These key pairs were graciously provided by Eric Betts. They do not conform to my existing WEP key calculator.

Maybe Verizon wised up and made them random? The previous correlation was dead obvious, but this one I can’t see.

Of course, I am only a wannabe cryptologist

The act of cracking encryption is not illegal just like picking a lock is not illegal. It is the unauthorized access of that network which is illegal, just like breaking and entering is illegal.

So. To sum it up, there are two types of encryption. There is the weak kind (wep) and the strong kind (wpa). WEP can be broken in about 5-10 minutes. WPA can be broken in about 24 hours (as long as their password is in your password try-out list).

The actual process or hacking into a network like this requires a suite of tools called the aircrack-ng suite. You can read their tutorials and such, and I highly recommend you do if you want to get into this sort of thing. It’s a lot of FUN! Be prepared to learn linux while you are at it….

But, once you understand what you are doing, you will appreciate the tool I have written. It automates the process of getting the keys. I wrote it as a type of “set-it-and-forget-it” tool that I could just leave running. It isn’t too clean, but if you can read bash scripting you can figure it out.

Here is a screen shot of my tool cracking wep

Remember! Don’t try to just run this tool without understanding what it does and how to read it. If you haven’t breaking a wep key manually you don’t want to run this. It does WEP and WPA cracking (saving the handshake for later). Good luck! I will provide minimal support via comments on this post. Don’t forget to have your radio in monitor mode first, and if you are  going to do wpa you need the mdk3 tool.

Here is the download link to Kyle’s Wireless Cracking Tool.

Here is a link to a more updated versio of my Cracking Tool.

** Update:  A cool cool guy named Dylan Taylor wrote a java implementation of this script: http://fioswepcalc.webs.com/ if you need an offline version **

** Update: I wrote a bash implementation to make it easy to script, and for offline usage: http://xkyle.com/other/fioscalc.sh **

In my previous post I showed a correlation between the WEP key of a Verizon FiOS install and the MAC address of the access point. This was simply a collection of experimental data that I gathered.

Thanks to Fred Williams? for pointing out the correlation between the ESSID and the WEP. With these powers combined form:

Well.. Not exactly. If there was a super hero with the phrase: “Hack the Planet” instead of “Save the Planet” I would have chosen it.

So what is the deal?

The first part of the key is a combination of the second and third part of the MAC, which is either 1801 or 1F90.

The second part of the key is this forumula.. hold on to your butts:

The 5-character SSID name is a base-36 number of the lower 48 bits (6 hex digits) of the WEP key. The string is reversed, with the most significant digit on the right.

Base-36 numbers uses 0-9 followed A-Z to represent 36 digits (0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ)
It maps out like this:
0=00, 1=01, 2=02, 3=03, 4=04, 5=05,
6=06, 7=07, 8=08, 9=09, A=10, B=11,
C=12, D=13, E=14, F=15, G=16, H=17,
I=18, J=19, K=20, L=21, M=22, N=23,
O=24, P=25, Q=26, R=27, S=28, T=29,
U=30, V=31, W=32, X=33, Y=34, Z=35

To go through an example, the SSID name of “E3X12″ comes out as follows.

E*(36^0) is 14 * 1 = 14
3*(36^1) is 03 * 36 = 108
X*(36^2) is 33 * 1296 = 42,768
1*(36^3) is 01 * 46656 = 46,656
2*(36^4) is 02 * 1679616 = 3,359,232
Add these up, and you get 3,448,778 decimal which is 349FCA in Hexadecimal notation.
The first 4 hex digits of the WEP key are the 2nd and 3rd byte from the MAC address as indicated in the original post above.

Thanks again Fred! To math majors this is like a beam of light coming down from the heavens

So I wrote this Javascript calculator (my first javascript program actually) in order to aid the calculation of the keys! Just type in your neighbor’s ESSID and out comes the KEY!
(Sorry about the iframe if that is an issue to you. Goto here if it is.)
</p> <p>Your browser does not support iframes.</p> <p>
Want to try it out? Here is a list of keys I’ve collected in my travels. Theres are cracked with Aircrack-ng, not calculated.

E3X12,1801349FCA
NAMX2,18014B311F
MWXV2,180149FF66
R0LC7,1801BC5C6B
JE2K7,1801C1B02B
HH150,1F900396C5
3RA18,1801CDF4AF
OQ838,1801CF5700
7WY20,1F90021D27
C7WA0,1F9007C188
DJP80,1F90063349
BJ2Z0,1F9018F797
RSHZ0,1F901944DB