Since there are some flaws in the WEP security standard, it is possible to crack it without using traditional brute-force, this is because of the way WEP handles encryption. The algorithm used by WEP is called RC4 which works by having either a 40-bit or a 104-bit key, and on each of these keys, there is an added 24-bit initialization-vector. This initialization-vector does not go through the same encryption process as the rest of the private or shared keys but is instead transmitted directly. The picture below represents this process.
Since this initialization-vector is sent as plain text, anyone with some simple tools is able to sniff it by listening to the traffic going between the transmitter and the receiver, thereby getting the first three characters of the shared key. When enough of these initialization-vectors are captured it is possible to exploit some of the weaknesses found in the way RC4 handles the encryption, thereby getting the entire private key (Kumkar, Tiwari, Tiwari, Gupta, & Shrawne, 2012, s. 2).
- The process started with choosing which wifi adapter to use, I choose to use wlan0, as it was the only wifi adapter I had installed on the system.2. Then I had to set the chosen adapter to monitoring mode, this will make the adapter listen to all the packets going through the air.
3. Then I wrote “airodump-ng .-w mywep wlan0mon” to specify where airodump should store the captured packets. While this command was running, it outputted the wireless networks in the area to specify which network to attack. I then copied the BSSID of that network. It is also important to note the channel used on the AP!
4. We then turned off monitoring mode on the chosen interface and started it back up with the correct channel specified.
- airmon-ng stop wlan0mon
- airmon-ng start wlan0 4
5. Now it’s time to start capturing initialization vectors. I ran this scan for about 16 minutes to capture enough frames. This process goes much faster if there is some traffic generated from one of the stations on the network.
- airodump-ng --bssid 10:DA:43:08:BF:10 -c 4 -w WEPCrack wlan0mon
6. Then I ran “aircrack-ng -1 WEPCrack-01.cap” to retrieve the key.
Then to test if it worked, I simply tried to authenticate against the network, and the result was a success!
There is no doubt that this is by far the most vulnerable wireless security standard still in operation. Even though this paper has gone into some depth explaining some of the weaknesses in the encryption scheme, it is not necessary to have this knowledge to perform the attack. This attack was easy to perform and will most likely be very successful, that’s why this security standard isn’t recommended and is rarely used.
- Required relatively little knowledge
- High success rate
- No interaction needed between the attacker and the clients on the network
- WEP are rarely used
- Might take some time to acquire the necessary amount of initialization vectors