launches the NIC in promiscuous mode, with the right channel configured.
AirSnort includes two separate applications: capture and crack.
AirSnort also displays the number of 'interesting packets' (also known as
weak keys) captured. AirSnort is efficient because it does not capture every
encrypted packet, but only those that help to break the WEP encryption key.
The packets concerned are those whose IV has 0xFF in its second byte.
If enough packets containing the required information have been obtained,
the application returns the shared WEP key. A failed attempt to break the key
does not affect the capture process. According to the AirSnort read-me file,
1500 packets are sufficient to decode a 128-bit key. The processing time
depends on both the key size and the traffic on the network. When network
traffic is close to 11 Mbps, decoding a 40-bit WEP key can take 3-4 hours.
These times are obtained under optimal conditions, but they certainly show
that WEP can be bypassed and that an attacker only needs 'a little patience
and a little time' to access data.
Although it is still efficient, the AirSnort project is no longer maintained,
being replaced by AirCrack-ng [26].
7.2.3 WEPCrack
WEPCrack [27] is a SourceForge [28] project, managed by Paul Danckaert
and Anton Rager. This application is easier to use than AirSnort. WEPCrack is
a set of Perl scripts and requires no configuration. However, WEPCrack must be
used in conjunction with an external sniffer, since it has no traffic capture
function. The data capture must be completed before WEPCrack is used.
To capture the data, prismdump is a valuable aid. It is a command-line
sniffer that requires no arguments and simply captures all traffic,
recognizing all 802.11x headers, which are, of course, essential for capturing
WEP traffic. For traffic interception, it relies on the libraries included in
the Ethereal protocol analyzer [29]. Once a sufficient amount of encrypted
data has been captured, the weak IVs and the first byte of encrypted data must
be extracted to a separate file. When enough data has been extracted,
WEPCrack can start.
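The weak-IV criterion given for AirSnort (0xFF in the second IV byte) and the IV extraction step described for WEPCrack can be turned into an audit of how many such IVs an access point emits. The following is an added example, not code from AirSnort or WEPCrack; it goes beyond the text by also checking the first IV byte against the published (B+3, 0xFF, X) form, and the function names and sample frame bodies are constructed for illustration.

```python
from collections import Counter

# Secret-key bytes per WEP size named on the page: "40 bit" is the secret
# alone; "128-bit" includes the 24-bit IV, leaving 104 secret bits.
SECRET_KEY_BYTES = {40: 5, 128: 13}

def parse_wep_header(body: bytes):
    """Split the 4-byte WEP header at the start of an encrypted frame body."""
    if len(body) < 4:
        raise ValueError("shorter than the 4-byte WEP header")
    return body[:3], body[3] >> 6   # 3 IV bytes, Key ID in the top 2 bits

def classify_iv(iv: bytes, key_bits: int):
    """Return (second_byte_is_ff, key byte index the IV relates to, or None)."""
    second_ff = iv[1] == 0xFF
    index = iv[0] - 3               # weak form: (B + 3, 0xFF, X)
    in_range = 0 <= index < SECRET_KEY_BYTES[key_bits]
    return second_ff, (index if second_ff and in_range else None)

def audit(bodies, key_bits=128):
    """Count weak IVs across frame bodies; malformed bodies are tallied, not fatal."""
    report = {"frames": 0, "second_byte_ff": 0, "fms_form": 0,
              "malformed": 0, "per_key_byte": Counter()}
    for body in bodies:
        try:
            iv, _key_id = parse_wep_header(body)
        except ValueError:
            report["malformed"] += 1
            continue
        report["frames"] += 1
        second_ff, index = classify_iv(iv, key_bits)
        report["second_byte_ff"] += second_ff
        if index is not None:
            report["fms_form"] += 1
            report["per_key_byte"][index] += 1
    return report

# Constructed sample bodies (IV, Key ID octet, one ciphertext byte); not real traffic.
SAMPLES = [
    bytes([0x03, 0xFF, 0x11, 0x00, 0xAA]),
    bytes([0x0A, 0xFF, 0x22, 0x40, 0xBB]),
    bytes([0x41, 0xFF, 0x00, 0x00, 0xCC]),
    bytes([0x03, 0x10, 0x55, 0x00, 0xDD]),
    bytes([0x01, 0xFF]),
]

if __name__ == "__main__":
    for bits in (40, 128):
        print(bits, audit(SAMPLES, bits))
```

A non-zero `fms_form` count on a capture of your own network means the access point does not filter weak IVs.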
WEPCrack is certainly less efficient than AirSnort, because it does not
itself capture the data used for decoding and requires the user to extract
the data of interest.
Acknowledgements
This chapter was written with the contribution of the following students
who attended the lessons of 'Grids and Pervasive Systems' at the faculty of