Maximum Wireless Security

Wired Equivalent Privacy (WEP), as discussed in Chapter 4, "WEP Security" and Chapter 5, "Cracking WEP," is fundamentally flawed, allowing you to crack it. However, even though it is possible to crack WEP encryption, we still highly recommend that you use it on all your wireless networks. This will thwart the casual drive-by hacker. It also enables another layer of legal protection that prohibits the cracking of transmitted, encrypted signals. With that in mind, let's look at the practical process of cracking WEP.

The most important tool that you are going to need to crack a WEP-encrypted signal is time. The longer you capture data, the more likely you are to receive a frame that will leak a key byte. There is only about a 5% chance, in some cases a 13% chance, of this happening. On average, you will need to receive about 5,000,000 frames to crack a WEP-encrypted signal. To actually capture the encrypted data, you will need a wireless sniffer such as AirSnort (available at http://airsnort.shmoo.com/). In addition to the wireless sniffer, you will also need a series of Perl scripts, which are written by one of the technical reviewers for this book, and which are called (appropriately) WEPCrack. These scripts are available online at http:// sourceforge .net/projects/ wepcrack /.

After you have acquired the necessary tools, please refer to the following list for a step-by-step guide to cracking a WEP-encrypted signal.

1. Using your wireless sniffer, capture the WEP-encrypted signal. As previously mentioned, you will need to capture about 5,000,000 frames.

2. From a command prompt, execute the prism-getIV.pl script using the following syntax:

   prism-getIV.pl capturefile_name

   where capturefile_name is the name of your capture file from step 1. When a weak IV is found, a file named IVFile.log is created for later use.

3. Now that the IVfile.log file has been created, you need to run WEPcrack.pl . This file will use the IVfile.log to look at the IVs and attempt to guess the WEP key.

4. When you run WEPcrack.pl , the output is in decimal format. So, blow the dust off your favorite decimal-to-hex conversion chart and start converting to hex.

   The following shows the decimal to hex conversion data.

   95 = 5F 211 = D3 124 = 7C 211 = D3 232 = E8 27 = 1B 211 = D3 44 = 2C 42 = 2A 53 = 35 47 = 2F 185 = B9 48 = 30 95:211:211:53:185:211:232:44:47:48:124:27:42 (Decimal) 5F:D3:D3:35:B9:D3:E8:2C:2F:30:7C:1B:2A (HEX)

5. Take the hex version of the key and enter it into your Client Manager.

For additional information about WEP theory, please refer to Chapters 4 and 5.