Skip to main content

Wesside-ng

Wesside-ng is an auto-magic tool which incorporates a number of techniques to seamlessly obtain a WEP key in minutes. It first identifies a network, then proceeds to associate with it, obtain PRGA (pseudo random generation algorithm) xor data, determine the network IP scheme, reinject ARP requests and finally determine the WEP key. All this is done without your intervention.

The original wesside tool was written by Andrea Bittau and was a proof-of-concept program to accompany two published papers. The two papers are “The Fragmentation Attack in Practice” by Andrea Bittau and “The Final Nail in WEP's Coffin” by Andrea Bittau, Mark Handley and Josua Lockey. See the the links page for these papers and more. The papers referenced provide excellent background information if you would like to understand the underlying methodologies. The concepts for the fragment attack currently incorporated in aircrack-ng came from these papers.

For you trivia buffs, who knows where the program name “wesside” came from? As it turns out, it comes from tupac the rapper (2Pac / Tupac Shakur).

Wesside-ng has been updated to reflect advances in determining the WEP key. Here are the steps which wesside-ng takes:

Channel hops looking for a WEP network.
Once a network is found, it tries to authenticate. If authentication fails, then the program attempts to find a MAC address currently associated with the AP to spoof.
Once the program has successfully authenticated then it associates with the AP.
After sniffing a single data packet, it proceeds to discover at least 128 bytes of PRGA by sending out larger broadcasts and intercepting the relayed packets. This is what is known as the fragmentation attack. The PRGA is written to the prga.log file.
After it sniffs an ARP request, it decrypts the IP address by guessing the next four bytes of PRGA using multicast frames and the linear keystream expansion technique. By decrypting the ARP request, the network number scheme can be determined plus the source IP of ARP request. This is used to build the ARP request which is used for subsequent injection.
It floods the network with ARP requests for the decrypted IP address.
Launches the aircrack-ng PTW attack to determine the WEP key.
So you may be asking “What is the linear keystream expansion technique?”. The foundation is the fact that packets like an encrypted ARP request can easily be identified combined with the fact that the start of it has known plain text. So the program first obtains the PRGA from known plain text portion of the ARP request. Then it creates a new ARP request packet broken into two fragments. The first fragment is one more byte then the know PRGA and the PRGA is guessed for the extra byte. These guesses are sent and the program listens to see which one is replayed by the AP. The replayed packet has the correct PRGA and this value was included in the destination multicast address. Now that we know the correct PRGA, one more byte can be decrypted in the original ARP request. This process is repeated until the sending IP in the original ARP request is decrypted. It takes a maximum of 256 guesses to determine the correct PRGA for a particular byte and on average only 128 guesses.

There are a few known limitations:

Only open authentication is support. Shared key authentication is not supported.
Only B and G networks are supported.
Fake MAC functionality is broken if there is a lot of traffic on the network.
Please remember that this is still basically a proof-of-concept tool so you can expect to find bugs. Plus you will find features that don't quite work as expected. Consider using easside-ng as an alternative or a companion program. Easside-ng is considered relatively stable software.

Comments

Popular posts from this blog

Test New ALFA-AWUS036H v.2 (1.000mW) VS ALFA-AWUS036H v.1 (500mW)

- Recently emerged the New ALFA-AWUS036H v.2 (1.000mW), and these are the tests. TEST WITH NETSTUMBLER 1) usb da 100mW chipset railink 2) usb da 200mW chipset railink rt73 3) intel 2200 b/g con connettore esterno rp-sma 4) Alfa-AWUS036H 500mW 5) New Alfa-AWUS036H V2 da 1.000mW

TBS5520 Multi-standard TV Tuner USB Box review

Noul TBS5520 Multi-standard TV Tuner USB Box a celor de la TBS se foloseste de RafaelMicro R848 multi-standard tuner si  AVL6882 Demodulator pentru a reda urmatoarele standarde: ETSI EN 302-755 V1.3.1 (DVB-T2/T2-Lite) ETSI EN 300-744 V1.6.1 (DVB-T) ETSI EN 300-429 V1.2.1 (DVB-C) ETSI EN 307-421 V1.2.1 (DVB-S2) ETSI EN 300-421 V1.1.2 (DVB-S) ARIB STD-B31 V1.6-E2 (ISDB-T) ITU-T J.83 Annex B 12/2007 (J.83/B) http://www.tbsdtv.com/products/tbs5520_multi-standard_tv_tuner_usb_box.html Pe aspectul fizic nu insist, sunt destule fotografii pe internet, vreau doar sa punctez cateva aspecte: pentru alimentare este necesar cablu Y USB - este singura modalitate de a furniza energie si de aici avem o limitare in ceea ce priveste functionalitatea cu motor HH mobilitate sporita si posibilitatea alimentarii directe din bateria unui notebook sau chiar conectarea la Tableta Android (de indata ce driverele vor fi gata) “TBS 5520 USB2.0 in warm state” nici rece dar nici fierbin

FTS4BT Wireless Bluetooth® Protocol Analyzer & Packet Sniffer

Complex & Ever Changing Bluetooth is an extremely complex software and hardware technology that is evolving fast. Even the most experienced Bluetooth developers and test engineers are challenged by keeping up with the latest changes from the baseband all the way to the profile level. Interoperability There are now enough Bluetooth-enabled devices on the market to prove that the technology is viable. Commercial success is tied to making sure that your devices interoperate smoothly so consumers can realize the benefits of Bluetooth. Currently Supported Version 2.1+EDR Features: Extended Inquiry Response. Secure Simple Pairing. QoS. Non-Automatically Flushable Packet Boundary Flag. Sniff Subrating. Erroneous Data Reporting. Encryption Pause and Resume. Link Supervision Timeout Changed Event. Security Mode 4. Supports EDR (Enhanced Data Rate): FTS4BT is the only analyzer currently on the market to support Bluetooth v2.1 + EDR. Finger-sized Bluetooth ComProbe: Air sniffing hardware