LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Old 07-31-2012, 10:07 AM   #1
chinese_ys
LQ Newbie
 
Registered: Aug 2007
Posts: 8

Rep: Reputation: 0
WEP is really that easy to Crack?


Please note, all the information below is for use in a private LAB environment. Purely for pentest purposes!!

Hey, there

I saw articles all over the place saying WEP is insecure and crackable in 5 min. But I never did that myself. Since I have a lab to play with now, I want to give it a try to see exactly how weak it is. But I do not think a modern AP with WEP is still easy to manipulate... Here is my setup and test:

I have a Cisco AP configured with 2 SSIDs: Test1 and Test2. Test1 is hidden with WPA2 encryption and Radius authentication; Test2 is hidden with WEP encryption and open authentication.

I used the latest BT5 on a laptop with an Intel Wireless WiFi 4965 card. I can find the SSID and channel using airodump-ng but failed to use aireplay-ng for fake authentication, which also means I could not manipulate traffic to the AP for actual traffic capture for the final analysis to crack the key.

Do you think this is because the AP has a special feature OR because the SSID Test1 is using WPA2 while sharing the same MAC ADDRESS with SSID Test2?

Comments plz.

Last edited by chinese_ys; 07-31-2012 at 10:12 AM.
 
Old 07-31-2012, 12:28 PM   #2
sundialsvcs
LQ Guru
 
Registered: Feb 2004
Location: SE Tennessee, USA
Distribution: Gentoo, LFS
Posts: 10,671
Blog Entries: 4

Rep: Reputation: 3945
When a wireless link secured with WEP transfers a significant amount of data that is known or predictable, it's possible to deduce the (one... unchanging...) key using regular cryptographic techniques which can be automated.

WPA2 and its kin address this issue ... without any change of hardware ... through dynamic key-management: the encryption keys are generated randomly and regular changes of the key are negotiated. So there is a much smaller set of data that is encrypted using any one key, and the previous or next key could be "anything at all." Other protocols including SSLx, VPN and so-on use the same approach.
 
Old 07-31-2012, 01:00 PM   #3
chinese_ys
LQ Newbie
 
Registered: Aug 2007
Posts: 8

Original Poster
Rep: Reputation: 0
Quote (originally posted by sundialsvcs):
When a wireless link secured with WEP transfers a significant amount of data that is known or predictable, it's possible to deduce the (one... unchanging...) key using regular cryptographic techniques which can be automated.

WPA2 and its kin address this issue ... without any change of hardware ... through dynamic key-management: the encryption keys are generated randomly and regular changes of the key are negotiated. So there is a much smaller set of data that is encrypted using any one key, and the previous or next key could be "anything at all." Other protocols including SSLx, VPN and so-on use the same approach.
Sorry, but what are you trying to tell me? The difference between WEP and WPA2? If so, that was not my question...
 
Old 07-31-2012, 02:30 PM   #4
Noway2
Senior Member
 
Registered: Jul 2007
Distribution: Gentoo
Posts: 2,125

Rep: Reputation: 781
Quote:
difference between WEP and WPA2? If so, that was not my question.
....
used latest BT5 on a laptop with an Intel Wireless WiFi 4965 card. I can find the SSID and channel using airodump-ng but failed to use aireplay-ng for fake authentication, which also means I could not manipulate traffic to the AP for actual traffic capture for the final analysis to crack the key.

Do you think this is because the AP has a special feature OR because the SSID Test1 is using WPA2 while sharing the same MAC ADDRESS with SSID Test2?
It sounds like you are asking why you were not able to inject sufficient packets into the access point to cause artificial traffic that you could thereby use to deduce the WEP key. As sundialsvcs pointed out, WEP cracking takes place through a statistical analysis of a sufficiently large data set, and WPA2 does not have this weakness. For whatever reason you were not able to induce the traffic needed to crack the password. There are several reasons why this could be, including insufficient signal strength and hardware or a driver that doesn't support this activity.

Now as to why you were unsuccessful with respect to being able to "manipulate traffic to AP for actual traffic capture" I would recommend that you read the forum rules, in particular rule 14.
Quote:
Posts containing information about cracking, piracy, warez, fraud or any topic that could be damaging to either LinuxQuestions.org or any third party will be immediately removed.
While I can't speak for the forum administration, I think that discussing the theoretical and practical differences between WEP and WPA, and why WPA is significantly more secure than WEP, using your own test set is fine. Asking for help in troubleshooting why your cracking technique failed using a particular tool, which would effectively give a "how to" for engaging in this practice, would be better left alone.
 
3 members found this post helpful.
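The point sundialsvcs and Noway2 make above is that WEP's problem is one unchanging key combined with predictable plaintext, whereas WPA2 negotiates fresh keys so that little data is ever encrypted under any one key. The following Python script is an added illustration of that principle, not code from the thread or from any of the tools named in it. It uses a toy stream cipher (SHA-256 in counter mode, constructed for this example; it is not RC4 and not WEP's actual framing) and constructed sample frames, and it does not reproduce the real statistical attacks on WEP. It shows only the general fact that a passive observer who knows one plaintext can recover the keystream and read another frame whenever the keystream is reused, and that a per-frame random nonce removes that leak.

```python
import hashlib
import os

# Constructed sample frames (not captured traffic). The "known" frame stands in
# for anything an observer can predict in full, e.g. a broadcast with fixed
# contents; the "secret" frame is what the observer must not learn.
FRAME_LEN = 40
KNOWN_FRAME = b"ARP who-has 192.0.2.1 tell 192.0.2.2".ljust(FRAME_LEN, b" ")
SECRET_FRAME = b"memo: meeting moved to room 4".ljust(FRAME_LEN, b" ")


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256(key || nonce || counter), concatenated.
    Constructed for this example only; real Wi-Fi ciphers differ."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream-cipher encryption: plaintext XOR keystream."""
    return xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))


def observer_recovers(known_plaintext: bytes, c_known: bytes, c_target: bytes) -> bytes:
    """What a passive observer can do with one fully known frame:
    keystream = known_plaintext XOR c_known, then apply it to another frame.
    The result is the target's plaintext only if the keystream was reused."""
    recovered_keystream = xor_bytes(known_plaintext, c_known)
    return xor_bytes(c_target, recovered_keystream)


def static_key_leak() -> bytes:
    """One unchanging key and nothing varying per frame: every frame is
    encrypted under the same keystream, so the secret frame is exposed."""
    key = os.urandom(16)
    nonce = b""  # nothing changes between frames
    c_known = encrypt(key, nonce, KNOWN_FRAME)
    c_secret = encrypt(key, nonce, SECRET_FRAME)
    return observer_recovers(KNOWN_FRAME, c_known, c_secret)


def per_frame_nonce_leak() -> bytes:
    """Same long-term key, but a fresh random nonce per frame (a simplified
    stand-in for negotiated, regularly changed keys): the keystream recovered
    from the known frame is useless against the secret frame."""
    key = os.urandom(16)
    c_known = encrypt(key, os.urandom(12), KNOWN_FRAME)
    c_secret = encrypt(key, os.urandom(12), SECRET_FRAME)
    return observer_recovers(KNOWN_FRAME, c_known, c_secret)


if __name__ == "__main__":
    print("static key, keystream reused :", static_key_leak())
    print("fresh nonce per frame        :", per_frame_nonce_leak())
```

Running it prints the secret frame verbatim in the first case and random bytes in the second. The defender's takeaway matches the posts above: the fix is not a longer WEP key but a cipher mode in which keying material changes per session and per frame, which is what WPA2 provides.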
Old 07-31-2012, 02:55 PM   #5
chinese_ys
LQ Newbie
 
Registered: Aug 2007
Posts: 8

Original Poster
Rep: Reputation: 0
You could simply just reply as
Quote (originally posted by Noway2):
There are several reasons why this could be, including insufficient signal strength and hardware or a driver that doesn't support this activity.

Quote:
Posts containing information about cracking, piracy, warez, fraud or any topic that could be damaging to either LinuxQuestions.org or any third party will be immediately removed.
Thanks for taking the time to find the specific section of the forum rules. I stated at the very top that this is for pentesting in a lab environment... I presented 2 possibilities in the original post that might cause the issue, and I am trying to collect opinions. If I wanted to use this post for troubleshooting, wouldn't I simply ask how to get it to work?
 
Old 07-31-2012, 06:49 PM   #6
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,680

Rep: Reputation: 7971
Quote (originally posted by chinese_ys):
You could simply just reply as

Thanks for taking the time to find the specific section of the forum rules. I stated at the very top that this is for pentesting in a lab environment... I presented 2 possibilities in the original post that might cause the issue, and I am trying to collect opinions. If I wanted to use this post for troubleshooting, wouldn't I simply ask how to get it to work?
Yes, we know what you said... however, there is no way for us to KNOW that you aren't trying to do something else with the information. That's what makes requests like this a touchy subject, and why there are forum rules against it. Those rules should have been visible to you when you signed up.
 
Old 07-31-2012, 10:29 PM   #7
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Oops, wrong forum.

Last edited by jschiwal; 07-31-2012 at 10:30 PM.
 
Old 08-01-2012, 01:44 AM   #8
segmentation_fault
Member
 
Registered: Sep 2008
Location: Ioannina, Greece
Distribution: Gentoo
Posts: 332

Rep: Reputation: 55
And, to answer the original question: yes, it's that easy. I have done it on my personal access point, but it already had traffic; I didn't generate it.
 
Old 08-01-2012, 03:50 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Quote (originally posted by chinese_ys):
Thanks for taking the time to find the specific section of the forum rules
...and likewise thanks for taking the time to adhere to that specific section of the LQ Rules.
 