Hello,

This is my demo implementation of a specific WEP weakness outlined in the paper "Weaknesses in the Key Scheduling Algorithm of RC4" by Fluhrer, Mantin, and Shamir. A draft copy of their paper can be found at:
http://www.eyetap.org/~rguerra/toronto2001/rc4_ksaproc.pdf

My implementation only produces and attacks IVs that match the pattern [A+3, N-1, X] and does not attack other IVs that might produce weak keys. This is rather limiting in the real world, but works well with a static demo for validating the basic weakness.

The tools are Perl based and composed of two parts:

1 - WeakIVGen.pl <aa:bb:cc:dd:ee>
Simulates some of the output data you might see from an access point. It's actually designed to produce IVs within a specific range [3, 255, 0-255 to 7, 255, 0-255 for 40bit WEP] with a single corresponding encrypted byte for each IV set.

2 - WEPCrack.pl
Takes the output from WeakIVGen.pl and tries to determine each byte of the secret key by the method outlined in section 7.1 of the Fluhrer, Mantin, Shamir paper.

(Note: I'm a Perl hack, so don't criticize the code)

To use:

1 - run WeakIVGen.pl <aa:bb:cc:dd:ee>
aa:bb....:ee is the secret key in decimal format, delimited with a ":". This will create an output file.
example - if your key is "abcde" [97 98 99 100 101] then run "WeakIVGen.pl 97:98:99:100:101"

2 - run WEPCrack.pl
This will read the output file from step 1 to determine the key

Also available at Sourceforge: http://sourceforge.net/projects/wepcrack/

Enjoy,
Anton Rager
a_ragerat_private
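Added example (not part of the post above or of the WEPCrack code): a defender-side audit, in Python, that flags IVs of the form [A+3, N-1, X] in a capture and shows how a transmitter could skip them. It uses only the public IV bytes; the function names, the 24-bit counter mapping and the sample IVs are assumptions constructed for illustration.

```python
N = 256        # RC4 state size
KEY_LEN = 5    # 40-bit WEP secret key, as in the post

# Constructed sample IVs (not captured traffic).
SAMPLE_IVS = [(3, 255, 7), (3, 255, 251), (7, 255, 0),
              (8, 255, 0), (3, 254, 9), (170, 187, 204)]

def weak_key_byte(iv, key_len=KEY_LEN):
    """Return the key byte index A if iv == (A+3, N-1, X), else None."""
    a = iv[0] - 3
    if iv[1] == N - 1 and 0 <= a < key_len:
        return a
    return None

def ksa_iv_steps(iv):
    """Run only the first three KSA steps; they depend solely on the IV."""
    s = list(range(N))
    j = 0
    for i in range(3):
        j = (j + s[i] + iv[i]) % N
        s[i], s[j] = s[j], s[i]
    return s

def setup_intact(iv):
    """True if the IV steps leave S[0] == A+3 and S[1] == 0 in place."""
    s = ksa_iv_steps(iv)
    return s[0] == iv[0] and s[1] == 0

def audit(ivs, key_len=KEY_LEN):
    """Count weak-pattern IVs per key byte index they relate to."""
    counts = {a: 0 for a in range(key_len)}
    for iv in ivs:
        a = weak_key_byte(iv, key_len)
        if a is not None:
            counts[a] += 1
    return counts

def next_safe_iv(counter, key_len=KEY_LEN):
    """Map a 24-bit counter to an IV, skipping weak-pattern values.

    Returns (iv, next_counter). Hypothetical transmitter-side filter.
    """
    while True:
        iv = ((counter >> 16) & 0xFF, (counter >> 8) & 0xFF, counter & 0xFF)
        counter = (counter + 1) % (1 << 24)
        if weak_key_byte(iv, key_len) is None:
            return iv, counter
```

The filter covers only this one IV form; as the post notes, other IVs might also produce weak keys.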
This archive was generated by hypermail 2b30 : Sun Aug 12 2001 - 09:43:45 PDT