Friday, March 28, 2008

wep cracking 101

WEP was intended to provide confidentiality comparable to that of a traditional wired network. Several serious weaknesses were identified by cryptanalysts; a WEP connection can be cracked with readily available software within minutes. WEP was superseded by Wi-Fi Protected access (WPA) in 2003, followed by the full IEEE 802.11i standard (also known as WPA2) in 2004. Despite its weaknesses, WEP provides a level of security that may deter casual snooping. ( Source, Wikipedia )

Trust me when I say that this is not the most comprehensive posting on WEP cracking, but I received a request from a friend of mine to provide the "short and sweet" on WEP cracking ... so I thought i would share this very short tutorial. The sample I am going to provide has several limitations (ex. I am only demonstrating an attack using ARP replay attack (there are several other methods of attack)), but we are simply giving a brief overview.
Video sample of instructions

There are four basic steps ( least in this example) to cracking a WEP key. The broad overview is as follows:

  1. Setup network interface card to monitor mode with airmon-ng (madwifi drivers for packet injection)

  2. Execute airodump-ng for sniffing wireless traffic and creation of "cap" file (to be used later with aircrack-ng)

  3. Execute aireplay-ng to create traffic for the generation and capture of IV's (we will be using an ARP-Replay attack (-3))

  4. Execute aircrack-ng against the generated cap file

Step One: Setting up your NIC with airmon-ng

  • The first step (and often daunting for the experienced administrator) in our quest for cracking a WEP key is to setup the network interface card on your system. For our example, we are utilizing the Netgear 108 Wireless PC Card (WG511T) which is based on the atheros chipset for packet injection. To setup your NIC to monitor mode, we must first execute a couple of commands in order initialize our card. The first two commands you will execute are:

    # rmmod ath_pci
    # modprobe ath_pci

Once you have executed these two commands, your interface will be ready to use with the airmon-ng script for setting your card into monitor mode with use with the madwifi drivers for packet injection.

  • The second step in setting up your NIC card is to engage the madwifi-ng drivers. Because the madwifi-ng drivers allow for multiple virual access points to be run, personally, I like to destroy and the create a new VAP on each session ... simply to make sure I understand what I have setup on the system. To do this, you will execute the following command:

    # airmon-ng stop ath0
    # airmon-ng start wifi0 1
    # macchanger -m 00:12:23:34:45:56 ath0

    This command(s) will destroy the current VAP and create a new parent VAP as well as, enable monitor mode on ath0 interface. You should now be able to execute the "iwconfig" command to verify that your ath0 interface is in monitor mode for sniffing wireless traffic.

Step Two: Discovering a target with airodump-ng

  • The first step taken with airodump-ng is to initate a session so that you can obtain information regarding a target access point. You will launch airodump-ng with the following command:

    # airodump-ng ath0 (ath1,ath2,...)

    Once you have determined the target access point for your capture, you will perform the following setup.

    # airodump-ng -w FileToCrack -c targetAP_ChannelNumber ath0

    Once this process is started...move to step 3.

Step Three: Initiate aireplay-ng

  • One purpose of aireplay-ng is to move the process of capturing IV's for cracking. This step will submit traffic to the access point so that it stimulates the AP into responding with initialization vectors in the ARP response. We are able to accomplish this with two simple steps. Keep in mind that we are ONLY demonstrating one single method of attack here (but it is (probably) the most popular method).For our example, we will assume that the target AP name is "tdurden" running on channel 6.

    # aireplay-ng -1 0 -e tdurden -a target_ap_mac -h our_mac_addr ath0

    Once this process successfully completes, initiate the following command.

    # aireplay-ng -3 -b target_ap_mac -h our_cards_mac_address ath0

    This will start the initiation of ARP requests to the access point. Once you have captured enough ARP requests, you may the use aircrack-ng to crack the WEP key based on the traffic capture of the .CAP file.

Step Four: Cracking our WEP key with aircrack-ng

  • The final step is to initiate the aircrack-ng script against your .CAP file (generated by airodump-ng). Simply issue the following command:# aircrack-ng FileToCrack.cap

    If you have captured a sufficient number of IV's from the ARP-replay attack then you should have a successful decryption of the WEP key.

Video sample of instructions