[kismac] Re: TKIP

  • From: Chris Weiss <chris.weiss@xxxxxxxxx>
  • To: kismac@xxxxxxxxxxxxx
  • Date: Wed, 19 May 2004 16:20:25 -0700

Priceless.. I can only imagine what the laundry list of hacks looks
like at events like DefCon and such.

On Wed, 19 May 2004 14:36:53 -0700, Joseph W. Sullivan <sullivan@xxxxxxx> wrote:
> 
> Thought the group might be interested in this.
> 
> From: Paul Kedrosky <pkedrosky@xxxxxxxxxxx>
> Date: May 16, 2004 9:21:41 AM PDT
> To: dave@xxxxxxxxxx
> Subject: for IP: And a Mac Sniffer in a Pear Tree ...
> 
> The following is a laundry list of just some of the wireless network attacks
> and shenanigans that went on at this week's Networld + Interop trade show in
> Las Vegas. It is from an AirDefense press release
> (http://www.airdefense.net/newsandpress/05_13_04.shtm):
> 
> - 189 separate attacks on different devices
> - 112 separate MAC spoofing attacks
> - 89 Denial of Service attacks
> - 42 authentication attacks, likely due to brute force attacks or
> misconfigured clients
> - 20 separate AirSnarf attacks
> - 4 separate Hotspotter attacks
> - 3 large Ad-Hoc mesh networks were re-established on day two with an
> average of 10 stations connected.
> - Another association was made with the Sear Service Toolbox (SST-PR-1)
> and the network was attacked twice
> - One Virtual Routing Redundancy Protocol (VRRP) attack, a routing tool
> attack to redirect traffic
> - 165 BlueJack attacks
> - 12 Blue Snarf attacks
> 
> 
> 
> On May 19, 2004, at 10:16 AM, j.cooper1@xxxxxxxxxxx wrote:
> 
> > I found a network that happened to be a Hidden SSID with WEP enabled..
> > I know this was talked about recently.  Anyway, after about 5 hours
> > and 90k in packs I got the SSID.  Though it could have been because of
> > what I will talk about next..
> >
> > A strange thing happened during this time.  I had the console opened
> > at this time and the console showed these messages..
> >
> > 2004-05-17 13:44:19.239 KisMAC[326] WARNING!!! Received a Probe flood
> > from 00:0B:BE:B2:6D:77.  This usually means this computer uses a cheap
> > stumbler such as uStumbler, Macstumbler, or NetStumbler
> > 2004-05-17 13:45:16.429 KisMAC[326] ATTENTION Received a
> > De-authentication frame. You might want to check for other WiFi
> > people.
> > 2004-05-17 13:45:17.321 KisMAC[326] Detected WPA response for
> > 0C:0B:BE:B2:6D:77
> >
> > The MAC address showed up while scanning as <no ssid>, and a probe.  I
> > am assuming this is the wardriver, right?
> >
> > Does this mean KisMAC detects attacks by other wardrivers?  If so,
> > what other attacks can KisMAC detect?
> >
> > The last message about WPA, does anyone know what this is?
> >
> > one last thing..
> >
> > Now to my real question..  So now I have been scanning for about 15
> > hours over three days, and have collected 350k packets 43k in data
> > packets and 12k Weak IVs.
> >
> > I try and run every attack on it and nothing seems to work.
> >
> > KisMAC didn't show who the vendor was, but ethereal did, and it
> > happened to be Cisco. So I went to Cisco's web site and read about their
> > wireless routers.  Cisco has this thing called TKIP.
> >
> > TKIP is:
> > TKIP (Temporal Key Integrity Protocol, also known as WEP key
> > hashing)-This feature defends against an attack on WEP in which the
> > intruder uses the unencrypted initialization vector (IV) in encrypted
> > packets to calculate the WEP key. TKIP removes the predictability that
> > an intruder relies on to determine the WEP key by exploiting IVs.
> >
> > Could this be the reason why I can crack the WEP?  You would think
> > there would be no WeakIV packets if it was turned on right? Do I just
> > need to collect more WeakIV packets?  Any ideas on how to get more
> > info about what type of "encryption" is used or if it is standard WEP?
> >
> > Jeff
> >
> >
>
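
On the question at the end of the quoted post (how to tell whether a network uses standard WEP or TKIP, and whether weak IVs would still appear), here is an added example that is not part of the thread or of KisMAC. It assumes the standard 802.11i/WPA header layout at the start of a protected frame body, a 104-bit WEP key, and that "weak IV" means the classic FMS pattern (A+3, 0xFF, X); a vendor's pre-standard key-hashing mode may not follow this layout. All frame bytes are constructed samples.

```python
# Added example (not from the thread): tell static WEP from standard TKIP/CCMP
# using the cleartext header at the start of a protected 802.11 frame body.
FMS_KEY_LEN = 13  # assumption: 104-bit WEP key, so key bytes 0..12


def tkip_header(tsc: int, key_id: int = 0) -> bytes:
    """Build the 8-byte TKIP header for a 48-bit sequence counter (TSC)."""
    t = tsc.to_bytes(6, "little")                 # t[0] = TSC0 ... t[5] = TSC5
    wep_seed = (t[1] | 0x20) & 0x7F               # forced bits avoid known weak keys
    key_octet = 0x20 | ((key_id & 0x03) << 6)     # ExtIV bit set + key ID
    return bytes([t[1], wep_seed, t[0], key_octet, t[2], t[3], t[4], t[5]])


def is_fms_weak_iv(iv: bytes, key_len: int = FMS_KEY_LEN) -> bool:
    """Classic FMS pattern (A+3, 0xFF, X) for some key byte index A."""
    return len(iv) >= 3 and iv[1] == 0xFF and 3 <= iv[0] < 3 + key_len


def classify(body: bytes) -> str:
    """Heuristic: 'WEP', 'TKIP', 'CCMP' or 'unknown' from the frame body start."""
    if len(body) < 4:
        return "unknown"
    if not body[3] & 0x20:                        # ExtIV clear: 4-byte WEP header
        return "WEP"
    if len(body) < 8:
        return "unknown"
    if body[1] == (body[0] | 0x20) & 0x7F:        # WEPSeed derived from TSC1
        return "TKIP"
    if body[2] == 0:                              # CCMP keeps this octet reserved
        return "CCMP"
    return "unknown"


def tkip_can_emit_fms_weak_iv() -> bool:
    """Check every TSC1/TSC0 pair: can the first three octets look FMS-weak?"""
    return any(is_fms_weak_iv(tkip_header(tsc)[:3]) for tsc in range(1 << 16))


if __name__ == "__main__":
    wep = bytes.fromhex("03ff2a00") + b"\x00" * 8     # constructed WEP frame body
    tkip = tkip_header(0x000000012345) + b"\x00" * 8  # constructed TKIP frame body
    print(classify(wep), is_fms_weak_iv(wep[:3]))
    print(classify(tkip), tkip_can_emit_fms_weak_iv())
```

The TKIP/CCMP split is a heuristic, since a CCMP packet number can coincidentally satisfy the WEPSeed relation; the ExtIV bit is the reliable WEP-versus-extended-header signal.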
