August 31st, 2006, 06:51 AM
#28
I am still thinking about publishing a tutorial called "Introduction to unsecure a Wireless Network".
The only secure password protection I can see is WPA-PSK; the aircrack software also says it supports a cracking module for this protocol's encryption:
/*
* 802.11 40/104 bit WEP / WPA-PSK Key Cracker
*
* Copyright (C) 2004,2005 Christophe Devine
/*
 * One captured WPA 4-way handshake.  Presumably the per-station material
 * that, together with a candidate PMK, lets the cracker recompute the
 * EAPOL-Key MIC and compare it with keymic (verify against the consumer).
 */
struct WPA_hdsk
{
    uchar stmac[6];    /* supplicant (station) MAC address */
    uchar snonce[32];  /* supplicant nonce (SNonce) */
    uchar anonce[32];  /* authenticator nonce (ANonce) */
    uchar keymic[16];  /* MIC field taken from the EAPOL-Key frame */
    uchar eapol[256];  /* raw EAPOL frame bytes (presumably what the MIC covers) */
    int eapol_size;    /* number of valid bytes in eapol[] */
    int keyver;        /* key descriptor version (TKIP / AES) */
    int state;         /* handshake completion state */
};
and the resource for crack:
/*
 * Worker loop: derives WPA pairwise master keys (PMKs) from candidate
 * passphrases handed over by the parent through a pipe pair.
 *
 * Pipe protocol (every transfer is fixed-size):
 *   1. read 32 bytes from mc_pipe[cid][0]: the ESSID (once)
 *   2. forever:
 *        read  128 + 128 bytes: two NUL-padded passphrases
 *        write 128 + 128 + 32 + 32 bytes to cm_pipe[cid][1]: both
 *              passphrases followed by both 32-byte PMKs
 *
 * Each PMK is the 802.11i derivation PBKDF2-HMAC-SHA1(passphrase, ESSID,
 * 4096 iterations, 32 bytes): the hmac_sha1() call is iteration 1 of a
 * block and the "i = 1; i < 4096" loops supply the remaining 4095.
 * Block 1 yields PMK bytes 0..19, block 2 yields bytes 20..31.
 *
 * On i386 two passphrases are pushed in lock-step through the MMX SHA-1
 * helpers (shammx_*), which presumably operate on two interleaved 32-bit
 * lanes -- the word interleaving below matches that layout.  On other
 * targets calc_pmk() performs the whole derivation.
 *
 * arg: worker index passed through the pointer value; it selects the
 *      pipe pair in mc_pipe / cm_pipe.
 * Any short read or write sends SIGTERM to the whole process group and
 * exits with FAILURE; the function never returns normally.
 */
int crack_wpa_thread( void *arg )
{
    char essid[36];
    char key1[128], key2[128];
    uchar pmk1[128], pmk2[128];
#ifdef __i386__
    /* HMAC key blocks for both passphrases (key1 at 0, key2 at 64) and
     * the SHA-1 states after absorbing them (presumably 2 x 20 bytes). */
    uchar k_ipad[128], ctx_ipad[40];
    uchar k_opad[128], ctx_opad[40];
    uchar buffer[128], sha1_ctx[40];  /* interleaved message block / per-iteration state copy */
    uchar wrkbuf[640];                /* scratch handed to shammx_data (layout not visible here) */
    uint i, *u, *v, *w;
#endif
    int slen, cid = (long) arg;

    /* receive the essid: 32 bytes into a zeroed 36-byte buffer, so the
     * string is always NUL-terminated and at least four zero bytes follow
     * it -- room for the PBKDF2 block counter appended below */
    memset( essid, 0, sizeof( essid ) );
    if( safe_read( mc_pipe[cid][0], (void *) essid, 32 ) != 32 )
    {
        perror( "read failed" );
        kill( 0, SIGTERM );
        _exit( FAILURE );
    }

    /* salt length = ESSID + 4-byte big-endian block index */
    slen = strlen( essid ) + 4;

    while( 1 )
    {
        /* receive two passphrases */
        memset( key1, 0, sizeof( key1 ) );
        memset( key2, 0, sizeof( key2 ) );
        if( safe_read( mc_pipe[cid][0], (void *) key1, 128 ) != 128 ||
            safe_read( mc_pipe[cid][0], (void *) key2, 128 ) != 128 )
        {
            perror( "read passphrase failed" );
            kill( 0, SIGTERM );
            _exit( FAILURE );
        }

        /* force termination so strlen() stays inside the buffer (<= 127) */
        key1[127] = '\0';
        key2[127] = '\0';

#ifdef __i386__
        /* MMX available, so compute two PMKs in a single row */
        memset( k_ipad, 0, sizeof( k_ipad ) );
        memset( k_opad, 0, sizeof( k_opad ) );

        /* NOTE(review): nothing here checks that a passphrase is at most
         * 64 bytes, yet key1/key2 may hold up to 127.  A longer key1
         * overwrites key2's 64-byte lane and a longer key2 writes past the
         * end of k_ipad/k_opad on the stack.  RFC 2104 also requires keys
         * longer than the block size to be hashed first.  Presumably the
         * feeding side enforces the 8..63-byte WPA passphrase limit --
         * confirm, or bound the copies here. */
        memcpy( k_ipad, key1, strlen( key1 ) );
        memcpy( k_opad, key1, strlen( key1 ) );
        memcpy( k_ipad + 64, key2, strlen( key2 ) );
        memcpy( k_opad + 64, key2, strlen( key2 ) );

        /* NOTE(review): reading uchar arrays through uint pointers breaks
         * the strict-aliasing rule; it works with this toolchain on i386
         * but portable code would go through memcpy. */
        u = (uint *) ( k_ipad );
        v = (uint *) ( k_ipad + 64 );
        w = (uint *) buffer;

        for( i = 0; i < 16; i++ )
        {
            /* interleave the data: XOR each key word with the HMAC inner
             * pad and place key1 word k at buffer word 2k, key2 word k at
             * buffer word 2k+1 */
            *w++ = *u++ ^ 0x36363636;
            *w++ = *v++ ^ 0x36363636;
        }

        /* absorb the ipad blocks once; every HMAC below restarts from
         * this saved state instead of re-hashing the key */
        shammx_init( ctx_ipad );
        shammx_data( ctx_ipad, buffer, wrkbuf );

        u = (uint *) ( k_opad );
        v = (uint *) ( k_opad + 64 );
        w = (uint *) buffer;

        for( i = 0; i < 16; i++ )
        {
            /* same interleaving with the HMAC outer pad */
            *w++ = *u++ ^ 0x5C5C5C5C;
            *w++ = *v++ ^ 0x5C5C5C5C;
        }

        shammx_init( ctx_opad );
        shammx_data( ctx_opad, buffer, wrkbuf );

        memset( buffer, 0, sizeof( buffer ) );

        /* use the buffer, luke */
        /* Pre-built SHA-1 padding for a 20-byte digest that follows a
         * 64-byte key block: the 0x80 terminator goes at word 5 of each
         * lane (bytes 40 / 44) and the message length 8 * (64 + 20) = 672
         * = 0x02A0 bits, big-endian, into the last word of each lane.
         * The digests themselves will occupy words 0..4 of each lane. */
        buffer[ 40] = buffer[ 44] = 0x80;
        buffer[122] = buffer[126] = 0x02;
        buffer[123] = buffer[127] = 0xA0;

        /* salt = ESSID || 00 00 00 01 : PBKDF2 block index 1 */
        essid[slen - 1] = '\1';

        /* iteration 1 of block 1 (U1 = HMAC(P, S || INT(1))) uses the
         * portable HMAC because its input length differs from the fixed
         * 20-byte layout the padding above was built for */
        hmac_sha1( (uchar *) key1, strlen( key1 ),
                   (uchar *) essid, slen, pmk1 );

        hmac_sha1( (uchar *) key2, strlen( key2 ),
                   (uchar *) essid, slen, pmk2 );

        /* interleave the two 20-byte digests (5 words per lane) */
        u = (uint *) pmk1;
        v = (uint *) pmk2;
        w = (uint *) buffer;

        *w++ = *u++; *w++ = *v++;
        *w++ = *u++; *w++ = *v++;
        *w++ = *u++; *w++ = *v++;
        *w++ = *u++; *w++ = *v++;
        *w++ = *u++; *w++ = *v++;

        /* iterations 2..4096: U_i = HMAC(P, U_{i-1}), T1 ^= U_i.  Each
         * HMAC is the saved ipad state + one block, then the saved opad
         * state + one block; shammx_ends presumably writes the digests
         * back into buffer in the same interleaved layout. */
        for( i = 1; i < 4096; i++ )
        {
            memcpy( sha1_ctx, ctx_ipad, 40 );
            shammx_data( sha1_ctx, buffer, wrkbuf );
            shammx_ends( sha1_ctx, buffer );

            memcpy( sha1_ctx, ctx_opad, 40 );
            shammx_data( sha1_ctx, buffer, wrkbuf );
            shammx_ends( sha1_ctx, buffer );

            u = (uint *) pmk1;
            v = (uint *) pmk2;
            w = (uint *) buffer;

            /* de-interleave the digests */
            *u++ ^= *w++; *v++ ^= *w++;
            *u++ ^= *w++; *v++ ^= *w++;
            *u++ ^= *w++; *v++ ^= *w++;
            *u++ ^= *w++; *v++ ^= *w++;
            *u++ ^= *w++; *v++ ^= *w++;
        }

        /* salt = ESSID || 00 00 00 02 : block 2 supplies PMK bytes 20..31 */
        essid[slen - 1] = '\2';

        hmac_sha1( (uchar *) key1, strlen( key1 ),
                   (uchar *) essid, slen, pmk1 + 20 );

        hmac_sha1( (uchar *) key2, strlen( key2 ),
                   (uchar *) essid, slen, pmk2 + 20 );

        u = (uint *) ( pmk1 + 20 );
        v = (uint *) ( pmk2 + 20 );
        w = (uint *) buffer;

        *w++ = *u++; *w++ = *v++;
        *w++ = *u++; *w++ = *v++;
        *w++ = *u++; *w++ = *v++;
        *w++ = *u++; *w++ = *v++;
        *w++ = *u++; *w++ = *v++;

        /* same 4095 iterations for block 2; only 12 bytes (3 words per
         * lane) of the 20-byte result are needed for a 32-byte PMK, so
         * only three word pairs are folded back */
        for( i = 1; i < 4096; i++ )
        {
            memcpy( sha1_ctx, ctx_ipad, 40 );
            shammx_data( sha1_ctx, buffer, wrkbuf );
            shammx_ends( sha1_ctx, buffer );

            memcpy( sha1_ctx, ctx_opad, 40 );
            shammx_data( sha1_ctx, buffer, wrkbuf );
            shammx_ends( sha1_ctx, buffer );

            u = (uint *) ( pmk1 + 20 );
            v = (uint *) ( pmk2 + 20 );
            w = (uint *) buffer;

            *u++ ^= *w++; *v++ ^= *w++;
            *u++ ^= *w++; *v++ ^= *w++;
            *u++ ^= *w++; *v++ ^= *w++;
        }
#else
        /* not x86, use the generic SHA-1 C code */
        calc_pmk( key1, essid, pmk1 );
        calc_pmk( key2, essid, pmk2 );
#endif

        /* send the passphrase & master keys: only the first 32 bytes of
         * each pmk buffer are the PMK */
        if( safe_write( cm_pipe[cid][1], (void *) key1, 128 ) != 128 ||
            safe_write( cm_pipe[cid][1], (void *) key2, 128 ) != 128 ||
            safe_write( cm_pipe[cid][1], (void *) pmk1, 32 ) != 32 ||
            safe_write( cm_pipe[cid][1], (void *) pmk2, 32 ) != 32 )
        {
            perror( "write pmk failed" );
            kill( 0, SIGTERM );
            _exit( FAILURE );
        }
    }
}
So, when I tried for myself to crack my PSK-protected network using aircrack, for example, it was not able to attack this encryption type.
:|
you'll see:
PSK and WEP components are "redundant" encryption code, like RC4 and the old RC2 for the Infineon Sicrypt-based smart card, and include poly-interpolation for SHA-1 mounted on a 128-bit base char; the text is OK, but in the source code there are NO marks for this decrypt phase.
So I implemented that for myself, and the result is a non-linear-based cryptography; how can I decrypt that in an efficient time?
Easy: I took the John cracker source and combined aircrack (IVS compatible) with my own smart card RC2/RC4 cracking code, and I am able to try to decrypt that.
Good post; I am seriously thinking of writing the counter-post to this.
greetz
AzRaEL
[NuKE] high council