aircrack-ng
Arunabh Das
Content
Part 1 - Background
WEP
Encryption
Authentication
Vulnerabilities
Part 2 - Attack Experiment
Cracking WEP Keys
Test Environment
Network Topology
Hardware & Software
The Attack
Observations
Part 3 - Conclusion
Problems Encountered
Detection & Prevention
Conclusion
References
WEP Encryption
Wired Equivalent Privacy
64-bit and 128-bit (24-bit IV)
http://documentation.netgear.com/reference/sve/wireless/WirelessNetworkingBasics-3-08.html
WEP Authentication
http://documentation.netgear.com/reference/sve/wireless/WirelessNetworkingBasics-3-09.html
WEP Vulnerability
Static keys
Short IV (24-bits)
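The "short IV" point above is easier to see with numbers. The Python below is an added illustration, not part of the original deck: it computes the birthday-bound probability that two WEP frames share an IV and how quickly a strictly sequential IV counter wraps. The only real parameter it uses is WEP's 24-bit IV size; the frame rates are constructed.

```python
"""Why WEP's 24-bit IV is too short: how soon IVs repeat.

Added illustration; it is not part of the original deck. It assumes only
WEP's real IV size (24 bits). The packet rates passed in are constructed.
"""
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 distinct IVs per WEP key


def collision_probability(packets: int, space: int = IV_SPACE) -> float:
    """Birthday-bound probability that at least two of `packets` frames
    carry the same IV when IVs are chosen uniformly at random.
    Uses the standard approximation 1 - exp(-n(n-1) / 2N)."""
    if packets > space:          # pigeonhole: more frames than IVs
        return 1.0
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * space))


def packets_for_collision(prob: float, space: int = IV_SPACE) -> int:
    """Smallest number of frames at which the collision probability reaches
    `prob` (inverse of the approximation above, with n(n-1) ~ n^2)."""
    return math.ceil(math.sqrt(-2.0 * space * math.log(1.0 - prob)))


def seconds_to_exhaust(packets_per_second: float, space: int = IV_SPACE) -> float:
    """Time until a driver that increments the IV sequentially wraps around
    and must reuse an IV (the best case for the defender; random IVs repeat
    far sooner, see collision_probability)."""
    return space / packets_per_second


if __name__ == "__main__":
    print(f"IV space: {IV_SPACE:,} values")
    print(f"frames for a 50% chance of a repeated IV: {packets_for_collision(0.5):,}")
    for rate in (100.0, 1000.0, 5000.0):  # constructed frame rates (frames/s)
        hours = seconds_to_exhaust(rate) / 3600
        print(f"at {rate:g} frames/s a sequential IV counter wraps in {hours:.1f} h")
```

With only 2^24 values, a 50 % chance of a repeated IV arrives after a few thousand frames, and even a strictly sequential counter wraps within hours on a busy network. Because the key is static, an IV that repeats produces the same RC4 keystream again, which is why collecting IVs is worthwhile to an attacker and why the deck's conclusion recommends replacing WEP.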
Wireless AP
H/W and S/W requirements
Attacker                                        | Victim
OS: Ubuntu 8.04                                 | OS: Windows XP
NIC: iwl4965/Atheros AR5007 b/g                 | NIC: D-Link WUA-2340 USB adaptor
Software: Kismet, Airodump, Aireplay, Airjack   | Software: D-Link Wireless Connection Manager
Wireless AP: Linksys WRT54GL
Types of attacks using aireplay
It currently implements multiple different attacks:
Attack 0: Deauthentication
Attack 1: Fake Authentication
Attack 2: Interactive Packet Replay
Attack 3: ARP Request Replay Attack
Attack 4: Korek Chopchop attack
Attack 5: Fragmentation attack
Attack 6: Caffe-latte attack
Attack 7: Client-oriented fragmentation attack
Source - http://www.aircrack-ng.org/doku.php?id=aireplay-ng
Deauthentication
This attack is a type of “man-in-the-middle” attack: it sends disassociate packets to one or more clients that are currently associated with a particular access point, making the client disconnect from the AP and connect to the cracker’s fake AP.
The reasons for disassociating clients are:
Generate ARP requests
Force clients to re-authenticate
Recover a hidden ESSID
Deauthentication cont.
Use aireplay to achieve the de-auth attack
Command:
aireplay-ng -0 1 -a <AP MAC address> -c <client MAC address> ath0
-0 means deauthentication
1 is the number of deauths to send
-a is the MAC address of the access point
-c is the MAC address of the client to de-auth
ath0 is the interface name
Deauthentication cont.
The MAC addresses of the AP and the client can be obtained by sniffing with tools like Wireshark.
The output of the command from the slide above will look like:
11:09:28 Sending DeAuth to station -- STMAC: [00:0F:B5:34:30:30]
STMAC is the MAC address of the client (the client is then de-authenticated, after which the attacker connects using the spoofed victim’s address).
Fake authentication
Fake authentication allows the attacker to perform the two types of WEP authentication (open system and shared key) plus associate with the AP. Unlike the deauthentication attack, no ARP packets are generated; fake authentication is only useful when the attacker needs an associated MAC address for other packet injection attacks but there is currently no client connected to the AP.
Fake authentication cont.
The actual aireplay command:
aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 -y sharedkeyxor ath0
-1 means fake authentication
0 is the reassociation timing in seconds
-e teddy is the wireless network name
-a 00:14:6C:7E:40:80 is the access point MAC address
-h 00:09:5B:EC:EE:F2 is our card’s MAC address
-y sharedkeyxor is the name of the file containing the PRGA xor bits. This is only used for shared key authentication; open system authentication, which is typical, does not require it. (PRGA xor bits can be obtained from the de-auth or Korek chopchop attack.)
ath0 is the wireless interface name
ARP Request Replay attack
The classic ARP request replay attack is the most effective way to generate new initialization vectors (IVs).
The program listens for an ARP packet and then retransmits it back to the access point. This, in turn, causes the access point to repeat the ARP packet with a new IV. The program retransmits the same ARP packet over and over.
However, each ARP packet repeated by the access point has a new IV. It is all these new IVs which allow you to determine the WEP key.
ARP Request Replay attack cont.
Basic usage
aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0
Where:
Source – http://www.aircrack-ng.org/doku.php?id=flowchart#section_7frag_chop-chop_failed
Configuring Environment
Configure Access Point
Set the encryption to WEP and generate keys using passphrase
Configuring Environment Step 2
Configure Access Point
Set the SSID and the broadcast channel.
Configuring Environment Step 3
Configure Access Point
Set the Authentication type to Auto
Installation of kismet – step 1
Installation of kismet – step 2
Installation of kismet – step 3
Installation of kismet – step 4
Installation of kismet – step 5
Installation of kismet – step 6
Installation of kismet – step 7
Installation – Patching of kernel – Step 1
Note that the 2.6.24 version of the kernel doesn’t contain the modules that we need
Installation – Patching of kernel – Step 2
Install kernel-package libraries
Installation – Patching of kernel – Step 3
Wait for complete installation of kernel-package libraries
Installation – Patching of kernel – Step 4
Download the latest version of the kernel using wget
Installation – Patching of kernel – Step 4
Installation – Patching of kernel – Step 5
Installation – Patching of kernel – Step 6
Installation – Patching of kernel – Step 7
Installation – Patching of kernel – Step 8
Installation – Patching of kernel – Step 9
Installation – Patching of kernel – Step 10
Installation – Patching of kernel – Step 11
Finding a client that is connected to the AP and client’s MAC id
Installation – Patching of kernel – Step 12
Installation – Patching of kernel – Step 13
Installation – Patching of kernel – Step 12
Installation – Patching of kernel – Step 13
Installation – Patching of kernel – Step 14-15
Installation – Patching of kernel – Step 16-17
Installation – Patching of kernel – Step 18
Installation – Patching of kernel – Step 19
Installation – Patching of kernel – Step 20
Installation – Patching of kernel – Step 21-23
Installation – Patching of kernel – Step 24
Installation – Patching of kernel – Step 25
Installation – Patching of kernel – Step 26
Installation – Patching of kernel – Step 27-28
Installation – Patching of kernel – Step 29
Installation – Patching of kernel – Step 30
Installation – Patching of kernel – Step 31
Installation – Patching of kernel – Step 32
Installation – Patching of kernel – Step 33
Installation – Patching of kernel – Step 34
Installation – Patching of kernel – Step 35-36
Installation – Patching of kernel – Step 37-38
Installation – Patching of kernel – Step 39-40
Installation – Patching of kernel – Step 41
Installation – Patching of kernel – Step 42
Installation – Patching of kernel – Step 43
Installation – Patching of kernel – Step 44
Installation – Patching of kernel – Step 45
Installation – Patching of kernel – Step 46
Installation – Patching of kernel – 7
Installation – Patching of kernel – 8
Installation – Patching of kernel – 9
Installation – Patching of kernel – Step 50
Installation – Patching of kernel – Step 51
Installation – Patching of kernel – Step 52
Installation – Patching of kernel – Step 53
Installation – Patching of kernel – Step 54
Installation – Patching of kernel – Step 55
Preparatory Step 1 – Testing Injection
Enable card to monitor mode
Preparatory Step 2 – Testing Injection
Basic test to determine if card supports injection
Preparatory – Testing Injection
Check hidden ID or check specific SSID
Preparatory – Testing Injection
Create 2 virtual wireless interfaces for attack test
Preparatory Step 5 – Testing Injection
Reconnaissance Step 1
Reconnaissance Step 2
Reconnaissance –
Reconnaissance
Reconnaissance Step 5 –
Reconnaissance Step 6 –
Reconnaissance Step 7 –
Reconnaissance Step 8 –
Reconnaissance Step 9 –
Reconnaissance Step 9 –
Attack Without Deauth – Step 1
Attack Without Deauth – Step 2
Attack Without Deauth
Attack Without Deauth
Attack Without Deauth – Step 5
Attack Without Deauth – Step 6
Attack Without Deauth – Step 7
Attack Without Deauth – Step 8
Attack Without Deauth – Step 9
Attack Without Deauth – Step 10
Attack Without Deauth – Step 11
Attack Without Deauth – Step 12
Attack Without Deauth – Step 13
Iteration 2 – ARP Request Replay without deauthentication request – Attack Step 1
Taking down the network interface in order to change the MAC
Iteration 2 – ARP Request Replay without deauthentication request – Attack Step 2
Finding a target AP and the channel it is broadcasting on.
Iteration 2 – ARP Request Replay without deauthentication request – Attack
Finding a client that is connected to the AP and client’s MAC id
Iteration 2 – ARP Request Replay with deauthentication request – Attack
Changing the attacker’s MAC id to match client’s (Spoofing)
Iteration 2 – ARP Request Replay with deauthentication request – Attack Step 5
Attack Step 6
Monitoring airodump to monitor rate of capture
Iteration 2 – ARP Request Replay with deauthentication request – Attack Step 7
Attack Step 8
Monitoring number of ARP requests generated
Iteration 2 – ARP Request Replay with deauthentication request – Attack Step 9
Sending de-authentication frames to client
ARP Request Replay Attack Variation 3 (spoofing MAC but no deauth) Step 1
ARP Request Replay Attack Variation 3 (spoofing MAC but no deauth) Step 2
ARP Request Replay Attack Variation 3 (spoofing MAC but no deauth)
Finding a client that is connected to the AP and client’s MAC id
ARP Request Replay Attack Variation 3 (spoofing MAC but no deauth)
ARP Request Replay Attack Variation 3 (spoofing MAC but no deauth) Step 5
Initiating airodump to capture packets, especially weak IV packets
ARP Request Replay Attack Variation 3 (spoofing MAC but no deauth) Step 6
Monitoring airodump to monitor rate of capture
ARP Request Replay Attack Variation 3 (spoofing MAC but no deauth) Step 7
Initiate aireplay to inject frames
ARP Request Replay Attack Variation 3 (spoofing MAC but no deauth) Step 8
Monitoring number of ARP requests generated
ARP Request Replay Attack Variation 3 (spoofing MAC but no deauth) Step 9
Sending de-authentication frames to client
ARP Request Replay Attack Variation 3 (spoofing MAC but no deauth) Step 10
ARP Request Replay Attack Variation 3 (spoofing MAC but no deauth) Step 11
ARP Request Replay Attack Variation 3 (spoofing MAC but no deauth) Step 12
ARP Request Replay Attack Variation 3 (spoofing MAC but no deauth) Step 13
ARP Request Replay Attack Variation 3 (spoofing MAC but no deauth) Step 14
ARP Request Replay Attack Variation 3 (spoofing MAC but no deauth) Step 15
Using aircrack to crack
ARP Request Replay Attack Variation 3 (spoofing MAC but no deauth) Step 16
Using aircrack to crack
ARP Request Replay Attack Variation 3 (spoofing MAC but no deauth) Step 17
Using aircrack to crack
ARP Request Replay Attack Variation 3 (spoofing MAC but no deauth) Step 18
Using aircrack to crack
ARP Request Replay Attack Variation 3 (spoofing MAC but no deauth) Step 19
Using aircrack to crack
ARP Request Replay Attack Variation 3 (spoofing MAC but no deauth) Step 20
Using aircrack to crack
ARP Request Replay Attack Variation 3 (spoofing MAC but no deauth) Step 21
Using aircrack to crack
ARP Request Replay Attack Variation 3 (spoofing MAC but no deauth) Step 22
Using aircrack to crack
Observations/Conclusion
WEP is weak and can be cracked easily
We were able to crack WEP in x minutes
WEP encrypted networks should be replaced with WPA/WPA2
Detection/Prevention
When an abnormal number of ARP requests is being made, it may be a sign that a hacker is trying to crack your WEP key.
Careful monitoring and logging of such an event can help administrators detect such an attack.
Preventing such an attack is near impossible
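One way to turn the detection slide's advice into a concrete check, as an added example that is not part of the original deck: a small sliding-window detector over simplified capture records that flags a burst of deauthentication frames aimed at one client and an abnormal rate of ARP requests from one address (the replay attack re-injects the same request many times). The record format, thresholds and sample traffic are constructed; the only values taken from the deck are the AP and client MAC addresses shown on its slides.

```python
"""Flag the two traffic signatures the deck's Detection slide describes: a
burst of deauthentication frames aimed at one client, and an abnormal rate of
ARP requests (the ARP replay attack re-injects the same request many times).

Added example, not part of the original deck. The record format, thresholds
and sample traffic are constructed for this illustration; the AP and client
MAC addresses are the ones shown on the deck's slides.

Each record is a simplified capture line:  <seconds>,<kind>,<src MAC>,<dst MAC>
with kind "deauth" (802.11 management deauth frame) or "arp-req" (data frame
carrying an ARP request).
"""
from collections import defaultdict, deque

# Constructed thresholds; a real deployment tunes them to its own baseline.
DEAUTH_THRESHOLD = 5       # deauth frames to one client ...
DEAUTH_WINDOW = 10.0       # ... within this many seconds
ARP_THRESHOLD = 50         # ARP requests from one source ...
ARP_WINDOW = 10.0          # ... within this many seconds


def parse_line(line):
    """Parse one record into (timestamp, kind, src, dst)."""
    ts, kind, src, dst = line.strip().split(",")
    return float(ts), kind, src.upper(), dst.upper()


def detect(lines):
    """Return alert strings. Sliding-window counts keyed by victim client
    (for deauth) or by sending address (for ARP requests); one alert per key."""
    records = sorted(parse_line(l) for l in lines if l.strip())
    history = defaultdict(deque)   # (kind, key) -> recent timestamps
    alerts, fired = [], set()
    for ts, kind, src, dst in records:
        if kind == "deauth":
            key, threshold, window = dst, DEAUTH_THRESHOLD, DEAUTH_WINDOW
        elif kind == "arp-req":
            key, threshold, window = src, ARP_THRESHOLD, ARP_WINDOW
        else:
            continue                       # other frame kinds are ignored
        recent = history[(kind, key)]
        recent.append(ts)
        while ts - recent[0] > window:     # drop timestamps outside the window
            recent.popleft()
        if len(recent) >= threshold and (kind, key) not in fired:
            fired.add((kind, key))
            label = "deauth flood" if kind == "deauth" else "ARP replay"
            alerts.append(f"{label}: {len(recent)} {kind} frames involving {key} "
                          f"in {window:g}s (t={ts:g})")
    return alerts


def sample_capture():
    """Constructed traffic: a quiet baseline, then a deauth burst and an ARP
    replay burst. Not a real capture."""
    ap = "00:14:6C:7E:40:80"       # AP MAC shown on the deck's fake-auth slide
    client = "00:0F:B5:34:30:30"   # client MAC shown in the deck's deauth output
    bcast = "FF:FF:FF:FF:FF:FF"
    lines = [f"{2.0 * i:.1f},arp-req,{client},{bcast}" for i in range(10)]       # normal ARP
    lines.append(f"5.5,deauth,{ap},{client}")                                       # one stray deauth
    lines += [f"{30.0 + 0.1 * i:.1f},deauth,{ap},{client}" for i in range(8)]       # deauth burst
    lines += [f"{40.0 + 0.05 * i:.2f},arp-req,{client},{bcast}" for i in range(60)]  # replayed ARP
    return lines


if __name__ == "__main__":
    for alert in detect(sample_capture()):
        print(alert)
```

Running it prints one alert for the deauth burst and one for the ARP replay burst. In practice the thresholds would be set from the network's observed baseline, and the records would come from a wireless IDS or a monitor-mode capture rather than a hand-built list; the check complements, rather than replaces, the deck's recommendation to move the network off WEP.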
References
[1] “Aireplay-ng”
URL: http://www.aircrack-ng.org/doku.php?id=aireplay-ng
[2] “Computer Security”
URL: http://en.wikipedia.org/wiki/Computer_security
[3] “Exploit (computer security)”
URL: http://en.wikipedia.org/wiki/Exploit_(computer_security)
Questions?