This document discusses cracking WEP encryption on wireless networks. It explains that monitor mode allows a wireless card to capture all network traffic, including unencrypted data. It also describes how to use tools like aircrack-ng, wep_crack, and WEPAttack to perform dictionary attacks and brute force the 5 or 13 byte encryption keys by exploiting weaknesses in the WEP algorithm and capturing large numbers of packets with duplicate initialization vectors. With enough captured packets, these tools can typically recover WEP keys within minutes, regardless of the passphrase complexity.

1. Chapter 12
Targeting the Network

2.  Wired Equivalent Privacy (WEP)
 Wi-Fi Protected Access (WPA, WPA2)

3.  Types:
◦ Managed mode – What is typically used
 Card passes only 802.3 data
 Sniffing in this mode will NOT report management frames,
control frames, or wireless-header data
 Card will only pass to sniffer data on connected networks
 Card automatically decrypts data
◦ Ad hoc mode – Used to form ad hoc networks
◦ Master mode – Wireless card acts as an access point
◦ Monitor mode (also called RFMON mode) – Receive-only
mode
 Card in this mode will pass to sniffer ALL data from ALL
perceived networks (not just connected ones)
 Data not decrypted by card

4.  Encryption key is a concatenation of:
◦ A five or thirteen byte pre-shared key (could be generated from a
passphrase of other sizes)
◦ A three byte, non-secret initialization vector (IV)
 Sent in packet
 Varies from packet to packet
 RC4 algorithm accepts encryption key and data length and
generates a pseudorandom bit stream (PRGA) the size of the data

5.  PRGA is XORed with plaintext to generate
ciphertext
◦ Recall the following: If C=A⊕B and D=C⊕B, then D=A
◦ So RC4 uses symmetrical encryption
 We already know the IV, all we need to figure out
is a five or thirteen byte PSK
 Some WEP problems:
◦ Dictionary attacks work well, since people often use real
words as their passphrases
◦ Weaknesses in the process (the Neesus Datacom
algorithm) commonly used to transform passphrases
into PSKs make the effective key length even smaller
than the actual one (24 bits instead of 40, for example)

6.  Use a packet sniffer such as Wireshark,
aerodump-ng or Kismet to capture data
◦ WNIC should be in monitor mode
◦ Need sufficient number of duplicate IVs; to get them:
 Listen long enough
 Generate IVs by replaying broadcasts (e.g., ARP requests)
 Can guess that something is an ARP request if it is a
broadcast with a 28-byte payload (68 byte total packet
length)
 Can use Aireplay-ng to retransmit
◦ With sufficient network traffic, ANY WEP password
(regardless of complexity) can be broken

7.  wep_crack
◦ Can brute force any 5-byte PSK generated by the Neesus Datacom
algorithm in under ten seconds
◦ Does NOT work with 13-byte PSK
 WEPAttack
◦ Works with 5-byte and 13-byte PSKs
◦ Dictionary attack
 Tries Neesus Datacomm algorithm
 Tries truncating or padding dictionary words to 5 and 13 bytes
 Aircrack-ng
◦ Utilizes the fact that there is known plaintext inside all encrypted
packets (e.g., first two bytes of encrypted 802.2 header are always
hex AAAA)
◦ Utilizes the duplicated IVs
◦ Can crack 13-byte PSKs in about two minutes with 95% success
rate if it has 85,000 captured packets. (The more packets
captured, the higher the success rate.)

8.  Basic Service Set Identifier (BSSID) – WAP’s MAC
address
 Extended Service Set Identifier (ESSID) –
network’s name
 Station (client) MAC address
 A dictionary, possibly customized
 Packet capture of initial handshake
◦ Wait for someone to connect to network
◦ Issue a deauth DoS (e.g., with aireplay-ng or airdrop-ng)
◦ To sniff the communication, use a program such as:
 airodump-ng
 Wireshark
 kismet

9.  John the Ripper
 aircrack-ng
 coWPAtty