[kismac] Re: weak IVs
- From: Brad Knowles <brad.knowles@xxxxxxxxx>
- To: kismac@xxxxxxxxxxxxx
- Date: Mon, 12 Jul 2004 16:50:38 +0200
At 4:28 PM +0200 2004-07-12, Lasse Jespersen wrote:
> Thanks for this information.. I already saw weplab, but I haven't used
> it yet. I understand you generated a lot of traffic to get this many
> packets? I generated only some 8000 in about 24 hours.
Are these just the weak IVs, or all packets in total? IVs are
rotated frequently enough that I'd be surprised if a totally idle
network didn't generate more than 8000 packets in a 24-hour period of
time.
> At that rate, it would take me 6 months, and I don't have any means of
> generating traffic on the network.
There's lots of ways to cause traffic to be generated, even if
you're not on the network in question.
You could generate de-authenticate packets for spoofed MAC
addresses, which would force the client to re-authenticate. If the
AP is not closed to unknown MACs, you could do this for randomly
generated MACs instead of the real ones you see (less chance of
people noticing that they're getting knocked off the network
frequently). If the AP is publicly visible, all you have to do is
generate probe packets, which could come from spoofed addresses
(making it less likely that they'd be able to be traced back to you).
Your worst case scenario is if the AP is not advertised, closed
to unknown MACs, and WPA/802.11x protected (as opposed to plain WEP),
in which case you have to spoof the MACs that you see. Even then,
you could inject random garbage from those MACs, and you should see
lots of reply packets from the AP(s) in question.
The problem with generating active traffic versus doing pure
passive sniffing is that they might have wireless network monitoring
systems that could detect your radio transmission fingerprint (thus
identifying the manufacturer of your chipset and perhaps the specific
version of the chipset and possibly the firmware version, which might
tell them what brand, model and serial number range you have for your
equipment), and could potentially triangulate your position
based on the time delay and signal strength seen by multiple
monitoring stations (the same way that mobile phone networks locate
your position).
--
Brad Knowles, <brad.knowles@xxxxxxxxx>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
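As an added, defender-side illustration of the wireless monitoring Brad mentions at the end (example code written for this page, not from the thread or from KisMAC): a minimal detector that flags the pattern described above, a burst of deauth/disassoc frames against one BSSID, especially when the frames claim many distinct source addresses. The frame records, thresholds and MAC addresses are all constructed for the demo.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class Frame:
    ts: float       # capture timestamp in seconds
    subtype: str    # "deauth", "disassoc", "probe_req", "data", ...
    src: str        # address the frame claims to come from (spoofable)
    bssid: str      # access point the frame targets

def deauth_alerts(frames, window=10.0, rate_threshold=20, spoof_threshold=8):
    """Scan deauth/disassoc frames per BSSID with a sliding time window.
    Alert when a window holds too many such frames, or when they claim
    too many distinct source addresses (the 'random MAC' pattern).
    Returns one (bssid, window_start, frame_count, distinct_sources)
    tuple per BSSID that crosses a threshold. Thresholds are assumed values."""
    alerts = []
    by_bssid = defaultdict(list)
    for f in frames:
        if f.subtype in ("deauth", "disassoc"):
            by_bssid[f.bssid].append(f)
    for bssid, fs in by_bssid.items():
        fs.sort(key=lambda f: f.ts)
        start = 0
        for end in range(len(fs)):
            while fs[end].ts - fs[start].ts > window:
                start += 1
            bucket = fs[start:end + 1]
            sources = {f.src for f in bucket}
            if len(bucket) >= rate_threshold or len(sources) >= spoof_threshold:
                alerts.append((bssid, fs[start].ts, len(bucket), len(sources)))
                break   # one alert per BSSID is enough for this demo
    return alerts

def constructed_sample():
    """Constructed capture, not real data: a quiet AP where one client
    leaves roughly hourly, and a second AP hit by a burst of deauths
    that each claim a different, never-seen station address."""
    frames = []
    for hour in range(24):
        frames.append(Frame(hour * 3600.0, "deauth", "aa:bb:cc:00:00:01", "00:11:22:33:44:55"))
    for i in range(30):
        frames.append(Frame(50000.0 + i * 0.15, "deauth", f"02:00:00:00:00:{i:02x}", "66:77:88:99:aa:bb"))
    return frames

if __name__ == "__main__":
    for bssid, t0, n, distinct in deauth_alerts(constructed_sample()):
        print(f"ALERT bssid={bssid} t={t0:.1f}s deauths={n} distinct_sources={distinct}")
```

The hourly deauths on the quiet AP never fill a window, while the burst trips the distinct-source threshold after eight frames; in practice the window and thresholds would be tuned to the baseline of the network being watched.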