Re: V/Scan for Wireless LANs

From: Ivan Arce (
Date: 07/19/03

    Date: Fri, 18 Jul 2003 20:09:56 -0300

    In the first issue (Jan-Feb 2003) of the IEEE Security & Privacy magazine
    Nick Petroni and Will Arbaugh provide a quite detailed description of
    an active attack against WEP that provides full network access to the
    wireless LAN (both encryption and decryption) without knowledge of
    the secret key within a few hours. The attack takes advantage of the
    use of CRC-32 for packet integrity checks and the availability of
    known or easily predictable plaintext in common network protocols like
    DHCP and ICMP.

    "The Dangers of Mitigating Security Design Flaws: A Wireless Case Study"
    Nick L. Petroni Jr. and William A. Arbaugh
    IEEE Security & Privacy magazine, Jan-Feb 2003, pp 28-36

    I don't know of any publicly available implementation of this attack but
    it is certainly a good starting point for those willing to code it :)


    Perscriptio in manibus tabellariorum est
    Noli me vocare, ego te vocabo
    Ivan Arce
    46 Farnsworth Street
    Boston, MA 02210
    Ph: 617-399-6980
    Fax: 617-399-6987
    PGP Fingerprint: C7A8 ED85 8D7B 9ADC 6836  B25D 207B E78E 2AD1 F65A

    R. DuFresne wrote:
    > It's been done.  But, I think someone erred earlier in the amount of
    > traffic one needs to capture to accomplish this.  I recall it being
    > someplace between only 5 and 6 megs of traffic, perhaps 10 if one wished
    > to make sure, but, I will enjoy any corrections to my recollections.
    > Thanks,
    > Ron DuFresne
    > On Fri, 18 Jul 2003, Calderone, Denis wrote:
    >>A side question for the group on this topic,
    >>Has anybody successfully used WEPcrack or Airsnort to crack a 128bit key?  I've never tried.
    >>Denis Calderone
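
The message above attributes the weakness to CRC-32 being used as the integrity check. The following is an added example, not part of the original post and not the method from the cited paper: it shows on a toy frame format why a CRC under a stream cipher does not detect modification while a keyed MAC does. The stream cipher (SHA-256 in counter mode), the frame layout and the sample message are constructed assumptions, not RC4 or WEP.

```python
import hashlib, hmac, struct, zlib

def keystream(key: bytes, n: int) -> bytes:
    """Stand-in stream cipher (SHA-256 counter mode); an assumption, not RC4."""
    blocks = (hashlib.sha256(key + struct.pack("<I", i)).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def seal_crc(key: bytes, msg: bytes) -> bytes:
    """Weak design: encrypt (message || CRC-32) with a stream cipher."""
    body = msg + struct.pack("<I", zlib.crc32(msg))
    return xor(body, keystream(key, len(body)))

def open_crc(key: bytes, frame: bytes):
    body = xor(frame, keystream(key, len(frame)))
    msg, (icv,) = body[:-4], struct.unpack("<I", body[-4:])
    return msg if zlib.crc32(msg) == icv else None

def seal_hmac(key: bytes, msg: bytes) -> bytes:
    """Corrected design: encrypt, then HMAC the ciphertext with a separate key."""
    ct = xor(msg, keystream(key, len(msg)))
    mac_key = hashlib.sha256(b"mac" + key).digest()
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()

def open_hmac(key: bytes, frame: bytes):
    ct, tag = frame[:-32], frame[-32:]
    mac_key = hashlib.sha256(b"mac" + key).digest()
    good = hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest())
    return xor(ct, keystream(key, len(ct))) if good else None

def keyless_patch(delta: bytes) -> bytes:
    """CRC-32 is affine over XOR: crc(m ^ d) = crc(m) ^ crc(d) ^ crc(zeros),
    so the checksum change for a given delta is computable without the key."""
    fix = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return delta + struct.pack("<I", fix)

def apply(frame: bytes, patch: bytes) -> bytes:
    return xor(frame, patch.ljust(len(frame), b"\0"))

def demo():
    key = b"constructed-demo-key"          # constructed sample values
    msg, want = b"seq=0001 state=closed", b"seq=0001 state=opened"
    delta = xor(msg, want)                 # needs only the known plaintext
    crc_result = open_crc(key, apply(seal_crc(key, msg), keyless_patch(delta)))
    mac_result = open_hmac(key, apply(seal_hmac(key, msg), delta))
    return crc_result, mac_result          # CRC accepts the change, HMAC rejects
```
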
