encryption cryptography wifi wep aircrack-ng

PTW and Klein WEP crack algorithm


I am trying to understand the PTW and Klein algorithms for WEP cracking and got stuck. I am using this as reference: http://www.item.ntnu.no/_media/people/personalpages/phd/anton/kleins_and_ptw_attacks_on_wep.pdf and got stuck on page 7: Klein's Attack on WEP

According to this I should assume that I know the first 15 bytes of the data field. By using these 15 bytes I am able to calculate all needed variables for the key. The 15 bytes help me calculate X[i], but I only have the first 3 bytes (which are the IVs), so how do I calculate X if I don't know all of the first 15 bytes of the data field?

Maybe I will ask a little bit differently:

According to what I can find on Google, the first 15 bytes are pretty predictable because I know that the packets I have are ARP responses. The problem is that I don't understand what is so predictable about them?

Edit:

I think I got the answer. It appears that the first 16 bytes of an ARP response are always the same:

\xAA \xAA \x03 \x00 \x00 \x00 \x08 \x06 \x00 \x01 \x08 \x00 \x06 \x04 \x00 \x02

These are my missing 16 bytes of clear text.


Solution

  • I think I got the answer. It appears that the first 16 bytes of an ARP response are always the same:

    \xAA \xAA \x03 \x00 \x00 \x00 \x08 \x06 \x00 \x01 \x08 \x00 \x06 \x04 \x00 \x02

    These are my missing 16 bytes of clear text.
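The following Python example is added here to illustrate the point of the question and the answer; it is not code from the question, the answer, or the linked paper. It builds a WEP-style frame (RC4 keyed with IV || root key, IV sent in the clear; the CRC-32 ICV is left out) around a constructed ARP reply, and then shows that XORing the ciphertext with the fixed 16-byte LLC/SNAP + ARP header recovers the first 16 keystream bytes without knowing the key. Those keystream bytes, paired with the IV in front of them, are the per-frame X[i] values that the Klein and PTW analyses consume; the key-recovery statistics themselves are not implemented. The 40-bit key, IV, MAC and IP addresses are all constructed for the demo.

```python
# Added example (not from the question or the linked paper): how a predictable
# ARP header inside a WEP frame leaks the first bytes of the RC4 keystream.

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Textbook RC4 (KSA + PRGA); returns the first n keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    while len(out) < n:                       # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# The 16 bytes every ARP reply starts with inside an 802.11 data frame:
# LLC/SNAP header (AA AA 03 00 00 00 08 06) followed by the ARP header
# fields hardware type 1, protocol 0x0800, hlen 6, plen 4, opcode 2 (reply).
ARP_REPLY_PREFIX = bytes.fromhex("aaaa0300000008060001080006040002")


def wep_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption of one frame body: RC4 keyed with IV || root key.
    The 3-byte IV is transmitted in the clear in front of the ciphertext."""
    ks = rc4_keystream(iv + root_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, ks))


def recover_keystream_prefix(frame: bytes, known_plaintext: bytes = ARP_REPLY_PREFIX):
    """Return (iv, keystream_prefix) for a captured frame, using only
    ciphertext XOR known plaintext. No key material is needed."""
    iv, body = frame[:3], frame[3:]
    ks = bytes(c ^ p for c, p in zip(body[: len(known_plaintext)], known_plaintext))
    return iv, ks


def decrypt_prefix(frame: bytes, keystream: bytes) -> bytes:
    """Strip the IV and undo RC4 on as many bytes as keystream covers.
    Shows why reusing an IV under the same key is fatal for WEP."""
    body = frame[3:]
    return bytes(c ^ k for c, k in zip(body[: len(keystream)], keystream))


def demo():
    """Run the whole flow on constructed data and return what was recovered."""
    root_key = bytes.fromhex("0102030405")     # constructed 40-bit WEP key
    iv = b"\x0a\x0b\x0c"                        # constructed IV
    # Constructed ARP reply: fixed prefix, then sender MAC/IP, target MAC/IP.
    arp_reply = ARP_REPLY_PREFIX + bytes.fromhex(
        "001122334455" "c0a80101" "66778899aabb" "c0a80102"
    )
    frame = wep_encrypt(root_key, iv, arp_reply)
    iv_seen, ks = recover_keystream_prefix(frame)
    true_ks = rc4_keystream(iv + root_key, len(ks))   # what the AP actually used
    # A second frame sent under the same IV is readable for those 16 bytes,
    # even though its payload differs (here: an ARP request, opcode 1).
    other = wep_encrypt(root_key, iv, ARP_REPLY_PREFIX[:-1] + b"\x01")
    return iv_seen, ks, true_ks, decrypt_prefix(other, ks)


if __name__ == "__main__":
    iv_seen, ks, true_ks, other_plain = demo()
    print("IV:", iv_seen.hex())
    print("keystream recovered:", ks.hex())
    print("matches RC4(IV||key):", ks == true_ks)
    print("second frame prefix:", other_plain.hex())
```

The recovered keystream is correct for every frame regardless of its payload, because WEP keys RC4 with the public IV prepended to a fixed root key and the first 16 plaintext bytes never change. That is the whole input the Klein and PTW statistics need: one (IV, keystream prefix) pair per captured frame. It is also why WEP cannot be patched by choosing a longer key; the fix is to stop using WEP in favour of WPA2/WPA3.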