Instructions for Cracking Wep

Published by: api-3737648 on Oct 15, 2008
Copyright:Attribution Non-commercial

cracking wep with windows xp pro sp2

there is a video counterpart to this, in the format of me describing what i am
doing and how to carry out all the actions in this paper from start to finish. it
will be available as soon as i can secure my web site adequately and will only
ever be available to registered taz members. this paper should be considered the
pre-reading for the video tutorial.

this is part one of a two part paper on cracking wep with windows xp. this first
part covers sniffing wireless traffic and obtaining the wep key. part two will
cover associating with a wireless ap, spoofing your mac address, trying to log on
administratively to the ap, and further things you can carry out on the wlan once
authenticated successfully.

what is wep:

wired equivalent privacy (wep) is often mistakenly thought of as a protocol
designed to protect wireless traffic 100%, when this is not the case. as its name
suggests, it was designed to give wireless traffic the same level of protection
as a wired lan, which when you think about it is a very hard thing to set out to
do.

lans are inherently more secure than wireless lans (wlans) due to physical and
geographical constraints. for an attacker to sniff data on a lan they must have
physical access to it, which is obviously easier to prevent than preventing
access to traffic on a wlan.

wep works at the lower layers of the osi model, layers one and two to be exact,
so it does not provide total end to end security for the data transmission. wep
can provide a level of security between a wireless client and an access point or
between two wireless clients.

wep standards:

wep is commonly implemented as 64 bit or 128 bit encryption. these encryption
strengths are sometimes referred to as 40 bit or 104 bit because each data packet
is encrypted with an rc4 cipher stream which is generated from an rc4 key. for a
64 bit wep implementation this rc4 key is composed of a 40 bit wep key and a 24
bit initialization vector (iv), hence the 64 bit rc4 key; however the actual wep
part of it is only 40 bits long, the iv taking up the other 24 bits, which is why
a 64 bit wep key is sometimes referred to as a 40 bit wep key.

this resultant cipher stream is xored with the plain text data to encrypt the
whole packet. to decrypt the packet the wep key is used to generate an identical
key stream at the other end to decrypt the whole packet, but more about this
later on. i will also go over the ivs in more detail later on.

failures of wep:
we have all heard people say wep is easy to crack and should not be used, that it
can be cracked in 10 minutes, etc., but why is this?
well, in my opinion wep is seriously flawed for the following reasons:

1) initialization vectors are reused with encrypted packets. as an iv is only 24
bits long it is only a matter of time before it is reused. couple this with the
fact you may have 50+ wireless clients using the same wep key and the chances of
it being reused improve even further. an iv is sent in the clear along with the
encrypted part of the packet. the reuse of any encryption element is always a
fundamental flaw in that particular encryption, and as an iv is sent in the clear
this further exposes a significant weakness in wep.

as more rc4 cipher streams are found and more ivs are deciphered, the closer we
get to discovering the wep key. this is what forms the foundation of wep
cracking.

2) the algorithm used to encrypt a wep hash is not intended for encryption
purposes. the original purpose of the cyclic redundancy check (crc-32) was to
detect errors in transmission, not to encrypt data.

3) the most significant flaw in my opinion is the mass use of the wep key.
everything using that particular ap will need the same wep key, hence all the
resultant traffic will be using the exact same wep key as well. the one not so
obvious side-effect of this comes when administering the network. if you have 60
wireless clients all using the same wep key, do you really want to go and
periodically change them all? it is easier to leave it as it is. i am guilty of
doing this on a network i used to administer a few years ago, as i am sure
others are who still use wep.

wireless standards:
the institute of electrical and electronics engineers (ieee) defined
specifications for wireless traffic back in 1997. the protocol they came up with
is 802.11. nowadays 802.11 has many different implementations for wireless
traffic. the most common ones are:
1) 802.11
this specifies that the wireless traffic will use the 2.4ghz frequency band
utilizing either frequency hopping spread spectrum (fhss) or direct sequence
spread spectrum (dsss). fhss is a protocol whereby the traffic hops to
pre-defined frequencies and is commonly used to reduce the effects of noise or
interference in the transmission. dsss is also a protocol used to reduce noise
interference, by combining the signal with a higher data rate bit sequence
(commonly called a chipping code) which separates the data up into a logical
sequence and attaches a form of crc to the packet before transmitting.

2) 802.11a
this provides data transmission in the 5ghz band at a rate of anything up to
54mbps. unlike the original 802.11 specification this uses orthogonal frequency
division multiplexing (ofdm) to encode the traffic instead of fhss or dsss. ofdm
is a method of transmitting digital data by splitting it up into smaller chunks
and transmitting them at the same time but on different frequencies, which is
why the data transfer rate is quite good.

3) 802.11b
came along in 1999 with the intention of allowing wireless functionality to be
similar to that provided by ethernet. it transmits data in the 2.4ghz band at
11mbps using dsss only. it is sometimes called wi-fi.

4) 802.11g
this works in the 2.4 ghz band at a rate of 20mbps or more and came along in
2003. it uses ofdm like 802.11a and transmits data in a very similar way.
however, unlike 802.11a it is backward compatible with 802.11b.

a point worth noting here is that if you have an 802.11b wireless adaptor you
will not be able to receive 802.11g traffic. if you do want to get into wep
cracking it is well worth your while investing in a dual band card. i will talk
about wireless adaptors more later on.

how do we crack wep:

well, cracking wep is fairly easy to understand if you have followed what i
explained above. we briefly touched on ivs and wep encryption and how they tie
in together. to put it very simply, if you can decipher the iv algorithm you can
decrypt or extract the wep key.

as i stated before, wep very kindly transmits the iv in the clear, so if we can
run a mathematical equation against it we can find and decipher the rc4 stream
that encrypted the whole packet in the first place.

the wep key is the missing value [key] from this mathematical equation. remember
the ap or the client has this key to use when decrypting the packet, and it is
what we must find by running a complicated algorithm against the encrypted
packet. if you think about it like this it may become clearer: you have an
algorithm that is produced by concatenating a randomly generated 24 bit iv with
your wep key; you also have an rc4 key stream. the two are then hashed together
to encrypt the packet.

the iv is the hub of the whole process as this is the only thing that has used
your wep key. if we run a statistical analysis against the iv to try and decrypt
the packet, we can find the key used at the beginning of the process.

when you try to decrypt them, every time you crack a piece of the algorithm the
corresponding plain text part of the packet is revealed; once the whole packet
is decrypted you know the algorithm used to encrypt that particular packet. a
crude way of describing it, but as simple as i can make it.
any attacker can passively collect encrypted data; after a while, due to the
limitations explained earlier, two ivs that are the same will be collected. if
two packets with the same iv are xored, an xor of the plain text data can be
revealed. this xor can then be used to infer data about the contents of the
packets. the more identical ivs collected, the more plain text data can be
revealed. once all the plain text of a data packet is known, it will also be
known for all data packets using the same iv.
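the same-iv observation above, and point 1 in the failures section, as an added
example that is not from the original paper: a minimal wep-style encryptor built
on rc4 (the crc-32 icv is left out), showing that two frames sharing an iv give
away the xor of their plain texts, plus the birthday estimate for how many frames
it takes before a random 24 bit iv repeats. the key, iv and payload values are
constructed for the demonstration.

```python
# added example: wep-style rc4 encryption, same-iv keystream cancellation, iv birthday bound.
import math

def rc4_keystream(key: bytes, length: int) -> bytes:
    """plain rc4: key scheduling, then `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(wep_key: bytes, iv: bytes, payload: bytes) -> bytes:
    """frame body: the 3 byte iv in the clear, then payload xored with rc4(iv || key).
    real wep also puts a crc-32 icv inside the encrypted part; omitted here.
    calling this again on the returned payload bytes decrypts (xor is symmetric)."""
    assert len(iv) == 3, "wep ivs are 24 bits"
    ks = rc4_keystream(iv + wep_key, len(payload))
    return iv + bytes(p ^ k for p, k in zip(payload, ks))

def xor_of_plaintexts(frame_a: bytes, frame_b: bytes) -> bytes:
    """two frames with the same iv share a keystream, so xoring the ciphertexts
    cancels it and leaves plain_a xor plain_b over the overlapping length."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("different ivs: keystreams differ, nothing cancels")
    n = min(len(frame_a), len(frame_b)) - 3
    return bytes(a ^ b for a, b in zip(frame_a[3:3 + n], frame_b[3:3 + n]))

def frames_for_collision(iv_bits: int = 24, probability: float = 0.5) -> int:
    """birthday estimate of how many frames are sent before some iv repeats
    with the given probability (random ivs; a counter repeats at 2**iv_bits)."""
    n = 2 ** iv_bits
    return math.ceil(math.sqrt(-2 * n * math.log(1 - probability)))

if __name__ == "__main__":
    key = b"\x01\x02\x03\x04\x05"   # constructed 40 bit wep key
    iv = b"\x11\x22\x33"            # the same iv reused for both frames
    p1, p2 = b"hello wlan", b"xyzzy data"
    c1, c2 = wep_encrypt(key, iv, p1), wep_encrypt(key, iv, p2)
    print(xor_of_plaintexts(c1, c2) == bytes(a ^ b for a, b in zip(p1, p2)))
    print("50% chance of a repeated iv after about", frames_for_collision(), "frames")
```

the roughly 4800 frame figure is for randomly chosen ivs; a busy wlan sends that
many in minutes, which is the "only a matter of time" point made above.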
so before any transmission occurs wep combines the keystream with the payload
