
PSA: WEP128 laughably easy - alternates in a WDS environment??!!

bobdole369

So I had some time and I figured I'd try to pentest my WEP128 key at work. WOW. 15 minutes and I had it. Key was 13 chars, and "complex", that is, it had a series of numbers in the middle of a backwards product name and then a female name on the end. (in the form of cart2761hannA )

Soooo with that in mind:

Using 2x Buffalo WHR-HP-G54's in WDS (one connected to network, one is a repeater).

Are there any fairly low cost AP's that would do WDS with WPA or WPA2 encryption? I don't know if the limitation to use WEP only with WDS is a Buffalo thing or a standards thing or what.

I basically need a number of APs that I can roam with and not have this glaring, easy-to-penetrate security hole here.

(to paraphrase George Carlin may Joe Pesci rest his soul) - Using WEP128 is akin to locking you up and throwing away the key. Right out front. Where your friends can find it.
 
That router can also have Tomato installed on it, although I'm not sure what encryption it can do while in WDS mode.
 
It's looking like DD-WRT also requires WEP encryption for WDS.
Nope. At least on Broadcom hardware, you can run WPA-PSK/AES on WDS mode. But not WPA2, for some reason.

I'm running some Netgear WNR834Bv2 N routers in WDS (with DD-WRT), but before that, I had a Linksys WRT54Gv2 and a Motorola WR850Gv2 in WDS, using moto firmware 6.x which supported WDS, and the Linksys newer stock firmware, which supported Lazy WDS.

Edit: I meant also that I was running WPA encryption on those two WDS chains.
 
It's looking like DD-WRT also requires WEP encryption for WDS.

http://www.dd-wrt.com/wiki/index.php/WDS_Linked_router_network

See I'm not looking to bridge LAN's. I have a number of AP's that allow access to the same LAN and roaming between them. If I set up one as a CB then I get a nice broadcast storm.

The page you link to lists your router under the working Broadcom devices. The sentence above that section:

Broadcom Based Devices

In regards to integration with DD-WRT, it is confirmed working with WEP, WPA, and WPA2.

Not sure if that means through WDS or not.
 
OK, I've got a couple spare ones at home so I'll give DD-WRT on the Buffalos a shot. Thanks ATN!!!

Failing that - Tomato (never actually used Tomato, kinda hoping it goes this way so I can get that merit badge. )
 
WEP is beyond laughable. With a copy of Backtrack you can crack it in minutes. Hell, by this point it's so automated that you don't even need to type commands into the command line anymore.
 

"WPA-PSK networks are vulnerable to dictionary attacks, but running a respectable-sized dictionary over a WPA network handshake can take days or weeks. WPA Cracker gives you access to a 400CPU cluster that will run your network capture against a 135 million word dictionary created specifically for WPA passwords. While this job would take over 5 days on a contemporary dual-core PC, on our cluster it takes an average of 20 minutes, for only $17. "


If you call a dictionary attack a "Well-known weakness", I guess.
 
WEP is beyond laughable. With a copy of Backtrack you can crack it in minutes. Hell, by this point it's so automated that you don't even need to type commands into the command line anymore.

I knew there were holes and it had been compromised, but I didn't realize it only took minutes to own your WEP key. It is very nearly automated as ichy says.

No reason to use WEP as far as I'm concerned, it offers nothing in the way of security.
 
WPA and WPA2 are only vulnerable if they are the "PSK" or preshared key style. But then again - we sort of knew that. It's weak only in that a human writes the password and it is likely to be weak.

RADIUS-protected and rotating key pairs (e.g. Cisco enterprise stuff) is not at all vulnerable this way.

but because not all types of WPA appear to be vulnerable in this way.
 
I knew there were holes and it had been compromised, but I didn't realize it only took minutes to own your WEP key. It is very nearly automated as ichy says.

No reason to use WEP as far as I'm concerned, it offers nothing in the way of security.

The hardest part of cracking WEP is finding a wireless adapter that works properly with the various tools in Backtrack. That and getting a strong enough signal. If you've got a working wireless adapter and decent signal strength then breaking WEP is child's play. It's kind of fun to show people how it's done, and for them to see how little security WEP provides.
 
The hardest part of cracking WEP is finding a wireless adapter that works properly with the various tools in Backtrack. That and getting a strong enough signal. If you've got a working wireless adapter and decent signal strength then breaking WEP is child's play. It's kind of fun to show people how it's done, and for them to see how little security WEP provides.

Sadly in a lot of cases that little bit of security is enough because it's usually quicker to drive an extra 100ft down the road and find an unprotected AP.
 
It's a weakness not because of the attack method, but because not all types of WPA appear to be vulnerable in this way.

TKIP is the weakness in most WPA installations, and given time, it can be infiltrated without bruteforcing the password.

A PSK will only ever be as secure as itself. It is neither a strength nor a weakness.
 
"WPA-PSK networks are vulnerable to dictionary attacks, but running a respectable-sized dictionary over a WPA network handshake can take days or weeks. WPA Cracker gives you access to a 400CPU cluster that will run your network capture against a 135 million word dictionary created specifically for WPA passwords. While this job would take over 5 days on a contemporary dual-core PC, on our cluster it takes an average of 20 minutes, for only $17. "


If you call a dictionary attack a "Well-known weakness", I guess.

It's much cheaper if you use the EC2/CUDA Multiforcer brute force.
 
The card built into the dell laptop happens to be fully bt4 supported so... Awesome.

I just visited my neighbor and advised him to change his WPA2 key. I had it in 38 hours total time with pyrit and a GTS250 + Q6600. Most of that time was finding and importing dictionaries; once I started the attack it was just a few hours. He wasn't *that* creeped out cuz he knows what I do.
 