How WEP Cracking Works
First, I am not an expert so do not take this as law. This is just my recollection of how WEP is broken after several hours of searching online and trawlling white papers and other docs. Please correct me if I am wrong on a point.
First, it is merely the protocol for number generation and the encryption algorithm they used. Had they chosen a different alg, it has the potential to have been much better. The most simple WEP cracks exploit the underlying stream cipher called RC4. RC4 is very secure at a glance, however if the same key is used more than once, it is almost useless (remember this for later). The explanation for this is outside the scope of this though, however wikipedia has a brilliant page on this should you be curious.
In order to get how this works, you need a brief understanding of WEP key usage. When a packet is sent over a WEP protected network, the packet is encrypted by the RC4. The important part is the key used. The key used to encrypt each packet is a concantation of the WEP key (aka the password you enter to join it) and a random number called an Initialization Vector (aka IV) randomly generated by the system. The IV is generated, then the WEP key is attached to the end of the IV. This ensures that the key sent to the RC4 algorithm is different each (well, almost each) time. Then, after the key is created, the computer sends the packet to RC4 to encrypt it with the key, then sends it to the router, where it is decrypted and then sent to wherever its little heart desires.
The idea here is to exploit the RC4's weakness when it encrypts a message with the same key. The key to doing this are the IVs. If the same one is used before the key changes (and who changes their key *that* often?) then the key sent to RC4 is the same as before. The IV is 3 bytes long, so there are 2^24 possible combos, or 16,777,216 possible keys. Yikes. However, thanks to the birthday paradox, we only have around 5,000 give or take our particular luck on that day (again, the explanation for this is outside of scope. Wikipedia also has a nice page on this to interested parties).
So now we need to somehow get a ton of traffic on the network. What we can do is called ARP replay. ARP packets have the same size nomatter what, so if we see a packet of that size we can copy it and resend it and the roter will be nice enough to generate a new IV for the packet to be sent. Now all that has to be done is waiting for two keys to match and then begin cracking it.
And then boom! Its only a matter of time before the key is yours!
Of course this is only a brief overview so you can get a basic understanding of WEP cracking, and this covers an outdated technique, seeing as the PTW method is most popular now, but you at least get a glance into the guts. I hope you enjoyed!
