Wednesday, September 16, 2009

Cracking WEP

We all know that using WEP to protect wireless network communication is considered insecure, and many people also know that this is because of the way the deprecated RC4 stream cipher is used in its implementation. In practical terms, the implementation weakness allows anyone who can capture enough WEP-encrypted packets from a particular wireless access point to use statistical analysis to recover the encryption key. This is much quicker and easier than a brute-force dictionary attack.

If you are not a mathematician with some handy wireless packet capture equipment, cracking WEP still seems quite tricky. However, a quick search of the internet shows that there are plenty of tools out there to do the job for you. Most links point in the direction of aircrack-ng, a suite of tools that allows you to discover weak access points, capture wireless packets, inject extra packets to generate more traffic and finally extract the encryption key. There are even plenty of YouTube videos that tell you how to use it, but I found the documentation on the aircrack-ng site easier to follow.

The most difficult part of the process is getting your wireless network card to work with the software, as not all chipsets are supported. Refer to the hardware compatibility list. Aircrack-ng works better with Linux, but if you only have Windows you can use a Live CD such as BackTrack.

My own experimentation showed that once you have your attack system up and running, it typically took less than 10 minutes to break into a WEP-protected wireless network. Although it is possible to complicate the process by hiding the SSID and restricting MAC addresses, these measures only delay the WEP network's compromise.

To conclude, WEP shouldn't be used to secure a wireless network. Given that I can pick up four WEP networks just from my house (I do live near a business centre), it's possible that it is still in widespread use. Even those networks that are WPA protected are not necessarily safe. The aircrack-ng software also includes a brute-force attack method that works against the four-way handshake part of the initial WPA negotiation, although it's only really successful if common dictionary words are used for the key. There are also reports of new techniques similar to the WEP attack that can be used against WPA TKIP, so it is surely only a matter of time before tools are available to crack this as well. So my advice is to use WPA2 (AES) with strong keys, and to upgrade as new technology becomes available.
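As an added example (not from the original post), here is a small Python audit script that applies the advice above to a list of visible networks: it flags open and WEP networks as critical, WPA/TKIP as high, and WPA2 networks that still permit TKIP as medium, and it notes that a hidden SSID adds no protection. The input format (one network per line as SSID|BSSID|security), all names and addresses, and the severity ordering are my own constructions and not part of the post or of any scanning tool's output.

```python
"""Rank visible wireless networks by the weaknesses discussed in the post."""
from __future__ import annotations
from dataclasses import dataclass

# Constructed sample input: one network per line as "<ssid>|<bssid>|<security>".
# Names and MAC addresses are made up for this example; they are not real networks.
SCAN_SUMMARY = """\
CoffeeShop|00:11:22:33:44:01|OPEN
<hidden>|00:11:22:33:44:02|WEP
OfficeLegacy|00:11:22:33:44:03|WPA-PSK/TKIP
Warehouse|00:11:22:33:44:04|WPA2-PSK/TKIP+CCMP
HomeNet|00:11:22:33:44:05|WPA2-PSK/CCMP
"""

@dataclass
class Finding:
    ssid: str
    bssid: str
    security: str
    severity: str   # "critical", "high", "medium" or "ok" (assumed scale)
    reason: str

def assess(security: str) -> tuple[str, str]:
    """Map a security descriptor onto a severity and a remediation hint."""
    s = security.upper()
    if s == "OPEN":
        return "critical", "no encryption at all"
    if "WEP" in s:
        return "critical", "WEP key recoverable from captured traffic; replace with WPA2 (AES)"
    if "TKIP" in s:
        if "WPA2" in s and "CCMP" in s:
            return "medium", "WPA2 still allows TKIP; disable it so only CCMP (AES) is used"
        return "high", "WPA/TKIP; migrate to WPA2 with CCMP (AES)"
    if "WPA2" in s and "CCMP" in s:
        return "ok", "WPA2 with CCMP (AES); strength depends on passphrase quality"
    return "high", f"unrecognised security string {security!r}; verify by hand"

def audit(summary: str) -> list[Finding]:
    """Parse the summary and return findings sorted from most to least severe."""
    findings = []
    for line in summary.splitlines():
        if not line.strip():
            continue
        ssid, bssid, security = (f.strip() for f in line.split("|", 2))
        severity, reason = assess(security)
        if ssid == "<hidden>":
            reason += " (hidden SSID gives no additional protection)"
        findings.append(Finding(ssid, bssid, security, severity, reason))
    order = {"critical": 0, "high": 1, "medium": 2, "ok": 3}
    return sorted(findings, key=lambda f: order[f.severity])

if __name__ == "__main__":
    for f in audit(SCAN_SUMMARY):
        print(f"{f.severity:8} {f.ssid:14} {f.bssid}  {f.security:20} {f.reason}")
```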
