[kismac] Re: WPA Data Packets

  • From: Erik Winkler <ewinkler@xxxxxxxxx>
  • To: kismac@xxxxxxxxxxxxx
  • Date: Fri, 16 Jun 2006 09:40:42 -0400

Actually, you can use the passphase to decrypt captured packets using airdecap-ng (part of the aircrack-ng suite) as I did with a test capture from my home network.

airdecap-ng -e 'the ssid' -p passphrase  tkip.cap
Total number of packets read           258
Total number of WEP data packets         0
Total number of WPA data packets        72
Number of plaintext data packets         0
Number of decrypted WEP  packets         0
Number of decrypted WPA  packets        43


On Jun 15, 2006, at 7:06 PM, Robin L Darroch wrote:

The good thing about WPA is that it appears not to have the kind of weaknesses that WEP has: a thousand authentication handshake packets will not make it any easier to crack than just one, and if the passphrase (verbatim) isn't in the dictionary file, then you won't crack it.

Use a passphrase like:

"Hello, my name is Steve and if you want to use my network without asking, you can BUGGER 0FF!!"

... and essentially there's no way (currently known) of breaking in unauthorised. This may change if we ever get genuine light-based computing (some theories suggest that quantum effects may allow for phenomenally fast cracking of existing encryption algorithms), but I think you're pretty safe for the time being.

What's more, even if the key is ever cracked, you can't use it to go back and decrypt packets captured earlier from that network, because it's only the initial layer of encryption rather than the only one.

So once you were able to get that was a dictionary attack successful?

I have collected over 1500 data packets yet kismac still says I need more?


On Jun 14, 2006, at 5:50 AM, Erik Winkler wrote:

For WPA dictionary attacks, you need to capture the authentication handshake between a valid client and the access point. I have done this for wireless assessments by sending a deauthentication packet targeted to the specific client BSSID. Once the client disconnects and reconnects to the AP, you have your WPA handshake.


On Jun 14, 2006, at 12:59 AM, Daren wrote:

So what is the min # of data packets before you can start a bruteforce wordlist attack?

PS has anyone successfully been able to break a wpa with a wordlist attack....using Kismac that is.


---------------------------------------------------------------------- ---
Robin L. Darroch - PO Box 2715, South Hedland WA 6722 - +61 421 503 966
robin@xxxxxxxxxxxxx - robin@xxxxxxxxxxx - robin@xxxxxxxxxxxxx

Other related posts: