I've been using wep_tools to crack observed wifi traffic while the interface is in promiscuous mode. An interesting article describing some internals of this program is unfortunately in PowerPoint, but you can translate it into HTML with Google.

wep_tools is a set of tools containing:

wep_crack, a program dedicated to finding the WEP keys of a set of captured frames in the pcap format. It can work using brute force for 40-bit WEP and with a word dictionary for 128-bit WEP keys.

wep_decrypt, another program used to decipher captured frames with the WEP keys discovered by the previous tool.

wep_crack is supposed to use a capture file generated by prismdump, but this program freezes in an infinite wait in function recv(), so the capture file has been generated with 'tcpdump -i wlan0 -w capture.log -c 100 -s 0'.
The frame has to be identified by the pcap filter as DLT_IEEE802_11 and not as DLT_PRISM_HEADER (see /usr/include/pcap/net/bpf.h), so verify that you pass the option 'prismheader=false' when setting the promiscuous mode with wlanctl-ng.
Also I put 'keepwepflags=false' to have valid Data packets when reloading the capture file in ethereal: ethereal -r capture.log

wep_crack, as it is relying on the whole encrypted data. A small modification in packfile_read(): don't exit if hdr.len != hdr.caplen for one packet.

'-s 0' option to tcpdump to allow it to capture the whole packet and not only the first 96 bytes... So it makes wep_crack happy.

The length of the searched WEP key is set with the '-s (strong)' flag. With WEP40, you can try the brute force algorithm (-b) and with WEP128, you must proceed with a dictionary. The algorithm used to generate the WEP key from a given string of the dictionary is given in wep.c and appears to be different from the one used by 3Com on our access point, so the search with a dictionary is not usable if the WEP key has been generated on 3Com equipment [TODO: search if this string to WEP key conversion algorithm is available somewhere, or has been reverse engineered].
The cracking algorithm supposes that the four 5-byte keys are generated from a unique seed, and iterates over this seed (0x1000000 possible values, excluding those with (x & 0x808080) != 0), generates the keys, and tests them against a given packet. This algorithm is fast (1 or 2 minutes), but misses my WEP key, probably because of an unusual algorithm used by 3Com. Exhaustive search of a single 40-bit key would require approx. 110 days on a regular PC.
If you use the nwepgen key generator provided in the linux-wlan-ng package, wep_crack successfully finds your key in less than 1 min:

[root@bonobo linux-wlan-ng-0.1.16-pre8]# ./src/nwepgen/nwepgen toto 5
c0:b6:76:bc:08
ba:15:22:4c:cb
86:1b:bb:ac:98
0c:b8:86:dc:0d

You manually enter the first hexadecimal key in your access point.

[root@bonobo wep_tools]# ./wep_crack -b capture.log
success: seed 0x00746f74, [generated by AAAa5.5a]
wep key 1: c0 b6 76 bc 08
wep key 2: ba 15 22 4c cb
wep key 3: 86 1b bb ac 98
wep key 4: 0c b8 86 dc 0d

As a bonus, the algorithm gives you a valid string, among others, that generates these 4 WEP keys.
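To make explicit what the seed search described above relies on, and why the nwepgen keys fall so quickly, here is an added Python reimplementation of that seed-based 40-bit key generator; it is not wep_tools or linux-wlan-ng code. The XOR fold of the passphrase and the LCG constants 0x343FD and 0x269EC3 are assumptions, checked against the seed, the string AAAa5.5a and the four keys printed in the session above.

```python
# Added example, not wep_tools or linux-wlan-ng code: the seed-based 40-bit
# WEP key generator the page describes. Assumed (and checked against the
# page's output): the passphrase is XOR-folded into a 32-bit seed and each
# key byte is bits 16..23 of the LCG state seed*0x343FD + 0x269EC3.

LCG_MULT = 0x343FD
LCG_INC = 0x269EC3
MASK32 = 0xFFFFFFFF


def passphrase_to_seed(passphrase: str) -> int:
    """XOR-fold the passphrase bytes into a little-endian 32-bit seed."""
    seed_bytes = [0, 0, 0, 0]
    for i, ch in enumerate(passphrase.encode("ascii")):
        seed_bytes[i % 4] ^= ch
    return int.from_bytes(bytes(seed_bytes), "little")


def generate_wep40_keys(seed: int, nkeys: int = 4) -> list:
    """Draw nkeys five-byte keys; a key byte is bits 16..23 of the LCG state."""
    keys = []
    for _ in range(nkeys):
        key = bytearray()
        for _ in range(5):
            seed = (seed * LCG_MULT + LCG_INC) & MASK32
            key.append((seed >> 16) & 0xFF)
        keys.append(bytes(key))
    return keys


def seed_is_ascii_reachable(seed: int) -> bool:
    """True if some 7-bit ASCII passphrase folds to this seed.

    XOR-folding ASCII never sets a byte's high bit, and seed bits 24..31
    never influence output bits 16..23 of any later LCG state, so a search
    can skip every seed with (seed & 0x808080) != 0: the page's exclusion.
    """
    return (seed & 0x808080) == 0


def effective_seed_count() -> int:
    """Seeds that can differ in output: 24 live bits minus 3 dead high bits."""
    return 128 ** 3  # == 2**21, far below the 2**40 of a random WEP40 key


if __name__ == "__main__":
    for phrase in ("toto", "AAAa5.5a"):  # both fold to the same live 24 bits
        seed = passphrase_to_seed(phrase)
        print(f"{phrase!r}: seed {seed:#010x}",
              [k.hex() for k in generate_wep40_keys(seed)])
    print("seeds worth searching:", effective_seed_count())
```

Both strings yield the keys shown in the page's session, which is why wep_crack can report a different string than the one typed into nwepgen.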
$Id: wireless3.html,v 1.3 2003/10/19 20:36:04 bellet Exp $