Luckily, WEP has another vulnerability we can exploit to generate encrypted traffic on the network. A replay attack is when you retransmit an encrypted message in the hope that the destination will accept it. WEP has no check to stop a receiver from decoding and passing on a packet it has already decoded. The retransmitted packet will obviously use the same IV each time, but if a host on the network responds, then its response will use a new IV each time.
To usefully exploit this flaw you need a packet that a host will respond to. Most networks have lots of these; it's part of being an Ethernet network. [[Address Resolution Protocol]] (aka ARP) is used by hosts on an Ethernet network to discover what [[
The KoreK attack combined with the replay vulnerability can crack a 40-bit WEP key in under 30 minutes, and a 104-bit WEP key in under an hour.
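Seen from the monitoring side, the replay behaviour described above leaves a clear trace: the same IV and ciphertext arrive over and over in a short time. The following detector is an added example, not part of the original article; the `(timestamp, iv, ciphertext)` tuple format, the window and the threshold are assumptions, and the capture is constructed.

```python
import hashlib
from collections import defaultdict, deque

WINDOW_SECONDS = 10.0  # assumed sliding window
REPLAY_THRESHOLD = 5   # assumed: identical copies within the window that raise an alert


def find_replayed_frames(frames, window=WINDOW_SECONDS, threshold=REPLAY_THRESHOLD):
    """Return {(iv_hex, body_digest): peak_count} for WEP frame bodies that
    repeat at least `threshold` times within `window` seconds.

    frames: iterable of (timestamp, iv, ciphertext) sorted by timestamp.
    A replayed frame keeps both its IV and its ciphertext, so the pair is the key.
    """
    recent = defaultdict(deque)
    alerts = {}
    for ts, iv, ciphertext in frames:
        key = (iv.hex(), hashlib.sha256(ciphertext).hexdigest()[:16])
        seen = recent[key]
        seen.append(ts)
        # Drop sightings that have fallen out of the sliding window.
        while ts - seen[0] > window:
            seen.popleft()
        if len(seen) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(seen))
    return alerts


def build_sample_capture():
    """Constructed capture: fresh-IV traffic, one link-layer retry, one replayed frame."""
    frames = []
    # Normal traffic: every frame carries a new IV.
    for i in range(20):
        frames.append((i * 0.5, i.to_bytes(3, "big"), bytes([i]) * 40))
    # An ordinary 802.11 retry also repeats IV and ciphertext, but only a couple of times.
    frames.append((1.00, b"\x01\x02\x03", b"\x11" * 40))
    frames.append((1.01, b"\x01\x02\x03", b"\x11" * 40))
    # Replay: the identical encrypted frame retransmitted 8 times in under a second.
    for i in range(8):
        frames.append((3.0 + i * 0.1, b"\xaa\xbb\xcc", b"\x5a" * 40))
    return sorted(frames, key=lambda f: f[0])


if __name__ == "__main__":
    for (iv, digest), count in find_replayed_frames(build_sample_capture()).items():
        print(f"possible replay: IV={iv} body={digest} copies_in_window={count}")
```

The threshold exists because legitimate retries reuse the IV as well; only sustained repetition of one frame body is flagged.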