Cracking WEP with Windows XP Pro SP2
There is a Video Counterpart to this which is in the format of me describing what I am doing and how to carry out all the actions in this paper from start to finish. It will be available as soon as I can secure my web site adequately and will only ever be available to registered TAZ members. This paper should be considered the pre-reading for the video tutorial.
This is part one in a two part paper on Cracking WEP with Windows XP. This first part covers sniffing wireless traffic and obtaining the WEP key. Part Two will cover associating with a Wireless AP, spoofing your MAC address, trying to log on administratively to the AP and further things you can carry out on the WLAN once authenticated successfully.
What is WEP:
Wired Equivalent Privacy (WEP) is often mistakenly thought of as a protocol designed to 100% protect wireless traffic, when this is not the case.
As its name suggests it was designed to give wireless traffic the same level of protection as a wired LAN, which when you think about it is a very hard thing to set out to do.
LAN’s are inherently more secure than Wireless LAN’s (WLAN) due to physical and geographical constraints. For an attacker to sniff data on a LAN they must have physical access to it – which is obviously easier to prevent than to prevent access to traffic on a WLAN.
WEP works at the lower layers of the OSI model, layers One and Two to be exact, so it therefore does not provide total end to end security for the data transmission.
WEP can provide a level of security between a Wireless Client and an Access Point or between two wireless clients.
WEP is commonly implemented as a 64 bit or 128 bit encryption. These encryption strengths can sometimes be referred to as 40 bit or 104 bit due to the fact that each data packet is encrypted with an RC4 cipher stream which gets generated by an RC4 key. This RC4 key for say a 64 but WEP implementation is composed of a 40 bit WEP key and a 24 bit Initialization Vector (IV) – hence the 64 bit RC4 key, however the actual WEP part of it is only 40 bits long, the IV taking up the other 24 bits, which is why a 64 bit WEP key is sometime referred to as a 40 bit WEP key.
This resultant cipher is ‘XOR’d’ with the plain text data to encrypt the whole packet. To decrypt the packet the WEP key is used to generate an identical ‘key stream’ at the other end to decrypt the whole packet but more about this later on, I will also go over the IV’s in more detail later on as well.
Failures of WEP:
We have heard everyone say WEP is easy to crack and should not be used, can be cracked in 10 minutes etc but why is this?
Well in my opinion WEP is seriously flawed for the following reasons:
1) Initialization Vectors are reused with encrypted packets. As an IV is only 24 bits long it is only a matter of time before it is reused. Couple this with the fact you may have 50 + wireless clients using the same WEP key and the chances of it being reused improve even further.
An IV is sent in clear along with the encrypted part of the packet. The reuse of any encryption element is always a fundamental flaw to that particular encryption and as an IV is sent in clear this further exposes a significant weakness in WEP.