Picking the Trivial Lock in a Less Trivial Way: Injecting Traffic to Accelerate WEP Cracking
The attacks against WEP we have reviewed so far are purely passive and rely on traffic already being present on the wireless network. But can we generate additional WLAN traffic without even being associated to the network? The answer is yes, and we reviewed tools such as reinj and Wepwedgie in Chapter 5. There are claims that reinj can reliably cut WEP cracking time to less than one hour, and there is no reason not to believe these claims (shouldn't a security professional be paranoid anyway?). Thus, arguments like "this SOHO network generates too little wireless traffic to be a suitable target for WEP cracking" fail; nothing stops the cracker from introducing additional network traffic using the tools we have described. Moreover, attacks on WLANs can include host discovery and even port scanning via wireless traffic injection without knowing the WEP key at all. TCP SYNs can be predictable and thus injected; the same applies to TCP ACKs, TCP RSTs, TCP SYN-ACKs, and ICMP unreachables such as ICMP port unreachable. At the moment, one Linux tool for launching attacks of this class, Wepwedgie, is under active development, and a working beta version should be available as this book hits the shelves—watch out! You don't have to wait until the WEP key is cracked to proceed with further network analysis; use Wepwedgie while cracking the key and save your time.
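From the defender's side, the replay-style injection described above (a captured encrypted frame resent over and over to provoke responses) leaves a simple fingerprint: the same source MAC, IV and frame length recurring far faster than a station cycling fresh IVs would ever produce. The following added example, which is not code from the book or from reinj or Wepwedgie, flags that pattern from frame metadata. The field names, thresholds and the sample capture are constructed for illustration; it does not attempt to detect the keystream-based crafted frames Wepwedgie builds, which carry fresh IVs.

```python
"""Added example (not from the book): flag WEP replay injection from
802.11 data-frame metadata.  Replay tools resend a captured encrypted
frame unchanged, so the same (source MAC, IV, frame length) tuple shows
up far more often, and far faster, than normal traffic would produce."""
from collections import defaultdict, deque

# Thresholds are assumptions for illustration, not values from the book.
MAX_DUPLICATES = 5       # identical frames tolerated inside the window
WINDOW_MS = 2000         # sliding window length in milliseconds


def detect_replay(frames, max_dup=MAX_DUPLICATES, window=WINDOW_MS):
    """frames: iterable of dicts with keys 'ts' (int milliseconds),
    'src' (MAC string), 'iv' (3-byte IV as hex string), 'len' (int).
    Returns a list of (ts, src, iv, count) alerts, one per frame key,
    emitted the first time that key repeats more than max_dup times
    within the window."""
    seen = defaultdict(deque)    # frame key -> timestamps inside window
    alerted = set()
    alerts = []
    for f in sorted(frames, key=lambda x: x["ts"]):
        key = (f["src"].lower(), f["iv"].lower(), f["len"])
        q = seen[key]
        q.append(f["ts"])
        # drop timestamps that have slid out of the window
        while q and f["ts"] - q[0] > window:
            q.popleft()
        if len(q) > max_dup and key not in alerted:
            alerted.add(key)
            alerts.append((f["ts"], key[0], key[1], len(q)))
    return alerts


def make_sample():
    """Constructed capture: 30 legitimate frames with fresh IVs at ten
    frames per second, then one captured frame replayed 20 times in
    half a second (the injection burst a replay tool produces)."""
    frames = []
    station = "00:11:22:33:44:55"
    for i in range(30):
        frames.append({"ts": i * 100, "src": station,
                       "iv": "%06x" % (0x100 + i), "len": 120})
    for i in range(20):
        frames.append({"ts": 1000 + i * 25, "src": station,
                       "iv": "0a1b2c", "len": 98})
    return frames


if __name__ == "__main__":
    for ts, src, iv, count in detect_replay(make_sample()):
        print("t=%dms replay suspected: src=%s iv=%s seen %d times"
              % (ts, src, iv, count))
```

The detector keys on IV rather than on full payload because a WEP replay must keep the IV intact (the keystream is bound to it), so the IV repeating is the invariant; a legitimate station reusing an IV within two seconds would itself be a configuration problem worth a look.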