I recently came across a proof-of-concept tool called aircrack-ptw, developed by a team of cryptographic researchers at the Cryptography and Computer Algebra group of the Technical University of Darmstadt in Germany. It uses a different attack from the one in the standard aircrack-ng tool, which can enable it to recover a 104-bit WEP key from about 40,000 captured packets rather than the 1,000,000+ required by the traditional aircrack implementation. There seems to be a lot of debate on security auditor forums over the effectiveness of aircrack-ptw; some swear by it, whereas others are more sceptical. It does seem to be the case that those who are sceptical haven’t tried it yet!
I decided the only way to find out how effective a tool aircrack-ptw actually is was to try it for myself. Of course, attacking a random access point would be highly illegal, and mine is now running WPA2, so I asked a friend who uses WEP if he could play ‘victim’, to which he agreed. It turned out that his 3Com wireless router/modem is particularly vulnerable to attack; in no time at all I was collecting packets despite having no active clients connected. After collecting about 20,000 packets I started up both aircrack-ptw and aircrack-ng, which would run in the background as more data streamed in. To my astonishment, aircrack-ptw really did work much more effectively than aircrack-ng, producing an exact match of my friend’s key at about 45,000 packets (this took around 5 mins). I left the attack running and waited for aircrack-ng to home in on the same key. Aircrack-ng hit the key after about 25 minutes with just over 300,000 packets collected. This was actually quite fast for aircrack-ng, as it has required much more data in previous tests.
With the amount of time required to break WEP encryption being reduced so drastically, WEP really is an inconvenience rather than a serious challenge to attackers. I’ve noticed that over the past few months many of the access points in my neighbourhood have been moving to WPA/WPA2 encryption (including my own, despite my having to buy new adapters for a few computers), so people are getting the message.
Don’t use WEP!