Case Studies

  • David Clements


    I am looking for case studies on cracking WEP.  Anyone interested in supplying some info?

    How long on average did it take to retrieve a key?
    How long was the key?
    What OS did you use?
    What specific hardware/antenna?
    Any stumbling blocks?




    • Anonymous

      same question here?

    • Andrew Hintz

      I've found that it takes me somewhere around 3 hours to crack a 40 bit (aka 56 bit) WEP key.

      I'm running Linux (RedHat distro.) using a Linksys wireless card.

      The biggest stumbling block I had was in actually getting airsnort to work properly.

      • Andrew Hintz

        I forgot to add that it took about 3 hours when one of the hosts on the wireless network was being ping flooded.

    • Roland Gafner

    • Jason Gauruder

      Here are my notes w/ v 0.1.0
      I'll update once I try 0.2.0

      laptop = NEC Versa 6060 32 MB ram
      NOTE: Disable COM and LPT and SOUND in BIOS to free up IRQs!!!

      Redhat 7.1
      Included kernel = 2.4.2-2
      Included PCMCIA = 3.1.22

      D-link DWL-650

      Using NAI sniffer to "ping flood" a wireless device to generate a huge traffic volume.
      took about 8 hours to crack 128 bit key
      collected about 2000 interesting packets to do this (stopped to crack approx every hour)


    • Anonymous

      I'm running:

      RedHat 7.2 (distribution)

      HP Omnibook
      Linksys wireless card

      On average it has taken 40 hours to crack 40 bit WEP.  I'm generating packets from 2 laptops (Linksys and Compaq WL-110).  I'm using fping in non-stop mode to ping the WAP.  It has taken many millions of packets to get 4,000 interesting packets.

      I need to play around with how to best generate packets from a ping flood.  Any suggestions on how to do this without a sniffer?


    • Anonymous

      Maybe I'm missing something here, but wouldn't the case study be more effective if either the average packets per second generated by the ping flood were included for a time to traffic ratio, or if it were using networks without artificially generating traffic? Seems to me that the time needed to crack WEP using these methods is a little misleading for application in a real-world scenario, because if the attacker could generate that kind of traffic they would already be beyond breaching WEP.

    • David Bell

      I'm in the midst of an internal debate about the use of WEP.  One faction (mine) recommends forbidding WEP (since we require all wireless traffic to be FIPS PUB 140-2 or AES encrypted & we use VPN from device to the inside net).  The other faction recommends requiring the use of WEP.

      The principal reason the other side gives for using WEP is to prevent denial of service attacks. 

      In my reading to check the accuracy of their statements, I found this chain.  My question revolves around the fact that most of the reports here are ping-flooding an AP that is using WEP.

      Is the claim that WEP prevents locating an AP incorrect?  Seems to me that if I could find an AP and ping-flood it, with or without WEP, I could launch a DoS independent of WEP.

      In general, I would be interested in the most recent methods of cracking WEP with Airsnort or anything else.  And hard measurement results.

      If this is off-topic, I will gladly move the discussion elsewhere.

      thanks, David

      • snacks snax

        WEP in no way prevents the location of an AP.  An AP using WEP will still send its ESSID in the clear from time to time.  Unless you can associate with the AP, which implies you already know the key, you can't ping it however.  Ping floods are useful for generating traffic for the purpose of testing airsnort.

        DoS attacks against 802.11b are numerous and none of them can be prevented by using WEP.  See for more info on some of the latest DoS and advanced attacks on 802.11


    • I got AirSnort 02.1.b to crack a 40 bit key after collecting 3693 interesting packets out of a total of just over 10,000,000 encrypted packets. The 40 bit crack breadth was set at 12.

      It took 6 hours to generate the packets, by running approx 250 concurrent PINGs on a W2K Pro client station.

      The PING (ping -t-f) targeted a Linksys AP - model BEFW1154_v2 (firmware 1.42.7).

      The W2K client station used an Orinoco Gold card in a PCI adapter (firmware 7.28).

      The capture machine ran RedHat Linux 7.3 on a Pentium 3 - 500 MHz, using a Cisco Aironet 350 PCI card (firmware 4.25.30).

      At these firmware levels, both the Orinoco and the Linksys AP generate sequential IV numbers. Before starting the Airsnort capture, I reloaded the firmware on both devices, so the IVs started out initialized to 00:00:00.

    • I would like to know if someone has already guessed the WEP key during a communication between 2 Cisco Aironet (bridge) with the new dynamic WEP (128).
      If you have references, address, ...



    • Anonymous

      Has anyone found interesting packets on a Cisco 350?
      I have sniffed one for about three hours and have not found one.
      I will continue to do so and let you all know if I find something.


    • Anonymous

      To my knowledge Cisco has removed all interesting IVs. This is very good for us good guys. Kind of stinks for the bad guys. My words of advice: get smarter and find more holes so we can all learn! If anyone knows what level of code Cisco removed their interesting IVs in, please let me know.
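      The "interesting packets" counted throughout this thread, the sequential IVs the Linksys and Orinoco firmware were observed to generate, and the Cisco firmware that stopped emitting them all hinge on one check. The block below is an added example, not code from the thread or from AirSnort: the classic FMS weak-IV test, a sequential 24-bit IV counter starting at 00:00:00, and the same counter with weak IVs skipped, which is the AP-side mitigation. It assumes the first IV byte on the wire is incremented fastest (real cards differ) and uses only the original FMS class (later AirSnort versions flag additional IV classes).

```python
"""Weak-IV check and sequential-IV simulation for WEP (added example).

Assumptions (not from the thread): the 24-bit IV is a counter that starts at
00:00:00 after a firmware reload and increments its first on-the-wire byte
fastest; "interesting" means the original FMS class (A+3, 0xFF, X) only.
"""
from itertools import islice
from typing import Iterable, Iterator, Tuple

IV = Tuple[int, int, int]   # three IV bytes in on-the-wire order


def is_fms_weak_iv(iv: IV, key_bytes: int) -> bool:
    """True if iv has the FMS weak form (A + 3, 0xFF, X), 0 <= A < key_bytes.

    key_bytes is 5 for a "64-bit" (40-bit secret) key and 13 for "128-bit".
    An AP or client that never sends such IVs gives a capture tool nothing
    to count as an interesting packet.
    """
    b0, b1, _ = iv
    return b1 == 0xFF and 3 <= b0 < 3 + key_bytes


def sequential_ivs(start: int = 0) -> Iterator[IV]:
    """IVs from a 24-bit counter; first byte on the wire is least significant."""
    n = start & 0xFFFFFF
    while True:
        yield (n & 0xFF, (n >> 8) & 0xFF, (n >> 16) & 0xFF)
        n = (n + 1) & 0xFFFFFF


def weak_iv_filtered(key_bytes: int, start: int = 0) -> Iterator[IV]:
    """Same counter, but weak IVs are skipped before use (the mitigation)."""
    for iv in sequential_ivs(start):
        if not is_fms_weak_iv(iv, key_bytes):
            yield iv


def count_weak(ivs: Iterable[IV], packets: int, key_bytes: int) -> int:
    """How many of the first `packets` IVs a capture tool would flag."""
    return sum(is_fms_weak_iv(iv, key_bytes) for iv in islice(ivs, packets))


if __name__ == "__main__":
    # With this byte order, a reset device emits its first weak IVs only after
    # roughly 65,000 frames, and exactly key_bytes of them per 65,536 frames.
    print("40-bit, 65536 frames:", count_weak(sequential_ivs(), 65536, 5))
    print("104-bit, 65536 frames:", count_weak(sequential_ivs(), 65536, 13))
    print("40-bit, filtered:", count_weak(weak_iv_filtered(5), 200000, 5))
```

This is why the thread's captures needed millions of frames for a few thousand interesting ones, and why a device that filters weak IVs yields none no matter how long it is sniffed.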



    • Anonymous

      So how does one crack a WEP using WinXP?

    • Mike

      How long on average did it take to retrieve a key? 2.5 hrs
      How long was the key? 64bit
      What OS did you use? Debian
      What specific hardware/antenna? Orinoco chipset 6.16 firmware.  Compaq WL110
      Any stumbling blocks?  getting all the components working together.

      I constantly pinged the AP and sent a 40 meg file between two computers.  I generated 2.5 million packets and had 3692 interesting IVs

    • koayhc

      Can I say something....If we want to crack or get some WEP keys, we want to do it in 10, 20 or 30 minutes...Who has the fucking time to wait for 40, 50, 60 or 70 hours...Unless I am unemployed....Can't AirSnort do something cracking in 5 or 10 minutes time??????

    • jaymill

      Windows XP
      Linksys wpc11 v4
      flooded network
            -instead of using massive amounts of pings, I did something much easier, I sat there and transferred files between my home PC and my brother's PC and read everything on my laptop.

      This took me about 25 minutes with these stats....

      packets: 811687
      encrypted: 797621
      interesting: 1126
      unique: 787609

      it was a 10-number code (which I think is 128 bit)

      I am pumped because I am going to be able to get my damn schools WEP code and surf from school again. =)

    • Dom

      How long on average did it take to retrieve a key?
      2 hours
      How long was the key? 128bit
      What OS did you use? WIN XP
      What specific hardware/antenna? DLink dwlg650+
      Any stumbling blocks? Getting the correct drivers working for my card.

      I downloaded some files off bit torrent and had 2770 interesting packets