RE: V/Scan for Wireless LANs

From: Morgan, Andy (Andy.Morganat_private)
Date: Fri Jul 18 2003 - 09:51:26 PDT

    Ian,
     
    There are some tools that will work to try to find a WEP key but they require a lot of data and time.  They exploit known vulnerabilities in the WEP algorithm to find the keys.  However it could take as much as 500 meg of data.  I don't have the links handy.  Sorry.
     
    As far as brute forcing: OK idea, but not very doable.  To iterate through all combinations would be 2^128 possibilities, which gets you to about 3.4028236692093846346337460743177e+38 possible combinations.  If you assumed you could do 1 per second - which would be tough if you wait for DHCP to respond - it would take you 10790283070806014188970529154990 years to get through all the combinations.  That's a long time.  :)  If somebody could check my math that would be great.
     
    Thanks,
    afm
    
    	-----Original Message----- 
    	From: Ian Chilvers [mailto:Ian.Chilversat_private] 
    	Sent: Fri 7/18/2003 7:18 AM 
    	To: pen-testat_private 
    	Cc: 
    	Subject: V/Scan for Wireless LANs
    	
    	
    
    	Hi all
    	
    	We've been asked to perform a vulnerability assessment for a company that
    	has a Wireless LAN.  The W/LAN is running WEP with a random key generated,
    	rather than a dictionary word.
    	
    	Are there any tools out there that can brute force a WEP?
    	
    	Take this example.  A person parks the car in the car park and sniffs the
    	air waves with a product like NetStumbler.  He discovers the W/LAN but with
    	WEP.
    	
    	Is there a tool he can use to discover the WEP key (possibly by brute force)?
    	
    	If there isn't such a tool, how does this sound for an idea?
    	
    	Run an app that starts at binary 0's and counts up to 128 bits of 1's.
    	For each sequence listen to see if there are any sensible packets or even
    	send out a DHCP discover request to see if you get a reply.  This would then
    	possibly give you the WEP key.
    	
    	Any comments?
    	
    	Ian....
    	
    	
    	
    	
    	
    
    



    This archive was generated by hypermail 2b30 : Fri Jul 18 2003 - 10:27:15 PDT