Attacking WEP
How WEP Works
Wireless Equivalent Privacy (WEP) uses the following process:
CRC-32 Checksum: It calculates a 32-bit integrity check value (ICV) for the data, which is then added to the data frame.
Initialization Vector (IV): WEP combines a 24-bit arbitrary number known as the Initialization Vector (IV) with the WEP key. The WEP key and IV together form the WEP seed.
RC4 Algorithm: The WEP seed is used as input for the RC4 encryption algorithm, generating a keystream. This keystream is bit-wise XORed with a combination of the data and ICV to produce the encrypted data.
MAC Frame: The IV field (IV + PAD + KID) is added to the ciphertext to create a MAC (Message Authentication Code) frame.
Security issues with WEP
WEP suffers from several significant flaws that undermine its ability to provide robust security:
No Defined Key Distribution Method: WEP relies on Pre-Shared Keys (PSKs), which are typically set once during installation and seldom changed. The lack of a secure method for distributing encryption keys makes it vulnerable.
RC4 Vulnerabilities: RC4 was designed for a more randomized environment than WEP provides. Since the same key is often reused in WEP, attackers can monitor traffic, analyze plaintext messages, and compute the key.
Passive Data Analysis: Attackers can capture wireless traffic passively and use public tools to crack WEP keys.
Weak Key Scheduling Algorithms: WEP's key scheduling algorithms are susceptible to various attacks, making it an insecure choice for wireless security.
Cracking WEP keys
Aircrack-ng has a nice guide for this here.
Just remember that a NIC supporting monitor mode is needed.
Last updated