derv82 / wifite2

Rewrite of the popular wireless network auditor, "wifite"
GNU General Public License v2.0

Fix & Improve WEP attacks #27

Open derv82 opened 7 years ago

derv82 commented 7 years ago

I tried chopchop last night and it didn't work for me.

The chopchop attack succeeded and generated a .xor which was forged into a replayable .cap file.

But the script did not replay the .cap file.

I'm worried other attacks are not working as expected (e.g. when no clients are connected).

Also, the output of chopchop was terrible -- only showing IVs. Ideally the script would parse the output of aireplay-ng --chopchop, show the current % completed, and any errors/warnings output by the program.

derv82 commented 7 years ago

chopchop definitely works for me now (see commit above).

Beefed up process-output parsing so WEP attacks show PPS, detect when we are authenticated/not-auth'd, and show progress on the chopchop attack (percentage).

I need another router that's susceptible to the WEP Fragmentation attack.

And other attacks don't seem to work for me (--caffe-latte, --cfrag).

Only these WEP attacks work against my test router: arpreplay, chopchop, -p0841

kimocoder commented 6 years ago

There is a bug somewhere after the .xor has been crafted. I'm testing the router I'm shipping you tomorrow and it's vulnerable to all WEP attacks, it seems. This is a chopchop attack, giving an error.

[image: img_20180305_224728]

kimocoder commented 6 years ago

Another issue is related to all WEP attacks: when turning it over to "aircrack-ng" cracking, aircrack-ng stops. Then it all stops, stops catching packets, and halts. As seen below.

All these are notes for future fixes.

[image: img_20180305_231501]

derv82 commented 6 years ago

As the commit message says, there was an infinite loop that occurs when a WEP key is found. 😞

Should be fixed now.

[image]

...And thanks for the router 🙇

I'll try to reproduce the Error(s) you saw during xor-based attacks.

kimocoder commented 6 years ago

No problem sir, happy to help. Great fix.

derv82 commented 6 years ago

Alright, the commit above should make chopchop more functional; it provides real-time output of the current byte, % completed, etc.

I think WEP attacks are in a good place now. I can revisit this later if people are still seeing problems.

rentandleave commented 6 years ago

The WEP attacks work well. But sometimes when the number of required IVS is huge, the program hangs when it starts cracking, say after 60000 IVS with the --wepca option. I was wondering if it is possible to add a switch to save the captured IVS like the one that existed in the previous version of Wifite.

It will be helpful to have a switch like that; it will come in handy.

derv82 commented 6 years ago

Apparently there are issues in the current version of aircrack-ng in Kali Rolling (as of today after running apt-get update && apt-get install aircrack-ng: "aircrack-ng is already the newest version").

The issue is that aircrack-ng will randomly segfault (3/5 times) when providing multiple .ivs files to aircrack-ng. 1/5 times it will crack the key. The other 1/5 times it will not find the key.

I checked out the latest version of aircrack-ng (1.2 rev 60e0a710) and this bug has been fixed (5/5 times the new version cracked the key).

If I add support for retaining previously-captured .ivs files and using them when cracking, then anyone that is not using the latest version of aircrack-ng will hit this segfault (and probably won't ever crack the .ivs files).

I'll look at adding a --keep-ivs option so people can opt-in to the feature.

kimocoder commented 6 years ago

The package (aircrack-ng v1.2) is waiting to be pulled to Kali repos. It will happen anytime. Status may be seen here

derv82 commented 6 years ago

Tried to get it working. Made a bunch of other changes; hopefully didn't break anything.

Really long GIF showing IVS being retained after stopping & restarting an attack (@ 16740 IVs):

[image: wifite-keep-ivs]