Bugtraq mailing list archives

Sample implementation of new WEP weakness


From: Anton Rager <a_rager () yahoo com>
Date: Sun, 12 Aug 2001 09:23:43 -0700 (PDT)

Hello,

This is my demo implementation of a specific WEP
weakness outlined in the paper "Weaknesses in the Key
Scheduling Algorithm of RC4" by Fluhrer, Mantin, and
Shamir.

A draft copy of their paper can be found at:
http://www.eyetap.org/~rguerra/toronto2001/rc4_ksaproc.pdf

My implementation only produces and attacks IVs that
match the pattern [A+3, N-1, X] and does not attack
other IVs that might produce weak keys. This is rather
limiting in the real world, but works well with a
static demo for validating the basic weakness.


The tools are Perl based and composed of two parts:

1 - WeakIVGen.pl <aa:bb:cc:dd:ee>
Simulates some of the output data you might see from
an access point.  It's actually designed to produce
IVs within a specific range [3, 255, 0-255 to 7, 255,
0-255 for 40bit WEP] with a single corresponding
encrypted byte for each IV set.

2 - WEPCrack.pl
Takes the output from WeakIVGen.pl and tries to
determine each byte of the secret key by the method
outlined in section 7.1 of the Fluhrer, Mantin, Shamir
paper.

(Note: I'm a Perl hack, so don't criticize the code)

To use:
1 - run WeakIVGen.pl <aa:bb:cc:dd:ee>
aa:bb....:ee is the secret key in decimal format,
delimited with a ":".  This will create an output file.
example - if your key is "abcde" [97 98 99 100 101]
then run "WeakIVGen.pl 97:98:99:100:101"

2 - run WEPCrack.pl
This will read the output file from step 1 to
determine the key


Also available at Sourceforge:
http://sourceforge.net/projects/wepcrack/

Enjoy,

Anton Rager
a_rager () yahoo com



Attachment: WEPCrack-beta.tar.gz
Description: WEPCrack-beta.tar.gz
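
The IV pattern [A+3, N-1, X] from the post can be checked on the defending side. The following is an added example, not part of the original post or the WEPCrack tools: it audits a list of observed IVs for the pattern and shows an IV counter that skips matching values. The function names, the big-endian 24-bit counter and the sample IVs are assumptions made for illustration, and like the post's tools it covers only this one pattern.

```python
from collections import Counter

N = 256  # RC4 state size; the post's "N-1" is therefore 255


def exposed_key_byte(iv, key_len=5):
    """Return A, the 0-based index of the secret-key byte that an IV of the
    form [A+3, N-1, X] exposes, or None if the IV does not match."""
    if len(iv) != 3 or any(not 0 <= b < N for b in iv):
        raise ValueError("WEP IV must be three bytes")
    a = iv[0] - 3
    return a if iv[1] == N - 1 and 0 <= a < key_len else None


def audit_ivs(ivs, key_len=5):
    """Count pattern-matching IVs per exposed key byte in a list of IVs."""
    hits = Counter()
    for iv in ivs:
        a = exposed_key_byte(iv, key_len)
        if a is not None:
            hits[a] += 1
    return dict(sorted(hits.items()))


def next_safe_iv(counter, key_len=5):
    """Advance a 24-bit IV counter (assumed big-endian), skipping values
    that match the pattern. Returns (iv_bytes, new_counter)."""
    while True:
        counter = (counter + 1) % (1 << 24)
        iv = counter.to_bytes(3, "big")
        if exposed_key_byte(iv, key_len) is None:
            return iv, counter


# Constructed sample IVs (not real capture data).
SAMPLE_IVS = [bytes(b) for b in (
    (3, 255, 17), (3, 255, 200), (5, 255, 0), (7, 255, 9),  # match for 40-bit
    (8, 255, 1),                          # A=5: matches only for longer keys
    (3, 254, 17), (0, 0, 1), (255, 255, 255),               # no match
)]

if __name__ == "__main__":
    print("40-bit :", audit_ivs(SAMPLE_IVS, key_len=5))
    print("104-bit:", audit_ivs(SAMPLE_IVS, key_len=13))
    print("next IV after 03:FE:FF:", next_safe_iv(0x03FEFF)[0].hex(":"))
```

With key_len=5 the pattern covers exactly the range the post gives for 40-bit WEP (first byte 3 to 7, second byte 255), which is 1280 of the 2^24 possible IVs.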
