Cracking WEP

Pascal Meunier, Purdue University

Introduction

Wireless Threats

Denial-of-Service Attacks

Integrity Attacks

Confidentiality Attacks

Authentication and Accountability Attacks

Design Weaknesses

SSID, BSSID, ESSID

MAC Address–Based Access and Association Control

Authentication and Association

Single Pad Attacks

Pad Collection Attack

Initial Value Collisions

Key Recovery Attacks

Integrity Attacks

Implementation Weaknesses

Restricted IV Selection

IV Selection

Newsham 21-Bit Attack

Dictionary Attacks

Automated WEP Crackers and Sniffers

AiroPeek

WEPCrack

AirSnort

NetStumbler

KisMAC

Kismet

BSD-Airtools

Alternatives to WEP

LEAP

PEAP

EAP FAST

WPA

VPNs

Conclusion

Glossary

Cross References

References

Further Reading

INTRODUCTION

The Burlington Northern and Santa Fe Railway Company (BNSF), a U.S. railroad, uses Wi-Fi (wireless fidelity) to run “driverless” trains (Smith, 2003). Home Depot (Luster, 2002), Best Buy (Computerworld, 2002; Sandoval, 2002), and Lowe's (Ashenfelter, 2003) were famously targeted by hackers who sat in the parking lots, eavesdropped on traffic to cash registers, and even accessed the companies' networks through their wireless networks. The U.S. Navy was reportedly interested in deploying 802.11b technology to control warships (Cox, 2003). Wireless LAN technology offers many possible functional benefits; in most cases, however, a successful malicious attack could have disastrous consequences. The designers of the 802.11b standard provided the wired ...
