[kismac] Re: TKIP

  • From: "Joseph W. Sullivan" <sullivan@xxxxxxx>
  • To: kismac@xxxxxxxxxxxxx
  • Date: Wed, 19 May 2004 14:36:53 -0700

Thought the group might be interested in this.

From: Paul Kedrosky <pkedrosky@xxxxxxxxxxx>
Date: May 16, 2004 9:21:41 AM PDT
To: dave@xxxxxxxxxx
Subject: for IP: And a Mac Sniffer in a Pear Tree ...

The following is a laundry list of just some of the wireless network attacks
and shenanigans that went on at this week's Networld + Interop trade show in
Las Vegas. It is from an AirDefense press release
(http://www.airdefense.net/newsandpress/05_13_04.shtm):

- 189 separate attacks on different devices
- 112 separate MAC spoofing attacks
- 89 Denial of Service attacks
- 42 authentication attacks, likely due to brute force attacks or
misconfigured clients
- 20 separate AirSnarf attacks
- 4 separate Hotspotter attacks
- 3 large Ad-Hoc mesh networks were re-established on day two with an
average of 10 stations connected.
- Another association was made with the Sear Service Toolbox (SST-PR-1) and
the - network was attacked twice
- One Virtual Routing Redundancy Protocol (VRRP) attack, a routing tool
attack to redirect traffic
- 165 BlueJack attacks
- 12 Blue Snarf attacks

On May 19, 2004, at 10:16 AM, j.cooper1@xxxxxxxxxxx wrote:

I found a network that happened to be a Hidden SSID with WEP enabled.. I know this was talked about recently. Anyway, after about 5 hours and 90k in packs I got the SSID. Though it could of been because of the what I will talk about next..

A strange thing happened during this time. I had the console opened at this time and the console showed these messages..

2004-05-17 13:44:19.239 KisMAC[326] WARNING!!! Received a Probe flood from 00:0B:BE:B2:6D:77. This usually means this computer uses a cheap stumbler such as uStumbler, Macstumbler, or NetStumbler
2004-05-17 13:45:16.429 KisMAC[326] ATTENTION Received a De-authentication frame. You might want to check for other WiFi people.
2004-05-17 13:45:17.321 KisMAC[326] Detected WPA response for 0C:0B:BE:B2:6D:77

The MAC address showed up while scanning as <no ssid>, and a probe. I am assuming this is the wardriver, right?

Does this mean KisMAC detectes attacks buy other Wardrivers? If so what other attacks can KisMAC detect?

The last message about WPA, do anyone know what this is?

one last thing..

Now to my real question.. So now I have been scanning for about 15 hours over three days, and have collected 350k packets 43k in data packets and 12k Weak IVs.

I try and run every attack on it and nothing seems to work

Kismac didn' show who the vender was, but ethereal did, and it happened to be Cisco. So I went to Ciscos web site read about there wireless routers. Cisco has this thing called TKIP.

TKIP is:
TKIP (Temporal Key Integrity Protocol, also known as WEP key hashing)-This feature defends against an attack on WEP in which the intruder uses the unencrypted initialization vector (IV) in encrypted packets to calculate the WEP key. TKIP removes the predictability that an intruder relies on to determine the WEP key by exploiting IVs.

Could this be the reason why I can crack the WEP? You would think there would be no WeakIV packets if it was turned on right? Do I just need to collect more WeajIV packets? Any Ideas on how to get more info about what type of "encryption" is used or If it is standerd WEP?

Jeff


Other related posts: