(forw) Sample implementation of new WEP weakness

From: aleph1at_private
Date: Mon Aug 13 2001 - 10:50:58 PDT

    ----- Forwarded message from Anton Rager <a_ragerat_private> -----
    
    From: Anton Rager <a_ragerat_private>
    To: bugtraqat_private
    Subject: Sample implementation of new WEP weakness
    Date: Sun, 12 Aug 2001 09:23:43 -0700 (PDT)
    Message-ID: <20010812162343.33961.qmailat_private>
    
    Hello,
    
    This is my demo implementation of a specific WEP
    weakness outlined in the paper "Weaknesses in the Key
    Scheduling Algorithm of RC4" by Fluhrer, Mantin, and
    Shamir.
    
    A draft copy of their paper can be found at:
    http://www.eyetap.org/~rguerra/toronto2001/rc4_ksaproc.pdf
    
    My implementation only produces and attacks IVs that
    match the pattern [A+3, N-1, X] and does not attack
    other IVs that might produce weak keys. This is rather
    limiting in the real world, but works well with a
    static demo for validating the basic weakness.
    
    
    The tools are Perl based and composed of two parts:
    
    1 - WeakIVGen.pl <aa:bb:cc:dd:ee>
    Simulates some of the output data you might see from
    an access point.  It's actually designed to produce
    IVs within a specific range [3, 255, 0-255 to 7, 255,
    0-255 for 40-bit WEP] with a single corresponding
    encrypted byte for each IV set.
    
    2 - WEPCrack.pl
    Takes the output from WeakIVGen.pl and tries to
    determine each byte of the secret key by the method
    outlined in section 7.1 of the Fluhrer, Mantin, Shamir
    paper.
    
    (Note: I'm a Perl hack, so don't criticize the code)
    
    To use:
    1 - run WeakIVGen.pl <aa:bb:cc:dd:ee>
    aa:bb....:ee is the secret key in decimal format,
    delimited with a ":".  This will create an output file.
    example - if your key is "abcde" [97 98 99 100 101]
    then run "WeakIVGen.pl 97:98:99:100:101"
    
    2 - run WEPCrack.pl
    This will read the output file from step 1 to
    determine the key
    
    
    Also available at Sourceforge:
    http://sourceforge.net/projects/wepcrack/
    
    Enjoy,
    
    Anton Rager
    a_ragerat_private
    
    
    
    ----- End forwarded message -----
    
    -- 
    Elias Levy
    SecurityFocus.com
    http://www.securityfocus.com/
    Si vis pacem, para bellum
    



    This archive was generated by hypermail 2b30 : Mon Aug 13 2001 - 11:20:51 PDT