WEP cracking with Multiple Access points

  1. #1
    Junior Member
    Join Date
    Jun 2006
    Posts
    8

    WEP cracking with Multiple Access points

    I was thinking about setting up a wireless network with multiple access points, all using the same WEP key.

    My question is, would it be easier for an attacker using a program like Airsnort or Aircrack to get my WEP key if there are more Access Points sending IVs? Put another way, is it possible to clump together separate APs and process their IVs as one lot?

    I plan on monitoring the network for active attacks, however it's the passive ones I'm concerned about.

    Thanks for any help,
    Brett

  2. #2
    Junior Member
    Join Date
    May 2005
    Posts
    11
    Hi,

    I think Aircrack will crack each AP separately if they have different SSIDs.

    My advice is to change from WEP to WPA, because nowadays WEP is easily cracked.

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    More APs means less users per AP.. Hence less IVs..

    But it's moot anyway. Even with a few users your WEP key is easily cracked.

    "I plan on monitoring the network for active attacks, however it's the passive ones I'm concerned about."
    Indeed. There's no way to detect a passive wifi sniffer.

    I suggest using WPA instead of WEP and using a VPN tunnel for added protection.



    How do you plan to detect active attacks? What software would you be using?
    Remember that there are always attacks possible at the radio level. You'll have a hard time detecting those.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    Junior Member
    Join Date
    Jun 2006
    Posts
    8
    I haven't yet thought about what software I would be using; it shouldn't be too hard to write something to monitor for many deauthenticate packets in a short period of time.

    What I wanted to know was, say an attacker captures 100000 IVs from one Access point, 100000 from another, etc., would they add up to enough to get my WEP key? Or would the fact that they came from different access points mean that the attacker could only use 100000?

    I plan on using a VPN as well as this.
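
The deauthentication monitor mentioned in the post above could look like the following. This is an added example, not code from any poster: the frame tuples, BSSIDs, window and threshold are constructed assumptions, and a real capture would feed it parsed 802.11 management frames.

```python
from collections import defaultdict, deque

DEAUTH_SUBTYPE = 12  # 802.11 management frame subtype: deauthentication

def detect_deauth_bursts(frames, window=5.0, threshold=10):
    """Return [(bssid, burst_start, count)] for bursts of deauth frames.

    frames: time-ordered iterable of (timestamp_seconds, bssid, mgmt_subtype).
    Counting is per BSSID rather than per source MAC, because an injected
    frame carries a spoofed source and looks like one of your own stations.
    """
    recent = defaultdict(deque)   # bssid -> deauth timestamps inside the window
    alerting = set()              # BSSIDs already reported for the current burst
    alerts = []
    for ts, bssid, subtype in frames:
        if subtype != DEAUTH_SUBTYPE:
            continue
        q = recent[bssid]
        q.append(ts)
        while q and ts - q[0] > window:   # drop timestamps older than the window
            q.popleft()
        if len(q) >= threshold:
            if bssid not in alerting:     # report each burst once
                alerting.add(bssid)
                alerts.append((bssid, q[0], len(q)))
        else:
            alerting.discard(bssid)       # burst over, re-arm for this BSSID
    return alerts

# Constructed sample capture (locally administered, made-up BSSIDs).
BSSID_A, BSSID_B = "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE_FRAMES = sorted(
    [(1.0, BSSID_A, 12), (30.0, BSSID_A, 12)]                # isolated deauths
    + [(float(t), BSSID_A, 8) for t in range(0, 120, 10)]    # beacons, ignored
    + [(100.0 + 0.2 * i, BSSID_B, 12) for i in range(12)]    # 12 deauths in 2.2 s
)

if __name__ == "__main__":
    for bssid, start, count in detect_deauth_bursts(SAMPLE_FRAMES):
        print(f"deauth burst on {bssid}: {count} frames since t={start}")
```

As the replies point out, this only sees active attacks; passive capture of IVs produces no frames to count.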

  5. #5
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Please note that you don't have to send deauth packets.. Your attacker can get all the IVs s/he needs by just passively (not sending anything) sniffing your wireless traffic. Cracking is done offline anyway so there's no way to detect this type of attack.

    Even MAC address filtering won't help you, just as it's easy to sniff the wireless traffic, you'll also see the 'allowed' MAC addresses (those are the ones that are actually communicating).

    Passively sniff the WiFi traffic, crack the key, change the MAC to one allowed and enter the network. No way to detect it.. Unless it happens at 'odd' times (non-office hours).

    "What I wanted to know was, say an attacker captures 100000 IVs from one Access point, 100000 from another, etc., would they add up to enough to get my WEP key? Or would the fact that they came from different access points mean that the attacker could only use 100000?"
    AFAIK you cannot 'add up' the IVs. But it's pretty easy to get 1000000+ IVs on even a moderately used WiFi network. So I haven't looked at it in more detail.
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  6. #6
    Senior Member
    Join Date
    Dec 2004
    Posts
    320
    If you insist on using WEP, at least try to use the 104-bit version rather than the 40-bit one. It will depend on if your hardware will support it, but most cards/APs nowadays are able to use the more secure 104-bit version.
    The fool doth think he is wise, but the wiseman knows himself to be a fool - Good Ole Bill Shakespeare

  7. #7
    Banned
    Join Date
    Jul 2004
    Posts
    297
    Originally posted here by dmorgan
    If you insist on using WEP, at least try to use the 104-bit version rather than the 40-bit one. It will depend on if your hardware will support it, but most cards/APs nowadays are able to use the more secure 104-bit version.
    One thing to keep in mind, the 104-bit version does take 1 million or more IV frame packets to break the key. Depending on how close they can get to one of your APs, this can be done in under an hour. Most people would not go through this trouble unless they are after something on the other side of the network. In which case WPA2 is your only real option.
    I do understand you'll be monitoring for injection, but it will appear as traffic coming from one of your own stations should someone start injecting packets.

    edit: Oh yeah, and while aircrack can only crack one SSID at a time, airodump can capture anything in the 802 spectrum as well as only a specific channel or even just from a specific MAC address of an AP. Which makes it easy to see which AP has activity and catch that packet needed for injection.

  8. #8
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    I don't think there's a way that an attacker could easily know that the several APs have the same WEP key, so they'd need to crack them separately.

    If they did magically know that they had the same WEP key, yes it would make it easier as they could combine the IVs. However aircrack probably won't normally do this (combine IVs from different BSSIDs), so I imagine they'd need to knock up their own software to do it.

    Slarty
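
Why a key shared across access points behaves as one IV pool, as an added example (not code from any poster or from aircrack): WEP seeds RC4 with the 24-bit IV followed by the key, and nothing AP-specific enters the cipher. The keys, IV, BSSIDs and payloads below are constructed.

```python
import zlib

def rc4_keystream(seed: bytes, n: int) -> bytes:
    """Standard RC4: key scheduling, then n bytes of output."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_body(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Encrypted WEP frame body: RC4(IV || key) XOR (payload || CRC-32 ICV).
    The BSSID and SSID are not inputs to the cipher at all."""
    if len(iv) != 3 or len(key) not in (5, 13):   # 24-bit IV, 40/104-bit key
        raise ValueError("bad IV or key length")
    plain = payload + zlib.crc32(payload).to_bytes(4, "little")
    stream = rc4_keystream(iv + key, len(plain))
    return bytes(p ^ k for p, k in zip(plain, stream))

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def same_keystream(frame_a, frame_b, plain_a: bytes, plain_b: bytes) -> bool:
    """True if both bodies used one keystream: it cancels under XOR, so the
    XOR of the ciphertexts equals the XOR of the plaintexts."""
    n = min(len(plain_a), len(plain_b))
    return xor(frame_a["body"], frame_b["body"])[:n] == xor(plain_a, plain_b)[:n]

# Constructed sample: AP1 and AP2 share a 104-bit key, AP3 has its own.
SHARED_KEY, OTHER_KEY = bytes(range(1, 14)), bytes(range(21, 34))
IV = bytes([0x12, 0x34, 0x56])
P1, P2 = b"frame via AP one", b"frame via AP two"
AP1 = {"bssid": "02:00:00:00:00:01", "iv": IV, "body": wep_body(SHARED_KEY, IV, P1)}
AP2 = {"bssid": "02:00:00:00:00:02", "iv": IV, "body": wep_body(SHARED_KEY, IV, P2)}
AP3 = {"bssid": "02:00:00:00:00:03", "iv": IV, "body": wep_body(OTHER_KEY, IV, P2)}

if __name__ == "__main__":
    print("AP1/AP2, shared key:    ", same_keystream(AP1, AP2, P1, P2))
    print("AP1/AP3, different keys:", same_keystream(AP1, AP3, P1, P2))
```

For the network design in the question, this means every access point added under the same key draws from, and exposes, the same 24-bit IV space; separate keys per AP, or WPA/WPA2 as recommended in the thread, avoid that.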

  9. #9
    Banned
    Join Date
    Jul 2004
    Posts
    297
    I don't believe it would take too much to write a script that did a search and replace on the MAC addresses in a capture file. But without the knowledge that all the keys are the same I don't see why anyone would at all.

  10. #10
    Junior Member
    Join Date
    Jun 2006
    Posts
    8

    The fact that all the SSIDs are the same might tip them off. Thanks for all your help, much appreciated.

    Brett
