wpa keyexchange problem

Joachim Schiele js at dune2.de
Thu Jul 7 10:01:23 EDT 2005


On Thursday 07 July 2005 15:19, Joachim Schiele wrote:
> hey ;-)
> just out of interest in the key exchange i've captured my heavy secured ap
> session exchange. the keyword used was "schnuffel" but as a matter of fact
> "attacker" does not work. i think the problem is in the key exchange. i'm
> using tkip and wpa_supplicant together with hostapd.
>
> my configuration in detail at the end of the mail:
> one thing i don't understand is why the snonce and anonce size differs
> while the original has
> 4x16 byte the one i captured has only 3x16 byte ;P

NSA-net
d3ea5466c68827b846d5a0375dda86b7b24c59685e44dba31bcd2dc683f3ba6a
7388234fb19ff4575af62543b0c86f15e510afba9b2b7e93d174227a4ac49ed1

one problem is now resovled. i've simply forgot the last 8 chars and so my 
string was to short, now it's 256bit so 64 chars

the problem with the hexdump still remains and i can't find out what exactly 
i'm heading for. what is the hexdump in the attacker example? there is no 
documentation. i've tried several things but non of these lead to success so 
far.

greets,
joachim

> another question would be:
> did i collect the right package for the hexdump field which is 19 in my
> capture?
>
> thanks for any help
> joachim schiele
>
> ps: the connection is quite stable and working.
>
>
> the ethereal capture is here:
> http://lastlog.de/misc/wpa_cry_for_help.cap
>
> ======= hostapd ===========
> interface=ath0
> driver=madwifi
> logger_syslog=-1
> logger_syslog_level=2
> logger_stdout=-1
> logger_stdout_level=2
> debug=4
> dump_file=/tmp/hostapd.dump
> ssid=NSA-net
> wpa=1
> wpa_psk=94d5d3eb7601d7534e8c4694bd6a6a9b0f64e9cffbce7c021faa5d04ebc77914
> wpa_key_mgmt=WPA-PSK
> wpa_pairwise=TKIP
> wpa_group_rekey=600
> wpa_gmk_rekey=86400
>
> ======= wpa_supplicant ===========
> network={
>         ssid="NSA-net"
>         # key is "schnuffel" without " at the beg and end
>        
> psk=94d5d3eb7601d7534e8c4694bd6a6a9b0f64e9cffbce7c021faa5d04ebc77914 }
>
> ========================== the example comming with attacker
> ======================
> ssid: linksys2
> anonce: 000000000000000000e1ffffffffffffffffffffffffffffffffffffffffffff
> snonce: 15ca4b5992d8208ef572a3b0897c23f37dc403dbf6d9ac25c6f7c28cc019afc9
> host mac: 0030ab209adc
> ap mac: 000c41c15c85
> hexdump:
> 000c41c15c850030ab209adc888e01030079fe01090020000000000000000015ca4b5992d82
>08ef572a3b0897c23f37dc403dbf6d9ac25c6f7c28cc019afc90000000000000000000000000
>000000000000000000000000000000000000000d0282e4c6c2b8a41158ccdd8e6f9fb66001ad
>d180050f20101000050f20201000050f20201000050f2020000
>
> ====== my secured net ;-) =====================================
>
> NSA-net
> anonce: 7388234FB19FF4575AF62543B0C86F15E510AFBA9B2B7E93
> snonce: D3EA5466C68827B846D5A0375DDA86B7B24C59685E44DBA3
> host mac: 000fa380cadf
> ap mac  : 000fa380cb0b
> hexdump:
> 0a59b411db0602d1c0618a4953323ed9963ab18250485c22efa484239aeda7d82824e1907a5
>84e9431fac9c374d482664d50050a1e24f6a414e9b8614c400dc2312e15e1ae9875ab6cf846c
>01baef5599dc357320652a85258a32dfc6a8fc2f59bc73fd0fbd2ddbd68fe5c53e7c6ef152b6
>142e0aa1543afd088d0eec91fd7e66e2549af00df266085a2f91a28f34610402359d5709c29
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url : http://lists.shmoo.com/pipermail/hostap/attachments/20050707/1f19c3fa/attachment.pgp 


More information about the HostAP mailing list