My experience trying to crack my WiFi network WEP
My last few posts have been about WiFi network security. In one of them, I'm sure I mentioned I planned on testing my own home network's WiFi security. Well, I made the effort and found some surprising results.
As I had mentioned, I've been using WEP as my preferred method of wireless encryption. WPA is the better choice, as it is much harder to crack. However, more devices support WEP than WPA. A few devices on my network don't seem to offer WPA support, hence my decision to use WEP.
I'm sure you've read technology news stories about WEP (and even WPA) being cracked. I think anyone who's personally attempted this can say it is definitely very possible, but not always practical. There are two important factors for cracking WEP: time and traffic.
One, it takes a lot of time to capture enough network packets for the cracking program to work with. Two, the network you are trying to crack must be broadcasting packets for your card to detect.
If your network is vulnerable, obviously the amount of time needed to crack your WEP will be reduced. Early versions of 802.11b (and perhaps some 802.11g) firmware would generate weak initialization vectors (weak IVs). The WEP encryption produced by this older firmware would be cracked more quickly than that of newer or upgraded hardware. Also, if you generate a WEP key based on a plain English password string, you'll likely be vulnerable to a dictionary-style attack. I suggest a strong WEP key generator such as this one (using the random option).
Please keep in mind that despite your best efforts to reduce the number of "weak IVs", you're still actually vulnerable. If someone has the time, they CAN capture enough packets to run calculations to extract the WEP key. The more computing power the attacker has, the fewer packets they need to capture.
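If you want to check whether your own access point's firmware is still emitting the weak IVs described above, here is an added Python example (not from the original post) that flags FMS-style weak IVs, those whose first byte is A+3 and second byte is 255 for a key-byte index A, in captured WEP data frames; the frame layout used (a plain 24-byte 802.11 MAC header followed by the 4-byte IV/key-ID field) and the sample frames are constructed assumptions.

```python
"""Audit captured WEP data frames for FMS-style weak IVs (defensive check)."""

WEP_KEY_BYTES = 13  # 104-bit WEP key; use 5 for 40-bit keys


def extract_iv(frame: bytes):
    """Return the 3-byte IV of a WEP-protected 802.11 data frame, or None."""
    if len(frame) < 28:                 # 24-byte header + 4-byte IV/key-ID field
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:           # frame type 2 = data
        return None
    if not (fc1 & 0x40):                # Protected Frame bit clear: not WEP
        return None
    return frame[24:27]                 # IV sits just before the key-ID byte


def is_fms_weak(iv: bytes) -> bool:
    """Classic FMS weak IV pattern: (A + 3, 255, X) for key byte index A."""
    a = iv[0] - 3
    return iv[1] == 0xFF and 0 <= a < WEP_KEY_BYTES


def weak_iv_report(frames):
    """Count protected frames and how many of them carry a weak IV."""
    total = weak = 0
    for frame in frames:
        iv = extract_iv(frame)
        if iv is None:
            continue
        total += 1
        if is_fms_weak(iv):
            weak += 1
    fraction = weak / total if total else 0.0
    return {"protected_frames": total, "weak_ivs": weak, "fraction": fraction}


def make_frame(iv: bytes, protected: bool = True) -> bytes:
    """Build a constructed data frame with the given IV (sample input only)."""
    fc = bytes([0x08, 0x40 if protected else 0x00])       # type data, subtype 0
    header = fc + b"\x00\x00" + b"\x00" * 18 + b"\x00\x00"  # duration, 3 addrs, seq
    return header + iv + b"\x00" + b"\xAA" * 8            # IV, key-ID, ciphertext stub


# Constructed sample capture: two weak IVs, one just outside the key range,
# one ordinary IV, and one unprotected frame that must be ignored.
SAMPLE_FRAMES = [
    make_frame(bytes([3, 255, 7])),
    make_frame(bytes([0x10, 0x22, 0x33])),
    make_frame(bytes([15, 255, 1])),
    make_frame(bytes([16, 255, 1])),
    make_frame(bytes([5, 255, 9]), protected=False),
]
```

A firmware that never emits such IVs will report zero weak IVs over a long capture; a non-trivial fraction is a sign the hardware should be upgraded or replaced.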
Remember, the time needed varies greatly. Also, your wireless LAN access point will likely generate wireless packets regardless of the presence of a wireless client device. In my experiments, the longest stretch of time I had in one block to capture packets was about twelve hours. My wireless laptop was receiving a 128k Ogg Vorbis stream, and I was forcing broadcasts of packets through various means. I ran this captured data through AirCrack for about two hours and it was unable to extract the key. Granted, these weren't ideal circumstances, but it did reveal that cracking was possible - though it may take more time than the average person has. Other web articles seem to confirm that there's no exact science for figuring out how much time or how many packets are needed at this point.
There are a couple more roadblocks for the cracker. A lot of the open source capturing/cracking software isn't as versatile on Windows. A lot of the hacker-type developers obviously write their software on Linux, and it hasn't fully been ported to Windows yet. This means that the "script kiddies" who attempt cracks for free WiFi access must be proficient at making their wireless LAN cards work in general under Linux. Also, an 802.11g network essentially cannot be cracked with an 802.11b card (at least under normal circumstances). So, the cracker has to have a good selection of hardware and software set up, and should know how to use it. This doesn't mean that only a few elite hackers can crack your network, though it does reduce the number that can.
There are other security methods available, but the choice of WEP/WPA is essential. With most consumer level access points, there's no other secure method of preventing an unauthorized client from joining your network. I'm planning on outlining other measures you can take to secure your wireless network. Stay tuned for a tutorial on how to tunnel your wireless connection over an encrypted VPN.