Today, we commonly find wireless networks around us. Most wireless networks are encrypted using the WEP or WPA encryption methods. I covered the dictionary attack on WPA networks in a previous post. Compared to WPA, WEP has a weak encryption mechanism and is easy to crack.
Theory
At the time of its conception, WEP, short for Wired Equivalent Privacy, was believed to be secure. However, a security flaw was found in the way the initialization vectors (IVs) in the headers of data packets are used, which makes it possible to crack WEP if enough IVs are collected. This tutorial takes advantage of this weakness in the initialization vectors of wireless packets to crack WEP. However, a problem may arise when there are multiple keys in use instead of just one.
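A worked illustration of why the IV is the weak point, added here and not part of the original post: with only 24 bits of IV, two frames sharing an IV (and therefore the same RC4 keystream) become likely after a few thousand packets no matter how a station picks its IVs. The two IV generation strategies below are constructed traffic, not captured packets.

```python
"""Why a 24-bit WEP IV is reused quickly: birthday bound plus a small simulation.
Added example; the IV generation strategies below are constructed, not captured traffic."""
import math
import random

IV_BITS = 24                 # WEP prepends a 24-bit IV to every frame
IV_SPACE = 1 << IV_BITS      # 16,777,216 possible IVs, shared by all stations on one key


def collision_probability(n_packets: int, space: int = IV_SPACE) -> float:
    """Probability that at least one IV repeats among n_packets uniformly random IVs.
    Exact birthday computation, done in log space to avoid underflow."""
    if n_packets > space:
        return 1.0  # pigeonhole: more packets than IVs guarantees a repeat
    log_no_collision = sum(math.log1p(-k / space) for k in range(n_packets))
    return 1.0 - math.exp(log_no_collision)


def packets_for_probability(p: float, space: int = IV_SPACE) -> int:
    """Approximate packet count at which an IV repeat has probability p
    (standard birthday-bound approximation sqrt(2 * N * ln(1/(1-p))))."""
    return math.ceil(math.sqrt(-2 * space * math.log(1.0 - p)))


def count_iv_reuse(ivs) -> tuple:
    """Walk a sequence of IVs the way a monitor would and return
    (distinct IVs seen, frames whose IV had already been used).
    Every reused IV means two frames encrypted with the same RC4 keystream."""
    seen = set()
    reused = 0
    for iv in ivs:
        if iv in seen:
            reused += 1
        else:
            seen.add(iv)
    return len(seen), reused


def simulate_random_ivs(n_packets: int, seed: int = 1) -> list:
    """Constructed traffic: a station choosing its IV uniformly at random per frame."""
    rng = random.Random(seed)
    return [rng.getrandbits(IV_BITS) for _ in range(n_packets)]


def simulate_counter_ivs(n_packets: int, start: int = 0) -> list:
    """Constructed traffic: a station incrementing its IV, wrapping after 2**24 frames."""
    return [(start + i) % IV_SPACE for i in range(n_packets)]


if __name__ == "__main__":
    print("packets for a 50% chance of an IV repeat:", packets_for_probability(0.5))
    print("P(repeat) after 20000 random-IV frames:", round(collision_probability(20000), 3))
    print("distinct/reused in 20000 simulated frames:", count_iv_reuse(simulate_random_ivs(20000)))
```

Around 4,800 frames already give a coin-flip chance of keystream reuse with random IVs, and a counter-based station wraps after 2**24 frames, which is why a busy WEP network hands over reusable IVs in minutes.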
What's Needed To Test Your Wireless Network
To crack WEP, you need a Backtrack CD and basic knowledge of Linux. Backtrack is a set of tools for testing network security. Download Backtrack and burn it onto a blank CD with InfraRecorder or any other tool.
Then, boot your computer with the Backtrack CD. Hopefully, you'll be automatically presented with a nice and dark GUI screen of KDE.
Surveying Wireless Networks with Kismet
Launch Konsole, which is located right next to the KDE Start menu. Open /usr/local/etc/kismet.conf in a text editor and edit the source= line to include your wireless device. For example, for a Broadcom 43xx based card, put source=bcm43xx,eth1,bcm43xx. Save kismet.conf and start kismet.
Once kismet starts detecting wireless networks around you, press s and then P to sort the network list by packet count in descending order. Press the Up or Down key to move to the target network and press i for network information or c for the client list. Write down the following information:
- ESSID (wireless network name)
- BSSID (MAC address of access point)
- channel of wireless network
- MAC address of clients
In Kismet, the flags for encryption are Y (WEP), N (No encryption), or O (WPA/WPA2). Press x to close popup windows and Q to exit Kismet.
Dumping Wireless Traffic with Airodump
To crack WEP, you need to use airodump-ng to sniff the wireless traffic of the target network and collect good IVs (initialization vectors, a part of the WEP encryption data). Type the following commands in a terminal window:
airmon-ng stop wlan0
airmon-ng start wlan0
airodump-ng -w logfile -c 9 --ivs wlan0
The commands above put the network device wlan0 in monitor mode and then use airodump-ng to log the wireless traffic. The -c option specifies the channel to listen to, and --ivs keeps only the IVs rather than full packets. The screen will show wireless networks and associated clients, if any, with packet and IV counters increasing. Don't stop airodump-ng or close the terminal yet. Just leave the terminal open.
Using Aireplay-NG To Generate Traffic
Aireplay-ng is a handy tool that can be used to generate more wireless traffic in order to collect enough good IVs. It does so by injecting or replaying captured packets to fool the access point into giving us what we need.
To Force Association of Clients with Access Point
Open another terminal and enter the following command to associate the target wireless client with the access point:
aireplay-ng -1 30 -e belkin -a 00:11:22:33:44:55 -h 00:fe:21:83:f4:e5 wlan0
The -e option specifies the network name, the -a option specifies the MAC address of the AP, and the -h option specifies the MAC address of the wireless client.
You can use macchanger to view and change your MAC address, for example, macchanger -s wlan0 to show it. This also lets you associate your own wireless adapter when there are no clients connected to the wireless network in the first place.
ARP Injection with Aireplay
ARP injection is slow but always works. While airodump-ng is listening, run the following command:
aireplay-ng -3 -b 00:11:22:33:44:55 -h 00:fe:21:83:f4:e5 wlan0
The -b option specifies the MAC address of the AP and -h specifies the MAC address of the associated client. Let it run and airodump-ng will pick up the traffic. If no client is connected, we can create one with the fake authentication described above.
Interactive Packet Replay
This attack generates traffic by asking the access point to resend data packets; the placeholders <AP> and <Client MAC> stand for the access point's and the client's MAC addresses:
aireplay-ng -2 -b <AP> -h <Client MAC> -n 160 -p 0841 -c FF:FF:FF:FF:FF:FF wlan0
Aircrack in Action
After collecting enough IV packets, aircrack-ng can be used to crack the WEP key. The aircrack-ng command looks like this:
aircrack-ng -a 1 -b A0:B1:C2:D3:E4:F5 -n 128 logfile-01.ivs
Replace the filename with the log file that was previously generated by airodump-ng. Also, specify the access point's MAC address with the -b option. The -n option specifies whether the WEP key length is 64-bit or 128-bit. The -a 1 option specifies that we're cracking WEP.
Can't Crack?
If you still can't crack WEP with tons of IVs, increase the fudge factor with the -f N option (N>=2). It'll take much longer to crack, but you'll have a better chance of success.