WEP And PPTP Password Crackers Released

Jacco de Leeuw writes "SecurityFocus published an article by Michael Ossmann that discusses the new generation of WEP cracking tools for 802.11 wireless networks. These are much faster as they perform passive statistical analysis. In many cases, a WEP key can be determined in minutes or even seconds. For those who have switched to PPTP for securing their wireless nets: Joshua Wright released a new version of his Cisco LEAP cracker called Asleap which can now also recover weak PPTP passwords. Both LEAP and PPTP employ MS-CHAPv2 authentication." Update: 12/22 00:14 GMT by T : Michael Ossmann wrote to point out his last name has two Ns, rather than one.

cut&paste complete article

[nietsch]

I only got some ad for FREE microsof security products (sewage odorizers?) here is the complete article :)
WEP: Dead Again, Part 1 by Michael Ossmann last updated December 14, 2004 Introduction

This article is the first of a two-part series that looks at the new generation of WEP cracking tools for WiFi networks, which offer dramatically faster speeds for penetration testers over the previous generation of tools. In many cases, a WEP key can be determined in seconds or minutes. Part one, below, compares the latest KoreK based tools that perform passive statistical analysis and brute-force cracking on a sample of collected WEP traffic. Next time, in part two, we'll look at active attack vectors, including a method to dramatically increase the rate of packet collection to make statistical attacks even more potent.

Is WEP that bad?

Many security folks and even more wireless folks these days are saying that WEP isn't all that bad. They say that if you use modern equipment that filters weak Initial Vectors (IVs) and change your keys frequently (or at least once in a while), nobody will ever crack your WEP. Sure, maybe some next-generation WEP attacks will arise one day that will change everything, but WEP is okay today for all but the most sensitive networks. Well, that next-generation is already here, heralded by highly functional tools that make WEP look weaker than Barney Fife on guard duty, sleeping on the job.

Let's take a look at some of the new tools that should be in every penetration tester's bag of tricks, rather then delving into the details of why the various attacks work. Time and time again, the industry has shown that it will not reject broken security safeguards until attacks are actually demonstrated in the real world. Here's how to quickly turn some heads.

The way things were

Since the summer of 2001, WEP cracking has been a trivial but time consuming process. A few tools, AirSnort perhaps the most famous, that implement the Fluhrer-Mantin-Shamir (FMS) attack were released to the security community -- who until then were aware of the problems with WEP but did not have practical penetration testing tools. Although simple to use, these tools require a very large number of packets to be gathered before being able to crack a WEP key. The AirSnort web site estimates the total number of packets at five to ten million, but the number actually required may be higher than you think.

The first caveat to this old approach is that only encrypted packets count. As wireless access points transmit unencrypted beacons several times per second, it is easy to be fooled into believing that you have a larger number of useful packets than you really do. If you use Kismet for network discovery and sniffing, it breaks down the packet count for you, displaying the number of "Crypted" packets separately from the total number, as shown below: Figure 1. Kismet in action.

The second thing working against your packet collection efforts is that only certain "interesting" or "weak" IVs are vulnerable to attack. Kismet also tells you how many of these have been gathered, although it may not use the same counting method as the various cracking tools. To make matters more difficult, wireless manufacturers responded to the FMS attack by filtering out the majority of weak IVs that their access points and wireless cards transmit. Unless your target network is using old equipment, chances are you'll have to collect no less than ten million encrypted packets to crack a WEP key using these older tools.

In early 2002, h1kari released a tool called dwepcrack (part of the bsd-airtools package) that improved upon the existing implementations of the FMS attack. Although dwepcrack did a good job of advancing the practical implementation of statistical WEP cryptanalysis, its improvements were only incremental.

Tools that changed everything

On August 8th, 2004, a hacker n