September 18, 2007

Old WEP VS new PTW

We all know that WEP died long ago, but we all see that it's still widely used. Maybe that's because some administrators can't imagine the risk of running it on their network. Since 2001 we've seen different implementations of attacks on WEP, each one improving on the previous method, and there are still ways to improve: not all known academic attacks against WEP have been implemented. The most recent attack was released in April 2007 as an academic research paper. Later the original researchers implemented it and released their proof of concept as a tool named Aircrack-PTW, based on the famous Aircrack suite (the Aircrack project was discontinued and the developer moved to Aircrack-NG, a complete rewrite of the previous project).
Depending on the old attack method used, the attacker had to capture between 500,000 and 6,000,000 IVs, depending on the key length and whether older or newer techniques were used. Simply listening for IVs to arrive could take days of non-stop sniffing and over 1 GB of captured packets. Using techniques like ARP-request replay injection and other replay attacks in tools like Aireplay, it's now possible to force the target network (its associated clients) to generate the required number of weak IVs in a few minutes. Although the documented IV generation rates are very high, in a real-world scenario with inactive clients it may take more than 30 minutes to gather enough packets. There are many factors affecting the speed and efficiency of the attack, which are beyond the scope of this post.
The new PTW attack, however, made this old WEP game even more fun. I remember my old tries on WEP in pen-tests, always having trouble getting enough IVs fast enough. Since the release of the latest attack I hadn't had a chance to test it in a real-world scenario, as things in the lab don't make me really happy.
So I finally had a target running multiple access points, one of them still using the old WEP configuration. A quick try captured about 50,000 IVs and it was time to give PTW a try. This attack technique has been merged into Aircrack-ng in recent versions, so there's no need to use the PoC code. Compared to the old attacks, the new one extracted the 128-bit key almost instantly! Great :)

As you see, only ~177 MB of packets were captured, which is about 1/10 of the size of the captures required to extract the key with the old attacks. The only note on using the new PTW attack is that you must use ARP replay injection plus full-header packet capture to make clients generate IVs. The PTW attack won't succeed if you use IV generation techniques other than ARP replay. Sorry, I'm not going to rewrite the aircrack-ng and kismet documents on how to play with them!
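As an added example (not from the original post, nor from the aircrack-ng or kismet projects), here is a small Python parser for WEP-protected 802.11 data frames that an administrator can run over a raw capture to see the IV-generation behaviour described above from the other side: it counts IVs per BSSID, notes IV reuse (keystream reuse, the root of every WEP attack), and flags a transmitter that pushes dozens of identical-size frames per second, which is what ARP-replay injection traffic looks like on the air and is a simple thing for a wireless IDS to alert on. The addresses, frame sizes and timestamps are constructed sample data; the frame layout follows the standard 802.11 data-frame header with the 4-byte IV/key-id field that WEP inserts after it.

```python
"""Added example: count WEP IVs per BSSID and flag replay-injection-like bursts
in raw 802.11 data frames. All sample frames below are constructed inline."""
import struct
from collections import defaultdict

# Constructed sample addresses (not taken from any real capture).
BSSID = bytes.fromhex("001122334455")
STATION_A = bytes.fromhex("aabbccddee01")
STATION_B = bytes.fromhex("aabbccddee02")


def parse_wep_frame(frame):
    """Return a dict for a WEP-protected 802.11 data frame, or None otherwise.

    Layout: frame control (2) | duration (2) | addr1 (6) | addr2 (6) | addr3 (6)
    | sequence control (2) | IV (3) | key id (1) | ciphertext | ICV (4).
    WDS frames (ToDS and FromDS both set) are not handled here.
    """
    if len(frame) < 28:
        return None
    fc = struct.unpack_from("<H", frame, 0)[0]
    if (fc >> 2) & 0x3 != 2:          # type 2 = data frame
        return None
    if not fc & 0x4000:               # Protected Frame bit clear: no IV present
        return None
    to_ds, from_ds = bool(fc & 0x0100), bool(fc & 0x0200)
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds and not from_ds:
        bssid = addr1
    elif from_ds and not to_ds:
        bssid = addr2
    elif not to_ds and not from_ds:
        bssid = addr3
    else:
        return None
    return {
        "bssid": bssid,
        "transmitter": addr2,         # addr2 is always the transmitting address
        "iv": frame[24:27],
        "key_id": frame[27] >> 6,
        "body_len": len(frame) - 28,
    }


def summarize(capture, window_ms=1000, burst_threshold=50):
    """capture: iterable of (timestamp_ms, frame_bytes).

    Returns unique IV counts and IV reuse per BSSID, plus an alert for any
    transmitter that sent `burst_threshold` or more same-length frames inside
    one `window_ms` window: the on-air signature of replayed traffic.
    """
    seen_ivs = defaultdict(set)
    iv_reuse = defaultdict(int)
    per_tx = defaultdict(list)
    for ts, frame in capture:
        p = parse_wep_frame(frame)
        if p is None:
            continue
        if p["iv"] in seen_ivs[p["bssid"]]:
            iv_reuse[p["bssid"]] += 1
        seen_ivs[p["bssid"]].add(p["iv"])
        per_tx[(p["bssid"], p["transmitter"])].append((ts, p["body_len"]))

    alerts = []
    for (bssid, tx), events in per_tx.items():
        events.sort()
        peak = 0
        for i, (t0, length) in enumerate(events):
            n = sum(1 for t, l in events[i:] if t - t0 <= window_ms and l == length)
            peak = max(peak, n)
        if peak >= burst_threshold:
            alerts.append((bssid, tx, peak))
    return {
        "unique_ivs": {b: len(s) for b, s in seen_ivs.items()},
        "iv_reuse": dict(iv_reuse),
        "alerts": alerts,
    }


def build_wep_frame(station, iv, data_len, to_ds=True):
    """Build a synthetic station->AP (or AP->station) WEP data frame, zero-filled."""
    fc = 0x0008 | 0x4000 | (0x0100 if to_ds else 0x0200)
    if to_ds:
        addrs = BSSID + station + BSSID      # addr1=BSSID, addr2=SA, addr3=DA
    else:
        addrs = station + BSSID + BSSID      # addr1=DA, addr2=BSSID, addr3=SA
    header = struct.pack("<HH", fc, 0) + addrs + struct.pack("<H", 0)
    return header + iv.to_bytes(3, "big") + b"\x00" + bytes(data_len) + bytes(4)


def build_sample_capture():
    """Constructed capture: station A chats normally, station B looks replayed."""
    cap = []
    # Station A: ten frames over ten seconds, assorted sizes, then one IV reuse.
    for i in range(10):
        cap.append((i * 1000, build_wep_frame(STATION_A, iv=i, data_len=100 + 7 * i)))
    cap.append((9500, build_wep_frame(STATION_A, iv=3, data_len=60)))
    # Station B: 200 identical-size frames in two seconds, fresh IV every time.
    for i in range(200):
        cap.append((20000 + i * 10, build_wep_frame(STATION_B, iv=1000 + i, data_len=36)))
    # Noise the parser must ignore: a beacon (management) and an unprotected data frame.
    beacon = struct.pack("<HH", 0x0080, 0) + BSSID * 3 + struct.pack("<H", 0) + bytes(32)
    open_data = struct.pack("<HH", 0x0108, 0) + BSSID + STATION_A + BSSID + struct.pack("<H", 0) + bytes(40)
    cap += [(500, beacon), (600, open_data)]
    return cap


def run_demo():
    return summarize(build_sample_capture())


if __name__ == "__main__":
    s = run_demo()
    print("unique IVs per BSSID:", {b.hex(): n for b, n in s["unique_ivs"].items()})
    print("IV reuse per BSSID:", {b.hex(): n for b, n in s["iv_reuse"].items()})
    for bssid, tx, peak in s["alerts"]:
        print(f"ALERT {tx.hex()} -> {bssid.hex()}: {peak} same-size frames within one second")
```

Run as-is for the constructed sample; to use it on your own network, feed `summarize()` the raw 802.11 frames and timestamps from a monitor-mode capture (radiotap headers stripped). Station A's traffic never trips the burst check, while station B's stream of same-size frames does, and the reused IV from station A shows up in the reuse counter: on a WEP network that counter should stay at zero until the 24-bit IV space wraps, so a non-zero value is worth a look regardless of any attack.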
By the way, CAIN on Windows also supports the ARP-replay attack technique, but who's crazy enough to pay ~$300 for an AirPcap-TX while it's possible to make everything work fine on Linux for $0? Are you?

And good news for fans of Kismet: expect a brand new release in a few days. Although there won't be much in it for you if you're an SVN guy like me. The last Kismet-2007-01-R1b release had some serious bugs which are fixed now. If you follow SVN and missed the kismet tree in the last few days, there was a mysterious bug in kismet_server making X crash! Thanks to dragorn (the guy behind kismet) this one is fixed too in the latest SVN tree.


  1. Generally it takes significantly less than 50,000 packets to crack WEP using PTW. I find the average is about 15 to 20 thousand... Though this article was written in 2007, so maybe the PTW technique has been improved.