Ask HN: How does WEP cracking work?

27 pointsDaemonXI15y ago19 comments

I downloaded the BackTrack 4 LiveCD and ran it on my own router using the instructions in a couple Youtube videos and online guides.

I understand the basic principles: * find interface and AP info * dump all packets sniffed from target AP * run fake authentication attack * use ARP request replay to generate IVs for cracking * crack collected packets once you have enough

I understand HOW to do it, but not how it works. I don't understand why I have to do a fake authentication attack, or what kind of packets aireplay-ng -3 generates and why they're useful, or how the crack itself works at the end.

Can anyone shed a little light on the process? The pages I've found only detail how to do it, not why they work, and the Wiki pages I've found are too in-depth to be grokable.

Ask HN: How does WEP cracking work?

27 pointsDaemonXI15y ago19 comments

I downloaded the BackTrack 4 LiveCD and ran it on my own router using the instructions in a couple Youtube videos and online guides.

Can anyone shed a little light on the process? The pages I've found only detail how to do it, not why they work, and the Wiki pages I've found are too in-depth to be grokable.

19 comments

13 comments · 5 top-level

jordyhoyt15y ago· 5 in thread

Why is this here?

younata15y ago

because it's an interesting question. It explains why WEP is bad to use, as opposed to the handwave of "it's easy to crack." Therefore, while it could have been better worded (perhaps "why exactly is wep bad to use?"), the question is, in my humble opinion, deserving of being asked here.

Concours15y ago

younata, I just read the question once again, I wish it was about why it's bad to use WEP, it is not. He clearly describes what he is doing or trying to do, and wonder why it doesn't work, he's looking for a way to make it work (crack WEP) for Evil or not Evil intention is not the point.

In no way does it explain why WEP is bad to use, suer the answers may at some extend help one to understand why WEP is bad to use. A google search on "why is not good to use Wep" is very helpful.

1 more reply

js4all15y ago

Look at the name, its called Hacker News.

oscardelben15y ago

it's

Concours15y ago

Yeah, Hacker News NOT Cracker News , we create stuff, we don't crack stuff.

3 more replies

Concours15y ago· 2 in thread

DaemoXI , I knew you were a new user just by reading your question. This is called hacker news, NOT cracker news. You should read the Guidelines or look around (front page) to see what the site is about.

blasdel15y ago

And you in turn out yourself as a clueless interloper with your ninnying prescriptivism!

ESR's edicts on nomenclature hold no sway over this community, nor really any other. His attempt to parlay any negative implications onto the word 'cracker' have only ever been taken seriously by affected noobs.

Concours15y ago

Thanks for your elaboration, I don't know what you are exactly talking about but I respect your views.

1 more reply

Saavedro15y ago· 1 in thread

WEP uses the RC4 cipher. The RC4 cipher generates pseudorandom bytes to XOR (mix) with your data to create the encrypted data. It generates these using an algorithm that "shuffles" the numbers 0-255 around in an array.

The initial arrangement of this array is derived from the key, by what is called a Key Scheduling Algorithm. In certain cases, this key scheduling algorithm can be worked backwards from the output of RC4 (the pseudorandom data) (if you can figure out enough about what the state of the array is) to get the key.

It is not secure to use the same key twice when doing symmetric crypto, so an Initialization Vector (just some extra data that is different for each message) is usually combined with the "key" to create a new key for each message. The IV is not a secret and usually sent along with the message in plaintext since you have to know the rest of the key anyway. However, in RC4, certain IVs cause working the Key Scheduling Algorithm backwards to be much easier.

All of the fake-auth attacks, deauths, and whatnot that aircrack does are for forcing machines on the network to generate more packets, because that increases the chance a packet will have a "weak" IV.

http://en.wikipedia.org/wiki/Fluhrer,_Mantin_and_Shamir_atta...

ErrantX15y ago

To expand more on this great answer; the point of the deauth attack ans so forth are designed to generate a large number of IV's with which to work on.

The idea is that you can use weak IV's (as described above) to attack the subsequent bytes in the encryption key. The important thing to know is that the next byte cannot be definitively calculated - you can only calculate a possible value. The reason a lot of weak IV's is needed is so you can perform the same attack multiple times - at which point the correct byte value will appear much more often than any other value.

(incidentally; the theory behind it is actually pretty simple but you do have to be up on your encryption terminology for it to make sense on first reading :) when I learned all this from scratch it took me ages to get my head round it)

mertenz15y ago

This appears to be a good read on the topic: http://www.wifiplanet.com/tutorials/article.php/1368661/8021...

Hope that helps

jc-denton15y ago

Can't u google it urself?

j / k navigate · click thread line to collapse

19 comments

13 comments · 5 top-level

jordyhoyt15y ago· 5 in thread

Why is this here?

younata15y ago

Concours15y ago

In no way does it explain why WEP is bad to use, suer the answers may at some extend help one to understand why WEP is bad to use. A google search on "why is not good to use Wep" is very helpful.

1 more reply

js4all15y ago

Look at the name, its called Hacker News.

oscardelben15y ago

it's

Concours15y ago

Yeah, Hacker News NOT Cracker News , we create stuff, we don't crack stuff.

3 more replies

Concours15y ago· 2 in thread

blasdel15y ago

And you in turn out yourself as a clueless interloper with your ninnying prescriptivism!

Concours15y ago

Thanks for your elaboration, I don't know what you are exactly talking about but I respect your views.

1 more reply

Saavedro15y ago· 1 in thread

http://en.wikipedia.org/wiki/Fluhrer,_Mantin_and_Shamir_atta...

ErrantX15y ago

To expand more on this great answer; the point of the deauth attack ans so forth are designed to generate a large number of IV's with which to work on.

mertenz15y ago

This appears to be a good read on the topic: http://www.wifiplanet.com/tutorials/article.php/1368661/8021...

Hope that helps

jc-denton15y ago

Can't u google it urself?

j / k navigate · click thread line to collapse