The weakness of WEP resides in the IV. It is sent as plaintext with the packet, which means that anyone who captures the packet can read the first 24 bits of the per-packet key used for encryption. Because the IV is only 24 bits, RC4 can be seeded with only about 16 million different per-packet keys, so if you gather enough IVs you can crack the key through a brute-force attack. Also contributing to WEP’s weakness is the discovery that some IVs are weaker than others: software can recognise “weak” IVs and use them to crack the key even quicker.
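To make the IV arithmetic above concrete, here is an added Python example (it is not from the original text and not part of the aircrack-ng project): a textbook RC4, the WEP per-packet key construction IV || secret key, the birthday-bound probability that a 24-bit IV repeats among a given number of packets, and a check that two packets encrypted under the same IV leak the XOR of their plaintexts. The key, IV and plaintexts are constructed demo values.

```python
import math

IV_BITS = 24
IV_SPACE = 2 ** IV_BITS  # 16 777 216 possible IVs, each sent in the clear with its packet


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling (KSA) followed by the output generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP seeds RC4 with IV || secret key (a "64-bit" key is a 3-byte IV plus a 5-byte secret).
    The CRC/ICV trailer is omitted here; it does not affect the keystream-reuse point."""
    if len(iv) != 3:
        raise ValueError("WEP IVs are 24 bits")
    return xor_bytes(plaintext, rc4_keystream(iv + secret_key, len(plaintext)))


def iv_collision_probability(packets: int, space: int = IV_SPACE) -> float:
    """Birthday bound: probability that at least one IV repeats among `packets` random IVs."""
    return 1.0 - math.exp(-packets * (packets - 1) / (2.0 * space))


def expected_packets_to_first_repeat(space: int = IV_SPACE) -> float:
    """Expected number of random IVs drawn before the first repeat: sqrt(pi * N / 2)."""
    return math.sqrt(math.pi * space / 2.0)


def keystream_leak_on_iv_reuse(secret_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """With the same IV and key the keystream is identical, so C1 xor C2 == P1 xor P2."""
    c1 = wep_encrypt(secret_key, iv, p1)
    c2 = wep_encrypt(secret_key, iv, p2)
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)


if __name__ == "__main__":
    # Constructed demo values, not a real network key.
    key = bytes.fromhex("abcdef1234")   # the 5-byte secret used later in the tutorial
    iv = bytes.fromhex("0a0b0c")
    print(f"IV space: {IV_SPACE:,}")
    print(f"P(IV repeat) after 50 000 packets: {iv_collision_probability(50_000):.6f}")
    print(f"Expected packets until first repeat: {expected_packets_to_first_repeat():.0f}")
    print("IV reuse leaks P1 xor P2:",
          keystream_leak_on_iv_reuse(key, iv, b"ARP request from A", b"ARP request from B"))
```

The birthday figures assume random IVs; many real WEP drivers used a simple counter instead, in which case the repeat is deterministic (after the counter wraps or the card resets) rather than probabilistic. Either way, the 24-bit space is the root of the problem, and the statistical key-recovery attacks aircrack-ng runs on top of it are outside this example.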
Once the theory of how to crack WEP was proven workable, computer programs were written that streamlined the process. The programs work in two steps.
Once an encrypted wireless network is found and a client is in range, the program starts intercepting packets and logging the IVs. The packets contain encrypted data and are worthless individually, but if enough IVs are logged the key can be cracked. Usually about 50 000 IVs are needed to crack WEP. The number of IVs travelling depends on network traffic, so if no one is connected to the network it will take days to collect that many; that is why you need to create artificial traffic. On the other hand, if someone is already connected you can get a lot of IVs fast without any problems.
Of course there is a method of speeding up the collection of IVs, through a certain type of packet injection, although this technique is not supported by all wireless cards.
This type of packet injection is called ARP injection. With this technique the wireless card sends an ARP request to the access point, which then responds with an ARP response. This response contains a new IV, which is then captured. The process is repeated rapidly to generate numerous IVs. For the injection to work, the origin of the ARP request must be associated with the AP, or else the AP will not respond. The software spoofs the origin to make the request look like it came from an associated client, not from the attacker’s computer.
As I said, I will be using a wireless security suite called aircrack-ng, which comes with the BackTrack Linux distribution, for the WEP attacks. Aircrack-ng contains all the tools necessary for discovering and cracking wireless networks.
First let’s try to break a network with a connected client.
Once a network has been identified by any technique, the basic steps to crack a WEP-encrypted network, and the programs used to accomplish each, are:
1) Put the wireless card in passive monitor mode (airmon-ng)
2) Begin capturing packets that contain unique IVs and save them to the disk (airodump-ng)
3) Inject ARP requests from an associated client to generate new packets (aireplay-ng)
4) Once enough IVs have been captured, run a cryptographic attack to decipher the WEP key (aircrack-ng)
In this case I will attack my own network, so it is as if the attacker (me) had already identified the WEP-encrypted network he wants to crack. The information he needs to start collecting IVs is the BSSID of the access point and the channel it is operating on. This information is easy to get using airodump-ng, which will also be used to capture the IVs and save them to a file. In this case the BSSID of the network we are trying to crack is 00:80:5A:28:B5:AB, the channel is 11, and we will call the output file wepkey.
Let’s put our card in monitor mode, but first you need to know which interface to use:
#airmon-ng
You now have a list of the interfaces on your machine. If you have only one wireless card you will have only one interface; if you have two wireless cards connected you will have two interfaces. I might use different cards through the tutorials, so when you see wlan1 and your interface is wlan0, use wlan0 instead of wlan1.
Remember I’m running the attacks on my machine and it could be different from yours.
So I will use wlan0 for this tutorial. To put that interface in monitor mode use:
#airmon-ng start wlan0
You still have the wlan1 interface, and the system has created a new interface called mon0. This is a virtual interface; “mon” comes from monitor, meaning that the interface mon0 is monitoring traffic.
Now let’s sniff traffic from the network that we will attack, so use:
#airodump-ng wlan0
As I told you before, the network I’m attacking is mine. My network is called WLAN, so by using airodump-ng I already know the BSSID and the channel. Let’s get started:
#airodump-ng --channel 11 --bssid 00:80:5A:28:B5:AB --write wepkey wlan0
The “#Data” column is the number of unique IVs we have caught so far and saved in wepkey.cap. airodump-ng may create several .cap files, such as wepkey-01.cap and wepkey-02.cap, which is why at the end we will pass “wepkey*.cap” to aircrack-ng.
The “#/s” column is the number of unique IVs we get per second. As you can see there is practically no traffic in this network; doing the math, to collect 50 000 IVs we would need to wait 25 000 seconds, almost 7 hours, so why don’t we use a packet-injection technique to speed up the collection of unique IVs?
We can do that using aireplay-ng:
#aireplay-ng --arpreplay -b 00:80:5A:28:B5:AB -h 00:15:AF:A2:8D:98 wlan0
-b 00:80:5A:28:B5:AB is the access point MAC address
-h 00:15:AF:A2:8D:98 is the MAC address of the client that we will use as the “ARP requester”
This command waits for an ARP request coming from the network and then floods the airwaves with that ARP request, making it look like it is coming from the associated client.
So if you are attacking a network that has only one client connected, it could take a while until you get an ARP request. If there is traffic on the network you may get one the easy way. Imagine instead that a client is connected but is not doing anything, as if it were in “stand-by” mode; then you can do it the hard way by deauthenticating the client from the network, forcing it to reconnect and communicate with the router. Use the following command:
#aireplay-ng -0 10 -a 00:80:5A:28:B5:AB -h 00:15:AF:A2:8D:98 wlan0
-0 means deauthentication attack
10 is the number of deauthentication packets it will send
-a 00:80:5A:28:B5:AB is the access point MAC address
-h 00:15:AF:A2:8D:98 is the MAC address of the client to be deauthenticated
When the client comes back to the network you should get some ARP requests. This is a simple process: you get an ARP request and you replay it. That is what “aireplay-ng -3” or “aireplay-ng --arpreplay” does. It waits for an ARP request and replays it, gets another one and replays it again, and keeps doing so, consequently generating traffic on the network. Remember that the traffic we are collecting is nothing but packets carrying IVs that we will use to brute-force the WEP key.
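Seen from the network owner's side, both of the steps just described leave a distinctive trace on the air: a burst of deauthentication frames apparently sent by the AP, and one client's ARP request re-sent verbatim many times with the same IV (WEP has no replay protection, so the injected frame repeats its original IV exactly). The following Python example, added here and not part of the original text or of aircrack-ng, runs two detection checks over a constructed sample capture; the Frame record, the build_sample() traffic and the thresholds are assumptions, and the frame kind is taken as already classified by the sensor (for instance from the fixed length of an encrypted ARP request).

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import List, Tuple

AP = "00:80:5A:28:B5:AB"       # access point BSSID from the tutorial
CLIENT = "00:15:AF:A2:8D:98"   # associated client from the tutorial


@dataclass
class Frame:
    """Minimal view of an 802.11 frame as a monitor-mode sensor might log it (assumed format)."""
    ts: float        # capture time in seconds
    kind: str        # "deauth" (management) or "arp_request"/"data" (encrypted data frame)
    src: str         # transmitter address as seen on the air (may be spoofed)
    bssid: str
    iv: str = ""     # the 24-bit WEP IV, visible in the clear; empty for management frames


def build_sample() -> List[Frame]:
    """Constructed sample capture (not real traffic): background data, a deauth burst, a replay."""
    frames = []
    for i in range(5):   # normal traffic: each data frame carries a fresh IV
        frames.append(Frame(ts=0.5 * i, kind="data", src=CLIENT, bssid=AP, iv=f"{i:06x}"))
    for i in range(10):  # 10 deauth frames within one second, all claiming to come from the AP
        frames.append(Frame(ts=3.0 + 0.1 * i, kind="deauth", src=AP, bssid=AP))
    for i in range(25):  # one captured ARP request re-sent verbatim: same source, same IV
        frames.append(Frame(ts=5.0 + 0.02 * i, kind="arp_request", src=CLIENT, bssid=AP, iv="0a0b0c"))
    return frames


def deauth_bursts(frames, window: float = 2.0, threshold: int = 5) -> List[Tuple[str, str, int]]:
    """Flag (src, bssid, peak count) when a source sends >= threshold deauth frames inside `window` s.
    A legitimate AP rarely deauthenticates a station repeatedly in quick succession."""
    times = defaultdict(list)
    for f in frames:
        if f.kind == "deauth":
            times[(f.src, f.bssid)].append(f.ts)
    alerts = []
    for (src, bssid), ts in times.items():
        ts.sort()
        start, peak = 0, 0
        for end in range(len(ts)):
            while ts[end] - ts[start] > window:   # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append((src, bssid, peak))
    return alerts


def arp_replay(frames, threshold: int = 20) -> List[Tuple[str, str, int]]:
    """Flag (src, iv, count) when one station's ARP request shows up with the same IV >= threshold times.
    A genuine station picks a new IV per frame; an identical IV repeated many times is a replay."""
    counts = Counter((f.src, f.iv) for f in frames if f.kind == "arp_request")
    return [(src, iv, n) for (src, iv), n in counts.items() if n >= threshold]


if __name__ == "__main__":
    sample = build_sample()
    print("deauth bursts:", deauth_bursts(sample))
    print("ARP replays:  ", arp_replay(sample))
```

The two checks are independent, so a wireless IDS would normally raise them separately: the deauth burst fires as soon as the client is knocked off, while the replay check needs the repeated IV count to cross its threshold. Thresholds are deliberately conservative; tune the window and counts to the traffic of the network being monitored.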
After you get the first ARP request you should see something like the image above. It is just a matter of time until you have enough IVs for a brute-force attack.
Once you get around 50 000 you have a good chance of cracking the network.
However, if you fail, just repeat the process: get more IVs and try again. How many IVs you need depends on how big the key is. There are 64-bit, 128-bit and 152-bit keys; a 152-bit key means more possible key combinations, so we might need more IVs to crack it. So if you fail with 50 000, get more IVs and you will get the key.
As you know, the captured data packets containing IVs are stored in the file I called wepkey, written by airodump-ng. The program writes multiple files to the current working directory in different formats, but the ones we are interested in are the .cap files.
To perform the crack use wepkey*.cap, since it could have written more than one .cap file, for example wepkey-01.cap, wepkey-02.cap…
The attack starts with this command:
#aircrack-ng -b 00:80:5A:28:B5:AB wepkey*.cap
So as you can see it found the WEP key of the network. The key I used for this example was “abcdef1234”, and as you can see in the aircrack-ng output: “KEY FOUND! [AB:CD:EF:12:34]”.
This was the example of how to break a WEP network with an already authenticated client. When no client is connected to the network you want to break, you need a different type of attack; let’s find out how to do it.