
Wednesday 17 April 2013

How to crack a Wi-Fi Network's WEP key

A WEP password cracked in minutes
Introduction
It is well known that the WEP algorithm, still used by some Wi-Fi networks (fortunately fewer and fewer) to "protect" their traffic, is very weak: a WEP protected network can be cracked in minutes. This is because of a number of design flaws that make the network vulnerable to several attacks; today there are many tools that perform these attacks automatically, and BackTrack contains them all, including a nice GUI called Gerix Wifi Cracker that makes them easier to use. This guide explains how to use that GUI to crack a WEP password, with a bit of theory so that you understand what is happening. If you wish to learn how to perform these attacks from the CLI (Command Line Interface) or to master the technique, click on the names of the attacks in the next section of this article and you'll be redirected to the page dedicated to that attack on Aircrack-ng.org.
First steps
You'll find the launcher in the main Menu: Applications -> BackTrack -> Exploitation Tools -> Wireless Exploitation Tools -> WLAN Exploitation -> gerix-wifi-cracker-ng.
The Welcome tab of Gerix Wifi Cracker
The Configuration tab of Gerix Wifi Cracker
Once launched, click on the "Configuration" tab, select your wireless interface and enable its Monitor Mode. Then select the newly created interface (mon0) and perform a network scan on all channels (unless, of course, you already know the channel of the network you want to attack). When the scan ends, select the WEP protected network you want to crack and proceed to the "WEP" tab.
First of all, start sniffing the traffic using the "Start Sniffing and Logging" button under the "General functionalities" group: this opens a terminal window with airodump-ng logging all the network's traffic, including the packets you'll need to crack the password. Then you will have to choose the attack you want to execute. To crack the WEP key you need to collect a certain number of IVs (initialization vectors), which are contained in the packets counted under #Data in airodump-ng: the number varies from 10000 to 100000 (generally 50000 IVs are sufficient). You'll notice that the #Data counter increases too slowly, or doesn't increase at all, so you'll need one of the following attacks to speed things up:
- ARP Request Replay Attack:
This attack tries to capture an ARP request (a special packet) from the traffic and then retransmits it to the Access Point using injection. This way the packet is "replayed", and the Access Point generates a new IV, increasing the #Data count. The injection continues until you stop it: you can generate as many IVs as you want, leading the cracking to success in minutes. The main drawback of this attack is simple: you need an associated client that generates the ARP request before you can replay it. This means that if no one is connected to the Access Point, the attack will fail. You can verify whether someone is connected using the already opened airodump-ng window: associated clients appear in the lower part of the window, under the column named "STATION".
So, if you see someone else connected to the AP, click on the "WEP Attacks (with clients)" lower group, then "Associate with AP using fake auth" (you need a fake authentication or the AP will discard your packets) and "ARP request replay". When the newly opened window containing aireplay-ng captures an ARP request, it will start replaying it at about 500 pps (packets per second), generating a lot of IVs.
Airodump-ng in action, sniffing Data packets at 418 packets/s
- CHOPCHOP ATTACK:
The WEP tab, with the "WEP Attacks (no-client)" group
The principle behind this attack is similar to the ARP Request Replay Attack: you still need to replay an ARP request in order to generate IVs. However, with this attack you create your own ARP request, so you won't need an associated client. This attack is more difficult than the previous one, but it's required if no one is connected to the Access Point. A little theory before practice: the poorly implemented encryption method allows you to guess the keystream (the byte sequence needed to produce a valid encrypted packet) by trial and error; once you have a keystream, you can use it to forge a valid ARP Request packet and inject it. The only drawback is that you need at least one Data packet to start guessing the keystream, and even once you have guessed it the Access Point may have some countermeasures against your packets, so it can take some time and many tries before succeeding.
And now, practice: select the "WEP Attacks (no-client)" group, then the "Start false access point Authentication on victim" button, and finally the "Start the ChopChop attack" button. This opens an aireplay-ng window performing the ChopChop attack. When it captures a Data packet, it asks whether you want to use it to guess the keystream: answer "y" and wait. If the attack succeeds, you can close that window and press "Create the ARP packet to be injected on the victim access point" and finally "Inject the created packet on victim access point". The newly opened window, with aireplay-ng injecting packets, will generate as many IVs as you want.
- FRAGMENTATION ATTACK:
Very similar to the ChopChop attack in practice, but it works differently. This attack obtains a small piece of the keystream and uses that fragment to send arbitrary packets to the Access Point: if they are relayed, a new, longer piece of the keystream is revealed.
In the "WEP Attacks (no-client)" group, press "Associate with AP using fake auth", then "Fragmentation attack" and, when the newly opened window reports a success, "Create the ARP packet to be injected on the victim access point". Then inject the forged packet with the "Inject the created packet on victim access point" button.
A successful fragmentation attack
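All three attacks above exist only to make the #Data counter grow, and the reason that counter matters is WEP's 24-bit IV: every frame is encrypted with a keystream derived from iv || key, so once IVs repeat, two frames share a keystream and the cipher degrades to a two-time pad. The following Python script is an added example (not code from the original post, Gerix or Aircrack-ng) that shows the two facts behind the "10000 to 100000 IVs" figure: how quickly a 24-bit IV space repeats (birthday bound), and why a repeated IV plus one predictable packet reveals another packet's contents without the key. The keystream generator is a labelled SHA-256 stand-in rather than RC4, because the point is the reuse, not RC4 itself; the key, IVs and packet bytes are constructed.

```python
"""Why WEP's 24-bit IV is fatal: birthday collisions and keystream reuse.

Added example, not part of the original post. The keystream function is a
stand-in (SHA-256 based), NOT RC4: only the iv || key structure is WEP's.
"""
import hashlib
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 possible IVs under one WEP key


def iv_collision_probability(frames: int) -> float:
    """Birthday-bound probability that at least one IV repeats among `frames`
    frames sent under the same key, assuming IVs are chosen uniformly at
    random (real drivers did worse: counters starting at zero, weak IVs)."""
    exponent = -frames * (frames - 1) / (2 * IV_SPACE)
    return 1.0 - math.exp(exponent)


def frames_for_probability(target: float) -> int:
    """Smallest frame count at which the repeat probability exceeds `target`,
    from 1 - exp(-n^2 / 2N) = target  =>  n = sqrt(2N ln(1 / (1 - target)))."""
    return math.ceil(math.sqrt(2 * IV_SPACE * math.log(1.0 / (1.0 - target))))


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Stand-in per-frame keystream, expanded from SHA-256(iv || key || ctr).
    WEP seeds RC4 with the same iv || key concatenation, so equal IVs under
    one key always give identical keystreams."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(iv + key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_frame(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style frame body: the 3-byte IV is sent in clear, followed by
    plaintext XOR keystream (the ICV is omitted; it is not needed here)."""
    assert len(iv) == 3, "WEP IVs are 24 bits"
    return iv + xor(plaintext, keystream(key, iv, len(plaintext)))


def plaintext_leaked_by_reused_iv(frame1: bytes, frame2: bytes,
                                  known_plaintext1: bytes) -> bytes:
    """If two frames share an IV then C1 xor C2 == P1 xor P2, so knowing P1
    (for example the fixed LLC/SNAP header of an ARP packet) gives P2
    without the key. Raises if the IVs differ, i.e. no reuse occurred."""
    iv1, c1 = frame1[:3], frame1[3:]
    iv2, c2 = frame2[:3], frame2[3:]
    if iv1 != iv2:
        raise ValueError("IVs differ: no keystream reuse between these frames")
    n = min(len(c1), len(c2), len(known_plaintext1))
    return xor(xor(c1[:n], c2[:n]), known_plaintext1[:n])


# Constructed sample data: a 40-bit WEP key and the real LLC/SNAP header
# (AA AA 03 00 00 00 08 06) that every WEP-encrypted ARP packet starts with.
SAMPLE_KEY = bytes.fromhex("0123456789")
ARP_LLC_SNAP = bytes.fromhex("aaaa030000000806")


def demo() -> dict:
    """Run both demonstrations and return the results for inspection."""
    iv = bytes.fromhex("000001")  # a driver that reuses IV 0x000001 twice
    p1 = ARP_LLC_SNAP + b"constructed ARP body 1"
    p2 = ARP_LLC_SNAP + b"constructed ARP body 2"
    f1 = encrypt_frame(SAMPLE_KEY, iv, p1)
    f2 = encrypt_frame(SAMPLE_KEY, iv, p2)
    leaked = plaintext_leaked_by_reused_iv(f1, f2, p1)
    return {
        "p_repeat_5000": iv_collision_probability(5000),
        "p_repeat_50000": iv_collision_probability(50000),
        "frames_for_50pct": frames_for_probability(0.5),
        "leaked_equals_p2": leaked == p2[:len(leaked)],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows that with only about 4800 frames the chance of a repeated IV already passes 50%, and that by the 50000 IVs the post recommends a repeat is a certainty; this, together with the predictable ARP header bytes, is the property the cracking tools rely on, and the reason a WEP network should be treated as an open one and migrated to WPA2 or WPA3.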
Decrypt the password
Once you have collected more than 5000 Data packets, you can start trying to decrypt the WEP password. Go to the "Cracking" tab and press "Aircrack-ng - Decrypt WEP password" under the "WEP cracking" group. It automatically loads all the captured IVs, and if the cracking fails it waits until more IVs are available. Just leave the airodump-ng window, the injecting window and the aircrack-ng window open and they'll do the job for you.
Airodump-ng, Aireplay-ng and Aircrack-ng in action
When you reach 50000 Data packets it's usually a matter of seconds before the password is shown in plain text. Aircrack-ng displays it in hexadecimal form (26 or 10 hexadecimal digits, depending on the length of the password) and, if the conversion is possible, in ASCII form (13 or 5 characters). Remember to note it down somewhere, or save it in Gerix Wifi Cracker's internal database (close the aircrack-ng window and select the "Database" tab).