Difference between revisions of "WEP Cracking"

From ivc wiki
WEP is infamous as the broken wireless security protocol. A design flaw was discovered in 2001, and after several cascading discoveries it is now possible to crack a WEP-protected network within minutes. WPA is the successor to WEP and offers a better, but not perfect, security protocol.
== Background ==
There are now many sources that describe the vulnerability in detail and the use of ARP replay to generate traffic, but this is a short summary.
* '''WEP encryption''': 24-bit IV (a per-packet counter, sent unencrypted) + 104-bit secret key = 128-bit RC4 key -> generates the RC4 keystream -> XORed with the plaintext -> encrypted packet
* '''ARP replay''': Relies on the first 12 bytes of every ARP packet being the same -> Capture one encrypted ARP packet -> Inject it back into the network to force new data traffic -> XOR the known first 12 bytes against each captured ARP/data packet to recover the first 12 bytes of its keystream -> After 10,000-20,000 packets, enough small 12-byte fragments of the pseudorandom RC4 keystream have been gathered
* '''Key crack''': Perform statistical analysis on the collected keystream fragments to recover the key one byte at a time -> Try to decrypt the captured data with the candidate key to verify it
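The encryption and known-plaintext steps above, as an added Python example that is not code from the ivc wiki page: a toy RC4/WEP model with a constructed key, IV and ARP prefix, showing how XORing the predictable 12-byte ARP prefix against the ciphertext yields the keystream for that IV, and why any other packet sent under the same IV then leaks its own first bytes.

```python
# Added example (not from the ivc wiki page): a toy model of WEP's RC4 keystream
# construction. Simplified: no ICV/CRC-32, no 802.11 headers, constructed sample key.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA). WEP seeds it with IV || secret key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(iv: bytes, secret_key: bytes, plaintext: bytes) -> bytes:
    """24-bit IV (sent in the clear) || 104-bit key -> RC4 keystream -> XOR."""
    assert len(iv) == 3 and len(secret_key) == 13
    ks = rc4_keystream(iv + secret_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))

def recover_keystream_prefix(frame: bytes, known_prefix: bytes) -> tuple:
    """The page's known-plaintext step: XOR the predictable first bytes of a
    packet against its ciphertext to get that many keystream bytes for its IV."""
    iv, body = frame[:3], frame[3:]
    return iv, bytes(c ^ p for c, p in zip(body, known_prefix))

# Constructed sample values (hypothetical, not from any real network).
SECRET_KEY = bytes.fromhex("0123456789abcdef0123456789")   # 104-bit key
# LLC/SNAP header (8 bytes) + ARP hardware/protocol type (4 bytes): the 12 predictable bytes.
ARP_PREFIX = bytes.fromhex("aaaa03000000080600010800")

def demo() -> dict:
    iv = b"\x01\x02\x03"
    arp = ARP_PREFIX + bytes(16)                  # rest of the ARP body (zeros, constructed)
    frame = wep_encrypt(iv, SECRET_KEY, arp)
    got_iv, ks = recover_keystream_prefix(frame, ARP_PREFIX)
    # Any other frame reusing the same IV leaks its first 12 bytes to that fragment.
    other = wep_encrypt(iv, SECRET_KEY, b"secret-data!" + b"x" * 8)
    leaked = bytes(c ^ k for c, k in zip(other[3:], ks))
    return {"iv": got_iv, "keystream": ks,
            "matches_true_keystream": ks == rc4_keystream(iv + SECRET_KEY, 12),
            "leaked_prefix": leaked}
```

The recovered fragment never reveals the key by itself; the key-crack step needs many such (IV, keystream) fragments, which is why the 24-bit IV space and the replayed traffic matter.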
== References ==
* [http://lifehacker.com/5305094/how-to-crack-a-wi+fi-networks-wep-password-with-backtrack How to Crack a Wi-Fi Network's WEP Password with BackTrack]

Revision as of 22:24, 25 August 2009