Registered Member
Join Date: Aug 2005
Posts: 1
Biased statistics

Hi,

I want to report this experiment on cracking a 128b WEP key:

0 - I started with a single packet from a very small collection. The AP indeed really had no traffic.

1 - I decrypted the packet using the 'aireplay -4' attack and made an encrypted ARP request packet from this, providing an associated (faked with aireplay -1) MAC address. But because there was no registered client to respond to this ARP, I simply used a dummy local network address.

2 - I used aireplay -3 (ARP re-injection) with the home-made ARP, and the AP did respond with not less than 7,000,000 encrypted ARPs with different IVs.

3 - I fed these packets (captured with airodump) into aircrack, and I got a key, which turned out to decipher the ARPs correctly. But:

4 - the key is not the AP's correct WEP key. I know that because it does not decipher the original packet and I cannot log in with this key.

Here are my conclusions/questions:

a - It seems obvious that aircrack took a long time and a large amount of packets because the KoreK statistics are heavily biased. Indeed, after decryption, I realised (yes, I know, I could have guessed that) that the ARP packets I captured from the AP were -- after decryption -- strictly identical, only differing by the IV used to encrypt them.

b - So I'm fucked? Maybe not: I've got 7,000,000 packets and for each and every one of them I also have the decrypted counterpart (the key works for them, and now I also could have guessed the content of these packets). So

b.1: is there a tool that can reverse the WEP key from a lot of PRGAs (e.g. pairs of encrypted and decrypted packets for a lot of IVs)?

b.2: otherwise, it seems to me that I can use these PRGAs to generate as many new valid encrypted ARP packets as I want, but with different content. In this case, the statistics would not be biased, and I would obtain something similar to what the aireplay -3 attack normally produces.

What do you think?

Greetings,
Cyril
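The cryptographic point behind Cyril's observation in (a) and (b) is that WEP seeds RC4 with the 24-bit IV prepended to the shared key, so one known plaintext under a given IV hands you the whole keystream ("PRGA") for that IV, without the key. The toy below is an added illustration, not code from the post or from the aircrack-ng project: it implements RC4 and the WEP-style `IV || key` seeding from the standard, uses a constructed key, IV and payload, and shows that a keystream recovered from one known packet decrypts any other packet sent under the same IV. That is exactly why modern Wi-Fi (WPA2/WPA3) derives a fresh per-packet keying from a large nonce space and adds a real integrity check; this example is for understanding the weakness, not for use against a network.

```python
# Added example (not from the forum post): why a known plaintext under a WEP IV
# yields that IV's entire RC4 keystream. All keys, IVs and payloads below are
# constructed values for the demo; no real traffic or real key is involved.


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (textbook KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: RC4 seeded with the 3-byte IV prepended to the key.

    The real frame also carries a CRC-32 ICV inside the encrypted part; it is
    omitted here because it does not change the keystream-recovery argument.
    """
    assert len(iv) == 3, "WEP IVs are 24 bits"
    keystream = rc4(iv + key, len(plaintext))
    return xor_bytes(plaintext, keystream)


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Known plaintext XOR ciphertext gives the keystream for that IV (no key needed)."""
    return xor_bytes(ciphertext, known_plaintext)


def keystream_reuse_demo() -> dict:
    """Show that one known packet per IV exposes every other packet under that IV."""
    key = bytes.fromhex("0102030405")            # constructed 40-bit WEP key
    iv = bytes.fromhex("0a0b0c")                 # constructed IV
    known_arp = b"CONSTRUCTED-ARP-REQUEST-BYTES"   # plaintext the observer already knows
    other_frame = b"CONSTRUCTED-OTHER-FRAME-BYTES"  # a different packet, same IV
    assert len(known_arp) == len(other_frame)

    ct_known = wep_encrypt(key, iv, known_arp)
    ct_other = wep_encrypt(key, iv, other_frame)

    # Step 1: the observer derives the keystream from the packet whose content is known.
    ks = recover_keystream(ct_known, known_arp)
    # Step 2: that keystream strips the confidentiality of any other frame under the same IV.
    decrypted_other = xor_bytes(ct_other, ks)

    return {
        "keystream_matches_real": ks == rc4(iv + key, len(known_arp)),
        "other_frame_recovered": decrypted_other == other_frame,
        "iv_space": 2 ** 24,                    # why IVs repeat quickly on a busy AP
    }


if __name__ == "__main__":
    print(keystream_reuse_demo())
```

The per-IV keystreams Cyril holds are exactly what `recover_keystream` produces; having them does not by itself reveal the key, which is why key recovery still goes through the statistical attacks on the RC4 key schedule rather than through the keystream. Defensively, the fix was never a better RC4 key length but replacing the scheme: WPA2's CCMP and WPA3 never expose a reusable per-packet keystream to a known-plaintext observer.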