Understanding WEP Encryption
Basic WEP Communication Process
[Figure: Client -> Access Point -> Internet; "Data to send" leaves the client as "Encrypted Data" on the wireless link]
1. The client encrypts the data using a key (password)
2. The encrypted packet is transmitted over the air
3. The access point receives the packet and decrypts it using the same key
Detailed WEP Encryption Process
Each packet in WEP is encrypted using a unique key stream that is generated through these steps:
[Figure: 24-bit IV (random) + Network Key (password) -> Key Stream; Key Stream + Plain Data -> Encrypted Data]
1. A random Initialization Vector (IV) is generated (only 24 bits in length)
2. The IV is combined with the network key (password) to create a key stream
3. The key stream is used to encrypt the data with the RC4 algorithm
4. The IV is attached to the encrypted packet in plain text and sent over the air
Formula: IV + Network Key = Key Stream (the IV is prepended to the network key, and the result seeds RC4)
Encryption: Key Stream + Plain Data = Encrypted Data (the key stream is XORed with the plain data)
WEP Vulnerabilities
Critical Weaknesses
IV is only 24 bits (too small)
IV is transmitted in plain text
IVs repeat on busy networks because the 24-bit IV space is so small
Repeated IVs enable statistical attacks
Security Issue: When an IV repeats under the same network key, RC4 produces the same key stream again. An attacker who collects enough packets with repeated IVs can analyze the traffic to recover the key stream and break the encryption.
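To make the two weaknesses above concrete, here is an added Python model (not code from the original page or from the aircrack-ng tools) of the WEP per-frame construction: RC4 is seeded with IV || key, the IV travels in the clear, and a birthday-bound calculation shows how quickly a random 24-bit IV is expected to repeat. The key, IVs and frame contents are constructed sample values, and the WEP integrity check value is omitted.

```python
import math

def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling, then `length` bytes of keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + seed[i % len(seed)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as WEP builds it: 3-byte IV in the clear, then RC4(IV || key) XOR data.
    (The real frame also carries a CRC-32 ICV; it is left out of this model.)"""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    ks = rc4_keystream(iv + key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))

def keystream_reused(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """Two frames sharing an IV under the same key get the identical key stream,
    so XORing their ciphertexts cancels it and leaves p1 XOR p2: the core of the
    statistical attacks the text mentions. Returns True when that relation holds."""
    c1 = wep_encrypt(key, iv, p1)[3:]
    c2 = wep_encrypt(key, iv, p2)[3:]
    return bytes(a ^ b for a, b in zip(c1, c2)) == bytes(a ^ b for a, b in zip(p1, p2))

def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday bound: probability that at least one IV repeats among `frames`
    uniformly random IVs. With 24 bits this passes 39% at ~4,096 frames."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))

if __name__ == "__main__":
    key = b"Key12"            # constructed 40-bit WEP key
    iv = b"\x01\x02\x03"      # constructed IV, reused for two frames below
    print(keystream_reused(key, iv, b"hello world!", b"GET /index.h"))
    for n in (100, 4096, 10000):
        print(n, "frames -> IV repeat probability", round(iv_collision_probability(n), 3))
```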
WEP Cracking Methodology
To crack WEP encryption, we need to:
Capture a large number of packets/IVs using airodump-ng
Analyze the captured IVs and crack the key using aircrack-ng
Challenges and Solutions
Challenge: Low network traffic = slow IV collection
Solution: Force the AP to generate new IVs using techniques like ARP request replay
Challenge: Can't communicate with the AP (not associated)
Solution: Use fake authentication to associate with the AP before launching attacks
ARP Request Replay Attack
Wait for an ARP packet on the network
Capture and replay (retransmit) the packet
This causes the AP to generate a new packet with a new IV
Continue this process until enough IVs are collected to crack the key
WPA/WPA2 Encryption
WPA and WPA2 were developed to address the weaknesses in WEP encryption.
Key Improvements
Much more secure than WEP
Each packet is encrypted using a unique temporary key
Captured packets contain no useful information for direct attacks
WPA/WPA2 Vulnerabilities
1. WPS (Wi-Fi Protected Setup) Vulnerability
WPS is a feature that can be used with WPA/WPA2
Allows clients to connect without typing the password
Authentication is done using an 8-digit PIN
8 digits is a small keyspace that can be brute-forced relatively quickly
The WPS PIN can be used to compute the actual network password
Note: This attack only works if the router is not configured to use PBC (Push Button Configuration).
2. Handshake Capture and Dictionary Attack
The only packets that can aid with cracking WPA/WPA2 are the handshake packets:
A 4-way handshake occurs when a client connects to the network
The handshake doesn't contain data that directly reveals the key
It contains data that can be used to verify whether a guessed key is correct
[Figure: Client and Access Point perform the 4-way handshake; each wordlist candidate (e.g. 123456789, qwerty, password123) is compared against the captured handshake]
WPA/WPA2 Cracking Requirements
To attempt to crack WPA/WPA2, you need to:
Capture the 4-way handshake when a client connects to the network
Use a wordlist to try possible passwords against the captured handshake
Creating a Wordlist
The crunch tool can be used to create a custom wordlist:
crunch [min] [max] [characters] -t [pattern] -o [FileName]
Example:
crunch 6 8 123abc$ -t a@@@@b -o wordlist
This would generate passwords like:
Summary
WEP
Uses RC4 algorithm with implementation flaws
Small 24-bit IV sent in plaintext with each packet
Vulnerable to statistical attacks by collecting repeated IVs
Can be cracked using airodump-ng and aircrack-ng
WPA/WPA2
Much more secure than WEP
Vulnerable through WPS if enabled
Can be cracked using dictionary attacks against captured handshakes
Success depends on the password's presence in the wordlist
Ethical Reminder: This knowledge should only be used for authorized security testing, educational purposes, or to secure your own networks. Unauthorized access to networks is illegal in most jurisdictions.