Difference between revisions of "WEP Cracking"

From ivc wiki
Jump to navigationJump to search
Line 4: Line 4:
There are now many sources that describe the vulnerability in detail and APR replay to generate traffic, but this is a short summary. For an throughout explaination on how WEP is implemented and the vulnerabilities, see the link below.
There are now many sources that describe the vulnerability in detail and APR replay to generate traffic, but this is a short summary. For an throughout explaination on how WEP is implemented and the vulnerabilities, see the link below.


* [http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html (In)security of the WEP algorithm]
* '''[http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html (In)security of the WEP algorithm by Nikita Borisov, Ian Goldberg, and David Wagner]'''


Sections:
Sections:

Revision as of 23:25, 25 August 2009

WEP is infamously known as the broken wireless security protocol. A design flaw was discovered in 2001 and after several cascading discoveries it's now possible to crack a WEP protected network within minutes. WPA is the successor to WEP and features a better but not perfect security protocol.

Background

There are now many sources that describe the vulnerability in detail and APR replay to generate traffic, but this is a short summary. For an throughout explaination on how WEP is implemented and the vulnerabilities, see the link below.

Sections:

  • WEP encryption: 24-bit unencrypted initialization vector + 104-bit key (13 characters/bytes), 128-bit key -> Used to generate RC4 cipher stream -> XOR the message -> Encrypted packets
  • ARP replay: On the basis that the first 12-bytes of ARP packets always stays the same -> Capture one ARP packet -> Inject back to into the network to stimulate traffic -> 10-20000 packets enough ARP packets and initialization vector
  • Key crack: Find initialization vector collisions where two ARP ciphertexts are the same (2^24 possibilities) -> XOR back first 12-bytes -> Small piece of the pseudo-random RC4 stream cipher is revealed -> Use the collected data to gain a factor by statistical attacking each byte in the final 104-bit (13 character) key -> Try key to verify decryption of captured encrypted packets

References