[kismac] Re: weak IVs

  • From: Brad Knowles <brad.knowles@xxxxxxxxx>
  • To: kismac@xxxxxxxxxxxxx
  • Date: Mon, 12 Jul 2004 16:50:38 +0200

At 4:28 PM +0200 2004-07-12, Lasse Jespersen wrote:

 Thanks for this information. I already saw weplab, but I haven't used
 it yet. I understand you generated a lot of traffic to get this many
 packets? I generated only some 8000 in about 24 hours.

Are these just the weak IVs, or all packets in total? IVs are rotated frequently enough that I'd be surprised if a totally idle network didn't generate more than 8000 packets in a 24-hour period of time.

 At that rate, it would take me 6 months, and I don't have any means of
 generating traffic on the network.

There are lots of ways to cause traffic to be generated, even if you're not on the network in question.

You could generate de-authenticate packets for spoofed MAC addresses, which would force the client to re-authenticate. If the AP is not closed to unknown MACs, you could do this for randomly generated MACs instead of the real ones you see (less chance of people noticing that they're getting knocked off the network frequently). If the AP is publicly visible, all you have to do is generate probe packets, which could come from spoofed addresses (making it less likely that they'd be able to be traced back to you).

Your worst case scenario is if the AP is not advertised, closed to unknown MACs, and WPA/802.11x protected (as opposed to plain WEP), in which case you have to spoof the MACs that you see. Even then, you could inject random garbage from those MACs, and you should see lots of reply packets from the AP(s) in question.

The problem with generating active traffic versus doing pure passive sniffing is that they might have wireless network monitoring systems that could detect your radio transmission fingerprint (thus identifying the manufacturer of your chipset and perhaps the specific version of the chipset and possibly the firmware version, which might tell them what brand, model and serial number range you have for your equipment), and could potentially triangulate your position based on the time delay and signal strength seen by multiple monitoring stations (the same way that mobile phone networks locate your position).

Brad Knowles, <brad.knowles@xxxxxxxxx>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

    -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
    Assembly to the Governor, November 11, 1755

  SAGE member since 1995.  See <http://www.sage.org/> for more info.
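As an added, monitoring-side example (not part of Brad's reply or of KisMAC), here is a small detector for the two de-authentication patterns the reply describes: one station being knocked off repeatedly, and a burst of deauths from many distinct (random-looking) source MACs. It assumes frame records of the form (timestamp, frame type, source MAC), constructed inline; the thresholds are assumptions, not values from the post.

```python
# Added example, not from the original post. Detects the deauth patterns
# a wireless monitoring system would want to flag. Frame records are
# (timestamp_seconds, frame_type, source_mac); a real monitor would build
# them from captured 802.11 management frames.
from collections import defaultdict, deque

WINDOW_SEC = 10.0       # assumed sliding window length
DEAUTH_PER_SRC = 5      # assumed: deauths from one source within the window
DISTINCT_SRCS = 10      # assumed: distinct deauth sources within the window


def detect_deauth_floods(frames, window=WINDOW_SEC,
                         per_src=DEAUTH_PER_SRC, distinct=DISTINCT_SRCS):
    """Return a list of (timestamp, reason) alerts, one per pattern seen."""
    per_src_times = defaultdict(deque)   # src -> timestamps of its recent deauths
    recent = deque()                     # (ts, src) of all recent deauths
    alerts, flagged_srcs, many_flagged = [], set(), False
    for ts, ftype, src in sorted(frames):
        if ftype != "deauth":
            continue
        q = per_src_times[src]
        q.append(ts)
        while q and ts - q[0] > window:       # drop deauths older than the window
            q.popleft()
        recent.append((ts, src))
        while recent and ts - recent[0][0] > window:
            recent.popleft()
        if len(q) >= per_src and src not in flagged_srcs:
            flagged_srcs.add(src)
            alerts.append((ts, f"{len(q)} deauths from {src} within {window:.0f}s"))
        n_src = len({s for _, s in recent})
        if n_src >= distinct and not many_flagged:
            many_flagged = True
            alerts.append((ts, f"{n_src} distinct deauth sources within {window:.0f}s"))
    return alerts


def sample_frames():
    """Constructed capture: steady data traffic, one source sending six
    deauths a second apart, then ten deauths from ten different MACs."""
    frames = [(float(t), "data", "00:11:22:33:44:55") for t in range(60)]
    frames += [(20.0 + i, "deauth", "aa:bb:cc:dd:ee:01") for i in range(6)]
    frames += [(40.0 + i * 0.5, "deauth", f"02:00:00:00:00:{i:02x}") for i in range(10)]
    return frames


if __name__ == "__main__":
    for ts, reason in detect_deauth_floods(sample_frames()):
        print(f"t={ts:6.1f}s  {reason}")
```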
