there is a video counterpart to this which is in the format of me describing what
i am doing and how to carry out all the actions in this paper from start to
finish. it will be available as soon as i can secure my web site adequately and
will only ever be available to registered taz members. this paper should be
considered the pre-reading for the video tutorial.
this is part one in a two part paper on cracking wep with windows xp. this first
part covers sniffing wireless traffic and obtaining the wep key. part two will
cover associating with a wireless ap, spoofing your mac address, trying to log on
administratively to the ap and further things you can carry out on the wlan once
wired equivalent privacy (wep) is often mistakenly thought of as a protocol
designed to 100% protect wireless traffic, when this is not the case.
as its name suggests it was designed to give wireless traffic the same level of
protection as a wired lan, which when you think about it is a very hard thing to
set out to do.
wep is commonly implemented as 64 bit or 128 bit encryption. these encryption
strengths are sometimes referred to as 40 bit or 104 bit, because each data packet
is encrypted with an rc4 cipher stream that is generated from an rc4 key. for a
64 bit wep implementation this rc4 key is composed of a 40 bit wep key and a 24 bit
initialization vector (iv).
however the actual wep key part of it is only 40 bits long, the iv taking up the other
24 bits, which is why a 64 bit wep key is sometimes referred to as a 40 bit wep
1) initialization vectors are reused with encrypted packets. as an iv is only 24
bits long it is only a matter of time before it is reused. couple this with the
fact you may have 50+ wireless clients using the same wep key and the chances of
it being reused improve even further.
2) an iv is sent in clear along with the encrypted part of the packet. the reuse of
any encryption element is always a fundamental flaw in that particular encryption,
and as the iv is sent in clear this further exposes a significant weakness in wep.
3) the most significant flaw in my opinion is the mass use of the wep key.
everything using that particular ap will need the same wep key, hence all the
resultant traffic will be using the exact same wep key as well.
the one not so obvious side-effect of this is when it comes to administering the
network. if you have 60 wireless clients all using the same wep key, do you really
want to go and periodically change them all? it is easier to leave it as it is. i'm
sure others who still use wep feel the same way.
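the 40 bit key + 24 bit iv construction and the iv reuse problem from points 1 and 2, written out as an added python example (this is not code from the original paper): rc4 is seeded with iv || wep key, two frames encrypted under the same iv give away the xor of their plaintexts without the key ever being known, and a birthday bound estimates how quickly a 24 bit iv repeats. the key, iv and payloads are constructed values and the crc-32 icv is left out.

```python
import math

# constructed values for the demonstration: a wep-64 key is 40 bits (5 bytes)
# and the iv is 24 bits (3 bytes) and travels in the clear in every frame
WEP_KEY = bytes.fromhex("0102030405")
IV = bytes.fromhex("112233")


def rc4_keystream(key: bytes, length: int) -> bytes:
    """rc4 key scheduling plus output generation; wep seeds it with iv || wep_key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt_body(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """wep frame body: plaintext xor rc4(iv || key). the crc-32 icv is omitted here."""
    return xor_bytes(plaintext, rc4_keystream(iv + wep_key, len(plaintext)))


def keystream_reuse_leak(wep_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """two frames under one iv share a keystream, so c1 xor c2 == p1 xor p2:
    the key cancels out and plaintext structure is exposed to any passive observer."""
    c1 = wep_encrypt_body(wep_key, iv, p1)
    c2 = wep_encrypt_body(wep_key, iv, p2)
    return xor_bytes(c1, c2)


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """birthday bound: chance that at least one iv repeats among `frames` random ivs."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * 2 ** iv_bits))


if __name__ == "__main__":
    p1 = b"GET /index.html HTTP/1.0\r\n"  # constructed sample payloads
    p2 = b"GET /login.html HTTP/1.0\r\n"
    leak = keystream_reuse_leak(WEP_KEY, IV, p1, p2)
    print("c1 xor c2 == p1 xor p2:", leak == xor_bytes(p1, p2))
    for n in (1000, 4823, 20000):
        print(f"{n:6d} frames -> P(iv reuse) = {iv_collision_probability(n):.3f}")
```

with random ivs the 50% mark is reached after roughly 4800 frames, which on a busy wlan is a matter of seconds; a 24 bit iv space cannot be rotated fast enough to avoid reuse, which is why wep was replaced rather than patched.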
the institute of electrical and electronics engineers (ieee) defined specifications
defined frequencies and is commonly used to reduce the effects of noise or
interference in the transmission. dsss is also a protocol used to reduce noise and
interference by combining the signal with a higher data rate bit sequence
(commonly called a chipping code) which separates the data up into a logical
sequence and attaches a form of crc to the packet before transmitting.
a point worth noting here is if you have an 802.11b wireless adaptor you will not be
able to receive 802.11g traffic. if you do want to get into wep cracking it is well
worth your while investing in a dual band card. i will talk about wireless adaptors
more later on.
as i stated before, wep very kindly transmits the iv in clear, so if we can run a
mathematical equation against it we can find and decipher the rc4 stream that
encrypted the whole packet in the first place.
must find by running a complicated algorithm against the encrypted packet.
if you think about it like this it may become clearer:
you have an algorithm that is produced by concatenating a randomly generated 24
the iv is the hub of the whole process as this is the only thing that has used
your wep key. if we run a statistical analysis against the iv to try and decrypt
the packet, we can find the key used at the beginning of the process.
when you try to decrypt them, every time you crack a piece of the algorithm the
corresponding plain text part of the packet is revealed. once the whole packet is
decrypted you know the algorithm used to encrypt that particular packet.