The Lack of WiFi security (Part 2)

by Don Parker [Published on 6 Dec. 2006 / Last Updated on 6 Dec. 2006]

Tools that collect packets and then break the WEP keys.

If you missed the first part in this series please read The Lack of WiFi security (Part 1).

In part one of this article series on WiFi security we took a look at some tools that will help you discover wireless access points (WAPs) in your immediate vicinity. In this part we will look at tools that actually collect packets and then break the WEP keys.

WiFi security or lack thereof Part II

In the first part of this article series we looked at some of the tools that exist today which will allow you to discover wireless access points (WAPs). Wireless networks have become very popular over the past few years, not only for business but also for the home market. In all likelihood your neighbors are running a wireless router for their home computer network even though none of their computers is using a wireless card. People are often talked into buying wireless routers they don’t need by salespeople at electronics stores. These very same people are sadly the ones who are also running an unprotected WAP.

Having a WAP is not in and of itself inherently insecure, but you do need to take measures to properly harden it. That includes having encryption enabled and making sure that you are running the latest available firmware. Some other common sense measures should also be implemented. For one, there is no need to broadcast your SSID. You already know what it is, so why make a potential hacker’s job that much easier?

Figure 1

Another simple measure to take is to enable MAC filtering on your WiFi network. This restricts access to your WAP to a list of MAC addresses that have permission; all other computers or laptops whose MAC addresses are not on that list will be refused. This security measure can be bypassed by an attacker changing their MAC address, but every layer of security helps. Remember “defense in depth”.

Figure 2

On with the show

Well, as noted above, I hope your WAP is properly secured. On that note we will now look at some tools which will allow an attacker to compromise that very same WAP. First up on the list is Airsnort. You may recall that I touched on it very briefly in part one of this series; we shall now take a closer look at it. Airsnort will run on either win32 or *nix, as mentioned on its homepage. It will take you a bit of extra effort to run it on Windows, but rest assured it is entirely possible to do so.

Figure 3

Using Airsnort is fairly simple, as seen in the above screenshot. For one, you will need to ensure that you are using a supported WiFi card. Once done, you simply ensure that Airsnort is working off the proper network device and is using the right driver type as well. Once that is done, along with any other minor tweaks you may want to make, you are ready to start it. You will note the values for “crack breadth” in the upper right hand corner of Airsnort. I would advise you to leave these at their defaults unless you read up on what they mean and how they will impact cracking WEP.

Airsnort does have one limitation, and that is that it requires a large number of packets to be collected from the WAP in question. I don’t mean a couple of hundred, but rather a couple of hundred thousand or several million. As you may have guessed, there are not too many WAPs out there that will generate that volume of traffic quickly, so you can imagine that cracking WEP could be a time consuming affair. However, tools have come out since Airsnort was first written which dramatically reduce the time it takes to crack 64-bit WEP.
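The reason these tools need so much traffic, and the reason WEP is weak at any key length, is cryptographic: every frame is encrypted with RC4 keyed by a 24-bit cleartext IV prepended to the secret key, so IVs repeat and two frames under the same IV share a keystream. The following is an added illustration, not code from the article or from any of the tools it covers; the WEP framing is simplified (no ICV) and the key, IV and frame contents are constructed sample values.

```python
# Added example (not from the original article): a toy demonstration of why
# WEP is weak regardless of key length. WEP encrypts each frame with RC4
# keyed by (24-bit IV || secret key). The IV travels in the clear, so once
# it repeats, two frames share one keystream and their XOR leaks plaintext.
import math


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 (KSA + PRGA), the stream cipher WEP is built on."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style per-frame key: 3-byte IV || secret key (5 bytes for 64-bit WEP)."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    ks = rc4_keystream(iv + secret_key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def keystream_reuse_leak(secret_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """XOR two ciphertexts sent under the same IV: the shared keystream
    cancels out and only p1 XOR p2 remains, without knowing the key."""
    c1 = wep_encrypt(secret_key, iv, p1)
    c2 = wep_encrypt(secret_key, iv, p2)
    return bytes(a ^ b for a, b in zip(c1, c2))


def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday-bound probability that at least one IV repeats when a WAP
    picks `frames` IVs at random from a 2**iv_bits space."""
    n = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * n))


# Constructed sample values: a 40-bit key, one IV, two short frame payloads.
SAMPLE_KEY = bytes.fromhex("0102030405")
SAMPLE_IV = bytes.fromhex("aabbcc")
FRAME_A = b"GET /index.html"
FRAME_B = b"GET /login.html"
```

Note that the collision probability depends only on the 24-bit IV, which is why moving from 64-bit to 128-bit WEP does nothing about this particular weakness.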

WEP crackers

There are several tools that will take WiFi packet captures as their input and then work on cracking the key for you. One of the first ones to be aware of is WepAttack; please bear in mind that this is a Linux-based tool. Though the operating system of choice for many is Windows, it should be remembered that not all tools written to attack Windows or other devices are themselves native to win32. You should try to gain at least a rudimentary knowledge of other operating systems and the tools available for them. WepAttack, as seen on its homepage, is a command line utility which accepts .pcap data. You would use a tool such as the earlier discussed Kismet to capture wireless frames and then use WepAttack afterwards to crack the WEP key. It is a pretty simple tool to use.

WEPCrack is another tool for cracking WEP keys using a .pcap file as input. The tool is written in Perl, which means you can use it on your win32 box so long as you have a Perl interpreter installed. Should you not have an interpreter installed, then simply go here and get one. WepLab is the last tool that we shall look at in this article. This tool is available for win32, Linux, BSD and Mac, so pick your poison as it were. Once again this tool works like WEPCrack in that it accepts .pcap data as its input and then tries to crack the WEP key.


So far we have seen that there is a fairly wide variety of tools out there which will help you crack WEP keys, be they 64 or 128 bits in length. While some of the older tools such as Airsnort do work quite well, they require a fair amount of data before becoming effective. Since Airsnort was released, new attacks have been formulated. No longer do you really need to sit outside an office space, as it were, to collect a myriad of encrypted data.

Such simple things as stimulating the WAP by sending data to it in order to increase packet transmission will help to cut down the time it takes to crack the WEP key. For that type of scenario you would need two separate laptops. One would be used to actively stimulate the WAP itself while the other serves as a collection point, harvesting packets at a much higher rate than the WAP would normally transmit at.

We also saw that once the WEP key has been recovered, it is rather simple to use it to associate with that WAP. If the WAP has MAC filtering enabled then your task will be a tad more difficult, but far from impossible. A tool such as SMAC will allow you to change your MAC address quite easily. Just as I mentioned above in this article, enabling MAC filtering is by no means a definitive block; it will simply slow down a determined attacker.

What you will hopefully now do is use some of these tools in your home lab to actually break 64- and 128-bit WEP. It is only by doing something that you will truly understand it. Much like “doubting Thomas”, seeing is believing. On that note I will end the article series, and hopefully this series has shown you just how weak 64- and 128-bit WEP is. As always I welcome your feedback. Till next time!

The Author — Don Parker

Don Parker specializes in matters of intrusion detection, and incident handling. He has also enjoyed a role as guest speaker at various network security conferences, and writing for various online and print media on matters of computer security.