WEP Cracking using Auditor’s Security Collection 2006-06
An associate of mine was challenged to crack WEP by one of his collegues recently. Somehow, this collegue was unaware that WEP is flawed and subject to very fast cryptanalysis, and believed that 128-bit WEP keys were unbreakable.
We picked up two Netgear WG511T PCMCIA cards, got the Auditor’s Security Collection as of around June 2006 (I had tried doing this on my own around then, before realizing that my DWL-630 PCMCIA card is on the non-functioning hardware list) and went to work. The first thing we found was that a lot of the documentation on how to do this tends to be specific to software versions, hardware, etc. For example, to perform the deauthentication attack, the guide from Tom’s Hardware uses the void11 tool, which is specific to Prism cards, but the Netgear has a Atheros chipset. Other sites, such as this wiki seemed to use versions of the software tools that had different options from the ones that came from that particular version of the Auditor’s disk, even though it was a useful discussion of the principles involved. There’s also an entertaining video of a fast WEP crack, but they either skip over some steps or were very lucky in an ARP packet capture.
These are my notes on what I did, with the hardware we had on hand, and that particular version of the Security Collection’s tools. As usual, cracking other people’s WEP without permission is illegal; these are notes in a lab/challenge setting.
1. The first thing is to run kismet to survey the area. The items to record on the kismet scan are the target WLAN’s AP’s BSSID/MAC, the channel, and the MAC of an associated client. “h” will give kismet’s help screen, but the relevant keys to push once the target WLAN is selected is “i” for detailed information on the WLAN and “shift-C” for the associated clients.
2. The Atheros cards have to be put in monitor mode:
# iwconfig ath0 mode monitor channel CHANNEL
where CHANNEL is the channel of the target WLAN.
3. We now sniff for IVs:
# airodump ath0 FILENAME MAC_OF_AP
where FILENAME is the destination of the dump, and MAC_OF_AP is the MAC of the access point.
Note that running kismet first will do something with the config of the card. I couldn’t get the airodump command to run without first running kismet, and running the above iwpriv and iwconfig commands.
There may be more than one WLAN displayed. The column to pay attention to is the one counting the IVs that have been captured. We want this number to be at least 100,000 if we’re targetting a 64-bit key, and at least 200,000 for a 128-bit key. This will be incrementing relatively slowly, depending on how busy the WLAN is.
4. Force the generation of IVs. We will attempt to capture ARP packets, as these are associated with IV packets. When we get an ARP packet, we will replay it, which forces extra traffic at the access point, thereby making Step 3 much faster.
# aireplay -n 68 -m 68 -b MAC_OF_AP -d ff:ff:ff:ff:ff:ff ath0
The “-n” and “-m” options specify the packet min and max size, both set at 68 for ARP packets. “-b” is the source, and “-d” is the (null) destination for the ARP request.
This will tick by, with aireplay reporting on how many packets it’s seen. If it sees a packet fitting the specified criteria, it’ll ask you if you want to use this for replay. I got lucky, and an ARP request came by relatively soon. Using that ARP packet allowed me to spin up the IV counter in airodump, so that I had about 200,000 packets in 5 minutes or so.
Of course, it may take a while before an ARP packet comes by. We can force extra ARP traffic by using a second machine to launch a deauthentication attack against an associated client:
# airforge MAC_OF_AP MAC_OF_DEST FILENAME
# aireplay -m 26 -u 0 -v 12 -w 0 -x 10 -r FILENAME ath0
So, the airforge command creates a deauth packet from MAC_OF_AP to the MAC_OF_DEST (the MAC of associated client we saw on the kismet survey) and saves it as FILENAME. The aireplay command then just sends the packet from FILENAME out on the wireless. Note the “-x” option is set to send out 10 packets/second, which is good enough to cause a lot of packet loss on a standard ping to the client machine.
The first machine should see the ARP traffic in its aireplay, and we should be good to go from there.
5. Once enough IVs have accumulated, it’s time to run the cryptanalysis program:
# aircrack -m MAC_OF_AP FILENAME
where FILENAME is the filename of the airodump file. You can run this while airodump is still working and writing to the file. On a 128-bit key with around 250K – 300K IVs, I got a crack in a couple tens of seconds. The key will be in hex form. You can go verify this against the access point’s configuration, seeing as how you’re doing this in a lab and have full control over all the hardware.
December 10th, 2007 at 1:00 pm
gracias, aunque todavia no baja!!