Hacking - The Art of Exploitation, 2nd Edition

Cryptology 439

exist in the packet in the binary form of high- and low-order 16-bit words.

The conversion is fairly simple:

Src IP = 192.168.2.57
SH = 192 · 256 + 168 = 50344
SL = 2 · 256 + 57 = 569

Dst IP = 192.168.2.1
DH = 192 · 256 + 168 = 50344
DL = 2 · 256 + 1 = 513

New IP = 123.45.67.89
NH = 123 · 256 + 45 = 31533
NL = 67 · 256 + 89 = 17241


The checksum will be changed by NH + NL − DH − DL, so this value must be subtracted from somewhere else in the packet. Since the source address is also known and doesn’t matter too much, the low-order 16-bit word of that IP address makes a good target:

S'L = SL − (NH + NL − DH − DL)
S'L = 569 − (31533 + 17241 − 50344 − 513)
S'L = 2652


The new source IP address should therefore be 192.168.10.92. The source IP address can be modified in the encrypted packet using the same XORing trick, and then the checksums should match. When the packet is sent to the wireless access point, the packet will be decrypted and sent to 123.45.67.89, where the attacker can retrieve it.


If the attacker happens to have the ability to monitor packets on an entire class B network, the source address doesn’t even need to be modified. Assuming the attacker had control over the entire 123.45.X.X IP range, the low-order 16-bit word of the IP address could be strategically chosen not to disturb the checksum. If NL = DH + DL − NH, the checksum won’t be changed. Here’s an example:

NL = DH + DL − NH
NL = 50344 + 513 − 31533
NL = 82390

The new destination IP address should be 123.45.75.124.


0x785 Fluhrer, Mantin, and Shamir Attack

The Fluhrer, Mantin, and Shamir (FMS) attack is the most commonly used attack against WEP, popularized by tools such as AirSnort. This attack
