SecurityFocus has a two-part article that looks at the new generation of WEP cracking tools for WiFi networks, which offer dramatically faster speeds for penetration testers than the previous generation of tools. In many cases, a WEP key can be determined in seconds or minutes. Part one compares the latest KoreK-based tools, which perform passive statistical analysis and brute-force cracking on a sample of collected WEP traffic. Part two looks at active attack vectors, including a method to dramatically increase the rate of packet collection and so make statistical attacks even more potent.
On August 8th, 2004, a hacker named KoreK posted new WEP statistical cryptanalysis attack code (soon to become a tool called chopper) to the NetStumbler forums. While chopper is functional, it is not currently maintained, and the attacks have since seen better implementations in aircrack and WepLab. However, the KoreK attacks change everything. No longer are millions of packets required to crack a WEP key; no longer does the number of obviously “weak” or “interesting” IVs matter. With the new attacks, the critical ingredient is the total number of unique IVs captured, and a key can often be cracked with hundreds of thousands of packets, rather than millions.
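Because the number of unique IVs is what now matters, a defender running a legacy WEP network wants to know how much of the 24-bit IV space its stations have already exposed and how soon IVs start repeating. The following script is an added example written for this post, not code from SecurityFocus, KoreK, aircrack or WepLab: it parses constructed, minimal 802.11 WEP data frames (header layout and flag bits as in the 802.11 standard; QoS and 4-address frames are deliberately skipped), counts unique and reused IVs per BSSID, and gives a birthday-bound estimate of IV reuse. The BSSIDs, station addresses and IV values are made up for the sample.

```python
import math
from collections import defaultdict

IV_SPACE = 2 ** 24  # WEP uses a 24-bit IV, so only 16,777,216 distinct values exist


def build_wep_frame(bssid: bytes, sta: bytes, iv: bytes, key_idx: int = 0,
                    body: bytes = b"\x00" * 8, protected: bool = True) -> bytes:
    """Constructed, not captured: a minimal 802.11 data frame (ToDS=1).
    Layout: FC(2) | duration(2) | addr1(6) | addr2(6) | addr3(6) | seq(2) | IV(3) | KeyID(1) | body
    """
    flags = 0x01 | (0x40 if protected else 0x00)   # ToDS=1, Protected bit = 0x40
    header = bytes([0x08, flags]) + b"\x00\x00" + bssid + sta + bssid + b"\x00\x00"
    key_byte = bytes([(key_idx & 0x03) << 6])      # key index lives in the top 2 bits
    return header + iv + key_byte + body


def parse_wep_frame(frame: bytes):
    """Return (bssid, iv, key_idx) for a WEP-protected non-QoS data frame, else None."""
    if len(frame) < 28:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x03 != 2:        # frame type 2 = data
        return None
    if fc0 & 0x80:                    # subtype bit set for QoS data (extra 2-byte header), skipped here
        return None
    if not fc1 & 0x40:                # Protected Frame bit clear: plaintext, no IV to count
        return None
    to_ds, from_ds = fc1 & 0x01, fc1 & 0x02
    if to_ds and from_ds:             # 4-address WDS frames have a 30-byte header, skipped here
        return None
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    bssid = addr1 if to_ds else (addr2 if from_ds else addr3)
    iv = frame[24:27]
    key_idx = frame[27] >> 6
    return bssid, iv, key_idx


def iv_stats(frames):
    """Per-BSSID accounting: WEP frames seen, unique IVs, and the IVs that repeated."""
    seen = defaultdict(lambda: defaultdict(int))
    for f in frames:
        parsed = parse_wep_frame(f)
        if parsed is None:
            continue
        bssid, iv, _ = parsed
        seen[bssid][iv] += 1
    report = {}
    for bssid, ivs in seen.items():
        report[bssid.hex(":")] = {
            "frames": sum(ivs.values()),
            "unique_ivs": len(ivs),
            "reused_ivs": sorted(iv.hex() for iv, n in ivs.items() if n > 1),
        }
    return report


def iv_reuse_probability(n_frames: int, space: int = IV_SPACE) -> float:
    """Birthday-bound estimate that at least one IV repeats after n_frames random IVs."""
    if n_frames < 2:
        return 0.0
    return 1.0 - math.exp(-n_frames * (n_frames - 1) / (2.0 * space))


# Constructed sample: two made-up BSSIDs, one of them already reusing an IV.
BSSID_A = bytes.fromhex("001122334455")
BSSID_B = bytes.fromhex("66778899aabb")
STA = bytes.fromhex("aabbccddee01")
SAMPLE_FRAMES = [
    build_wep_frame(BSSID_A, STA, b"\x00\x00\x01"),
    build_wep_frame(BSSID_A, STA, b"\x00\x00\x02"),
    build_wep_frame(BSSID_A, STA, b"\x00\x00\x01"),          # IV repeated: keystream reuse
    build_wep_frame(BSSID_A, STA, b"\x00\x00\x03", protected=False),  # open frame, ignored
    build_wep_frame(BSSID_B, STA, b"\x0a\x0b\x0c"),
]


if __name__ == "__main__":
    for bssid, stats in iv_stats(SAMPLE_FRAMES).items():
        print(bssid, stats)
    for n in (1000, 5000, 20000):
        print(f"{n:>6} frames: P(IV reuse) ~ {iv_reuse_probability(n):.3f}")
```

The report is key-independent: it only reads the cleartext IV header, which is exactly why a passive observer can do the same accounting. The birthday estimate shows that a station emitting random IVs has better than even odds of a repeat after roughly 5,000 frames, a few minutes of ordinary traffic, which is the structural reason the number of unique IVs, not the number of "weak" ones, became the limiting ingredient.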
One of the tools discussed is aircrack. By implementing KoreK’s attacks as well as an improved FMS attack, aircrack provides the fastest and most effective statistical attacks available. To give aircrack a try, simply collect as many packets as possible from a WEP-encrypted wireless network, save them as a pcap file, and then start aircrack from the command line.