Determine WEP key type from scan?

Dan Williams dcbw
Sat Jun 27 05:15:10 PDT 2009

On Tue, 2009-06-23 at 16:21 -0700, Shawn Rutledge wrote:
> Is there any way to determine the WEP key length from scan results?
> (40 bit or 104 bit)  I see that wpa_gui does not enforce any
> particular number of characters, but a 64-bit key should require 5
> characters if entered in ASCII form, and a 104-bit key requires 13.
> Is there a reason why the supplicant can't detect which length it is,
> or is that one of the security features of WEP that you aren't
> supposed to know which length is required?

This information is simply not contained in a scan, as it wasn't
standardized at the time WEP was standardized.  WEP sucks, but we have
to live with it.  The auth algorithm (open system or shared key) isn't
broadcast in the scan either, so you just have to know that too.  But
unfortunately, only shared key (the *less* secure method) will actually
tell you that the key is wrong, so you're stuck either asking the user
for the auth algorithm, or trying shared key first and then open system
if shared key fails (but then of course you're always letting attackers
know specific details about your WEP key because shared key is

Basically, you can't ever know your WEP key is correct until you try to
DHCP and can't get a response from the DHCP server.  Of course, that
could mean that the DHCP server is just down too.

To make matters worse, a 104-bit WEP Hex key is also a valid WEP
passphrase, so you cannot distinguish between the two when the user
enters it.  I've seen a number of places that use what *looks* like a
WEP hex key, but it's actually a passphrase.

Simply put, WEP was badly designed, and nobody should be using it.


More information about the Hostap mailing list