gbadev.org forum archive

This is a read-only mirror of the content originally found on forum.gbadev.org (now offline), salvaged from Wayback machine copies. A new forum can be found here.

DS homebrew announcements > aircrackDS 0.1

#132705 - moncul - Thu Jun 28, 2007 9:25 pm

A (small) step in network security tools for DS:

Here is a port of the PTW attack against WEP; this attack seems to be the least resource/time consuming. More details about how it works here.
I've only used the source provided by the Windows port, and parts from aircrack-ng (because there's no "libpcapDS" for parsing capture files).
You might want to try it with the sample file provided by aircrack-ng in their wiki. Or please use it with your own caps (remember: only ARP packets with this attack) and tell me if it worked, and how long it takes for which key length (sometimes it's very, very fast, or it may take 1 minute... up to seven once for me, or it may just not find the key).

Just launch aircrackDS.nds (after the DLDI patching) and do have a capture file named /ptw.cap.

Waiting for your feedback! (and hoping I'll find a way to implement the dump and play part... I've seen that jsr has already worked on this!)

Here is the file (with source, dirty coding with gotos, I promise the 0.2 will be cleaner).
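The capture file this tool expects is a libpcap-format file holding raw 802.11 frames. As an added example (not code from aircrackDS or aircrack-ng), here is a small C reader that validates the capture's global header, walks the records without trusting their stated lengths, and reports how many protected data frames it holds and which BSSID they belong to, which is the sanity check you'd want before assuming a capture is usable. The sample capture bytes, the addresses 02:00:00:00:00:01 and 02:00:00:00:00:02, and all function names are constructed for this example.

```c
/* Minimal reader for the classic libpcap capture format (a "ptw.cap" is one).
 * Added example: not code from aircrackDS or aircrack-ng. The sample bytes,
 * the 02:00:00:00:00:01 / :02 addresses and all names are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define PCAP_MAGIC      0xa1b2c3d4u   /* microsecond-resolution capture */
#define PCAP_MAGIC_NS   0xa1b23c4du   /* nanosecond-resolution capture */
#define DLT_IEEE802_11  105           /* link type: raw 802.11 frames, no radiotap */
#define PCAP_GLOBAL_HDR 24
#define PCAP_RECORD_HDR 16

typedef struct {
    uint32_t linktype;
    uint32_t snaplen;
    size_t   records;         /* packet records walked */
    size_t   protected_data;  /* data frames carrying the Protected Frame flag */
    uint8_t  bssid[6];        /* BSSID of the last protected data frame */
    int      big_endian;      /* 1 if the writer used big-endian fields */
} pcap_summary;

/* Read a 32-bit field in the byte order the file header announced. */
static uint32_t rd32(const uint8_t *p, int big_endian) {
    if (big_endian)
        return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
    return ((uint32_t)p[3] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[1] << 8) | p[0];
}

/* For an 802.11 data frame, copy its BSSID (picked by the ToDS/FromDS bits)
 * into out. Returns 1 if the Protected Frame flag is set, 0 if cleartext,
 * -1 if the frame is not a data frame, is a WDS frame or is too short. */
static int wlan_data_bssid(const uint8_t *f, uint32_t len, uint8_t out[6]) {
    if (len < 24 || ((f[0] >> 2) & 3) != 2) return -1;   /* type 2 = data */
    int to_ds = f[1] & 0x01, from_ds = f[1] & 0x02;
    const uint8_t *b;
    if (!to_ds && !from_ds)     b = f + 16;   /* addr3 */
    else if (to_ds && !from_ds) b = f + 4;    /* addr1 */
    else if (!to_ds && from_ds) b = f + 10;   /* addr2 */
    else return -1;                            /* WDS: four-address frame */
    memcpy(out, b, 6);
    return (f[1] & 0x40) ? 1 : 0;              /* Protected Frame flag */
}

/* Walk a capture held in memory. Returns 0 on success, -1 on a bad magic,
 * -2 when a record header claims more bytes than the buffer (or snaplen) has. */
int pcap_summarize(const uint8_t *buf, size_t len, pcap_summary *s) {
    memset(s, 0, sizeof *s);
    if (len < PCAP_GLOBAL_HDR) return -1;
    uint32_t le = rd32(buf, 0), be = rd32(buf, 1);
    if (le == PCAP_MAGIC || le == PCAP_MAGIC_NS)      s->big_endian = 0;
    else if (be == PCAP_MAGIC || be == PCAP_MAGIC_NS) s->big_endian = 1;
    else return -1;
    s->snaplen  = rd32(buf + 16, s->big_endian);
    s->linktype = rd32(buf + 20, s->big_endian);
    size_t off = PCAP_GLOBAL_HDR;
    while (off < len) {
        if (len - off < PCAP_RECORD_HDR) return -2;
        uint32_t incl = rd32(buf + off + 8, s->big_endian);   /* captured length */
        off += PCAP_RECORD_HDR;
        if (incl > s->snaplen || incl > len - off) return -2;  /* never trust incl_len */
        if (s->linktype == DLT_IEEE802_11) {
            uint8_t b[6];
            if (wlan_data_bssid(buf + off, incl, b) == 1) {
                s->protected_data++;
                memcpy(s->bssid, b, 6);
            }
        }
        s->records++;
        off += incl;
    }
    return 0;
}

static void put32le(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Constructed sample: little-endian pcap, link type 105, holding one beacon
 * and one protected data frame from station ...:02 to AP ...:01. */
size_t build_sample_capture(uint8_t *out, size_t cap) {
    static const uint8_t ap[6]  = {0x02, 0, 0, 0, 0, 0x01};
    static const uint8_t sta[6] = {0x02, 0, 0, 0, 0, 0x02};
    uint8_t beacon[24] = {0x80, 0x00};   /* management/beacon, broadcast */
    uint8_t data[24]   = {0x08, 0x41};   /* data, ToDS=1, Protected=1 */
    memset(beacon + 4, 0xff, 6); memcpy(beacon + 10, ap, 6); memcpy(beacon + 16, ap, 6);
    memcpy(data + 4, ap, 6);     memcpy(data + 10, sta, 6);  memcpy(data + 16, ap, 6);
    const uint8_t *frames[2] = { beacon, data };
    if (cap < PCAP_GLOBAL_HDR + 2 * (PCAP_RECORD_HDR + 24)) return 0;
    uint8_t *p = out;
    memset(p, 0, PCAP_GLOBAL_HDR);
    put32le(p, PCAP_MAGIC); p[4] = 2; p[6] = 4;          /* version 2.4 */
    put32le(p + 16, 65535); put32le(p + 20, DLT_IEEE802_11);
    p += PCAP_GLOBAL_HDR;
    for (int i = 0; i < 2; i++) {
        memset(p, 0, PCAP_RECORD_HDR);
        put32le(p + 8, 24); put32le(p + 12, 24);           /* incl_len, orig_len */
        memcpy(p + PCAP_RECORD_HDR, frames[i], 24);
        p += PCAP_RECORD_HDR + 24;
    }
    return (size_t)(p - out);
}

/* Summarise the sample; returns NULL if parsing failed. */
const pcap_summary *sample_summary(void) {
    static pcap_summary s;
    uint8_t buf[128];
    size_t n = build_sample_capture(buf, sizeof buf);
    return pcap_summarize(buf, n, &s) == 0 ? &s : NULL;
}

/* Same sample with its last 5 bytes missing: the length check must catch it. */
int sample_truncated_code(void) {
    pcap_summary s;
    uint8_t buf[128];
    size_t n = build_sample_capture(buf, sizeof buf);
    return pcap_summarize(buf, n - 5, &s);
}

int main(void) {
    const pcap_summary *s = sample_summary();
    if (!s) return 1;
    printf("linktype=%u records=%zu protected_data=%zu BSSID=%02X:%02X:%02X:%02X:%02X:%02X\n",
           s->linktype, s->records, s->protected_data,
           s->bssid[0], s->bssid[1], s->bssid[2], s->bssid[3], s->bssid[4], s->bssid[5]);
    printf("truncated copy -> %d\n", sample_truncated_code());
    return 0;
}
```

The two things worth noticing are that the byte order is taken from the magic rather than assumed (captures written on a big-endian host are valid pcap), and that every record's incl_len is checked against both the remaining buffer and the header's snaplen before it is used as an offset; a reader on a memory-starved device has no room for an overrun.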

#132714 - felix123 - Thu Jun 28, 2007 9:56 pm

And people said it couldn't be done. Good work.
_________________
Nintendo DS homebrew on Wikipedia

#132715 - dantheman - Thu Jun 28, 2007 9:57 pm

Tested using the sample provided on that wiki, which found the key after about 15 seconds.

I've never used the aircrack program before, so am I right in assuming that this tool just parses the capture file to find the WEP key? I would need to use an external tool to actually get a capture file for my own home network, correct? I'm guessing this is what your final statement is referring to, with "dump and play" functionality not present. It's still a nifty utility nonetheless.

#132718 - moncul - Thu Jun 28, 2007 10:11 pm

dantheman wrote:

I've never used the aircrack program before, so am I right in assuming that this tool just parses the capture file to find the WEP key? I would need to use an external tool to actually get a capture file for my own home network, correct? I'm guessing this is what your final statement is referring to, with "dump and play" functionality not present. It's still a nifty utility nonetheless.

Yes, you're absolutely right. The amount of resources needed by older methods prevented a port to DS. Now we can say that it's "tryable" (does this word exist?), while I think I've just begun the easiest part of the project.

#132719 - Devil_Spawn - Thu Jun 28, 2007 10:25 pm

So... simply out of interest... do you think we will ever see a fully functional version that can capture and crack networks?

#132774 - Sektor - Fri Jun 29, 2007 6:59 am

There's still the 2mbit speed limit. You won't be able to do a capture of data sent at 11mbit or 54mbit, so that eliminates most wi-fi networks.
_________________
GTAMP.com/DS

#132777 - Devil_Spawn - Fri Jun 29, 2007 8:09 am

But surely it would still be able to capture some packets... in that Wi-Fi test app there was a packet capturer of some sort :P

And anyway I thought it was 802.11g compatible... or was it b?

#132783 - Sektor - Fri Jun 29, 2007 10:51 am

It is partially 802.11b compatible since 802.11b can do 2mbit but the DS can't receive/send faster than that.
_________________
GTAMP.com/DS

#132800 - bigfoot - Fri Jun 29, 2007 3:46 pm

If I get the program it works on R4DS, kernel 1.10. Got the WEP key which is in the pwf.cap file from the test page.

If I'm not using it correctly, please tell me. I really love your app :). One of the best ever.

#132805 - moncul - Fri Jun 29, 2007 4:18 pm

I think you mean ptw.cap, and you must have used it correctly (DLDI patching not needed on R4DS 1.10).

#132806 - Masterofdarkness - Fri Jun 29, 2007 4:25 pm

I don't know how to use this -_-

#132811 - cejay - Fri Jun 29, 2007 6:33 pm

I ran this on my DS Lite and had the ptw.cap file in the same directory on the root of my R4DS card.
Worked fine, and found a key 05: 1F 1F 1F 1F 1F in a few seconds.

Did this actually work? I ran it without the ptw.cap file and it said "/no ptw.cap" and "recovering WEP" and it never ever found anything.

So is the key above an actual key for the access point my DS can see?
I see a BSSID so I assume that's the MAC of the router in my vicinity?

#132832 - felix123 - Fri Jun 29, 2007 10:38 pm

cejay: It's not like that.
Someone captured packets on some network and produced a ptw.cap file.
aircrackDS cracked that file and found the key to be 05: 1F 1F 1F 1F 1F.
aircrackDS can't capture packets yet.
_________________
Nintendo DS homebrew on Wikipedia

#132850 - Kamu - Sat Jun 30, 2007 8:32 am

Very impressive.

Nice work.

#132856 - bigfoot - Sat Jun 30, 2007 3:21 pm

moncul wrote:
I think you mean ptw.cap, and you must have used it correctly (DLDI patching not needed on R4DS 1.10).

Indeed, I meant ptw.cap :P. Typing fault :$. Kernel 1.10 has auto patching ;).

Really love your app :D. Can't wait to see an update :)

#133113 - _JSR_ - Tue Jul 03, 2007 2:12 pm

Nice :)
For my part, I already ported Aireplay (part of the Aircrack suite) a while ago but I kept it internal (except one version that I made public) because of the 2mbit limit (for capturing).
But keep up the good work; it's very interesting and you learn a lot about Wi-Fi encryption.

Btw, are you French (free.fr)? And related to the good French group ;)?
_________________
DSiP - VoIP for Nintendo DS Blog

#133785 - Bazildon - Sun Jul 08, 2007 6:48 pm

Nice app.

However, I need to know how to create the ptw.cap file. I have 2 other apps that do packet capture for the DS ("myfirst.nds" & "wifi_lib_test.nds") but neither of these will create a file; they just show the captured frames on screen.

I know wifi_lib_test.nds is version 0.3a and was written by "stephen stair" and I don't know anything about the other one, but I think it is now called blue-something. Sorry I can't give more info on the other programs.

Does anyone know of another DS app to create these files or should I wait for the author of this whizzy new app to add one?

Edit: the first app is called "DSBlue" and you can find details here; the second app is "DSWifi" and details can be found here.

#133789 - Sektor - Sun Jul 08, 2007 6:59 pm

You can't create the .cap file on the DS right now (no current apps can do it) and even if someone figures out how to capture the packets and save it in that format, it will only work for networks running at 2mbit.
_________________
GTAMP.com/DS

#133900 - Bazildon - Mon Jul 09, 2007 5:18 pm

I know I can't create the file on the DS, I was just pointing out that there are 2 apps (I know of) that can capture packets, but not save them at the moment. So maybe a quick email round the 3 authors could get some collaborative work going... never know, it might be simple to mix the apps all together or share some routines and come out with a rather useful app.

Does anyone know a PC app (Windoze or Linux) that can capture packets in the correct format for this app?

#133946 - Devil_Spawn - Mon Jul 09, 2007 10:07 pm

Could anybody explain why the DS cannot collect packets from a network at over 2mbit?

Surely it can capture SOME packets, even if it is only a small % of them.

#133953 - HyperHacker - Mon Jul 09, 2007 10:21 pm

Speaking of wifi, how do you tell from the wifi lib's AP info what encryption is being used?
_________________
I'm a PSP hacker now, but I still <3 DS.

#134677 - pas - Sun Jul 15, 2007 5:49 pm

May someone answer Devil_Spawn's question?

Does it have to do with the DS not being able to communicate with networks that have too high a Mbit count? Or may the DS overheat and explode (;p)?
_________________
Starcraft DS ?

#134751 - bigfoot - Mon Jul 16, 2007 11:53 am

Don't think it can't connect, since you can also use Wi-Fi on a network faster than 2mbit.

Maybe it can't collect the packets fast enough? Just guessing...

#134840 - Xtreme984 - Tue Jul 17, 2007 3:23 pm

Well, to crack a WEP encryption code, things like Aircrack etc. need several thousand 'interesting packets'; you won't be able to capture them fast enough with your DS to get them all within a decent timeframe, which means it'd take more than a month to get the whole packet collection complete (provided the network is actively used and generating enough packets per day).

Don't quote me on this, I'm not 100% sure, but that's how I heard it works.

#135338 - NastyNic - Sun Jul 22, 2007 2:37 pm

Hey, I want to ask if anyone could be so kind and simply answer this noobish question: can this little tool crack WEP keys, to let you connect to the protected network for playing games by Wi-Fi, or CAN'T it?
Thx

#135345 - tepples - Sun Jul 22, 2007 4:43 pm

Can you get the WEP key from the owner of the network? If not, why not?
_________________
-- Where is he?
-- Who?
-- You know, the human.
-- I think he moved to Tilwick.

#143643 - jmm0070 - Thu Oct 25, 2007 12:03 am

I tried it and this is what it showed (my Wi-Fi uses no WEP though, just saw if it detected it):

**AircrackDS**

Prasing cap file...
BSSID=00:12:BF:12:32:29
Key Index=0

Recovering WEP KEY...
For BSSID 00:12:BF:12:32:29
Key Index=0 packets=30566
Please be patient...
Key found, length 05: 1F 1F 1F 1F 1F

I just want to know what this means and how do I, or how will I, be able to get the WEP key from this? Please answer :)

Btw, great app ;)

#143655 - dantheman - Thu Oct 25, 2007 1:34 am

This program does not actually capture packets. It's only able to analyze the capture files you capture using a different hardware device like a laptop. You used the sample capture file, and the program succeeded in finding the sample WEP key from it.

#143707 - pas - Thu Oct 25, 2007 2:15 pm

So what about doing a proof-of-concept packet receiver (which takes a month ^^)?

#143736 - moncul - Thu Oct 25, 2007 7:07 pm

I tried to implement the capturing part during summer.
The problem is I seem not to be able to receive WEP-encrypted packets (probably stopped by the hardware).

Here is my last post on the dswifi forum (which is offline):
Code:
I've set W_RXFILTER (0x80D0) to 0xFFFF.
Now I seem to receive all packets if my access point is configured to not use security.
But once I enable WEP on my AP, I only capture beacons again.

So I think it may be the "DS hardware WEP engine" that prevents the lib from getting the "raw, not decryptable by hardware" packets.
I tried to disable it (0x0032 set to 0x0000), but this doesn't change anything.

The pcap file creation does work on DS, but I can't fill it with appropriate packets!

Still, I may have a look at Mighty Max's work on DS-to-DS communications and the recently updated GBATEK about dswifi to see if I can find help...

#143739 - Mighty Max - Thu Oct 25, 2007 7:48 pm

moncul wrote:
I tried to implement the capturing part during summer.
The problem is I seem not to be able to receive WEP-encrypted packets (probably stopped by the hardware).

Well, the data of packets that just have a wrong CRC (because of false decryption) should still be placed in the MAC memory. Only the events that indicate the receive (circ-buffer-pointer moves, RX IRQ) are not triggered.

The IRQ can be replaced by the RX stat increase IRQ, which seems to count thrown-away frames too, and the location can be calculated.

However, you might get a falsely decrypted packet instead of the raw one, as the HW is trying to decrypt it (but fails the CRC check). Since you know the falsely assumed key, you should be able to retrieve the original raw frame.

(Credit for the idea of receiving CRC-corrupt packets in such a way goes to Martin from nocash)
_________________
GBAMP Multiboot

#146469 - killermonkey - Tue Dec 04, 2007 5:11 pm

I pretty much understand how this works, but what I don't get is why, no matter what I do, I still get the "no /ptw.cap" error coming up. I'm assuming I can't just create a file called that. So what am I missing? I can't seem to patch the .nds for my SuperCard 2, but the .nds file is small enough and seems to run OK without patching. How do I get it to work and not just tell me there's no ptw.cap file?

#146473 - mute - Tue Dec 04, 2007 6:09 pm

Anything in the works on capturing packets? I was just looking into this stuff for PCs last week at a friend's house (he wasn't home). I ended up finding a key.txt on his desktop though, which saved me the trouble. Good b/c my laptop's chipset doesn't work with any capturing programs... =]

The 2mbps stuff must be a misunderstanding. And I doubt it'll take a month. There are methods of making the APs send more data. One PC app uses this, although I didn't read into it to see what it is, nor do I remember the app.

But anyway... any progress?

#146474 - Sektor - Tue Dec 04, 2007 6:14 pm

killermonkey wrote:
I pretty much understand how this works, but what I don't get is why, no matter what I do, I still get the "no /ptw.cap" error coming up. I'm assuming I can't just create a file called that. So what am I missing? I can't seem to patch the .nds for my SuperCard 2, but the .nds file is small enough and seems to run OK without patching. How do I get it to work and not just tell me there's no ptw.cap file?

This program doesn't capture packets. You have to use a program on a PC/Mac/PDA to capture the packets and create the ptw.cap file, and of course you could just crack it on that same machine; copying the file to DS would not be practical. This is just proof that the DS is capable of cracking WEP.
_________________
GTAMP.com/DS

#146507 - dantheman - Wed Dec 05, 2007 3:02 am

http://www.dslinux.org/f0rums/viewtopic.php?t=432 might be of interest to those here.

#148932 - fatman999 - Sat Jan 12, 2008 5:10 am

Well, you could use the dummy file creator to make huge files and send them anywhere to slow down the Wi-Fi traffic enough.
_________________
http://teamuba.googlepages.com - my site

#149073 - Potent1 - Mon Jan 14, 2008 7:52 pm

Would all of this even be worth it? Or should I just get a laptop? So far it really doesn't seem practical, no offense.
_________________
Games n Music Homebrew:
http://hbnds.biohazardteam.org/

#149107 - pas - Tue Jan 15, 2008 2:41 pm

Since the source is out, why don't different developers try to make this baby work? It is too much for one only, so why not form an uber-team?
_________________
Starcraft DS ?

#150300 - norpingo - Fri Feb 01, 2008 6:39 pm

Pls help, what file should I rename to the ftw.cpa or something????

#150302 - norpingo - Fri Feb 01, 2008 6:56 pm

The DS Blue thing someone told about before, the packet capture, how does it work? I just get a list of all routers near me, but how do I get a WEP key out of that??

#150303 - norpingo - Fri Feb 01, 2008 7:09 pm

Sorry for posting 3 times, idk how to edit yet, but I mean I get a list of weird codes and stuff; how do I get a WEP key out of it (using DS Blue)?

#150321 - dantheman - Fri Feb 01, 2008 11:38 pm

You cannot capture packets on the DS. You must create the ftw.cap file using something else like a laptop, then transfer it to your card to let your DS decode it. This is mostly a demo and isn't very useful due to this.

#150336 - norpingo - Sat Feb 02, 2008 10:24 am

Hmm, I don't rlly understand what ya saying (kinda n00b in this), but I'm using R4DS and I got a ptw.cap txt file (looks like it but called c-file) and a ptw.cap; aircrack DS now says:
parsing cap file...
recovering WEP KEY...
But nothing happens, and when I drag both ptw.cap files into the aircrack thing called wzcook (icon) it just says ssid/wep key and then it says that it's stored in c:/ wepkey or something, but the txt just says ssid and wep key but doesn't give numbers (I know the SSID but I need the WEP key).

Sorry if my English sucks.

#162094 - Mohammad - Mon Aug 25, 2008 7:13 pm

Sorry to bring back an old topic, but has there been any progress with this? Also, so this "blueDS" app is open source as well. I've been trying to Google this, but what exactly is "ptw.cap"? Is the sniffing that is done by blueDS actually the same stuff that goes into the cap file? Or does an application process parts of this before it saves the file? If not, then is it possible to merge both of them together? Also, if it isn't, why can't the DS save it? I need to recover my old router password because it won't reset for some reason, so I'm more than happy to leave it on all night, or longer... Also it would be mighty convenient when I'm on the road ^_^