# Decrypting captured WEP packets

## nielchiano

Hi,

I'm wondering if there is a possibility to decode captured WEP packets.

I DO KNOW THE WEP KEY! and I can activate the decryption in the capture program (kismet); but if I forget to turn that option on, what program can read the libpcap file and de-WEP the packets?

Another question: how can I crack a WEP key?

Just for your information (you won't believe me anyway) it's purely for educational purposes; but if you don't want to tell me, that's fine; I understand that.

I just wanted to check how "secure" our own network is.

----------

## NeddySeagoon

nielchiano,

airsnort will crack your WEP.

It shouldn't take more than an hour. WEP is based on a flawed design. 

You need something else for security on a wireless network.

----------

## GentooBox

 *NeddySeagoon wrote:*   

> nielchiano,
> 
> airsnort will crack your WEP.
> 
> It shouldn't take more than an hour. WEP is based on a flawed design. 
> ...

 

Please explain.

Why is the design flawed?

And how do I secure a wireless LAN?

I don't even own a wireless LAN, but I would like to know more on the subject.

----------

## nielchiano

 *NeddySeagoon wrote:*   

> nielchiano,
> 
> airsnort will crack your WEP.
> 
> It shouldn't take more than an hour. WEP is based on a flawed design. 
> ...

 

If I'm not mistaken, Airsnort will only crack if a weak IV is used; what about APs which know that and don't use those IVs?

----------

## nielchiano

 *GentooBox wrote:*   

> and how do i secure a wireless lan ?

 

Enable all built-in security (WEP, SSID hiding) AND add a VPN over it.

----------

## NeddySeagoon

GentooBox,

Type WEP into Google. The first hit I get is

http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html

It's a reasonable explanation. I'm sure you will find others.

You secure a wireless net just like a wired one: you use encryption that works, e.g. ssh, VPN and so on.

----------

## nightblade

The WEP protocol is flawed in a number of ways, actually.

First, each packet is encrypted using a secret key and an Initialization Vector (IV) which is sent in the clear together with the packet. The IV is only 24 bits long, and in a congested network it means that the same IVs will be reused quite often. If you have two packets encrypted with the same IV (thus with the same key), the XOR of the encrypted data corresponds to the XOR of the plaintexts, which gives the attacker a whole lot of information in order to mount an attack on the key.

Second, the RC4 implementation used in WEP uses IVs that leak information about the key. This allows you to mount a statistical attack: you only need to gather enough packets with "weak IVs" to recover the key. Again, the time you need depends on how much traffic the network has. Might be 1-2 hours, might take weeks. Moreover, some wireless cards now avoid producing packets with weak IVs.

Third, the integrity check of WEP is made with CRC32, which is a linear algorithm: if you flip one bit in the encrypted payload, you can calculate which bits to flip in the checksum in order to have a packet that will still look legal when decrypted.

Of course this is a very short overview of the risks of using WEP. There is a lot of information out there, though :)

http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html

http://www.isoc.org/isoc/conferences/ndss/02/proceedings/papers/stubbl.pdf

----------

## merclude

Actually, to get a WEP key in an hour, you'd need a LOT of traffic... I've tried.

Also, there are a number of tools to crack WEP'd packets. The one mentioned earlier, airsnort, tries to crack packets as it's capturing them; useful sometimes... sometimes not...

Another is wepcrack; this will work on already captured packets (maybe it's wepattack, not sure...).

There were also a couple of new ones I looked at real quick the other day, weplab and aircrack; haven't tried either of those, but they're both on freshmeat.

The only time I've ever cracked WEP, btw, was on my network, when I put my password in the list. Other than that, I've not had the time nor the patience.

----------

## nightblade

 *merclude wrote:*   

> The only time I've ever cracked WEP, btw, was on my network, when I put my password in the list. Other than that, I've not had the time nor the patience.

 

Consider that in order to perform a successful attack against a 104-bit (since 24 bits are used by the IV) key, you need between 2000 and 4000 "weak" packets. Letting airsnort gather traffic for a couple of hours and measuring how many useful packets you got provides you with a rather good estimate of how much time you will need to get the key.

----------

## garo

Logging packets: Kismet

Finding a WEP key: wepattack (in combination with John the Ripper) or weplab (not in portage; weplab can use "weak" packets found by kismet)

Reading encrypted packets: ethereal (don't forget to enter the WEP key)

REMEMBER: only use this to check the security of your own network

----------

## Kysen

With 1 million packets I can crack a 128-bit key on a Pentium 2 in 30 seconds with aircrack.

----------

## bgrade

What if you establish IPSEC over the link?

----------

## johntramp

 *Kysen wrote:*   

> With 1 million packets I can crack a 128-bit key on a Pentium 2 in 30 seconds with aircrack.

What options / fudge etc. do you use with that?

I have 800,000 unique IVs and on an XP2600 I cannot get it in over 12 hours.

----------

