WEPCrack is an open source tool for breaking 802.11 WEP secret keys. This tool is an implementation of the attack described by Fluhrer, Mantin, and Shamir in the paper "Weaknesses in the Key Scheduling Algorithm of RC4".

While Airsnort has captured the media attention, WEPCrack was the first publicly available code that demonstrated the above attack. We released code and announced to bugtraq on Aug 12, 2001. Airsnort released code about a week later, but had a much more usable and complete implementation for both collection and cracking. Adam Stubblefield and AT&T had the first publicly announced verification of the attack, but did not release their source code for public review and use.

Our SourceForge development area is at http://sourceforge.net/projects/wepcrack/

Tool Capabilities

The current tools are Perl based, and are composed of the following scripts:
1 - WeakIVGen.pl - This script allows a simple emulation of the IV/encrypted output that one might observe with a WEP-enabled 802.11 Access Point. The script generates IV combinations that can weaken the secret key used to encrypt the WEP traffic.
2 - prism-getIV.pl - This script relies on output from Prismdump [or from Ethereal captures if libpcap has been patched for 802.11 monitor mode], and looks for IVs that match the pattern known to weaken secret keys. This script also captures the 1st byte of the encrypted output and places it and the weak IVs in a logfile.
3 - WEPCrack.pl - This script uses data collected by prism-getIV.pl or generated by WeakIVGen.pl to attempt to determine the secret key. It will work with either 40-bit or 128-bit WEP.

Additionally, I have included a script prism-decode.pl that will decode most 802.11 frame types. This tool is intended to be used with prismdump, but could also be used against Ethereal 802.11 saved captures. It might be useful for capturing SSIDs, AP MAC addresses, or authentication data.

Using the Tools

  • WeakIVGen.pl
    Specify a key, and the program will generate a file "IVFile.log" that contains IVs that weaken each character of the secret key entered. The format for entering the key is "00:01:02:03:04" where each digit is a decimal value of actual key character, and the ":" character is used to delimit each key character.

  • prism-getIV.pl
    This script reads prismdump/Ethereal capture files, and looks for weak IVs in WEP traffic. If weak IVs are found, they are placed in the file "IVFile.log" along with the 1st encrypted output byte. This script accepts input from STDIN or from a file specified on the command line. You can either run "prismdump | prism-getIV.pl" or run "prismdump > capturefile" and then "prism-getIV.pl capturefile".

  • WEPCrack.pl
    This script reads IVFile.log, and uses the weak IVs plus the encrypted output bytes to determine the secret key used. It sometimes guesses wrong, so additional logic will be added soon to do some additional checks.

  • prism-decode.pl
    This script reads prismdump/Ethereal capture files, and decodes 802.11 frames. This script accepts input from STDIN or from a file specified on the command line. You can either run "prismdump | prism-decode.pl" or run "prismdump > capturefile" and then "prism-decode.pl capturefile".
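The weak-IV check that prism-getIV.pl performs is also useful from the owner's side: run it over your own capture to see whether an access point or client still emits FMS-weak IVs (later firmware skips them). The following is an added example and not part of WEPCrack; it assumes raw 802.11 data frames with a 24-byte header (plus the optional fourth address and QoS control field), a 3-byte IV followed by the key-ID byte, and constructed sample frames rather than a real capture.

```python
from collections import Counter

def wep_iv(frame: bytes):
    """Return (iv, key_id) for a WEP-protected 802.11 data frame, else None."""
    if len(frame) < 28:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 & 0x0C) != 0x08 or not (fc1 & 0x40):  # not data, or Protected bit clear
        return None
    hdr = 24                                       # FC, duration, 3 addresses, seq ctrl
    if (fc1 & 0x03) == 0x03:                       # ToDS+FromDS: fourth address present
        hdr += 6
    if fc0 & 0x80:                                 # QoS data subtype: 2-byte QoS control
        hdr += 2
    if len(frame) < hdr + 4:
        return None
    return frame[hdr:hdr + 3], frame[hdr + 3] >> 6  # 3-byte IV, key ID in top 2 bits

def fms_weak_key_byte(iv: bytes, key_len: int = 5):
    """0-based index of the secret-key byte this IV weakens (FMS 'resolved'
    class (A+3, 0xFF, X); the IV fills RC4 key bytes 0-2), or None."""
    a = iv[0] - 3
    return a if iv[1] == 0xFF and 0 <= a < key_len else None

def audit(frames, key_len: int = 5):
    """Count WEP frames and how many weak IVs land on each secret-key byte."""
    total, weak = 0, Counter()
    for frame in frames:
        parsed = wep_iv(frame)
        if parsed is None:
            continue
        total += 1
        a = fms_weak_key_byte(parsed[0], key_len)
        if a is not None:
            weak[a] += 1
    return total, dict(weak)

def make_frame(iv: bytes, qos: bool = False) -> bytes:
    """Constructed sample: ToDS data frame, Protected bit set, key ID 0."""
    fc = bytes([0x88 if qos else 0x08, 0x41])
    hdr = fc + b"\x00\x00" + b"\x02" * 6 + b"\x04" * 6 + b"\x06" * 6 + b"\x00\x00"
    if qos:
        hdr += b"\x00\x00"
    return hdr + iv + b"\x00" + b"\xaa\xbb\xcc\xdd"   # dummy ciphertext bytes

# Constructed capture: two IVs weak for a 40-bit key, one random, one weak only for 104-bit.
SAMPLE = [make_frame(b"\x03\xff\x07"), make_frame(b"\x04\xff\x10", qos=True),
          make_frame(b"\x12\x34\x56"), make_frame(b"\x09\xff\x00")]
```

audit(SAMPLE) returns (4, {0: 1, 1: 1}); with key_len=13 (104-bit WEP) the last frame also counts as weak, for key byte 6.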

Future Capabilities

  • Database of SSIDs and AP MACs for multiple IV collection and cracking
  • Dynamic WEP determination - Current code always assumes traffic is WEP.
  • Brute force capabilities with cracking tool.
  • Patch Ethereal to use the WEP key, and decode WEP traffic for further analysis. Additionally, this may allow Ethereal to read the WEPCrack database and use the correct key for specific MACs if WEPCrack has cracked the key.

    Author: Anton T. Rager a_rager@yahoo.com