Monday, September 26, 2011

OSWP Part 2

I have almost completed the OSWP course.  I have been watching videos, taking notes and practicing the exploits.  I did hit a snag, however, with my Linksys access point.  Apparently, there is an issue with the shared key authentication of WEP encryption.  You cannot create an XOR file when you are running airodump-ng and executing a de-authentication of a currently associated client using aireplay-ng.  You get a message of "Broken SKA".  It is very frustrating since I assumed it was my version of Backtrack or possibly my drivers for my ALFA (AWUS036H).  However, I found numerous links about the problem:

Of course, cracking WEP by bypassing SKA was one the last steps of the course.  However, I have another access point that I could use: Dlink-655.  I setup the new access point with the same ESSID and the same VICTIM, I mean client.  This time I was successful.  As soon as I de-authenticated the client, the XOR file was created.  I could then use the file to execute a fake authentication with the Wireless network.  The file was created instantly too.  There must be some bug with either airodump-ng or Linksys.  Possibly, it could be a combination that could be producing this weird behavior.  

Anyway, the only thing left in the lab is cracking WPA networks with the dictionary/custom wordlists.  That should be fine.  I also want to use a collaboration of cewl, crunch and the wordlists from Backtrack 5 R1 to use in the field.  I wonder what kind of results I would get during a security assessment.   

Before I forget, if people are having trouble using profile variables to make the commands shorter, I used the ".bashrc" file.  The /etc/profile was not working for me like the videos illustrated.  I just figured it was my fault since I am using Backtrack 5 R1. Fortunately,  I was able to use the variable $ESSID by adding to the file ".bashrc" for example: 
export ESSID=oswpexam


  1. Is there any way to solve the problem of "Broken SKA." At Challenge is not possible to change the router. I need help with this.

  2. Sorry for the late response. I am not sure how much I can say. All I can say is that the OffSec team will not give you something that you cannot overcome. If you really need more help, try the IRC channel or the OffSec forum. They are always willing to help.

  3. Hello,
    Sorry to bump into such an old post.
    I've been investigating this problem for several weeks now and I think I've got to the bottom of it.
    It seems that it's a AP + aircrack combination issue. Specifically: some APs include extra proprietary info on the second auth message which the aircrack is not programmed to recognize. Seems like early AP versions (both hardware and firmware) were more standard compliant and aircrack was not updated/patched accordingly.

    Thus even a pen tester has read somewhere (like in the backtack 5 book) he can crack a d-link dir-615 it will be impossible to do so with the latest versions of the hardware/firmware of that specifically AP.

    I almost went nuts on this one as I followed the exact same steps and had the exact same equipment used throughout the entire .... book. Once I noticed from a picture that the hardware version of the d-link dir-615 was b2 and the firmware was 2.23 the problem became clear to me as I had d-link dir-615 h/w ver H2, f/w 8.02.

    This bug is known:

    I'll try to write a patch for but I guess my best advice until then is to ask the h/w, f/w of the victim AP and not just its model.

    Although WEP is dead and almost nobody uses it anymore this info may prove helpful for researchers/investigators/programmers.

    So now I hope it will be O.K. if I ask you what h/w f/w version of d-link dir-655 did you use?

  4. No problem HellBoy. I assume that would be within the rules. Sorry it took so long to respond too. I just found it and the HW:A2 & FW:1.31. I guess the question is can you crack it with the latest version. I might want to check that later. Will probably end up being in December. Hopefully I answered your question tho.