LinuxQuestions.org
Old 11-25-2005, 09:18 PM   #1
true_atlantis
Member
 
Registered: Oct 2003
Distribution: fedora cor 5 x86_64
Posts: 639

Rep: Reputation: 30
WEP vulnerability


i have been doing a lot of reading about the vulnerability of WEP where you can crack the private shared key. can someone tell me if my logic is correct...

the key is acquired because the IV are in plain text. if you spoof specific packets to the router you can unencrypt certain parts of the encrypted message. for example, the encrypted text=plaintext xor key... if you know the beginning of a packet, ex. a specific request, and you know the encrypted text, you can figure out what the key is.

why is it that the more IVs you acquire, the easier it is to decrypt? is that just specific to the statistical algorithm doing the decrypting (ex. aircrack)?

can anyone get into more detail? or is this the basic idea?
 
Old 11-27-2005, 01:25 AM   #2
brianthegreat
Member
 
Registered: Oct 2005
Posts: 518

Rep: Reputation: 32
WEP is pretty easy to break from what I have read. Basically all you have to do is run a number cracker against it. In time the cracker will find the key.
 
Old 11-27-2005, 09:46 AM   #3
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,671
Blog Entries: 4

Rep: Reputation: 3945
WEP is good for .. basically, imho, what it was designed to do, and that is to make it "more than casually difficult" for someone to "borrow" your wireless connection and thus, perhaps, tap into your internal network.

A good friend of mine had an expensive twelve-string guitar in a cardboard case secured with one of those tiny locks. It was, he said, "to keep the honest people out." Good point. That's what WEP is for, too.

It is not sufficient as a means to secure your communications, and it does not eliminate the fundamental requirement that is inherent in any wireless networking: that "the fact that someone is present on your network" is not sufficient to establish that "he is authorized to be there."

Lots of computer crimes are committed by automated cat-burglars. They drive around, mapping network availability, and test to see if they can break in. But they are also strictly opportunists, and frankly, they're surrounded by sitting ducks. It may be that the presence of WEP makes your network "not worth messing around with." Your "duck" is showing some signs of being awake.
 
Old 11-27-2005, 01:41 PM   #4
true_atlantis
Member
 
Registered: Oct 2003
Distribution: fedora cor 5 x86_64
Posts: 639

Original Poster
Rep: Reputation: 30
i was asking more about why it is unsecure... and i figured it out if anyone is curious...
rc4 is what takes the encryption key and the IV (initialization vector) and makes it as long as the packet, then the packets are xored with the output of rc4.

encrypted=unencrypted (xor) rc4(IV, key)
or
e=u (xor) rc4(iv,k)

now, if you get 2 packets which use the same IV, you can figure things out about each other
e=u (xor) rc4(iv,k)
e'=u' (xor) rc4(iv,k)
now, you can xor those and the rc4 part drops out
e (xor) e' = (u (xor) rc4(iv,k)) (xor) (u' (xor) rc4(iv,k))
e (xor) e' = u (xor) u'

now, lots of packets have known beginnings, if the beginning of packet u was 'PASSWORD:' you can work backwards to get u'. from there you can go back another step to get the key value.
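
The relation worked out in the post above, as an added example that is not part of the original post: it uses plain RC4 seeded with IV || key, leaves out the CRC-32 integrity value WEP appends, and every key, IV and plaintext in it is a constructed sample. Knowing u yields u' and the keystream for that one IV; the block does not attempt to get from the keystream to the key.

```python
# Added illustration of e xor e' = u xor u' under a repeated IV.

def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA), then `length` output bytes (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """e = u xor rc4(iv, k); the RC4 seed is the cleartext IV followed by the key."""
    return xor(plaintext, rc4_keystream(iv + key, len(plaintext)))

# Constructed sample values (not taken from any capture)
KEY = bytes.fromhex("0102030405")      # 40-bit shared key
IV = bytes.fromhex("a1b2c3")           # IV used by both frames
OTHER_IV = bytes.fromhex("a1b2c4")     # a frame that does not collide
U1 = b"PASSWORD: hunter2 "             # plaintext the observer knows
U2 = b"GET /index.html HT"             # plaintext the observer does not know

def demo():
    e1 = wep_encrypt(IV, KEY, U1)
    e2 = wep_encrypt(IV, KEY, U2)
    mixed = xor(e1, e2)                # rc4(iv, k) cancels: u xor u'
    recovered_u2 = xor(mixed, U1)      # known u gives u'
    keystream = xor(e1, U1)            # rc4(iv, k) for this IV only
    e3 = wep_encrypt(OTHER_IV, KEY, U2)
    no_cancel = xor(e1, e3)            # different IV: keystreams differ
    return mixed, recovered_u2, keystream, no_cancel

if __name__ == "__main__":
    mixed, recovered_u2, keystream, no_cancel = demo()
    print("u xor u'          :", mixed.hex())
    print("recovered u'      :", recovered_u2)
    print("keystream for IV  :", keystream.hex())
    print("cancels w/o reuse :", no_cancel == xor(U1, U2))
```
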
 
Old 11-27-2005, 10:47 PM   #5
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I don't believe it's that simplistic. For the attack you're suggesting you'd need to flood the network until you had IV collisions with packets that you know the data. Spoofing won't work because you'd need to know the WEP key in order to inject valid packets. There are some replay type attacks that simply reinject certain captured packets back into the network thousands of times and try to get identical responses from the network.

One of the keys to the FMS-type passive attacks is that most WEP packets include a 3 byte SNAP header as the first encrypted part of the packet and has a known value of 0xAA, so you know the plaintext of the first byte of the PRGA. One of the identified weaknesses comes from the fact that for certain IVs (known as weak IVs) 5% of the time the swap operation is performed in the RC4 algorithm, it will leave a byte of the password unchanged. So for each time you have an IV collision, there is also a 5% chance that it will reveal a byte of the password.

That's also only looking at some of the older attacks. The newer KoreK "chopchop" attack only needs a single packet which it then modifies a single bit in the packet (bit-flipping) and then replays that into the network. To be honest I don't fully understand how that attack works but it can extract the key in several seconds...doh!

//Disclaimer: I'm not a cryptographer or a mathematician, so it's possible that parts of that are incorrect. I did however stay at a Holiday Inn Express last night.

---EDIT---
I just came across this walkthrough of the attack while looking up what made certain IVs weak. It's from a book that gives one of the better descriptions about WEP/RC4 and its weaknesses:
http://www.informit.com/articles/art...seqNum=11&rl=1

Here's the paper on weak IVs:
http://marcel.wanda.ch/Archive/WeakKeys

Last edited by Capt_Caveman; 11-27-2005 at 10:51 PM.
 
Old 11-27-2005, 11:12 PM   #6
true_atlantis
Member
 
Registered: Oct 2003
Distribution: fedora cor 5 x86_64
Posts: 639

Original Poster
Rep: Reputation: 30
i think we may be talking about different attacks. the one i am researching (aircrack) just needs a certain amount of IV's and it uses the collided ones to find the key. is there any implementation of the one you are talking about - the one you can crack in seconds? thanks
 
Old 11-28-2005, 12:49 AM   #7
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
I believe there are 2 implemented as part of Aircrack. The newer one is part of aireplay and uses the active "bit-flipping" attack (this is based on KoreKs chopchop attack) and is exceedingly fast. Info on this is available on the Netstumbler forums.

The passive attack (I think that's the one you are using) I believe is based off KoreKs first generation attack (aka "chopper"). I haven't read that much on chopper, but I believe it's a broader exploitation of FMS. It uses several different attacks, including ones that attack the first and second output bytes instead of just the first and uses some statistical analysis of IVs (described here) to cut the number of IVs needed. As a result the two byte attacks increase likelihood of revealing bytes from the key to 13% (a further extension increases it to 15% but I'm not sure how that works).

These might be helpful reads:
http://www.netstumbler.org/showthrea...9&page=2&pp=15
http://www.netstumbler.org/showpost....2&postcount=35
http://asi.insa-rouen.fr/~lfallet/do...a/aircrack.pdf
 
Old 11-28-2005, 01:52 AM   #8
true_atlantis
Member
 
Registered: Oct 2003
Distribution: fedora cor 5 x86_64
Posts: 639

Original Poster
Rep: Reputation: 30
i was talking about the passive attack that sends a bunch of ACK packets... i was just reading on your previous link

http://www.informit.com/articles/art...7666&seqNum=13

that it was saying it can crack it in a couple of seconds because it has so many IV's.. its not taking into account the time getting those IV's.. anyways, i was reading somewhere that it is a problem of base n with something about how many IV's you have... thats why there is the statistical procedures used.. i dont know, i just started researching this, i may be completely wrong..
 
Old 11-28-2005, 12:02 PM   #9
Darin
Senior Member
 
Registered: Jan 2003
Location: Portland, OR USA
Distribution: Slackware, SLAX, Gentoo, RH/Fedora
Posts: 1,024

Rep: Reputation: 45
From what I understand cracking WEP relies on a few fundamental weaknesses.

You originally asked why the more IVs (initialization vectors) you see the easier it is to crack, the thing is there aren't enough possible IVs to prevent duplication, so if the AP sends enough traffic, it will duplicate IVs. A busy AP can send and receive several packets per second, and all APs will eventually reuse the same IV.

The other flaw is that WEP is encrypting known data in the form of IP packets stuffed into ethernet frames. It really doesn't matter what actual data payload you send over the air, it all gets stuffed into an IP packet that gets stuffed into an ethernet frame that has the same format as every other IP packet in every other ethernet frame. I don't have to know what you send, just that it's the payload of well documented L2/L3 PDUs.
 
Old 11-28-2005, 01:11 PM   #10
true_atlantis
Member
 
Registered: Oct 2003
Distribution: fedora cor 5 x86_64
Posts: 639

Original Poster
Rep: Reputation: 30
yes, that was my initial question, and now i understand that, thank you. now, my question is more towards how the aircrack actually works. i agree with the two major weaknesses, the IV is only 24 bits, giving 2^24 different values, and on a very busy network that will still take a while to exhaust all possibilities. that is why when airsnort first came out, they said after you got about 1,000,000 packets you would be able to find the key. i had tried that in the past, and after several days and millions of packets, it never succeeded. now, with aircrack they found a way to get IV's extremely quick. i dont know, im just trying to understand this as much as possible... its very interesting to me, sorry if im frustrating you
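
The IV-space point made in the last two posts, as an added example that is not part of the thread: it computes how quickly a repeat becomes likely in a 24-bit space and lists repeated IVs in a capture. It assumes IVs are drawn uniformly at random (an assumption; the posts do not say how a given card picks them), and the capture it scans is constructed from a seeded generator.

```python
import math
import random
from collections import defaultdict

IV_SPACE = 2 ** 24  # 24-bit IV, as stated in the thread

def collision_probability(packets, space=IV_SPACE):
    """P(some IV appears twice among `packets` frames), IVs uniform at random."""
    if packets > space:
        return 1.0
    log_unique = sum(math.log1p(-i / space) for i in range(packets))
    return 1.0 - math.exp(log_unique)

def packets_for(probability, space=IV_SPACE):
    """Smallest frame count whose collision probability reaches `probability` (< 1)."""
    target = math.log1p(-probability)   # log of the allowed "all unique" chance
    log_unique = 0.0
    for seen in range(space):
        log_unique += math.log1p(-seen / space)  # next frame avoids `seen` IVs
        if log_unique <= target:
            return seen + 1
    return space + 1                    # pigeonhole: a repeat is certain

def reused_ivs(ivs):
    """Map each repeated IV to the frame indexes that used it."""
    positions = defaultdict(list)
    for index, iv in enumerate(ivs):
        positions[iv].append(index)
    return {iv: idx for iv, idx in positions.items() if len(idx) > 1}

def constructed_capture(frames, seed=2005):
    """Constructed sample: IV values only, drawn from a seeded generator."""
    rng = random.Random(seed)
    return [rng.getrandbits(24) for _ in range(frames)]

if __name__ == "__main__":
    for n in (1000, 5000, 20000):
        print(n, "frames ->", round(collision_probability(n), 4))
    print("50% chance of a repeat after", packets_for(0.5), "frames")
    repeats = reused_ivs(constructed_capture(20000))
    print("repeated IVs in 20000 constructed frames:", len(repeats))
```
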
 
Old 11-28-2005, 06:42 PM   #11
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Quote:
i was talking about the passive attack that sends a bunch of ACK packets... i was just reading on your previous link

Those are actually separate parts of Aircrack. One of the most important parameters for these attacks is the number of unique IVs captured. On a slow network you can have problems capturing enough useful packets in a reasonable amount of time. That's where the second part comes into play. By using one of several different replay methods you can cause traffic to be generated on the network. I think the main one used in Aircrack actually uses ARP (ACK would probably work too), so it's trying to solicit responses from as many hosts in the network as possible that way you can get more unique IVs. So really you're just trying to generate more traffic so that you can capture more IVs in a shorter amount of time. Also keep in mind that not all packets seen on a wireless network will be useful for attacking. One of the mistakes people make when attacking a slow network is capturing a horde of AP beacon packets which do not have an encrypted payload and are therefore completely useless. Once you've captured enough IVs, Aircrack then performs the different WEP extraction attacks, including standard FMS and improved FMS attacks.

Looking at the Aircrack docs, the "bit-flipping" chopchop attack is part of aireplay. It works in a completely different way and actually allows you to derive the plain-text from the encrypted packet without ever knowing (or extracting) the WEP key. This is the faster attack, because you're not trying to collect a bunch of IVs. You're taking the original packet modifying it slightly and sending it back to the AP. If the packet is valid then the AP sends it to the network otherwise it's dropped. So you're using the AP as what's called an "oracle". I don't entirely understand how that works, so if you want to know more about that attack, read here:
http://www.netstumbler.org/showpost....10&postcount=5

Quote:
it was saying it can crack it in a couple of seconds because it has so many IV's.. its not taking into account the time getting those IV's.. anyways, i was reading somewhere that it is a problem of base n with something about how many IV's you have... thats why there is the statistical procedures used.. i dont know, i just started researching this, i may be completely wrong..

I was referring to the bit-flipping "chop-chop" attack. However it just decrypts the packet and doesn't actually extract the WEP key. There are some posts in that same thread claiming that decrypting a single packet (a test UDP DHCP request) in 20-30 seconds was possible.

I think it's important to understand that IV collisions aren't the only factor that is critical for cracking WEP (or at least for cracking it in reasonable amounts of time). Part of the problem with WEP is that certain IVs cause information to leak during the encryption process which allow the attacker to walk back through the KSA/PRGA swaps that occur during RC4 and reveal bytes from the WEP key. In some circumstances this is 5%, while for others it jumps to 13%. At 5% (FMS) it takes from ~4-5 million packets to extract the full WEP key. With the 13% cases (improved FMS), the total packets needed drops to ~1 million. Further optimization has dropped the number required to even less. So I think that is what you were alluding to, i.e. that the identification of these other cases of IVs allowed the number of packets required to drop and which separates the newer generation tools like Aircrack from the older FMS-only attacks like Airsnort.
 
Old 11-28-2005, 07:34 PM   #12
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,671
Blog Entries: 4

Rep: Reputation: 3945
Wireless is a strange kettle of fish. It is inherently insecure, just by the nature of sending radio waves out through the air.

Furthermore, many computers that spend most of their time "on wires" are set-up with the assumption that "if it's 'on my network,' it's trustworthy." But everyone on a wireless router seems to be "on my network!" And they're not trustworthy at all. They are "outsiders," with addresses that are "inside." Ordinary firewall rules will not exclude these!

It's a good idea to set up a different runlevel or profile for use when you are "wireless." Security rules must be much more stringent. Most services that your computer might wish to provide to co-habitants on a wired network should be off at Starbuck's!

As they say... "first you have to realize that you have no clothes!" "Think like a bad guy."
 
Old 02-21-2006, 11:07 AM   #13
ilan1
LQ Newbie
 
Registered: Jan 2006
Posts: 18

Rep: Reputation: 0
In order to be able to use aireplay to do the packet
injection, a person who has the correct WEP key has
to be using the wireless network at that exact moment,
correct?

I mean, I couldn't drive by somebody's WEP-enabled
network at 3:00am in the morning when they are asleep
and crack their key. Correct?

Ilan
 
Old 02-21-2006, 11:15 AM   #14
onebuck
Moderator
 
Registered: Jan 2005
Location: Central Florida 20 minutes from Disney World
Distribution: Slackware®
Posts: 13,925
Blog Entries: 44

Rep: Reputation: 3159
Quote:
Originally Posted by ilan1
In order to be able to use aireplay to do the packet
injection, a person who has the correct WEP key has
to be using the wireless network at that exact moment,
correct?

I mean, I couldn't drive by somebody's WEP-enabled
network at 3:00am in the morning when they are asleep
and crack their key. Correct?

Ilan
Hi,

This is an old thread but I will give you a good example to look at;

http://www.tomsnetworking.com/Sections-article111.php

With the right tools anyone can break it. If you want to keep the honest people honest then wep is like before mentioned. A simple lock in use, with a hair pin or pick it can be opened. The same is true with WEP, be it 64 or 128 encryption.

If you WEP, you can secure it a little more but still not a lock down. Just do a google!

HTH!
 
Old 02-21-2006, 04:56 PM   #15
ilan1
LQ Newbie
 
Registered: Jan 2006
Posts: 18

Rep: Reputation: 0
Quote:
Originally Posted by gwsandvik
Hi,

This is an old thread but I will give you a good example to look at;

http://www.tomsnetworking.com/Sections-article111.php

With the right tools anyone can break it. If you want to keep the honest people honest then wep is like before mentioned. A simple lock in use, with a hair pin or pick it can be opened. The same is true with WEP, be it 64 or 128 encryption.

If you WEP, you can secure it a little more but still not a lock down. Just do a google!

HTH!
gwsandvik, your reply was totally USELESS!

I asked whether it was possible to break the WEP key when there
are no clients and your reply did not address this question at all!

Ilan
 
  

