[kismac] Wordlists, 104-bit Keys and other questions

  • From: Darren Barnes <dazzyb@xxxxxxxxxxx>
  • To: kismac@xxxxxxxxxxxxx
  • Date: Sat, 28 Feb 2004 10:37:46 -0800

Hi again,

So now I know that getting 0 weak keys is perfectly normal I have another couple of questions. Basically I am trying to prove to my Neighbor that WEP is insecure - however I haven't been able to crack his network so I am not really proving my point very well and he is getting smugger by the day!

So anyway here are a few questions I have:

1. I understand that the wordlist attacks are a powerful and fast way to get the key but one must have a good wordlist to start with. Where are you getting your wordlists? I did see that there is a 500MB password specific one available on a CD from the openwall collection - but you have to pay for it. If I am going to pay money to educate my neighbor I am going to make sure I get the best wordlist out there - just incase. Any recommendations?

2. When a wordlist attack fails, the message that comes up says:

The key could not have been recovered. Possible reasons are: 1. The key was not a 40-bit key. 2. The crypto algorithm is not WEP. 3. Advanced Features like LEAP are activated.

This seems to be a generic message whenever ANY crack attempt fails BUT I want to check that the message "The key was not a 40-bit key" is not valid when using wordlist attacks i.e. wordlist attacks can crack 40-bit or 104-bit depending on which option you choose. Am I wrong? If so, how does one crack a 104-bit WEP network since you cannot bruteforce it and it's not giving me any weak keys.

3. Does the wordlist attack do anything special with the words or does it try an exact match only? I.e. if the wordlist has just the word Eric would it try any of the following:

Eric, eric, ERIC, eRic, eRIC, etc.

then theres number replacement options too i.e.: 3ric. 3RIC, 3r1c, 3R1C, etc.

I am assuming based on the speed with which the wordlist attack goes through words that it is just trying an exact match so if you want all the options above, you have to ensure they are in the file. If I am wrong, I congratulate you on writing very very fast code.

4. Since I know that his network doesn't generate weak keys, I just want to check that Packet Reinjection is of no use to me since a greater number of data packets doesn't help once you have enough to run the wordlist attacks.

5. Anyone with a G5 able to comment on how long the Bruteforce - all chars crack takes?

Thanks all.


Other related posts: