WEP Cracking

WEP is infamously known as the broken wireless security protocol. A design flaw was discovered in 2001 and after several cascading discoveries it's now possible to crack a WEP protected network within minutes. WPA is the successor to WEP and features a better but not perfect security protocol.

Background

There are now many sources that describe the vulnerability in detail and APR replay to generate traffic, but this is a short summary. For an throughout explaination on how WEP is implemented and the vulnerabilities, see the link below.

• (In)security of the WEP algorithm

Sections:

• WEP encryption: 24-bit unencrypted initialization vector + 104-bit key (13 characters/bytes), 128-bit key -> Used to generate RC4 cipher stream -> XOR the message -> Encrypted packets
• ARP replay: On the basis that the first 12-bytes of ARP packets always stays the same -> Capture one ARP packet -> Inject back to into the network to stimulate traffic -> 10-20000 packets enough ARP packets and initialization vector
• Key crack: Find initialization vector collisions where two ARP ciphertexts are the same (2^24 possibilities) -> XOR back first 12-bytes -> Small piece of the pseudo-random RC4 stream cipher is revealed -> use the collected data to gain a factor for statistical attacking each byte in the final 104-bit (13 character) key -> Try key to verify decryption of captured encrypted packets

References

• How to Crack a Wi-Fi Network's WEP Password with BackTrack
• SpoonWEP for Noob
• Part 10: WPA-PSK Cracking with a dictionary attack in Backtrack 3
• Cracking WEP Using Backtrack: A Beginner’s Guide
• Remote-Exploit Backtrack
• Cracking WPA FAST with video cards