So how easy is it really to crack a WEP key?

I keep reading all those articles that decry Wireless as an insecure
pile of old pants.  I thought it would be interesting to actually
try and crack a WEP key just to see how easy it really is.

Generally I err on the side of caution so the traffic on my home
wireless network is also encrypted using SSL and there is a firewall to
prevent any old oik using my internet bandwidth.  I also use MAC
address filters and have any security options that my AP and NICS both
support turned on.

Nevertheless I though it would be smart to try out some wireless attack
techniques.  This is the first article of a series of Practical
Attacks.I began with my home network up and running normally with my AP set
not to beacon, with 128 bit WEP enabled and a single workstation
running which I'm using to surf normally etc.  MAC level security is enabled so that only designated stations can talk.

The toolkit I used to undertake this project is Security oriented Linux
distro called Auditor.  In a second laptop with a supported NIC, I
booted the Auditor distro.

Once Auditor was booted and running, I made some writeable space I used
the ramdisk as it seemed pretty big.  Next I set up the wireless
card into monitor mode (this is the radio equivalent of putting the NIC
into promiscous mode: it captures averything).

The hack itself was a three stage process:

  • Start sniffing the network capturing packets to file
  • Start retransmitting sniffed packets to cause the IV count to rise
  • Once we have enough (100K+) IV packets, start a crack program to recover the WEP key using the sniffed packets as a source.

I started capturing to a file using the airodump program:
airodump ath0 capture.cap

As well as capturing to disk, the very handily showed the number of
packets captured and specifically the number of  IV packets
received.

Next I ran the aireplay program:
aireplay -i ath0
This began capturing from the network and displayed suitable packets to
transmit.  The trick I found was to select a packet vith the
correct BSSID and which was not addressed to the broadcast
address.  When the IV count did not start to go wild, I just
stopped aireplay and ran it again.

Aireplay caused me a few problems as every few hundred packets the
whole AP seemed to fall over.  The fix seemed to be to ensure that
the laptop that was using the AP remained nice and active and to limit
the transmit rate for aireplay.  Without this change the attack would not have suceeded as the IV count stopped rising.

After around half an hour of fiddling around I had 150K of IV packets captured, so I started the crack program:
aircrack -q 3 -f 2 capture.cap
Aircrack loaded the packets containing the IV's and commenced a much reduced exhaustive attack.

When I say much reduced I mean that the WEP key was printed on the screen in a little under 6 seconds.

From secured AP to open network in less than an hour.  I guess
it's now obvious that WEP is not man enough to protect your
network.  Don't assume that WPA is any better though.  Check
back soon for for articles in this series: coming up soon is a long range attack using a high gain antenna.

TurboTas 2005

Disclaimer: Please note that I tried this technique on my own
network.  If you try this on a network which you do not have
permission to use, you risk prosecution!