Source: The Register
A handful of hackers have the fastest attack on WEP that I’ve read of so far.
Here are the instructions via The Register:
Step 1: Find the enemy (this is the test-network you created in your lab, to verify our results). You can use kismet or airodump to find it.
Step 2: Generate some traffic. To generate some traffic, use aireplay-ng in ARP injection mode. Aireplay will listen to the network until it has found an encrypted ARP packet. By reinjecting this packet again and again, you will generate a lot of traffic, and you will know that most of the traffic was ARP-traffic. For an ARP-Packet, you know the first 16 bytes of the cleartext and so the first 16 bytes of the cipherstream.
Step 3: Write this traffic to disk using airodump-ng or so. This will create a tcpdump-like capture file with the traffic.
Step 4: Launch our algorithm. You need the aircrack-ptw (by the way, aircrack-ptw has been integrated in the 0.9-dev version of aircrack-ng, which is currently in svn, but not released).
From a theoretical point of view, our algorithm is based on the following ideas. Andreas Klein, a German researcher, showed that there is a correlation in RC4 between keybytes 1 to i-1, the keystream and the keybyte i. If the keybytes 1 to i-1 and the keystream are known, it is possible to guess the next unknown keybyte with a probability of about 1.36/256, which is a little bit higher than 1/256. We were able to show that it is also possible to guess the sum of keybytes i to i+k with a probability of more than 1.24/256.
In a WEP environment, the first three bytes of a packet key are always known and are called IV. Our tool tries to guess the sum of the next 1, 2, 3, … to 13 keybytes for every packet. If enough packets have been captured, the most guessed value for a sum is usually the right one. If not, the correct value is most times one of the most guessed ones.
Aircrack-ptw tries to find the key, using the idea described above. If you have about 40,000 to 85,000 packets, your success probability is somewhere between 50 per cent and 95 per cent.
Sounds like fun!!
Big ups to The Register on the sweet article with the interview. Please read the WHOLE article, the interview contains more information than the quick tutorial that I re-posted. Reading the whole article will help you understand what this attack is really doing and how safe WEP really isn’t.
As for the attack itself, you can try to do it all in Windows using aircrack ported into cygwin. However, I would suggest updating your BackTrack 2.0 disc or partition with the latest modules from the latest aircrack suite.
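The claim in Step 2, that an ARP packet gives away the first 16 bytes of the cipherstream, can be checked with a few lines of Python. This is an added illustration, not code from the article or from aircrack-ptw; the root key, IVs and addresses are constructed lab values, and the sketch stops at the keystream prefix (it performs no key recovery).

```python
import struct
import zlib

# First 16 plaintext bytes of every WEP-protected ARP request are fixed:
LLC_SNAP = bytes.fromhex("aaaa030000000806")   # LLC/SNAP header, EtherType 0x0806 (ARP)
ARP_FIXED = bytes.fromhex("0001080006040001")  # Ethernet, IPv4, hlen 6, plen 4, opcode 1
KNOWN_PREFIX = LLC_SNAP + ARP_FIXED

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling followed by n bytes of output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(iv: bytes, root_key: bytes, plaintext: bytes) -> bytes:
    """WEP body: RC4 under the per-packet key IV || root key, over data + CRC-32 ICV."""
    data = plaintext + struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    ks = rc4_keystream(iv + root_key, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))

def recover_keystream_prefix(ciphertext: bytes) -> bytes:
    """XOR the fixed ARP prefix out of the ciphertext: 16 keystream bytes, no key needed."""
    return bytes(c ^ p for c, p in zip(ciphertext, KNOWN_PREFIX))

def demo():
    root_key = bytes.fromhex("0102030405060708090a0b0c0d")  # constructed 104-bit lab key
    # Constructed sender MAC/IP and target MAC/IP (the variable part of the ARP request)
    arp_body = bytes.fromhex("02000000000a" "c0a80001" "000000000000" "c0a80002")
    results = {}
    for iv in (b"\x00\x00\x01", b"\x00\x00\x02", b"\xa1\xb2\xc3"):  # constructed IVs
        ct = wep_encrypt(iv, root_key, KNOWN_PREFIX + arp_body)
        results[iv] = recover_keystream_prefix(ct)
    return root_key, results

if __name__ == "__main__":
    for iv, ks in demo()[1].items():
        print(iv.hex(), ks.hex())
```

Every captured ARP frame therefore yields a cleartext IV paired with 16 bytes of RC4 output for the key IV || root key, which is exactly the input the correlation described above works on. That is why WEP cannot be repaired by choosing a longer or stronger key.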