[kismac] Re: password hash

  • From: Johnny Cache <johnycsh@xxxxxxxx>
  • To: kismac@xxxxxxxxxxxxx
  • Date: Sun, 4 Jun 2006 12:59:06 -0500 (CDT)

It goes like this.

wepkey = nessus_datacom_hash(plaintext_password)

the reason you could break the key so easily is that the
nessus_datacom_hash is rediculously designed and doesnt deserve
to be called a hash at all. the hash has an output space of 21 bits, which
can be trivially brute forced.

If you really want to recover the plaintext password instead of
bruteforcing the 21 bit hash space there are tools available to do it.
one is wep_crack included in wep_tools by tim nesham, though there are
other programs that implement this.

The thing is, even if you run a plaintext password through the algorithm
and get the correct WEP key out, you don't know if it was the -correct-
plaintext password. The whole reason this algorithm is so bad is the
rediculous number of collisions.


On Wed, 31 May 2006, Patrick Cudahy wrote:

> I'm not sure what the plaintext / hex relationship is in WEP, but it
> was a WEP secured router that I cracked with Newsham's and KisMAC
> spit out 5 hex values. I went to connect with airport and put in
> those values and it let me in. I was just wondering if there was
> anyway to get from those hex digits to what the "real" password is.
> -Patrick Cudahy
> On May 30, 2006, at 11:40 PM, themacuser wrote:
> > Or the network key could have just been a hex key? Or it was hashed
> > down from an ASCII value?
> >
> > Anyway, you can just type the hex into the password field of the
> > airport join screen with 0x in front of it
> > 0x1234567890
> >
> > On 31/05/2006, at 9:39 AM, J.T. Thompson wrote:
> >
> >>
> >> what did you exactly crack? a wep password? chances are thats the
> >> password to the network you cracked.. is it like 10 letters long?
> >> wep passwords are normaly 10char long..
> >>
> >
> >

Other related posts: