Now that we understand the basics of how WEP works, let's review a few points.
The IV is sent as plaintext with the encrypted packet. Therefore, ANYONE can easily sniff this information out of the airwave and thus learn the first three characters or the secret key.
Both the KSA and PRGA leak information during the first few iterations of their algorithm. The i will always be 1, and j will always equal S for the first iteration of the PRGA, and the KSA is easily duplicable for the first three iterations due to the fact that the first three characters of the secret key is passed as plaintext.
XOR is a simple process that can be easily used to deduce any unknown value if the other two values are known.
In addition to these previously explained points, there are several more that make WEP dangerous.
There is a 5% probability that the values held in SS will NOT change after the first three iterations of the KSA. In other words, any hacker can guess what will happen during the KSA process with a 5% likelihood of being correct.
The first value of the encrypted data is always the SNAP header, which equals AA in hex or 170 in decimal form. This essentially means that by sniffing the first byte of encrypted text and XORing it with 170, any hacker can deduce the first output byte of the PRGA.
In the WEP encryption process, it has been determined that a certain format of an IV indicates that it is a weak IV and subject to cracking. The format is (B + 3, 255, x) where B is the byte of the secret key being cracked. However, we know the first three characters due to the IV, so we want to crack the pre-shared password that starts after the IV. The 255 value indicates that the KSA is at a vulnerable point in the algorithm, and the value x can be any value.
Now that these points have been provided, let's take a look at how a hacker would use this knowledge to crack WEP.