I've been using wep_tools to crack observed wifi traffic while the interface is in promiscuous mode. An interesting article describing some internals of this program is unfortunately in PowerPoint, but you can translate it into HTML with Google.
wep_tools is a set of tools containing:
wep_crack, a program dedicated to finding the WEP keys of a set of captured frames, in the pcap format. It can work using brute force for 40-bit WEP and with a word dictionary for 128-bit WEP keys.
wep_decrypt, another program used to decipher captured frames, with the WEP keys discovered by the previous tool.
wep_crack is supposed to use a capture file generated by prismdump, but this program freezes in an infinite wait in function recv(), so the capture file has been generated with 'tcpdump -i wlan0 -w capture.log -c 100 -s 0'.
The frames have to be identified by the pcap filter as DLT_IEEE802_11 (see the DLT_* constants in /usr/include/pcap/net/bpf.h), so verify that you pass the option 'prismheader=false' when setting the promiscuous mode. I also put 'keepwepflags=false' to have valid Data packets when reloading the capture file in ethereal.
The '-s 0' option makes tcpdump capture the whole packet and not only the first 96 bytes, which matters for wep_crack, as it relies on the whole encrypted data. A small modification in packfile_read(): don't exit if hdr.len != hdr.caplen for one packet.
The length of the searched WEP key is set with a command-line flag. With WEP40, you can try the brute force algorithm; with WEP128, you must proceed with a dictionary. The algorithm used to generate the WEP key from a given string from the dictionary is given in wep.c and appears to be different from the one used by 3Com on our access point, so the search with a dictionary is not usable if the WEP key has been generated on 3Com equipment [TODO: search whether this string-to-WEP-key conversion algorithm is available somewhere, or has been reverse engineered].
The cracking algorithm assumes that the 4x5-byte keys are generated from a single seed, and iterates over this seed (0x1000000 possible values, excluding those where (x & 0x808080) != 0, which leaves 2^21 candidates), generates the keys, and tests them against a given packet. This algorithm is fast (1 or 2 minutes), but misses my WEP key, probably because of an unusual algorithm used by 3Com. Exhaustive search of a single 40-bit key would require approx. 110 days on a regular PC.
If you use the nwepgen key generator provided in linux-wlan-ng, wep_crack successfully finds your key in less than 1 min:
[root@bonobo linux-wlan-ng-0.1.16-pre8]# ./src/nwepgen/nwepgen toto 5 c0:b6:76:bc:08 ba:15:22:4c:cb 86:1b:bb:ac:98 0c:b8:86:dc:0d
You manually enter the first hexadecimal key in your access point.
[root@bonobo wep_tools]# ./wep_crack -b capture.log
success: seed 0x00746f74, [generated by AAAa5.5a]
wep key 1: c0 b6 76 bc 08
wep key 2: ba 15 22 4c cb
wep key 3: 86 1b bb ac 98
wep key 4: 0c b8 86 dc 0d
As a bonus, the algorithm gives you a valid string (among others) that generates these 4 WEP keys.
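To make concrete why the seed search described above finishes in minutes, here is an added Python reimplementation (not code from this page, from wep_tools or from linux-wlan-ng) of the passphrase-to-key generator that nwepgen implements: an XOR fold of the passphrase into a seed, then an LCG whose bits 16..23 become the key bytes. The LCG constants are assumed from the generator's published description and were checked against the 'toto' keys shown above; the point it demonstrates is that any ASCII passphrase leaves seed bits 7, 15 and 23 clear, which is exactly the (x & 0x808080) filter and why only 2^21 seeds need to be tried.

```python
# Added example, not from the page or from wep_tools / linux-wlan-ng:
# the 40-bit WEP passphrase generator that nwepgen implements, reconstructed
# here to show why a seed search over 2^21 values covers every such key.

LCG_MUL = 0x343FD     # assumed LCG constants (the classic MSVC rand() pair)
LCG_ADD = 0x269EC3


def wep_seed(passphrase: str) -> int:
    """XOR-fold the passphrase into a 32-bit seed: byte i lands in seed byte i % 4."""
    seed = 0
    for i, ch in enumerate(passphrase.encode("ascii")):
        seed ^= ch << ((i & 3) * 8)
    return seed


def wep40_keys(passphrase: str, nkeys: int = 4) -> list:
    """Step the LCG 5*nkeys times; bits 16..23 of each state form one key byte."""
    state = wep_seed(passphrase)
    keys = []
    for _ in range(nkeys):
        key = bytearray()
        for _ in range(5):
            state = (state * LCG_MUL + LCG_ADD) & 0xFFFFFFFF
            key.append((state >> 16) & 0xFF)
        keys.append(bytes(key))
    return keys


def effective_seed(passphrase: str) -> int:
    """The part of the seed that can influence the output.

    Bits 16..23 of an LCG state depend only on the low 24 bits of the previous
    state, so seed bits 24..31 never matter; and every ASCII byte has bit 7
    clear, so seed bits 7, 15 and 23 are always 0.  That is the
    (x & 0x808080) == 0 filter in wep_crack's seed loop.
    """
    return wep_seed(passphrase) & 0x7F7F7F


def seed_space_size() -> int:
    """Number of 24-bit seeds surviving the filter: 128 choices per byte, 3 bytes."""
    return sum(1 for b in range(256) if not b & 0x80) ** 3


def fmt(key: bytes) -> str:
    return ":".join(f"{b:02x}" for b in key)


if __name__ == "__main__":
    for word in ("toto", "AAAa5.5a"):  # both fold to seed bytes 74 6f 74
        print(word, hex(effective_seed(word)), [fmt(k) for k in wep40_keys(word)])
    print("candidate seeds:", seed_space_size())
```

Running it reproduces the four keys of the wep_crack output above for both 'toto' and 'AAAa5.5a', which is why the tool can print an alternative generating string.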
$Id: wireless3.html,v 1.3 2003/10/19 20:36:04 bellet Exp $