WEP Keys, interesting find!

[imported_relik]

So I broke this wireless network that was using 128 bit 802.11b encryption, yay.

Interesting part was I could see traffic that was being assigned DHCP and I was not receiving an address. After numerous hours spent, I finally figured out the root cause.

If WEP keys are entered in a different key such as key 1 key 2 key 3 key 4 and lets say the AP has his key in the key 2 slot, it will not work in the key 1 slot. Does anyone know why this is? I found it by sheer luck, and DHCP!

Anyone got any ideas why this is? I figured the keys were just different slots to keep multiple keys.

And FYI, if you need to switch between different keys in backtrack, use:

iwconfig ath0 mode managed key [3] key [3] WEPKEY

Keep the brackets in there, and yes you have to type [3] key [3] twice.

Happy sniffing!

ReL

[hobbes]

Good work, sounds like you did a lot of thinking figuring this out. In regards to your question, key indexing is used to mark the location of the stored key. Most access points have room for four keys which can be edited from the web interface.

This is from the Intel security guide:

Under 802.11, a wireless station can be configured with up to four keys (the key index values are 1, 2, 3, and 4). When an access point or a wireless station transmits an encrypted message using a key that is stored in a specific key index, the transmitted message indicates the key index that was used to encrypt the message body. The receiving access point or wireless station can then retrieve the key that is stored at the key index and use it to decode the encrypted message body.

Key indexes can also be selected using the -i option in aircrack (cuts the cracking time by three quarters, if you get it right.) Otherwise aircrack will churn through all four indexes before finding the right key (if you are unlucky).

Thanks for the iwconfig option tip, btw, very helpful.