
Perhaps this really will come down to RTM - but my version of BT (RC1) has a ton of tools missing that appear in RC2. I don't really want to upgrade as it will break a stack of stuff I use for other tests.
I'm giving up on this and declaring myself too stupid to patch, too stupid to figure it out :-)
http://www.aircrack-ng.org/doku.php?id=airbase-ng
This attack obtains the wep key from a client. It depends on receiving at least one ARP request or IP packet from the client after it has associated with the fake AP.
Only just finished work, please don't give the answer yet! Need a little time to get a look at the video and download the file, see what the challenge is...
Aircrack is out of the question: even though it supports dictionary attacks, it requires a minimum of 4 packets and we have only 3. Airdecap will only accept the key in its hex format, so how can we run a dictionary list through a key generator and feed it to airdecap? I think you have to use a pipe, but I'm not sure if there is a tool to generate WEP keys using a wordlist as input. As well as that, I'm using backtrack5 and I'm not quite sure where everything is!
You can probably do something piping data into xargs with airdecap provided you generate a list of keys without colons from a dictionary file. Personally I can't see Vivek making it this complex or messy, or dependent on certain lists in certain versions of backtrack. It's going to be much simpler than this and I can't wait for the answer myself.
I keep going back and having another look - but reading through all the man pages for the various air* tools gives nothing obvious away.
The output from wep_keygen is too messy as it is and would require either SED, AWK or multiple cuts to get at the keys. There is no man page for it to suggest you can feed it with a dictionary to produce output.
I hope Vivek will give a practical demonstration with the file he provided to put this to bed over the weekend :-)
I know.. I literally couldn't sleep last night; I got out of bed twice to go and try stuff on the computer. My wife was not impressed.
What tool will generate a list of 10-character-long strings using the 0-9 and a-f character set only?
Absolute Last and Final Hint!
No tool on BT will work as-is, you may need a simple script on top of it. It took me 15 lines of code on top of a tool.
You need not dive deep into how WEP cracking is done.
Why some basic scripting? In most penetration tests you will never get ideal circumstances. You will always have to push the limits with whatever you have! :)
Also, most of you are so close to the solution, it would be sad to give up now.
I can vouch that I cracked the WEP key for a large manufacturer in the US a long time back using this technique and that's the reason why I posted this challenge :) It is a real practical scenario where I could not get the default tool settings to crack the key!
To add to the comment above, that was a legal pentest I was talking about where I had full permission :) so please don't try this on networks you dont own or have permissions for :)
@tomfromdelmonte I almost made the same mistake last night too..;) I couldn't sleep and remembered the challenge, that didn't help xD figured it would be something in plain sight/text;) I couldn't help thinking of Vivek laughing as everybody would take out the blow torches and heavy machinery when the key was left under the doormat :D
Scripting?! I've been putting off learning python for a long time. Since I don't even know how to use a scripting language, I guess that's me out of the challenge unless I can learn python overnight.
I can sort of see what needs to be done and I'm pretty sure you need to automate the passing of different keys to airdecap-ng (which should automatically generate a file of unencrypted packets when it receives the correct key).
But then isn't that just the same as a bruteforce attack?
I took a break from studying to look at this and my first thought was chopchop but then you said KoreK was not part of the solution so after reading I'd have to write a script, I think I'll have to wait for the solution. After June 5, I should have time to take on the next challenges.
In the meantime, I think you're going to have to re-think what is "easy" for most people. :) You're way ahead of us Vivek.
Part of the complexity of this challenge is that the packet capture is in DLT_IEEE802_11_RADIO (Radiotap) format. There are older tools that are very effective at attacking small quantities of WEP packets, but they only deal with DLT_IEEE802_11 packet captures.
The easy solution is to leverage Scapy to re-write the packet capture into the format that works for us. This is what I did:
$ scapy
>>> packets=rdpcap("Challenge-1-Easy")
>>> wrpcap("Challenge-1-Easy-DLT_IEEE802_11.pcap",packets[2].payload,105)
I'm typing those Scapy statements from memory, please forgive a typo or two. The packets[2].payload reference is the 3rd packet capture in the Challenge-1-Easy file, skipping to the first payload which is the beginning of the IEEE 802.11 header. The "105" is the link type number for packet captures with no header information.
The output file will work with a variety of tools that allow you to enumerate through dictionary files without having multiple packet capture files to reference. These tools may not be native to Backtrack, but should be in your WiFi hacking arsenal anyhow (WepAttack, wep_crack, etc.)
-Josh
Damn. As I can't write code yet I won't be able to beat this challenge, I guess.
I'd got as far as this, but I've not had a chance to format/clean up the output of airdecap-ng to look for decrypted WEP packets. Hopefully I'll get a little more time this evening.
If anyone else wants to play with it, run it with
./script < your.word.list.here
but set the location of your capture file in the penultimate line rather than '/home/challanges/1.pcap'
#!/bin/bash
# Usage: ./script wordlist    or    ./script < wordlist
# Words are read from the file given as $1, or from stdin when no argument is given.
FILENAME=${1:-/dev/stdin}
count=0
while IFS= read -r LINE; do
    count=$((count + 1))
    # First (40-bit) key wep_keygen derives from the word, colons removed for airdecap-ng.
    output=$(wep_keygen "$LINE" | awk -F'^0: ' '{ print $2 }' | sed -e '/^$/d' | sed 's/://g')
    # A 5-character word is also a 40-bit key by itself: its raw ASCII bytes in hex.
    [ ${#LINE} -eq 5 ] && output="$output $(printf '%s' "$LINE" | od -An -tx1 | tr -d ' \n')"
    echo "TRY $count WORD USED $LINE KEYS:$output"
    # airdecap-ng reports how many packets it decrypted; a non-zero count means the key fits.
    for key in $output; do airdecap-ng -w "$key" /home/challanges/1.pcap; done
done < "$FILENAME"
Not sure if this will or will not help, but it feeds airdecap-ng with colon-free 40-bit keys generated with wep_keygen from a dictionary file.
Well, seeing as I have zero programming skills, I guess I am just going to have to wait for the solution. For those that know what they are doing, good luck. BTW, one of my initial thoughts was to create something that regenerated the same data packet in the pcap file to generate enough for a successful crack.
Thanks for the challenge Vivek, I am looking forward to the solution and the next challenge
--Chard
@all, programming or scripting in some fashion is ESSENTIAL. learn it, even if it's just tweaking someone else's script. we all started somewhere.
@joswr1ght Hope you are doing great! Good point! Many of the older WEP cracking tools are worth their weight in gold, but have been long forgotten.
You can use Josh's suggestion or continue with just using Backtrack and the tools on it.
@Blackmarketeer You are almost there!
Also, as Andrew said - knowing basic scripting is a must at the very least.
I am just about to record the solution to this challenge. I can post it tonight if you guys want :) Let me know!
I am also preparing the next challenge :)
I think you should post it as soon as you've finished it! Come on man, get that solution on line - I'm curious to see how you've cracked it - but not so keen how stupid I'm going to feel......
I'm really looking forward to the solution. I am new to wireless hacking and have watched the whole series of these videos a couple times (even more since this challenge came out). This challenge has had my brain working overtime the past 2 days.
Great work Vivek and I can't wait for the next one...
Ok, I give up... :( In the Caribbean, when you keep doing something and keep getting nowhere, it's described as "Spinning top in Mud"... I think I am at that stage right now :(
At least the challenge reinforces the importance of being able to use a scripting language and also being able to create/modify your tools for a given purpose. I'm very keen to see the solution now, so Vivek, if you wouldn't mind!?
I realized that programming and scripting are very important to the world of security. Could someone point me in the right direction of where to get started? I'm guessing Python would be a good place to start.
Cheers
--Chard
Blackmarketeer, I'm running your script now using the darkc0de.lst wordfile. I think the actual key is going to be something easy to remember like 11:22:33:44:55 instead of a randomly generated wep_keygen type thing. Either way, it's my last shot, just going to leave it running...
I had actually tried a number of 11:22:33 and DEAD CAFE type strings, but I suspect it's one I've *not* tried :-)
It will be howlingly simple - but only if you have the word/pattern in a list to try!
Well, I've just tried it against a list of 106,172 well known passwords, words, phrases and ESSID's and it's "nice try - but no cigar" :-(
If this is 'Level 1', I can't imagine what the rest of the levels will be like.
@Vivek- Since you mentioned it requires some modification of existing tools to solve this one, how about a megaprimer on scripting (Python?) as it pertains to security? Several people (including myself) have limited scripting/programming experience and for challenges like this, would love to know more!
Thanks!
I'm with L00py on that one. You made these videos very easy to understand for me, so I would absolutely look forward to some scripting basics from you too.
This exchange of ideas has been a fascinating insight into how I must start to think! Like many, I know a little Bash but no Perl, Python etc. If this is level 1, it'll be interesting to see what the higher levels are like.
Finally, I'm pleased to see a "big gun" here if joswr1ght is THE Josh Wright! It's possible that there are other experts in the field of wireless security and pen testing here but I don't recognise them. If so, I apologise for my error.
I gave up 5 hrs ago :(
tomfromdelmonte, any luck with the darkc0de list? If that doesn't work, John the Ripper has a smaller wordlist in /pentest/passwords/john/ that may have the magic key! Trying blackmarketeer's script on it now!
Programming and scripting is one of the most important things in the security world. You don't have to be able to write complex apps, but some level of programming skills must exist.
I would suggest python, bash, and C for system and networking. For web apps I think I don't have to mention what is important :)
folks - don't rely on *my* script! It may not even work properly! It was just meant as a 'something like this' kind of thing.
+1 for some videos on scripting. Vivek has produced some really excellent material on assembly which brought back happy memories from my 8 bit days in the 80's - and proved that learning machine code with old Z80s and 6502s was worth it - but a series that looked at scripting in a generic sense, before honing in on implementation in shell, Perl, Python etc, rather than just one language, would be great. All scripting is pretty much the same and looking at core concepts first, and then showing how it is used in various languages, would really help people out.
I must mention the excellent Indian National Programme on Technology Enhanced Learning - they have a brilliant youtube channel with hundreds of University quality lectures covering lots of core subjects including software engineering and networking. Here is a link: http://www.youtube.com/user/nptelhrd
Solution Posted for Challenge 1: http://www.securitytube.net/video/1859 ! Please post your comments / feedback on the video solution :) Many of you were so close :)
Blackmarketeer - sorry if it seemed like I was putting you on the spot :) I, like many others here, have a limited knowledge of bash scripting and not much other experience in the way of coding. That said, your script looks good to me! It seems to run the output of wep_keygen through airdecap. (I tried it on the jtr wordlist and am crunching through the darkc0de list now)
I thought about using xxd or hexdump on the wordlist, to just generate a new raw hexadecimal file for use with airdecap-ng, but cannot figure out how to get the output to keep the line breaks from the original document.
Got the solution, but not running BT, I didn't have the right dictionary. Maybe next time.
My script would never have cracked this as it was not keying on the 40-bit ASCII key, but the first 40-bit key. Had I got that right *and* had the later darkc0de.lst, it would have (eventually) worked in a roundabout way.
Not being the most logical thinker, it never occurred to me to use Python as I don't know much about it. I know Perl, but it's time to open a book and have a look at Python. Much as I love Perl, it can be such a kludge, using modules to provide basic functionality, and asking for advice usually means getting abused by the more experienced Perl community.
I also did not understand how the chosen word was transcribed into hex string - but I have it now :-)
As Vivek points out, you learn more by trying and failing than by not trying at all, and this has been a brilliant learning opportunity.
Vivek - I'd love to see you set up a forum here so people could chat and share ideas. I know there are other forums for this kind of thing, but this portal is friendly with nobody attacking one another - it is a unique and friendly place to be. It would be ace if you could provide that with a 'ask Vivek' section that could form a FAQ on general security issues.
Thanks again for all the fun!
The next challenge has been posted: Know Thy Packets:
http://www.securitytube.net/video/1862 All the best!
I will try my best to get some forums up by June! :) Regarding Python programming here are 2 great links:
MIT: http://www.securitytube.net/video/610
Offensive Python for Web Hackers: http://www.securitytube.net/video/1142
Enjoy!
I admit I was not successful in solving this challenge which reminded me of an important lesson in pentesting: know your tools.
I went about the test differently than Vivek's solution by using a different tool: WepAttack (http://wepattack.sourceforge.net/). WepAttack is a dictionary attack implementation against WEP networks and hasn't seen any maintenance since 2002 but remains a useful tool. In this particular situation, the challenge does not have the "4 IV minimum" requirement that Aircrack-ng demands while implementing the offline dictionary attack. Reading from a dictionary word list, WepAttack uses each word to compute 4 potential keys: 40-bit key, 104-bit key, 40-bit Neesus Datacom key and 104-bit Neesus Datacom key.
WepAttack has a small problem in the Makefile which prevents you from building it properly. Downloading the source and compiling will result in this error:
root@bt:~# wget -q http://bit.ly/kbPPrA
root@bt:~# tar xfz WepAttack-0.1.3.tar.gz
root@bt:~# cd WepAttack-0.1.3
root@bt:~/WepAttack-0.1.3# make
[output trimmed]
gcc: log.omodes.o: No such file or directory
make: *** [wepattack] Error 1
See the log.omodes.o? That's from a missing space in the Makefile. Open the Makefile, jump to line 24 and add a space after "log.o" before the backslash, save and exit, then build using "make".
root@bt:~/WepAttack-0.1.3/src# ./wepattack
WEPATTACK by Dominik Blunk and Alain Girardet - Version 0.1.3
usage: wepattack -f dumpfile [-w wordfile] [-m mode] [-n network]
-f dumpfile network dumpfile to read
(in PCAP format as TCPDUMP or ETHEREAL uses)
-w wordlist wordlist to use (default: stdin)
-m mode run wepattack in diffente modes (default: all)
values: 64, 128, n64, n128
-n network network number to attack
-? Shows this help
Since WepAttack is an old tool, it doesn't include support for the RadioTap libpcap capture type. As I posted earlier, we can easily strip out this header for the interesting packet in the challenge capture using Scapy:
root@bt:~# scapy
INFO: Can't import PyX. Won't be able to use psdump() or pdfdump().
WARNING: No route found for IPv6 destination :: (no default route?)
Welcome to Scapy (2.1.0)
>>> p = rdpcap("Challenge-1-Easy")
>>> wrpcap("out.dump", p[2].payload,105)
>>>
Now, "out.dump" will work with WepAttack to implement our wordlist attack.
This is where I went wrong. Vivek told us all that we needed for the challenge was on Backtrack 4, and I knew the wordlists were in /pentest/passwords/wordlists. I used WepAttack with the out.dump capture and each wordlist as shown:
root@bt:~# WepAttack-0.1.3/src/wepattack -f out.dump -w /pentest/passwords/wordlists/darkc0de.lst
Extraction of necessary data was successfull!
Founded BSSID:
1) 00 21 91 D2 8E 25 / Key 0
1 network loaded...
Accepting wordlist data...
key no. 10000: 1 ADELINDE
key no. 20000: 1 GREVENKAMP
But, after exhausting the wordlist, it did not recover the password entry.
What I forgot was that, as far as password lists go, the darkc0de.lst file is pretty crappy. Filled with garbage and a mix of Windows and Unix formatted lines, you shouldn't rely on it without filtering out the non-printable characters and making the formatting consistent. Vivek's Python code did a great job of doing this.
Which brings me to my point: know your tools. I know how WepAttack works, but I relied on password files from Backtrack 4 which I did not know. Had I brought the capture file to my own Linux pentest box and used my personal "~/dict/wordlist" file, I would have gotten the right password and all would have been well. Sadly, I got hung up on the files on Backtrack, and didn't complete the challenge.
So, thanks Vivek, for the interesting challenge, and for reminding me to rely on what I know works on pentests. If you are relying on tools that you aren't 100% sure about, how will you know the difference between a non-vulnerable system and a tool failure?
-Josh
Josh,
Thanks for the excellent explanation!
WepAttack is an awesome tool and it's sad that it and many others are no longer actively maintained. As you've shown, one could have used it over airdecap-ng as it supports wordlists by default. I am sure almost all of us overlooked this tool as a possible weapon in our arsenal.
The darkc0de.lst file is a royal pain! The reason I added the final twist is that in one pentest my dictionary attack failed miserably because of the non-printable characters in the file :) I knew people would take the file for granted and not do a quick sanity check. I had made the same mistake a while back.
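The wordlist sanity check and per-word key derivation that Josh and Vivek describe above, as an added example (not Vivek's Python or WepAttack's code): it normalizes mixed CRLF/LF endings, drops entries containing non-printable or non-ASCII bytes, and turns each surviving word into the colon-free hex keys airdecap-ng -w expects, using the 40-bit ASCII mapping (a 5-character word is the key) and the common 104-bit MD5 generator. The two Neesus Datacom generators are left out, and the sample wordlist is constructed inline.

```python
import hashlib
import string

# Constructed sample of the kind of mess found in a list like darkc0de.lst:
# mixed CRLF/LF line endings, an embedded control byte, a Latin-1 byte, duplicates.
SAMPLE_WORDLIST = (
    b"password\r\n"
    b"ADELINDE\n"
    b"tu\x01des\n"          # control character inside the word: not a usable passphrase
    b"caf\xe9\n"            # non-ASCII byte: encoding is ambiguous, skip it
    b"tudes\r\n"
    b"tudes\n"              # duplicate once the CR is normalised away
    b"securitytube1\n"
)

# Printable ASCII minus the whitespace characters that are never part of a passphrase line.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def sanitize_wordlist(raw: bytes):
    """Yield unique, printable-ASCII words from a raw wordlist blob, in file order.

    Windows (CRLF) and Unix (LF) endings are both handled; blank lines, lines with
    non-ASCII or control bytes, and exact duplicates are dropped.
    """
    seen = set()
    for line in raw.replace(b"\r\n", b"\n").replace(b"\r", b"\n").split(b"\n"):
        try:
            word = line.decode("ascii")
        except UnicodeDecodeError:
            continue
        if not word or any(ch not in PRINTABLE for ch in word) or word in seen:
            continue
        seen.add(word)
        yield word


def wep40_ascii_key(word: str):
    """40-bit key used directly: a 5-character ASCII passphrase is the key bytes themselves."""
    if len(word) != 5:
        return None
    return word.encode("ascii").hex()


def wep104_md5_key(word: str):
    """104-bit key from the common MD5 generator: repeat the passphrase to fill 64 bytes,
    MD5 the buffer, keep the first 13 bytes."""
    data = word.encode("ascii")
    if not data:
        return None
    padded = (data * (64 // len(data) + 1))[:64]
    return hashlib.md5(padded).digest()[:13].hex()


def candidate_keys(raw: bytes):
    """Map each sanitized word to its candidate keys, 40-bit first when the word allows it."""
    out = {}
    for word in sanitize_wordlist(raw):
        keys = [wep104_md5_key(word)]
        k40 = wep40_ascii_key(word)
        if k40:
            keys.insert(0, k40)
        out[word] = keys
    return out


if __name__ == "__main__":
    for word, keys in candidate_keys(SAMPLE_WORDLIST).items():
        print(f"{word:15s} {' '.join(keys)}")
```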
Part 33: Cracking PEAP with Asleap is online now!
http://www.securitytube.net/video/2039
Look forward to your comments!
Dear Friends,
We have finally launched our own certification courses:
Here is the intro video to SecurityTube Certifications:
http://www.securitytube.net/video/2255
Also, launch video for SecurityTube Wi-Fi Security Expert (SWSE) Certification:
http://www.securitytube.net/video/2256
Look forward to hearing from you all!
Vivek
When I first saw this I thought of 2 solutions, both based on bruteforce..
1st:
My first thought was to take the data of the authentication response, XOR it with the authentication request and find the 128-byte keystream for the IV "0x3a6f63". After that I could take the IV, add a random 5-byte password and then generate a new 128-byte keystream; if my new keystream was equal to the old one, then my random 5-byte password is the real password which our teacher used :) And that's what I tried with my code (http://pastebin.com/SDRXgMws), but it doesn't seem to work :/ I saw the solution video and it seems that the real pass is "tudes", but still my code doesn't work.. I would be grateful if someone could review my code. I think that my mistake is in the way of reading the random bytes from file, but I tried to use a string defined with iv/pass (it's called password and it's in comment tags) and still my keystream doesn't match..
2nd:
Just take the IV of the encrypted packet 0xc9b15f and add a random 40-bit key so the result would be the hex key "0xc9b15f0r0a0n0d0m" while the random pass is "0x0r0a0n0d0m", generate an RC4 keystream and then XOR it with the encrypted data of the packet; the result will be a (hopefully) unencrypted data packet and an unencrypted ICV. After that we must use the CRC32 algo to create a new ICV; if the new ICV is equal to the old one, then we have the right key :) Code (http://pastebin.com/3qy2HX4Z). Unfortunately the 2nd code doesn't work either.. (the crc32 functions in the 2nd code aren't written by me)
Sorry for double posting, but I don't know how to edit my post :P The second, correct code is here: http://pastebin.com/sUS6Qref
I may name these 2 source codes "airuseless" :P
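The two checks the post above describes, as an added example that is not the poster's pastebin code: WEP's RC4 encryption with a CRC-32 ICV, the ICV comparison that a dictionary tool uses to tell a right key from a wrong one, and the shared-key authentication flaw where XORing the plaintext challenge with the encrypted response gives the keystream for that IV. The key is the one the solution video names and the two IVs are the ones quoted in the post; the challenge text, the ARP payload and the IV-reusing frame are constructed here.

```python
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA) then the output generator (PRGA).
    WEP seeds it with the 3-byte IV followed by the secret key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, sent little-endian."""
    return (zlib.crc32(data) & 0xFFFFFFFF).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as sent on the air: IV || key-index byte (0) || RC4(plaintext || ICV)."""
    body = plaintext + icv(plaintext)
    return iv + b"\x00" + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, body: bytes):
    """The per-candidate test a dictionary tool runs: decrypt under IV || key and accept
    only if the trailing ICV equals the CRC-32 of what came out. Plaintext or None."""
    iv, cipher = body[:3], body[4:]
    plain = xor(cipher, rc4_keystream(iv + key, len(cipher)))
    data, tag = plain[:-4], plain[-4:]
    return data if icv(data) == tag else None


def keystream_from_auth(challenge: bytes, response_body: bytes) -> bytes:
    """Shared-key auth leak: the AP sends the challenge in the clear and the client returns
    it WEP-encrypted, so challenge || ICV XOR ciphertext is the keystream for that IV."""
    return xor(challenge + icv(challenge), response_body[4:])


def wordlist_search(body: bytes, words):
    """Return the first 5-character word whose ASCII bytes decrypt `body` with a valid ICV."""
    for w in words:
        if len(w) == 5 and wep_decrypt(w.encode(), body) is not None:
            return w
    return None


def decrypt_with_leaked_keystream(challenge, response_body, other_body):
    """No key needed: a frame that reuses the auth IV decrypts under the leaked keystream."""
    if other_body[:3] != response_body[:3]:
        return None
    ks = keystream_from_auth(challenge, response_body)
    return xor(other_body[4:], ks)[:-4]


# Constructed sample values (key and IVs as quoted on this page, the rest made up here).
KEY = b"tudes"
AUTH_IV = bytes.fromhex("3a6f63")
DATA_IV = bytes.fromhex("c9b15f")
CHALLENGE = bytes(range(128))                                 # stand-in 128-byte challenge
ARP_PLAINTEXT = bytes.fromhex("aaaa030000000806") + b"constructed ARP request body"
AUTH_RESPONSE = wep_encrypt(KEY, AUTH_IV, CHALLENGE)          # client -> AP, encrypted
DATA_FRAME = wep_encrypt(KEY, DATA_IV, ARP_PLAINTEXT)         # the lone data packet
REUSED_IV_FRAME = wep_encrypt(KEY, AUTH_IV, ARP_PLAINTEXT)    # same IV as the auth frame

if __name__ == "__main__":
    print("wrong key passes ICV?", wep_decrypt(b"wrong", DATA_FRAME) is not None)
    print("found:", wordlist_search(DATA_FRAME, ["password", "stupid", "tudes"]))
    print(decrypt_with_leaked_keystream(CHALLENGE, AUTH_RESPONSE, REUSED_IV_FRAME))
```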