Initialization Vector (IV) and Insecure Wireless Protocol
WEP Attacks
WEP is susceptible to so many attacks that it is considered obsolete. WEP keys come in two sizes: 5-byte (40-bit) and 13-byte (104-bit). WEP uses a 24-bit IV, which is prepended to the PSK (Pre-Shared Key). IVs are sent in plaintext.
One of the main problems with how WEP works is that it always prepends the IV to the secret key to form the RC4 key for each packet, and then includes that IV in the packet. This means an attacker always has access to the first three bytes of the RC4 key. To recover the PSK, the attacker just needs to collect enough in-transit data. This can be accelerated by injecting ARP packets, because ARP packets have a predictable length, meaning the needed data can be gathered much faster.
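The per-packet key construction described above, modeled in Python as an added example (not code from the original page). The PSK, IVs and payloads are constructed sample values and the frame layout is simplified; it shows that the cleartext IV forms the first three bytes of the RC4 key, that a repeated IV repeats the keystream, and how quickly a 24-bit IV space repeats if IVs are chosen at random.

```python
import math
import zlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR the data with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def wep_encrypt(iv: bytes, psk: bytes, payload: bytes) -> bytes:
    """Simplified WEP body: cleartext IV, key-ID byte, RC4(payload + CRC-32)."""
    if len(iv) != 3 or len(psk) not in (5, 13):
        raise ValueError("WEP uses a 3-byte IV and a 5- or 13-byte key")
    icv = zlib.crc32(payload).to_bytes(4, "little")
    return iv + b"\x00" + rc4(iv + psk, payload + icv)  # RC4 key = IV || PSK

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def iv_reuse_leak(frame_a: bytes, frame_b: bytes):
    """Same IV means same keystream: ciphertext XOR equals plaintext XOR."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return xor(frame_a[4:], frame_b[4:])

def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday approximation: chance that some IV repeats, assuming random IVs."""
    return 1 - math.exp(-frames * (frames - 1) / (2 * 2 ** iv_bits))

# Constructed sample values, not taken from any real network.
PSK = b"\x01\x02\x03\x04\x05"
P1, P2 = b"constructed payload one", b"constructed payload two"
F1 = wep_encrypt(b"\xaa\xbb\xcc", PSK, P1)
F2 = wep_encrypt(b"\xaa\xbb\xcc", PSK, P2)   # IV reused
F3 = wep_encrypt(b"\xaa\xbb\xcd", PSK, P2)   # fresh IV

if __name__ == "__main__":
    print("IV visible on the wire:", F1[:3].hex())
    print("P(IV repeat) after 5000 frames:", round(iv_collision_probability(5000), 3))
```

This is why the protocols that replaced WEP stopped building the per-packet key by simple concatenation with a short, cleartext IV.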
WPA Attacks
WPA and WPA2 are not vulnerable to IV attacks like WEP, but it is possible to capture the 4-way handshake between client and AP and subsequently brute force the WPA PSK. An example of how this is done:
Attacker uses airmon-ng to start wireless interface in monitor mode.
Attacker uses airodump-ng to capture all traffic on the target network.
Attacker uses aireplay-ng to perform a deauthentication attack against the wireless network.
Attacker uses aircrack-ng to crack WPA PSK using a word list.
Tool cracks the PSK after some time.
KRACK Attacks
KRACK (Key Reinstallation Attack) can be exploited depending on specific device configuration. Successful exploitation can allow attackers to reinstate previously used encryption/integrity keys. An attacker can then capture, forge, or replay previously seen traffic by manipulating transmissions of handshake messages.
WPA3 Attacks
For info on WPA3 attack techniques see here or here.
WPS (Wi-Fi Protected Setup) PIN Attacks
WPS is implemented to allow users to generate a WPA PSK with little interaction with a wireless device. Most implementations of WPS do not have any brute-force protections so you can attempt millions of PINs in a row. A tool called Reaver can make WPS attacks simple and easy to execute.