OpenWrt Forum Archive

Topic: wep cracking countermeasures

The content of this topic has been archived on 14 Apr 2018. There are no obvious gaps in this topic, but there may still be some posts missing at the end.

Hi there!

There is an idea I came up with while reading about wep weakness and I thought this might be a good place to share it and learn if it can be accomplished.

I understand that wep attacks are based on brute force against a fair quantity of collected packets of information, either with a passive attack or an active one increasing the traffic on the network.

My question is: what if the members of a wep network purposely send "poisoned" or badly encrypted packets to other members, in such a way that those packets would be silently ignored ... could the attacker be misled in his brute force attack?

The poisoned packets could be sent at regular intervals (say.. 1 each random(3~5) seconds or whatever is needed) or as a response to suspicious traffic-increasing requests.

Could something like this make it harder to break wep networks, or would the attacker recognize and discard those misleading packets?
Anyone with a good background on the topic care to comment?

Could it be implemented on openwrt, or can this type of behaviour only be implemented on the wireless chip?

Thanks for any comments on this idea, at least I'd like to know why it wouldn't work.

I care about wep security since I've learned here that ad-hoc mesh networks with openwrt can't be secured with wpa, so wep and open network are the only options at hand. (Am I wrong?)

I'm pretty sure you can't use WEP in these networks and that you can do WPA, but not WPA2. WEP was broken long ago and I don't think you should consider pursuing "fixing" it by making it broken (sending out false information). You're only going to bog the system down with processing the "poisoned" packets and not to mention taking the radio's bandwidth with what is essentially static. For cracking WEP you collect at least 10000 packets and can crack in ten minutes. I don't know what ratio of bad packets you'd have to make, or if that would do much anyway (you can probably detect which is poisonous anyway when you compare the 10000+).

Thanks for your answer napierzaza!

Could you please tell me more about the setup of ad-hoc with wpa? Does it work on kamikaze or whiterussian?

About my proposal, I don't think that lots of those "decoy" packets would be needed, and maybe they could be constructed in such a way that other members of the network could easily identify and ignore them.

I believe a small amount of those packets would be hard to spot while trying to break the key by a brute force or "trial and error" attempt.

napierzaza wrote:

For cracking WEP you collect at least 10000 packets and can crack in ten minutes.

1000 IVS and 2-3 minutes. My record is 34 seconds.

Weedy, are you using an OpenWRT unit to do this? I wanted to experiment with it but I couldn't get it working!

So as you can see Capaz it doesn't take much to crack WEP. Really you should just run using WPA anyhow, especially because WEP also slows your connection more than WPA. And it doesn't really matter how many fake packets are needed, it will still take processor power and bandwidth, and it will still be hackable, maybe it will take 40 seconds.

Ok napierzaza, thanks for the advice, I'd like to take it...

Do you have some additional info about setting up the ad-hoc mesh with wpa on?