> There are some tools that will work to try to find a WEP key but they require a lot of data and time. They exploit known vulnerabilities in the WEP algorithm to find the keys. However it could take as much as 500 meg of data. I don't have the links handy. Sorry. > As far as brute forcing. ok idea but not very doable. to iterate through all cobinations would be 2^128 possibilities which gets you to about 3.4028236692093846346337460743177e+38 possible combinations. If you assumed you could do 1 per second - which would be tough if you wait for DHCP to respond it would take you 10790283070806014188970529154990 years to get through all the combinations. Thats a long time. :) If somebody could check my math that would be great. Hello, Slight mistake here : the first 24 bits of the key are random (sometimes incremental, but most vendors have fixed this by now), but transmitted inside the paquet (this is called Initialisation Vector - IV), whereas the last 40 / 104 bits are derived from one of the WEP key (since the system might use up to 4 WEP keys). 2^40 = 1099511627776 2^104 = 20282409603651670423947251286016 Since RC4 is a fast algorithm, my P4 1.7GHz processor can check around 25,000 k/s, so I guess you can walk trough a 40-bit keyspace in a couple of weeks if you have a cluster a 20 to 30 P4 2.5GHz computers. There is also a trick that can save you time : some vendors derive the WEP key directly from the ASCII passphrase - that is why you sometimes have to give 5-character or 13-character only passphrases. In this case you only have to check the ASCII printable character range. I successfully manage to crack a 64-bit WEP key using a *single* packet within hours using this trick. However I never tried on 128-bit WEP keys. Regards, - Nicolas RUFF ----------------------------------- Security Consultant EdelWeb (http://www.edelweb.fr/) Mail : nicolas.ruffat_private ----------------------------------- --------------------------------------------------------------------------- ----------------------------------------------------------------------------
This archive was generated by hypermail 2b30 : Mon Jul 21 2003 - 09:55:17 PDT