The Caffe Latte attack
In Chapter 4, WEP Cracking, we covered how to crack WEP keys when a client is connected to the AP: we injected ARP request packets, captured the traffic this generated in order to collect a sufficient number of IVs, and then launched a statistical attack to recover the key.
Two wireless security researchers, Vivek Ramachandran and MD Sohail Ahmad, presented a new attack called Caffe Latte at the Toorcon 2007 conference. It allows you to retrieve the WEP key from a client even when the client is not connected to the network and is far away from it.
The attack owes its name to the authors' demonstration that the time required to complete it is (almost) as short as the time it takes to drink a cup of coffee in a coffee shop or a restaurant (two classic locations for this kind of attack)!
To perform the attack, we must induce the isolated client to generate enough WEP-encrypted data packets. Operating systems such as Windows cache the WEP shared keys along with the corresponding network details...
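Because the attack depends on a client still carrying a cached WEP profile, the practical countermeasure on the client side is to find and remove such profiles. The following PowerShell script is an added defensive check and is not part of the book; it assumes an English-language Windows with the built-in `netsh wlan` tool, whose "All User Profile"/"Current User Profile" and "Cipher" output lines it parses.

```powershell
# Added example (not from the book): list the WLAN profiles Windows has cached
# and flag any that still use WEP, since a cached WEP profile is exactly the
# precondition the Caffe Latte attack relies on. Run in an elevated PowerShell.
# Assumption: English netsh output (the labels below are localized on other systems).

$profileNames = netsh wlan show profiles |
    Select-String -Pattern '(?:All|Current) User Profile\s*:\s*(.+)$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value.Trim() }

$wepProfiles = foreach ($name in $profileNames) {
    # Per-profile details include a "Security settings" section with a Cipher line
    $details = netsh wlan show profile name="$name"
    $cipher  = $details |
        Select-String -Pattern '^\s*Cipher\s*:\s*(.+)$' |
        Select-Object -First 1
    if ($cipher -and $cipher.Matches[0].Groups[1].Value -match 'WEP') {
        [pscustomobject]@{
            Profile = $name
            Cipher  = $cipher.Matches[0].Groups[1].Value.Trim()
        }
    }
}

if ($wepProfiles) {
    Write-Output "Cached WEP profiles found (client will probe for these even when away from the network):"
    $wepProfiles | Format-Table -AutoSize
    # Remove a flagged profile so the client stops probing for it:
    #   netsh wlan delete profile name="<profile name>"
} else {
    Write-Output "No cached WEP profiles found."
}
```

Deleting the flagged profiles (and re-provisioning the network with WPA2 or newer) removes the cached key material the attack needs.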