Attacking WEP

How WEP Works

Wired Equivalent Privacy (WEP) encrypts each frame using the following process:

  1. CRC-32 Checksum: WEP computes a 32-bit CRC over the data as the integrity check value (ICV) and appends it to the data.

  2. Initialization Vector (IV): WEP concatenates a 24-bit per-frame value, the Initialization Vector (IV), with the WEP key. The IV and the WEP key together form the WEP seed.

  3. RC4 Algorithm: The WEP seed is the key input to the RC4 stream cipher, which generates a keystream. The keystream is XORed bit-wise with the concatenation of the data and the ICV to produce the ciphertext.

  4. MAC Frame: The IV field (IV + PAD + KID, where KID is the two-bit key ID selecting one of up to four configured keys) is prepended in the clear to the ciphertext to form the body of the 802.11 MAC (Medium Access Control) frame.

Security issues with WEP

WEP suffers from several significant flaws that undermine its ability to provide robust security:

No Defined Key Distribution Method: WEP relies on Pre-Shared Keys (PSKs), which are typically set once during installation and seldom changed. With no secure way to distribute or rotate keys, a single key stays in use across every device and session, so once it leaks it remains useful.

RC4 Vulnerabilities: RC4 is a stream cipher, and a stream cipher is only secure if a keystream is never reused. WEP's 24-bit IV is the only per-frame variation in the seed, so IVs, and with them keystreams, repeat. Because the same keystream is reused, attackers can monitor traffic, analyze plaintext messages, and eventually compute the key.

Passive Data Analysis: Attackers can capture wireless traffic passively, without transmitting anything, and use publicly available tools to crack WEP keys from the captured frames.

Weak Key Scheduling Algorithms: The way WEP feeds the IV and key into RC4's key scheduling algorithm is susceptible to known statistical attacks on the keystream, making it an insecure choice for wireless security.
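The four encryption steps above, and the keystream-reuse weakness described under "RC4 Vulnerabilities", as an added example that is not part of the original page and not taken from any vendor's or Aircrack-ng's code. It is a textbook WEP implementation (CRC-32 ICV, 24-bit IV, RC4) with two defensive checks: ICV verification on decryption, and a scan of captured frames for IV reuse. The key, IVs and plaintexts are constructed sample values; the little-endian packing of the ICV is an assumption of this example.

```python
import struct
import zlib
from typing import List, Optional, Tuple

# Toy WEP, added to illustrate the textbook description of the algorithm.
# Not suitable for protecting real traffic; WEP itself is broken.


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4 key-scheduling (KSA) followed by the PRGA, producing `length` bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA: permute S under the seed
        j = (j + S[i] + seed[i % len(seed)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:                  # PRGA: emit keystream bytes
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, data: bytes, key_id: int = 0) -> bytes:
    """Steps 1-4: ICV, seed = IV || key, RC4 XOR, IV field prepended in the clear."""
    assert len(iv) == 3 and 0 <= key_id <= 3
    icv = struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)   # step 1 (little-endian assumed)
    seed = iv + key                                           # step 2: WEP seed
    keystream = rc4_keystream(seed, len(data) + 4)            # step 3: RC4 keystream
    body = bytes(p ^ k for p, k in zip(data + icv, keystream))
    iv_field = iv + bytes([key_id << 6])                      # step 4: IV + PAD + KID
    return iv_field + body


def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Reverse the process; return the data, or None if the ICV does not verify."""
    iv, body = frame[:3], frame[4:]
    keystream = rc4_keystream(iv + key, len(body))
    plain = bytes(c ^ k for c, k in zip(body, keystream))
    data, icv = plain[:-4], plain[-4:]
    if struct.unpack("<I", icv)[0] != (zlib.crc32(data) & 0xFFFFFFFF):
        return None
    return data


def find_iv_reuse(frames: List[bytes]) -> List[Tuple[int, int]]:
    """Defensive check over captured frames: index pairs that share an IV.

    Two frames with the same IV under the same key were encrypted with the
    same RC4 keystream, which is exactly the condition a stream cipher must avoid.
    """
    seen = {}
    reused = []
    for idx, frame in enumerate(frames):
        iv = frame[:3]
        if iv in seen:
            reused.append((seen[iv], idx))
        else:
            seen[iv] = idx
    return reused


def xor_leak(frame_a: bytes, frame_b: bytes) -> bytes:
    """Why IV reuse matters: for same-IV frames, C_a XOR C_b == P_a XOR P_b.

    The keystream cancels out, so the key plays no role in what is exposed.
    Only the leading bytes common to both data fields are returned.
    """
    n = min(len(frame_a), len(frame_b)) - 8   # 4-byte IV field + 4-byte ICV
    return bytes(a ^ b for a, b in zip(frame_a[4:4 + n], frame_b[4:4 + n]))


# Constructed sample values (not a real network's key)
KEY = b"\x0a\x0b\x0c\x0d\x0e"      # 40-bit WEP key
IV_A = b"\x01\x02\x03"
IV_B = b"\x07\x08\x09"

if __name__ == "__main__":
    capture = [
        wep_encrypt(KEY, IV_A, b"sensor reading 1"),
        wep_encrypt(KEY, IV_B, b"sensor reading 2"),
        wep_encrypt(KEY, IV_A, b"sensor reading 3"),   # IV_A reused
    ]
    print("IV reuse between frames:", find_iv_reuse(capture))
    print("P_a XOR P_c:", xor_leak(capture[0], capture[2]).hex())
```

Running the block shows the reused IV is detectable from the clear-text IV field alone, and that the XOR of the two same-IV ciphertexts is mostly zero bytes where the plaintexts agree; a 24-bit IV space guarantees such collisions on any busy network.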

Cracking WEP keys

Aircrack-ng's documentation has a nice guide for this.

Just remember that a wireless NIC and driver that support monitor mode are needed to capture the raw 802.11 frames.
