09-23-2005   #1
sorbo
WEP fragmentation attack

It is possible to send arbitrary data [any length and content] on a WEP network after having eavesdropped a single data packet.

http://darkircop.org/frag-0.1.tgz

The idea is:
Sniff first 8 bytes of cipher-text on packet with IV X.
XOR cipher-text with 8 bytes of clear-text:
AA AA 03 00 00 00 08 {00/06} depending if IP/ARP.
Send data in 802.11 fragments of 4 data bytes + 4 CRC32 bytes all encrypted using the PRGA recovered and with IV X.
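
A defender-side check for the traffic pattern the post describes, as an added example that is not part of the original post or of the frag tool: it flags a transmitter that sends several tiny WEP fragments (at most 4 data bytes + 4 ICV bytes) under one IV. It assumes 3-address non-QoS data frames with the FCS already stripped; the function names, the threshold of 3 and the sample frames are constructed for illustration.

```python
import struct
from collections import defaultdict

MORE_FRAG, PROTECTED = 0x04, 0x40  # flag bits in frame-control byte 1
MAX_BODY = 8                       # 4 data bytes + 4 ICV bytes, as in the post

def parse_wep_fragment(frame):
    """Return (transmitter, iv, frag_no, more_frag, body_len) or None."""
    if len(frame) < 24 + 4 + 4:    # MAC header + IV/KeyID + ICV
        return None
    fc0, flags = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2 or not flags & PROTECTED:
        return None                # not an encrypted data frame
    if frame[27] & 0x20:           # ExtIV bit set: TKIP/CCMP, not WEP
        return None
    (seq_ctl,) = struct.unpack_from("<H", frame, 22)
    return (frame[10:16].hex(), frame[24:27].hex(), seq_ctl & 0xF,
            bool(flags & MORE_FRAG), len(frame) - 28)

def find_frag_injection(frames, threshold=3):
    """Map (transmitter, IV) to the count of tiny fragments sharing that IV."""
    hits = defaultdict(int)
    for raw in frames:
        parsed = parse_wep_fragment(raw)
        if parsed is None:
            continue
        tx, iv, frag_no, more, body_len = parsed
        # A fragment has More Fragments set or a non-zero fragment number.
        if (more or frag_no > 0) and body_len <= MAX_BODY:
            hits[(tx, iv)] += 1
    return {key: n for key, n in hits.items() if n >= threshold}

def make_frame(tx, iv, seq, frag, more, body_len):
    """Build a constructed sample frame (not captured traffic)."""
    flags = PROTECTED | 0x01 | (MORE_FRAG if more else 0)  # 0x01 = ToDS
    hdr = bytes([0x08, flags]) + b"\x00\x00" + b"\xaa" * 6 + tx + b"\xbb" * 6
    hdr += struct.pack("<H", (seq << 4) | frag)
    return hdr + iv + b"\x00" + b"\x5a" * body_len

# Constructed capture: five 8-byte fragments under one IV, then five
# unfragmented 60-byte frames that each use a different IV.
SAMPLE = (
    [make_frame(b"\x02" * 6, b"\x01\x02\x03", 7, i, i < 4, 8) for i in range(5)]
    + [make_frame(b"\x04" * 6, bytes([0, 0, i]), i, 0, False, 60) for i in range(5)]
)

if __name__ == "__main__":
    print(find_frag_injection(SAMPLE))
```
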