What is WepLab?
What is WEP?
As Wikipedia says, WEP, Wired Equivalent Privacy, is part of the IEEE 802.11
standard (ratified in September 1999), and is a scheme used to secure wireless networks
(WiFi). Because a wireless network broadcasts messages using radio, it is particularly
susceptible to eavesdropping; WEP was designed to provide comparable confidentiality
to a traditional wired network, hence the name. However, several serious weaknesses
were identified by cryptographers, and WEP was superseded by Wi-Fi Protected Access
(WPA) in 2003, and then by the full IEEE 802.11i standard (also known as WPA2) in
2004. Despite these inherent weaknesses, WEP still provides a bare minimum of security
that can deter casual snooping.
WEP supports several key lengths, from 64 bits to 256 bits (typically 64, 128 and 256
bits). Note that the advertised length counts the 24-bit IV that is sent in the clear with
every frame: a "64-bit" key has 40 secret bits and a "128-bit" key has 104.
What is WepLab?
WepLab is a tool designed to teach how WEP works, what vulnerabilities it has, and how
they can be used in practice to break a WEP-protected wireless network.
WepLab is therefore less a WEP key cracker than a WEP security analyzer designed from
an educational point of view. The author has tried to keep the source code as clear as
possible, avoiding optimizations that would obfuscate it.
What does WepLab do?
WepLab tries to break the WEP key using several known attacks.
Bruteforce: trying every possible key. It is also possible to restrict the keyspace to a
small, customizable subset such as [Link]... if you are looking, for example, for a plain
ASCII key.
Dictionary: using a dictionary of words or passphrases and trying each one as the key,
either directly or after the MD5 passphrase-to-key transformation. WepLab relies on John
the Ripper to generate the candidates, so you can take full advantage of all its options.
Statistical attacks: using the FMS attack without restricting it to the classic A+3,FF,x IV
form (as most WEP crackers do): every IV is examined in depth to see whether it is weak,
and both the first and the second keystream byte are attacked. The latest versions of
WepLab include KoreK's attacks, which make FMS obsolete: with them it is possible to
crack a 64-bit key from about 100,000 packets and a 128-bit key from about 300,000
packets. Forget everything about "interesting" or weak packets; KoreK's attacks change
everything (they do not need the classic weak IVs, so filtering those out in firmware does
not help). And, as far as I know, there is no patched firmware yet!
Documentation
How to install WepLab
Installing and compiling WepLab on GNU/Linux, *BSD or Mac OS X is very easy.
Installation steps:
1. Download WepLab from the Download section.
2. Uncompress the tarball: tar xzf [Link]
3. Create the Makefile: ./configure
WepLab's main dependency is the libpcap development files. Most GNU/Linux and *BSD
distributions provide a standard package for them; on Debian GNU/Linux, for instance:
apt-get install libpcap-dev
4. Compile: make
5. Install: make install
How to use WepLab
WepLab is a command-line tool (there is a beta wxWidgets-based front-end here).
The WepLab tool has several modes of use:
Capture 802.11 traffic: weplab -c
It is very important to put a wireless interface in monitor mode on the same channel
as the WEP-enabled wireless network. Example:
weplab -i wlan0 -c [Link]
Analyze a captured 802.11 traffic file: weplab -a [Link]
Crack a captured 802.11 traffic file with a brute-force attack: weplab -b
[Link]
Crack a captured 802.11 traffic file with a dictionary attack: cat dictionary |
weplab -y [Link]
It is very useful to combine this kind of attack with John the Ripper's ability to
generate varied candidate passwords, for example: john -i -stdout |
weplab -y [Link]
Crack a captured 802.11 traffic file with a statistical attack (FMS, KoreK attacks):
weplab -r [Link]
These modes can be modified with many optional parameters:
--debug <debuglevel>: prints debug information.
-v, --verbose: increased verbosity.
-k, --key {64|128}: specifies a 64-bit (default) or 128-bit key.
-i, --interface <interface>: use this interface for capturing packets with --capture.
-m, --multiprocess <number>: run this number of processes. Number must
be between 1 and 64. Default is 1.
--caplen <length>: maximum length of captured packets with --capture
(default 80).
--fcs: assume all captured frames have the FCS field.
--keyid <id>: only analyze WEP packets with this key id. Only for 64-bit keys
(default 0).
--prismheader: assume all captured frames have the Prism header.
--allow_dups: do not filter out packets with duplicated IVs.
--perc <number>: minimum percentage of success required when using FMS
cracking.
--stability: selects the level of stability. Another way to specify which attacks,
depending on their stability level, will be launched.
--debugkey <key>: gives the real WEP key to weplab in order to gather information
about a crack. The key must be in the form [Link]... and may be
incomplete.
--attacks <number1,number2,...>: selects which attacks will
be used in heuristic mode.
--bssid <MAC>: only processes packets that belong to the specified BSSID.
-h, --help: displays help and exits.
-V, --version: outputs version information and exits.
Examples
pcap files are available for download so you can try these attacks on your system:
Bruteforce attacks
1. weplab -b [Link]
2. weplab -b [Link]
Dictionary attacks
1. cat /usr/share/dict/spanish | weplab -y [Link]
2. cat /usr/share/dict/spanish | tr aeiou | weplab -y [Link]
3. john -i -stdout | weplab -y [Link]
Heuristic attacks
1. weplab -r [Link]
2. weplab -r [Link]
3. weplab -r [Link]
4. weplab -r [Link] -k 128
FAQ
There are many frequently asked questions, but most of them are answered in other
sections of this site. For those that are not, we have opened this section:
For what platforms and operating systems is WepLab available?
WepLab works under any flavor of Linux on i386 and PPC, Mac OS X and Windows
NT/2000/XP.