You're the man Josh! Thanks for the advice!

Cheers,
Matt

On 10/22/10 1:04 PM, Joshua Wright wrote:
> On 10/21/2010 10:23 PM, Matt Neely wrote:
>> Anyone have any advice on attacking a WEP network using 802.1X
>> authentication? From reviewing a packet capture it appears like the
>> network is specifically using PEAP. For PEAP I'd usually use OpenRADIUS
>> with the WPE patch and a fake AP. But the AP I have on hand does not
>> support enterprise authentication with WEP.
>>
>> Any thoughts, advice or pointers?
>
> Standard WEP cracking still applies, but you have to limit your packet
> capture to one AP<->STA connection (wlan.addr eq [clientmac]) and within
> one login session (look for unencrypted EAP frames to identify
> reauthentication exchanges).
>
> Despite being called "dynamic WEP", keys are not dynamically rotated, so
> as long as the user is connected to the AP you can collect packets and
> use them with aircrack-ng to recover the WEP key. From there, you can't
> connect to the network easily, but you can decrypt all the traffic with
> airdecap-ng or Wireshark.
>
> Also, consider using the Aireplay-ng chopchop attack to decrypt some
> traffic, then use the keystream (.xor file) data with airtun-ng to
> inject some packets of your own (one-way injection only).
>
> -Josh
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
