Information Technology Reference
it certainly provides much more powerful functionality. Kismet is not just a
scanner, but also acts as a sniffer. During the AP search, the captured
packets can be stored for further analysis. The logging feature allows the
captured packets to be stored separately, depending on the type of traffic
analysis. Kismet can, in fact, store the encrypted packets that use 'weak keys'
separately and then submit them to a WEP key cracker.
At best, it takes several hours to obtain the WEP encryption key, but an
attacker can identify an unsecured network in a few minutes. Once a WLAN
has been found on which WEP is not enabled, its traffic can be sniffed
immediately. If the target is free access to the network, the attacker only
needs to obtain a valid IP address, a goal easily reached through a DHCP
server on the WLAN.
7.2.1 Breaking WEP keys
In this section we discuss the evidence given by J. Ioannidis and A. Rubin of
AT&T that WEP suffers from a serious weakness that can easily be used to
decode the traffic of a wireless network. In implementing their attack,
Ioannidis and Rubin set out to achieve three goals:
The hardware and software needed to carry out the attack should not be
very expensive.
Demonstrate that the attack can be carried out by anyone.
Optimize the algorithm for breaking the WEP key previously used by
Fluhrer, Mantin and Shamir.
Achieving the first objective was not very difficult, because the biggest
expense they had to face was that of the wireless network adapter. The software
they used was based on the utilities included in the Linux operating system,
even if the network can be found for free on most systems like Windows and
To implement the attack we have to search for those initialization vectors
(IVs) that leave the key setup of the algorithm in a state (S) that contains
information about the key. If a packet satisfies this condition we refer to
it as resolved. It is relatively easy to check whether a particular packet
provides an initialization vector and a resulting output byte that satisfy
the resolved condition. Each resolved packet reveals information about only
one key byte, so all the preceding key bytes must be guessed correctly before
any packet gives information on the last byte. We use the word 'guess' because
the attack is statistical in nature. Every packet that meets the resolved
condition gives a 5% chance of guessing the correct key byte and a 95% chance
of being wrong. However, by observing a number of these resolved cases, it is
possible to get closer and closer to the real key
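The following voting model is an added illustration, not code from the chapter or from Ioannidis and Rubin, of why the 5% per-packet bias described above is enough to recover a key byte: it assumes that each resolved packet casts one vote, correct with probability 5% and otherwise uniform over the 256 byte values, and shows how the true byte's count pulls away from every wrong byte as resolved packets accumulate.

```python
"""Why a 5%-biased vote per resolved packet still recovers a key byte.

Model (an assumption matching the figures in the text): each resolved
packet casts one vote for a key byte. With probability P_HIT (5%) the
vote names the true byte; otherwise (95%) it names a byte that is
effectively uniform over all 256 possible values.
"""
import math
import random
from collections import Counter

P_HIT = 0.05      # per-packet chance a resolved packet reveals the byte
N_VALUES = 256    # a key byte takes one of 256 values


def vote_probabilities(p_hit=P_HIT):
    """Per-packet probability that a vote lands on the true byte
    versus on one particular wrong byte."""
    p_true = p_hit + (1 - p_hit) / N_VALUES   # hit, or uniform miss
    p_wrong = (1 - p_hit) / N_VALUES          # uniform miss only
    return p_true, p_wrong


def packets_for_separation(sigmas=4.0, p_hit=P_HIT):
    """Smallest number of resolved packets n such that the expected lead
    of the true byte over a wrong byte is at least `sigmas` standard
    deviations of a wrong byte's vote count (binomial variance)."""
    p_true, p_wrong = vote_probabilities(p_hit)
    n = 1
    while True:
        lead = n * (p_true - p_wrong)
        sd = math.sqrt(n * p_wrong * (1 - p_wrong))
        if lead >= sigmas * sd:
            return n
        n += 1


def simulate_votes(true_byte, n_packets, p_hit=P_HIT, seed=0):
    """Tally votes from n_packets resolved packets under the model above
    (seeded, so a run is reproducible)."""
    rng = random.Random(seed)
    votes = Counter()
    for _ in range(n_packets):
        if rng.random() < p_hit:
            votes[true_byte] += 1                  # packet reveals the byte
        else:
            votes[rng.randrange(N_VALUES)] += 1    # misleading, uniform vote
    return votes


def best_guess(votes):
    """The byte value with the most votes, i.e. the attacker's guess."""
    return max(range(N_VALUES), key=lambda b: votes.get(b, 0))
```

With these figures only a few dozen resolved packets separate the true byte by four standard deviations, which is why gathering more resolved cases steadily narrows the guess even though each individual packet is wrong 95% of the time.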