17.4 Practical WEP Cracking

Now that we have reviewed the theory, let's examine the practical steps for cracking WEP. The most important resource for cracking a WEP-encrypted signal is time. The longer you capture data, the more likely you are to receive a collision that will leak a key byte. Based on empirical data, there is only about a five percent chance of this happening. On average, you need to receive about five million frames to be able to crack a WEP-encrypted signal. In addition to a wireless sniffer, you'll need a series of Perl scripts available from http:// sourceforge .net/projects/wepcrack/, called (appropriately) WEPCRACK .

Once you have acquired the necessary tools, perform the following steps for cracking a WEP-encrypted signal:

1. Capture the WEP-encrypted signal using your wireless sniffer (about five milion frames).

2. From a command prompt, execute the prism-getIV.pl script with the following syntax:

     prism-getIV.pl capturefile_name  

3. where capturefile_name is the name of your capture file from step 1. When a weak IV is found, the program creates a file named IVfile.log .

4. Run WEPcrack.pl , which looks at the IVs IVfile.log and attempts to guess at a WEP key. The output of WEPcrack.pl is in decimal format. You will need a decimal-to-Hex conversion chart.

5. Take the Hex version of the key and enter it into your Client Manager, and you're done!