With this algorithm, between 4,000,000 and 6,000,000 packets must be captured to recover a 128-bit WEP key. The two attackers were able to recover a 129-bit password after two days, but on networks with heavy traffic the attack can be expected to complete in less than a day.
The original algorithm used by Fluhrer may be modified to improve the performance of the attack that recovers the WEP key. It should be noted that these changes do not compromise the success of the attack, and they can greatly reduce both the time and the memory an attacker needs. The changes concern processing several kinds of IVs in parallel instead of a single kind, exploiting the limited set of keys available in WEP implementations, and considering particular classes of packets that satisfy the resolved condition. With this new algorithm, recovering a 128-bit WEP key requires capturing only 1,000,000 packets rather than 5,000,000, so the attack succeeds within hours. This type of attack is completely passive and therefore not detectable.
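The packet counts above follow from how rarely the "weak" IVs the algorithm needs appear in the 24-bit IV space. The following added example (not code from the book or from any of the tools it describes) models that from the defender's side: it classifies IVs of the classic form (A+3, 0xFF, X), which the FMS paper uses, and estimates how many such IVs a passive listener accumulates for a given capture size and traffic rate. It assumes a "128-bit" WEP key means a 104-bit secret key (13 bytes) plus the 24-bit IV, and that IVs are drawn uniformly from the IV space; both are modelling assumptions, not facts taken from the text.

```python
import random
from typing import Iterable, List, Tuple

IV_SPACE = 1 << 24          # WEP IVs are 24 bits
KEY_BYTES_104 = 13          # assumption: "128-bit WEP" = 104-bit secret key + 24-bit IV

IV = Tuple[int, int, int]   # the three IV bytes as they appear on the wire


def is_fms_weak_iv(iv: IV, key_len: int = KEY_BYTES_104) -> bool:
    """Classic FMS weak IV shape: (A + 3, 0xFF, X) for secret key byte index A."""
    a, b, _x = iv
    return b == 0xFF and 3 <= a < 3 + key_len


def count_weak_ivs(ivs: Iterable[IV], key_len: int = KEY_BYTES_104) -> List[int]:
    """Per-key-byte count of weak IVs seen in a capture (index 0 = first secret key byte)."""
    per_byte = [0] * key_len
    for iv in ivs:
        if is_fms_weak_iv(iv, key_len):
            per_byte[iv[0] - 3] += 1
    return per_byte


def expected_weak_ivs(packets: int, key_len: int = KEY_BYTES_104) -> float:
    """Expected number of weak IVs in `packets` frames if IVs are uniform over the IV space."""
    weak_shapes = key_len * 256          # 256 values of X for each of the key_len byte positions
    return packets * weak_shapes / IV_SPACE


def capture_estimate(packets: int, packets_per_second: float,
                     key_len: int = KEY_BYTES_104) -> dict:
    """Risk figures for an AP: how long a passive listener needs, and what it gets."""
    weak = expected_weak_ivs(packets, key_len)
    return {
        "packets": packets,
        "hours": packets / packets_per_second / 3600.0,
        "expected_weak_ivs": weak,
        "weak_ivs_per_key_byte": weak / key_len,
    }


def simulate_capture(packets: int, seed: int = 1, key_len: int = KEY_BYTES_104) -> List[int]:
    """Constructed capture: random uniform IVs, counted with the same classifier."""
    rng = random.Random(seed)
    def ivs():
        for _ in range(packets):
            v = rng.getrandbits(24)
            yield ((v >> 16) & 0xFF, (v >> 8) & 0xFF, v & 0xFF)
    return count_weak_ivs(ivs(), key_len)


if __name__ == "__main__":
    # The two capture sizes the text compares, at an assumed 500 frames/s of WEP traffic.
    for n in (1_000_000, 5_000_000):
        est = capture_estimate(n, packets_per_second=500)
        print(f"{est['packets']:>9,} packets: {est['hours']:.1f} h, "
              f"~{est['expected_weak_ivs']:.0f} weak IVs "
              f"(~{est['weak_ivs_per_key_byte']:.0f} per key byte)")
    print("simulated 1M-packet capture, weak IVs per key byte:", simulate_capture(1_000_000))
```

The per-key-byte figure is the useful one for assessing exposure: the smaller capture yields roughly fifteen weak IVs per key byte, the larger one roughly seventy-five, which is why the improved algorithm (which also uses other IV shapes and resolved-condition packets) gets by with a fifth of the traffic. Because the listener only receives frames, none of this is visible on the access point, which is the sense in which the attack is undetectable.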
There is a large variety of tools for cracking WEP that require no technical knowledge of the WEP protocol and how it works; WEPCrack and AirSnort are two of the most popular. WEPCrack is a set of Perl scripts designed to recover WEP keys from data collected by a sniffer. AirSnort, on the other hand, includes both functions: it captures the traffic it needs to break the key without the help of an auxiliary sniffer.
7.2.2 AirSnort
AirSnort is a Linux-based tool written by Blake Hegerle and Jeremy Bruestle to exploit the vulnerabilities of WEP [25]. One of the difficulties of auditing with the applications we are describing is that not all of them are compatible with the same wireless cards. Compatibility is low because drivers are not available for many cards. Anyone who wants to use these tools faces a difficult problem that can be temporarily solved by purchasing at least two wireless network cards. NetStumbler and many other Windows-based applications require a NIC that uses the Hermes chipset, while AirSnort and many Linux-based applications are compatible only with cards that use the Prism2 chipset (AirSnort 2.0 also supports ORiNOCO cards with the appropriate patches for the orinoco_cs driver).
Various tests and trials were conducted before the right combination of Linux kernel, PCMCIA cards, wlan-ng drivers and AirSnort versions began to give acceptable results.
Once AirSnort is running, the NIC must be in 'random mode' (promiscuous mode) and set to the correct channel to find the WLAN. This channel is obtained from the WLAN scanner previously used to locate the WLAN. AirSnort runs a shell script (dopromisc.sh) that automatically