Difference between revisions of "WEP Cracking"

From ivc wiki
Jump to navigationJump to search
Line 19: Line 19:
# Capture one ARP packet
# Capture one ARP packet
# Inject back to into the network to stimulate traffic
# Inject back to into the network to stimulate traffic
# 10-20000 packets enough ARP packets and initialization vector
# Capture 10-20 000 ARP (or other data) packets to build a Initialization Vector table (only 2^24 possibilities)


* '''Key attack''':
* '''Key attack''':
# Find initialization vector collisions where two ARP ciphertexts are the same (2^24 possibilities)
# Find Initialization Vector collisions where two ARP ciphertexts are the same (2^24 possibilities)
# XOR back first 12-bytes using the known plain-text ARP data
# XOR back first 12-bytes using the known plain-text ARP data
# RC4 stream cipher is revealed for that specific IV
# RC4 stream cipher is revealed for that specific IV
# Gather enough collisions -> Use the collected data to build a database of IVs and RC4 stream ciphers to gain a factor by statistical analysis and guess each byte in the final 104-bit (13 character) key
# Find enough collisions
# Try key to verify decryption of captured encrypted packets
# Use the collected data to build a table of IVs and RC4 stream ciphers and use it to gain a statistical factor for the remainder of the missing key bytes, 104-bit (13 character) key


== References ==
== References ==

Revision as of 22:55, 26 August 2009

WEP is infamously known as the broken wireless security protocol. A design flaw was discovered in 2001 and after several cascading discoveries it's now possible to crack a WEP protected network within minutes. WPA is the successor to WEP and features a better but not perfect security protocol.

Background

There are now many sources that describe the vulnerability in detail and APR replay to generate traffic, but this is a short summary. For an throughout explaination on how WEP is implemented and the vulnerabilities, see the link below.

Wep encryption.png

Parts:

  • WEP encryption:
  1. 24-bit unencrypted initialization vector + 104-bit key (13 characters/bytes), 128-bit key
  2. Used to generate RC4 cipher stream
  3. XOR the message
  4. Encrypted network packets
  • ARP replay:
  1. On the basis that the first 12-bytes of ARP packets always stays the same
  2. Capture one ARP packet
  3. Inject back to into the network to stimulate traffic
  4. Capture 10-20 000 ARP (or other data) packets to build a Initialization Vector table (only 2^24 possibilities)
  • Key attack:
  1. Find Initialization Vector collisions where two ARP ciphertexts are the same (2^24 possibilities)
  2. XOR back first 12-bytes using the known plain-text ARP data
  3. RC4 stream cipher is revealed for that specific IV
  4. Find enough collisions
  5. Use the collected data to build a table of IVs and RC4 stream ciphers and use it to gain a statistical factor for the remainder of the missing key bytes, 104-bit (13 character) key

References