
Brute Force WEP cracker

  • 14-05-2008 5:33am
    #1
    Closed Accounts Posts: 1,567 ✭✭✭


    before anyone starts telling me why a brute force wep cracker is useless, i have to stress the point of the exercise was to create a comparison of speeds between FPGA, PS3 and regular x86 cpus

    i'll be testing a GPU version shortly, but here are some results,
    jc-wepcrack + pico-wepcrack/PS3 results were in presentation by d.hulton at ShmooCon last year.

    PC
    jc-wepcrack (C)
    1.25 Ghz G4 ~150,000/sec
    3.6 Ghz P4 ~300,000/sec

    ~42 Days to break 40-bit

    FPGA
    pico-wepcrack
    LX25 ~12,000,000/sec
    15 Cluster ~180,000,000/sec

    ~25 Hours to break 40-bit
    ~100 minutes on cluster

    PS3
    cbe-client (C)
    1 SPU 3.2 Ghz ~241,000/sec
    6 SPU 3.2 Ghz ~1,446,000/sec

    ~8.8 Days to break 40-bit

    x86 ASM + C

    wepcx
    1 AMD64 3200+ 2.0 Ghz ~1,500,000
    1 INTEL Q6600 2.4 Ghz ~7,400,000/sec (4 cores)

    ~8.3 Days to break 40-bit
    ~40 Hours to break 40-bit

    wepbf
    1 AMD64 3200+ 2.0 Ghz ~570,000/sec
    1 INTEL Q6600 2.4 Ghz ~1,000,000/sec

    ~21.9 Days to break 40-bit
    ~12.5 Days to break 40-bit


    jc-wepcrack/pico
    wepbf
    cbe-client
    wepcx


Comments

  • Closed Accounts Posts: 1,444 ✭✭✭Cantab.


    Looks good. But why?!

    Nice bit of kit you've got there. You must have spent several days on that lot? What FPGA are you using?

    Have you got any base-line figures to compare your results with?


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    curiosity mainly, and i've very little else to do. (well, i am learning about wireless security too)

    there are various people exploring the use of FPGA/ASICs, CELL B.E (part of PS3), GPUs and other forms of programmable hardware with modern cryptography.

    COPACOBANA + openciphers are 2 such projects, but these cost a lot of money which i cannot possibly afford to finance.

    all i'm doing is writing the equivalent code for x86/x64 hardware and testing its speed.. i'd like to write code for the LX-25 or LX-50 but i don't have access to either, and probably won't anytime soon.

    i've implemented some other algorithms too, MD4 which does about 150,000,000 k/s on q6600, MD5 runs at about 88,000,000, SHA-1 at about 52,000,000..

    the purpose of course is to crack crypto.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    http://www.cyberciti.biz/tips/howto-crack-wirless-wep-104.html

    For people who might think their WEP security is "adequate for the purpose" having read the timings cited above... :-)

    .probe


  • Closed Accounts Posts: 1,444 ✭✭✭Cantab.


    3 seconds and 1 minute of data on a Pentium mobile eh?

    Imagine the email correspondence you could collect in, for example, an airport terminal.


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    probe

    Diminishing the point of the exercise and showing the futility of brute force attacks on some WEP devices doesn't really help.

    Did you look at the code?

    Doubt it.. you'd have read about WEP being cracked in under a minute using 40,000 packets.. the point of the exercise in the first place - a hardware comparison.

    Did you just think to yourself "here is another opportunity to sell myself as a security consultant"? - nice.

    Few questions:

    Do you understand why some WEP attacks run faster than brute force?
    (without searching)

    Have you any solutions to preventing WEP based attacks except recommending everyone use WPA, even when some devices can't support it?
    (without searching)

    Have you any idea how many companies have already asked these questions and implemented solutions?
    (you can search that one)

    I'd rather you explain WEP based attacks in detail, rather than quote other people's work with additional links to information easily found from a google search, but I've a feeling you don't know.

    Most here on the security forum are well aware that WEP isn't secure, - some of us have known for the last 7 years.

    When i said "learning about wireless security" that equates, writing code - understanding and improving current known attacks, then presenting the results..

    I've only been researching wireless security for the last year, but aware of the problems for a lot longer. When it was published in the media that default wep keys to netopia routers provided by eircom could be found using a simple key generator, the first thing that Conor Flynn from RITS said was:

    "WPA2 (Wi-Fi Protected Access) is the only protocol that should be considered by any service provider. WEP is a predictable and easily-broken protocol. There are software tools online that will crack any WEP key in the space of two minutes."

    Which completely missed the point of the key generator and details of the flaw which he probably didn't even understand anyway.

    So when the Thomson routers being supplied by BT were found to exhibit the same problems, i never bothered discussing it, because the default keys were WEP based - but the problem also affected WPA devices - Conor had little to say...

    Is it possible to have a serious discussion on how to crack WEP faster? - building on current attacks?

    So far, my impression is that you see an opportunity to make money from people's lack of knowledge in an area such as computer security, then seek to exploit that weakness for profit.. which really isn't any different to a 419 scammer in principle.

    I'm referring to your posts on MFA by the way - you don't really understand this technology as much as you'd like people to believe.
    It appears you just want to sell it, and that is perfectly fine, except you're not solving anything.

    Imagine the advertisement:

    "It will solve all of your security problems, you'll never have to worry about idiot overpaid employees losing their laptops again, not when they're carrying the PacoKey"

    right out of a sci-fi film like total recall or robocop.

    Remember all the ads on tv years ago for Daz?, claiming that "new ultra" Daz was better..and so on.


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    probe

    Diminishing the point of the exercise and showing the futility of brute force attacks on some WEP devices doesn't really help.

    Please read my posting again…

    You began by explaining the purpose of your exercise – ie “to create a comparison of speeds between FPGA, PS3 and regular x86 cpus” – which I naturally took on board.

    My observation was basically saying that people shouldn’t assume they are “secure” if they operate on the basis that their neighbour isn’t going to spend 40 hours trying to crack their wep key. It could take a lot less time – depending on luck and the hardware and software they are using.

    .probe


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    Cantab. wrote: »
    3 seconds and 1 minute of data on a Pentium mobile eh?

    Imagine the email correspondence you could collect in, for example, an airport terminal.

    In airports and hotels, most connections don’t have WEP security. While you might authenticate your logon using SSL, you are working in clear text once the logon process is completed.

    WEP crackability is more of an issue when you are in the privacy of your own home or apartment, or in the office, and a tech savvy neighbour/someone in the car park monitors your network traffic for no good reason. That is one of the ways they used to steal the 45 million credit card numbers and related data from TJX* by accessing customer records TJX had no right to keep in the first place.

    While probe is not advocating Wifi eavesdropping, and has not done it himself, in a typical hotel or airport set-up it is possible to sniff the internet traffic of other internet users in your vicinity using wifi, capturing their email and other login credentials unknown to them (and potentially using them forever and a day afterwards to snoop on their emails etc.)

    Which is why probe invariably uses a VPN connection at airports and hotels and on other untrustworthy networks.

    .probe

    *http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=201400171


  • Closed Accounts Posts: 1,567 ✭✭✭Martyr


    Which is why probe invariably uses a VPN connection at airports and hotels and on other untrustworthy networks.

    what VPN client for Windows would you recommend?


  • Closed Accounts Posts: 2,055 ✭✭✭probe


    what VPN client for Windows would you recommend?

    There is one built into Windows which is probably secure enough for this purpose.

    Go into networking > set up a new connection > connect to your workplace

    type of menu sequence from memory - depends on which Windows version you are using.

    .probe

