supported_packets [2008/08/06 18:27] – created darkaudax | supported_packets [2008/08/09 20:35] – darkaudax |
---|
====== Tutorial: Packets Supported for the PTW Attack ====== | ====== Tutorial: Packets Supported for the PTW Attack ====== |
Version: 1.00 August 6, 2008\\ | Version: 1.02 August 9, 2008\\ |
By: darkAudax | By: darkAudax |
| |
This tutorial is intended to explore this problem in more detail. Hopefully it will allow people to understand when alternate techniques are to be used. | This tutorial is intended to explore this problem in more detail. Hopefully it will allow people to understand when alternate techniques are to be used. |
| |
Another important limitation is that only ARP packets can be used for all WEP lengths. All others are limited to 40 and 104 bit WEP. | Another important limitation is that the PTW attack currently can only crack 40 and 104 bit WEP keys. |
| |
This [[http://www.erg.abdn.ac.uk/users/gorry/course/lan-pages/llc.html|web page]] briefly describes the IEEE 802.3 Logical Link Control. It explains the following terms which are used in the table below: | This [[http://www.erg.abdn.ac.uk/users/gorry/course/lan-pages/llc.html|web page]] briefly describes the IEEE 802.3 Logical Link Control. It explains the following terms which are used in the table below: |
| |
^ Protocol ^ Address Information ^ Packet Information ^ Comments ^ PTW ^ | ^ Protocol ^ Address Information ^ Packet Information ^ Comments ^ PTW ^ |
|Spanning Tree|Destination MAC 01:80:C2:00:00:00|DSAP 0x42, SSAP 0x42, Control Frame Type 0x03|The Spanning Tree protocol is used to prevent routing loops between switches|Yes. Limited to 40 bits.| | |Spanning Tree 802.1D (STP)|Destination MAC 01:80:C2:00:00:00|DSAP 0x42, SSAP 0x42, Control Frame Type 0x03|The Spanning Tree protocol is used to prevent routing loops between switches|Yes. Limited to 40 bits.| |
|Port Aggregation Protocol (PAgP)|Destination MAC 01:00:0C:CC:CC:CC|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x0104|Used to bundle ports on Catalyst switches into EtherChannel. Similar to Ethernet bonding in the Linux world.|No| | |Port Aggregation Protocol (PAgP)|Destination MAC 01:00:0C:CC:CC:CC|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x0104|Used to bundle ports on Catalyst switches into EtherChannel. Similar to Ethernet bonding in the Linux world.|No| |
|VLAN Trunking Protocol (VTP)|Destination MAC 01:00:0C:CC:CC:CC|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x2003|Provides information about configured virtual LANs (VLANs)|No| | |VLAN Trunking Protocol (VTP)|Destination MAC 01:00:0C:CC:CC:CC|DSAP 0xAA, SSAP 0xAA, Control Frame Type 0x03, Organization Code 0x00000C, Protocol 0x2003|Provides information about configured virtual LANs (VLANs)|No| |
For PTW we need "key length plus 3 bytes" keystream length. As an example: A 40 bit WEP key is 5 bytes long. So we need "5 bytes plus 3 bytes", thus 8 keystream bytes. Keystream bytes are bytes for which we know the unencrypted value. | For PTW we need "key length plus 3 bytes" keystream length. As an example: A 40 bit WEP key is 5 bytes long. So we need "5 bytes plus 3 bytes", thus 8 keystream bytes. Keystream bytes are bytes for which we know the unencrypted value. |
| |
For ARP packets, we know 22 keystream bytes. That is why ARP packets can be used to crack any length of WEP key. | For ARP packets, we know 22 keystream bytes. ARPs can be used for 40 and 104 bit WEP cracking. |
| |
For IP packets, we know 9 bytes for sure so 40 bit WEP is no problem. For 104 bit WEP, there are 2 bytes which are completely unknown. These are brute-forced. And one final byte is guessed since there are only three possibilities. | For IP packets, we know 9 bytes for sure so 40 bit WEP is no problem. For 104 bit WEP, there are 2 bytes which are completely unknown. These are brute-forced. And one final byte is guessed since there are only three possibilities. |
| |
| |
| ===== Handy URLs ===== |
| |
| * [[http://www.cavebear.com/archive/cavebear/Ethernet/multicast.html|Multicast Addresses]] |
| * [[http://www.iana.org/assignments/ethernet-numbers|Ether Types]] |
| |