Quote:
Originally Posted by cybergibbons
So are these APs playing about with stuff they wouldn't? If so, and I think it is, is this not a serious vulnerability, as any replay will cause IV generation?
It's a very serious vulnerability; with any AP that does re-encrypt the packet, you can generate IVs with just any WEP data packet by setting the 'ToDS' flag, the source MAC to the fake client and the destination MAC to the broadcast address. That's why attack 3 sometimes goes up to 1024 ARPs very quickly, because the AP actually re-encrypts the ARP request we're sending. This would be called the "any data re-broadcast attack"; please see http://www.cr0.net:8040/code/network/aircrack/#q193 for more details and usage instructions for attack 2.
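From the monitoring side, the behaviour described in the reply has a simple signature: one station pushes a burst of WEP-protected, ToDS data frames addressed to the broadcast MAC, and the AP answers each with a FromDS copy carrying a fresh IV. The following is an added example (not code from the thread or from aircrack) of a wireless-IDS heuristic that parses the 802.11 MAC header of captured frames and flags a station whose broadcast-destined ToDS rate exceeds a threshold within a sliding window. All MAC addresses, IVs and timestamps below are constructed sample input; the threshold and window are assumptions to tune per network.

```python
"""
Added example: detect a station driving the AP's re-broadcast behaviour.
Input frames are raw 802.11 MAC headers (no FCS); only the header is parsed,
the encrypted body is never touched.
"""
from collections import defaultdict

BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac(b):
    """Format six raw bytes as a colon-separated MAC string."""
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw):
    """Parse an 802.11 header; returns a dict or None if too short."""
    if len(raw) < 28:
        return None
    fc0, fc1 = raw[0], raw[1]
    return {
        "type": (fc0 >> 2) & 0x3,          # 2 == data frame
        "to_ds": bool(fc1 & 0x01),
        "from_ds": bool(fc1 & 0x02),
        "protected": bool(fc1 & 0x40),      # WEP/"Protected Frame" bit
        "addr1": mac(raw[4:10]),
        "addr2": mac(raw[10:16]),
        "addr3": mac(raw[16:22]),
        # With the Protected bit set, the 3-byte WEP IV follows the 24-byte header
        "iv": bytes(raw[24:27]) if fc1 & 0x40 else None,
    }


def detect_rebroadcast_abuse(frames, window=1.0, threshold=20):
    """frames: iterable of (timestamp_seconds, raw_header).

    Returns (alerts, ap_iv_counts): alerts lists stations whose peak count of
    ToDS broadcast WEP frames inside `window` reached `threshold`; ap_iv_counts
    maps each BSSID to the number of distinct IVs seen on its FromDS frames.
    """
    by_station = defaultdict(list)
    ap_ivs = defaultdict(set)
    for ts, raw in frames:
        f = parse_frame(raw)
        if f is None or f["type"] != 2 or not f["protected"]:
            continue
        # ToDS: addr1=BSSID, addr2=SA, addr3=DA. Broadcast DA is the tell.
        if f["to_ds"] and not f["from_ds"] and f["addr3"] == BROADCAST:
            by_station[f["addr2"]].append(ts)
        # FromDS: addr1=DA, addr2=BSSID, addr3=SA. Each copy carries a new IV.
        elif f["from_ds"] and not f["to_ds"]:
            ap_ivs[f["addr2"]].add(f["iv"])
    alerts = []
    for sa, times in by_station.items():
        times.sort()
        lo, peak = 0, 0
        for hi in range(len(times)):          # sliding-window peak rate
            while times[hi] - times[lo] > window:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= threshold:
            alerts.append({"station": sa, "peak_per_window": peak})
    return alerts, {bssid: len(ivs) for bssid, ivs in ap_ivs.items()}


def build_frame(to_ds, from_ds, addr1, addr2, addr3, iv):
    """Constructed WEP data-frame header used only to make sample input."""
    fc1 = (0x01 if to_ds else 0) | (0x02 if from_ds else 0) | 0x40
    hdr = bytes([0x08, fc1, 0x00, 0x00])      # data frame, subtype 0, duration 0
    for a in (addr1, addr2, addr3):
        hdr += bytes.fromhex(a.replace(":", ""))
    hdr += b"\x00\x00"                        # sequence control
    return hdr + iv + b"\x00"                 # IV + key index byte


def sample_capture():
    """Constructed capture: a quiet client and a station hammering broadcasts."""
    bssid, quiet, noisy = "02:00:00:00:aa:01", "02:00:00:00:bb:02", "02:00:00:00:cc:03"
    frames, iv = [], 0
    for i in range(3):                        # 3 ARPs, 5 s apart: normal
        frames.append((i * 5.0, build_frame(True, False, bssid, quiet, BROADCAST, iv.to_bytes(3, "big"))))
        iv += 1
        frames.append((i * 5.0 + 0.001, build_frame(False, True, BROADCAST, bssid, quiet, iv.to_bytes(3, "big"))))
        iv += 1
    for i in range(60):                       # 60 ToDS broadcasts in 0.6 s, each re-broadcast by the AP
        frames.append((20.0 + i * 0.01, build_frame(True, False, bssid, noisy, BROADCAST, iv.to_bytes(3, "big"))))
        iv += 1
        frames.append((20.0 + i * 0.01 + 0.001, build_frame(False, True, BROADCAST, bssid, noisy, iv.to_bytes(3, "big"))))
        iv += 1
    return frames


def run_example():
    return detect_rebroadcast_abuse(sample_capture())


if __name__ == "__main__":
    alerts, iv_counts = run_example()
    print("alerts:", alerts)
    print("distinct AP IVs:", iv_counts)
```

The distinct-IV count per BSSID is the corroborating signal: a burst of broadcast ToDS frames that is matched by an equal number of fresh AP-side IVs means the AP is re-encrypting whatever it is handed, which is exactly the condition the reply calls out.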