There is a very interesting aspect to security that is so overlooked and actually looked down on to a degree. That’s salesmanship. Ok, hate it or think you’re above it or whatever, unless you are the greatest genius of our time, well, you are lost without it in my opinion. Too many in our field have this foolish notion that if they can develop high level skills, then everyone else has to come running kissing their butts. That’s so untrue. We are all people and respond the same way. Hello, that’s what social engineering is all about and we should know that basic stuff. Ok, you say you’re not a salesperson, because you think that term applies to a sleazy guy selling used cars. Ok, that’s fine, but I see a salesperson as an honest educator, someone that can communicate at any level and does it truthfully. I challenge anyone here that feels the opposite to test me. If 2 people enter a bid for a pentest and both quote the same dollars, the one that can communicate and “sell” will get the job.
Ok, what does all this have to do with Spoonwep? Actually a lot. After a typical pentest or audit you have to meet with the powers that be. This can be anywhere from 2 or 3 people to an entire huge table of people, and now it’s show time! You can do your high level of blah, blah and confuse everybody, but if you make it simple they will appreciate it so much more. BELIEVE ME! KISS = keep it simple, stupid. I have seen a few times where others that had a connection brought someone else in to do a pentest for some political reason and they blew it big time. Not because they did a bad job but because they talked way over the heads of the powers that be. People that are CEOs, etc. have big egos, and don’t try and make them feel stupid with your super elite hacking skills. If you do, hey, I will be happy to pick up your contract, lol. I actually had a CEO punch in the MAC and made him click and own! Did that make an impression on how vulnerable it was? Be real, be humble and be honest. Learn to make others not feel threatened. If you want to be a dick, well, do that with your peers, lol. Not your clients!
So here we are after our pentest and making our presentation. I love to give real demos. I love to show how quickly I can make myself an Admin with a few quick commands if that applies. If I am testing wifi and I cracked it with simple WEP, it’s so powerful to give a simple demo on how I did it if I can. The best demo I know of is Spoonwep. It’s a GUI for aircrack-ng. It really freaks people out rather than typing too many commands into a console. It’s salesmanship in the highest! Try it if you haven’t. It’s on BackTrack 3. Let’s say you are using the antenna I mentioned in my post here:
http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,2649.msg12433/#msg12433.
Go to EZpwn and click on spoonwep. Make sure you go into monitor mode. With the antenna I suggested you can simply type in your terminal: iwconfig wlan0 mode monitor. You don’t have to worry about all the airmon-ng stop and start stuff. You will need to enter the MAC address of the router in the first space of the GUI. Discover that MAC with Kismet or Airodump. Entering the client in the second column isn’t as mandatory, I have found; if there are clients available it will work just fine. Let me mention that if there are no clients it can get very unreliable. If there are clients available you can do just about any attack without a client being “checked” in the GUI.
Make sure you clicked on the proper channel that Kismet identified. As far as injection speed goes, if you don’t know, you are best to stick with the default middle range. One card of mine didn’t work until I set it lower. Keep it in the middle and then turn it up faster, but with the antenna I mentioned the fastest setting seems fine.
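The post says to pull the router’s MAC and channel out of Kismet or Airodump before the demo. The flip side of that, for the people at the table, is knowing which of their own access points are still on WEP so they can be scheduled for remediation. The script below is an added example, not code from the original post or from the aircrack-ng project: it reads an airodump-ng style CSV export and lists every AP whose Privacy column is WEP. The CSV layout and the three access points in it are constructed here to mimic airodump-ng’s output and are not a real capture.

```python
"""Inventory WEP access points from an airodump-ng style CSV export.

Added example (not from the original post). After a wireless audit, list
every access point still running WEP so it can be put on the remediation
list. airodump-ng writes a CSV whose first section lists access points with
a "Privacy" column (OPN, WEP, WPA, WPA2); the sample below is constructed
to match that layout and is not a real capture.
"""
import csv

# Constructed sample, mimicking the access-point section of an airodump-ng CSV,
# followed by the station section that airodump-ng appends after a blank line.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2009-01-01 10:00:00, 2009-01-01 10:05:00,  6,  54, WEP , WEP, , -60,  120,  3400,   0.  0.  0.  0,   8, CorpWifi, 
66:77:88:99:AA:BB, 2009-01-01 10:00:00, 2009-01-01 10:05:00, 11,  54, WPA2, CCMP, PSK, -70,   80,     0,   0.  0.  0.  0,   5, Guest, 
CC:DD:EE:FF:00:11, 2009-01-01 10:00:00, 2009-01-01 10:05:00,  1,  11, WEP , WEP, , -80,   30,    12,   0.  0.  0.  0,   6, Legacy, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:AA:AA:AA:AA:AA, 2009-01-01 10:01:00, 2009-01-01 10:04:00, -55,  200, 00:11:22:33:44:55, CorpWifi
"""


def parse_access_points(text):
    """Return the access-point rows of the first CSV section as dicts.

    The header row is the line whose first field is "BSSID"; the section
    ends at the first blank line after that header (the station section
    that follows is ignored).
    """
    rows = []
    header = None
    for line in text.splitlines():
        if not line.strip():
            if header is not None:
                break  # end of the access-point section
            continue  # leading blank lines before the header
        # Split on commas and strip the padding spaces airodump-ng adds.
        fields = [f.strip() for f in next(csv.reader([line]))]
        if header is None:
            if fields and fields[0] == "BSSID":
                header = fields
            continue
        rows.append(dict(zip(header, fields)))
    return rows


def wep_access_points(text):
    """Return (BSSID, channel, ESSID) for every AP whose Privacy is WEP."""
    found = []
    for ap in parse_access_points(text):
        if ap.get("Privacy", "").upper().startswith("WEP"):
            found.append((ap["BSSID"], int(ap["channel"]), ap["ESSID"]))
    return found


def remediation_report(text):
    """One line per WEP access point, ready to drop into the audit writeup."""
    return [
        "WEP still in use: %s on channel %d (%s)" % (bssid, chan, essid)
        for bssid, chan, essid in wep_access_points(text)
    ]


if __name__ == "__main__":
    for line in remediation_report(SAMPLE_CSV):
        print(line)
```

Point it at a real export with `open("audit-01.csv").read()` in place of `SAMPLE_CSV`; the parser stops at the blank line that separates the access-point table from the station table, so the station rows never get mistaken for APs.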
So hopefully you have made an amazing demo and displayed how easy it is to crack WEP to the corporate powers. Hey, we all like fireworks, right? I should mention that for a real pentest I don’t use this. I feel you need the command line. Why? Because you can tweak how aireplay attacks, because you often have a difficult router that will only respond to a certain rate of injection.
PS: I hope this gets across; I just wrote this after a 72-hour non-stop audit.