Sunday, June 28, 2009

Hacking Practical 1: Cracking WEP: article 200911

Takeway: Cracked 64 bit WEP in 5 minutes, could get 128 to break

With the help of a friend brining over a 3 COM 7760 Wireless AP last night we were able to practice and observe from the victims standpoint the cracking of WEP 64 and 128.
Booting to BackTrack 3 we first tested that we could crack the WEP 64 using SpoonWep.

SpoonWep is a graphical interface that does just what it says spoon feeds the WEP cracking for you all you need to know is the channel and BSSID, which is the MAC address of the victim AP (Access Point). You can snag this info using Kismet, which we did for practice, but obviously we knew the MAC since we were also in possession of the AP.

By the way some definitions of SSID, ESSID, BSSID:

Short for Service Set Identifier, a 32-character unique identifier attached to the header of packets sent over a WLAN that acts as a password when a mobile device tries to connect to the BSS. The SSID differentiates one WLAN from another, so all access points and all devices attempting to connect to a specific WLAN must use the same SSID. A device will not be permitted to join the BSS unless it can provide the unique SSID. Because an SSID can be sniffed in plain text from a packet it does not supply any security to the network.

The Extended Service Set ID (ESSID) is the name of the network you want to access. It is used to identify different wireless networks. ESSID is just an extended SSID allowing for more features.

The BSSID is a 48bit identity used to identify a particular BSS (Basic Service Set) within an area. In Infrastructure BSS networks, the BSSID is the MAC (Medium Access Control) address of the AP (Access Point) and in Independent BSS or ad hoc networks, the BSSID is generated randomly.

SpoonWep cracked the key in about 5 minutes so we knew it was doable. We wanted not to be so spoon fed and get our hands dirty so we attempted the crack again using:


First we needed to capture data to crack, for 64 bit WEP at least 5000 IVS would be needed. We used airoducmp to capture these.

Typing: Airodump-NG --help will give the list of options and filters. We went with the command:

airodump-ng –ivs -w dumpfile –bssid aa:bb:cc:dd:ee:ff –channel 11 ath0

Breaking this down:
airodump-ng is the command
--ivs tells airodump to save only captured injection vectors
-w dumpfile tells airodump to write to a file I called dumpfile
--bssid aa:bb:cc:dd:ee:ff the AP to capture data from; the mac is made up for the case of this blog
--channel 11 the channel to capture data on
ath0 the name of my NIC

Once airodump was capturing IVS we saw that the data being captured was not increasing very fast, because there was little communication going on between the AP and a node already connected to it. we wanted it to capture faster; this is where Aireplay comes in.

Like Airodump, using the command aireplay-ng --help lists your command options. Notice when doing this there are several attack modes:

--deauth count : deauthenticate 1 or all stations (-0)
--fakeauth delay : fake authentication with AP (-1)
--interactive : interactive frame selection (-2)
--arpreplay : standard ARP-request replay (-3)
--chopchop : decrypt/chopchop WEP packet (-4)
--fragment : generates valid keystream (-5)
--caffe-latte : query a client for new IVs (-6)
--cfrag : fragments against a client (-7)

The attack we chose was ARP Replay since that was what SpoonWep used. Our initial command looked like this

aireplay-ng -3 -b aa:bb:cc:dd:ee:ff -x 1024 ath0

Breaking this down:
aireplay-ng is the command
-3 is the number of the attack we chose, this could also be - - arpreplay
-b aa:bb:cc:dd:ee:ff is again the AP we are attacking
-x 1024 is number of packets per second we are injecting the default is 500, we found 1024 is the max
ath0 is my NIC

This still did not appear to greatly speed up the data capture rate then watching AiroDump we saw the mac of a computer connected to the AP we were attacking. So we rewrote our aireplay command to include a source MAC address. The MAC we used was the one already connected to the AP, thus forcing traffic between the two. Notice the -h we placed in the command.

aireplay-ng -3 -b aa:bb:cc:dd:ee:ff -h 00:22:44:66:88:00 -x 1024 ath0

This ramped up data capture and in time we were at 5000 IVS and beyond. Now it was time to set up the crack.

AirCrack actually performs the cracking to determine the WEP key needed to connect to the network Again - - help will show the options needed. The command we ran was:

aircrack-ng -a 1 -b aa:bb:cc:dd:ee:ff -n 64 dumpfile.ivs

Breaking the down:
aircrack-ng is the command
-a 1 tells aircrack it is working agains WEP
-b aa:bb:cc:dd:ee:ff is the BSSID we are attacking
-n 64 is the key strength, 64 bit
dumpfile.ivs is the file holding all the data airodump has “dumped”, remember the first command I wrote about? Airodump created a dumpfile.txt and dumpfile.ivs; IVS is what you need to crack against

You can begin the cracking process while the airodump is still running aircrack will continue to read the file as it is updated.

All in all it took about 5 minutes to crack the 64 bit WEP.

Using the same process as above, but configuring for 128 we tried to attack 128 bit WEP. The thing is we had no luck. All reading we have performed said around 20000 IVS is needed, we had over 500,000 IVS and still no luck; it was late so we gave up on that and plan to try again in the near future.

1 comment:

  1. Hello,

    My name is David, from spain. I have a 3com 7760, and I like do this. In what mode you configure the AP? Ad-hoc, Repeater, Wireless Bridge, Wireless Workgroup Bridge ?? Can do you explain me all the process? Thanks.