AirSnort sniffing with Orinoco Gold cards

Dominick, David David.Dominick at
Thu Aug 23 01:20:01 EST 2001

The level of encryption doesn't matter. WEP uses a public key and a shared
key. The public key is transmitted clear text. All of the computers on the
network use the same shared key. One example of a way to break the key is:
Learn both the ciphertext and the plaintext for some packets encrypted with
a given IV v.
This is really easy if you know the plaintext, because, for example, you
sent it, say via pings, or spam email!
You can also do it passively by watching for collisions.
Then you can easily determine the keystream RC4(k,v) by XORing the plaintext
and the ciphertext.
Note that you do not learn the value of the shared secret k.
Now you store that keystream in a table, indexed by v.
This table is at most 1500 * 2^24 bytes = 24 GB
Fits on a single cheap disk
The next time you see a packet with an IV stored in the table, you can just
look up the keystream, XOR it against the packet, and read the data!

AirSnort basically uses this premise to break the key without bothering to
crack the encryption.

-----Original Message-----
From: Jussi Vestman [mailto:vestman at]
Sent: Wednesday, August 22, 2001 10:01 AM
To: wireless at
Subject: Re: AirSnort sniffing with Orinoco Gold cards

On Wed, 22 Aug 2001, Michael F. March wrote:

> yes
> > doesn't AirSnort require the Prism II chipset to function?

I actually do sniffing with Compaq WL100, which is Prism II
based. Other stations in the network are using mainly
Lucent's Orinoco Gold cards and I am wondering if AirSnort
can break 128 bit encryption used by them at all.

Mr. Jussi Vestman
An IT student at Lappeenranta University of Technology, Finland
jussi.vestman at
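
The keystream table described in the reply above, as an added example that is not part of the original thread: it shows that once RC4(k,v) is known for an IV v, any later packet with the same v can be read without k, whatever the key length. The key, IVs, payloads and the names KeystreamTable and demo are constructed for illustration, and the WEP integrity value is left out.

```python
# Added illustration. Key, IVs and payloads are constructed sample values.
# Simplification: the WEP integrity value (CRC-32 ICV) is left out.

def rc4(key: bytes, n: int) -> bytes:
    """Return the first n bytes of RC4 keystream for `key`."""
    s, j = list(range(256)), 0
    for i in range(256):                        # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                          # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))   # truncates to the shorter input

def wep_encrypt(iv: bytes, k: bytes, plaintext: bytes) -> bytes:
    # WEP seeds RC4 with the 3-byte IV followed by the shared key k.
    return xor(plaintext, rc4(iv + k, len(plaintext)))

class KeystreamTable:
    """Keystreams RC4(k, v) indexed by IV v; it never holds k itself."""
    def __init__(self):
        self.by_iv = {}

    def learn(self, iv, known_plaintext, ciphertext):
        ks = xor(known_plaintext, ciphertext)
        if len(ks) > len(self.by_iv.get(iv, b"")):    # keep the longest seen
            self.by_iv[iv] = ks

    def read(self, iv, ciphertext):
        ks = self.by_iv.get(iv)
        return None if ks is None else xor(ciphertext, ks)

def demo(k: bytes = bytes.fromhex("0badc0ffee")):     # constructed 40-bit key
    iv, unseen_iv = b"\x00\x00\x2a", b"\x00\x00\x2b"
    probe = b"known plaintext the observer sent itself"
    secret = b"user=alice pass=example"
    table = KeystreamTable()
    table.learn(iv, probe, wep_encrypt(iv, k, probe))
    same_iv = table.read(iv, wep_encrypt(iv, k, secret))
    other_iv = table.read(unseen_iv, wep_encrypt(unseen_iv, k, secret))
    return same_iv, other_iv
```

A packet longer than the stored keystream is only readable up to the stored length, which is why the table keeps the longest keystream seen per IV.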
