
Analysis, Approach & Attack

By Saurabh Harit

Note: This tut is for learning purposes and to make administrators aware of the weaknesses in WEP. It is
illegal to perform such attacks on a network which is not owned by you. I will not be responsible for
any kind of damage caused by you after reading this tut....sorry guys, I had to write this...

Let's get started....

Introduction:

The target access point is configured to connect securely with its legitimate clients using a 64- or
128-bit WEP encryption key. In a field scenario, once an attacker gains access to this WEP key, he/she
can authenticate with the access point. This opens the door to many other wireless attacks, some of
which are as follows:

1) Physical Layer Attacks or Jamming
2) Spoofed Disassociation and De-authentication Frame Floods
3) Spoofed Malformed Authentication Frame Attack
4) Filling Up the Access Point Association and Authentication Buffers
5) Frame Deletion Attack
6) DoS Attacks Based on Specific Wireless Network Settings
7) Attacks Against 802.11i Implementations

Approach

Hardware Requirements:

Here is a list of the required hardware:

1) Wireless Access Point: this will be the target access point.
2) Two laptops: Machine1 and Machine2. Machine1 is the attacker's machine and Machine2 is a
legitimate user who can connect to the access point using the WEP network key. Machine1 has no
knowledge of the WEP network key of the access point.
3) A wireless network card. We used Netgear's WPN 511 PCMCIA card for Machine1. This card comes
with an Atheros chipset and has packet injection capabilities. Machine2 has an inbuilt wireless network
card.

Software Requirements:

Here is a list of the required software:

1) Airodump-ng
2) Aireplay-ng
3) Aircrack-ng

Airodump-ng is used to sniff the wireless traffic. It will help us locate our access point and the client
connected to it. It will also show details such as the operating channel, data rate, beacons, encryption
type etc.

Aireplay-ng is used to replay data packets to access points and clients. This technique is used to
increase the data transfer rate between the access point and the client in order to generate more IVs.
More than 20,000 IVs are required to break a 64-bit WEP key and more than 70,000 IVs are
required to break a 128-bit WEP key. Without this technique, the attack becomes very slow.

Aircrack-ng is used to crack the WEP key once we have sufficient IVs.
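The IV counts quoted above are what the statistical key-recovery in aircrack-ng needs; independent of that, the arithmetic below shows why a defender should treat WEP's 24-bit IV as broken by design. This is an added example and is not part of the original tutorial or of the aircrack-ng suite; it assumes nothing beyond the 24-bit IV size defined by WEP and treats the packet rate as a constructed input.

```python
"""Size of the WEP IV space and how quickly it is reused.

Added illustration, not code from the tutorial. WEP prepends a 24-bit IV to the
secret key for every frame; once an IV repeats under the same key the RC4
keystream repeats, which is the root of the weakness exploited by the attack
described on this page.
"""
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS  # 16,777,216 distinct IVs per key


def expected_iv_collisions(n_frames, iv_space=IV_SPACE):
    """Expected number of frame pairs sharing an IV after n_frames frames,
    assuming IVs are chosen uniformly at random (some drivers did this)."""
    return n_frames * (n_frames - 1) / (2 * iv_space)


def prob_any_iv_reuse(n_frames, iv_space=IV_SPACE):
    """Birthday-bound probability that at least two of n_frames frames share an IV.
    Computed exactly as 1 - prod(1 - i/N) using logs for numerical stability."""
    if n_frames > iv_space:
        return 1.0
    log_no_collision = 0.0
    for i in range(n_frames):
        log_no_collision += math.log1p(-i / iv_space)
    return 1.0 - math.exp(log_no_collision)


def hours_until_sequential_wrap(frames_per_second, iv_space=IV_SPACE):
    """For drivers that use IVs sequentially, the counter wraps (and every IV
    repeats) after iv_space frames; return how many hours that takes at a
    constructed traffic rate."""
    return iv_space / frames_per_second / 3600.0


if __name__ == "__main__":
    for n in (5_000, 20_000, 70_000):
        print(f"{n:>6} frames: expected IV collisions {expected_iv_collisions(n):8.1f}, "
              f"P(any reuse) {prob_any_iv_reuse(n):.3f}")
    # constructed rate: a moderately busy AP pushing 500 frames/s
    print(f"sequential IVs wrap after {hours_until_sequential_wrap(500):.1f} hours at 500 frames/s")
```

With random IVs there is better than even odds of a repeated IV after only about 5,000 frames, and with sequential IVs a busy network cycles through the entire space in well under a day; either way a key that never changes is exposed to keystream reuse long before the counts in the tutorial are reached.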

First of all, we need to configure the access point and the client. Once the configuration is done we can
leave them and go back to the attack machine to break the WEP key implemented by the access point.

The first step is to configure a wireless network between the access point and the client laptop, i.e.
Machine2. This network will be secured with the WEP key that we need to crack. Assign an SSID to your
access point. Configure a 64- or 128-bit key.

Information gathering:

We would require the following information to perform the attack:

1) MAC address of the access point.
2) SSID of the access point.
3) Wireless channel of the access point.
4) MAC address of the client associated with the access point.

Setup Machine1 (Attack machine):

Insert the PCMCIA wireless network card and boot the machine. Check the configuration using the
following command:

iwconfig

By default, as in my case, you will see only one interface, i.e. ath0. You will have to create a new wifi
interface and put it into monitor mode. Use the following command:

wlanconfig ath1 create wlandev wifi0 wlanmode monitor

This will give you your wireless interface with name ath1 which will operate in monitor mode.

ifconfig ath1 up

This will start the wireless network card.

If you want to use the existing interface, i.e. ath0, use the following command to put it into monitor
mode (the mode is set with iwconfig; ifconfig has no mode option):

iwconfig ath0 mode Monitor

This command will put the card into Monitor mode. This is important for passive listening and packet
injection (and your wireless network card must have packet injection capabilities).

Use the following command to verify that your card is ready to sniff the wireless traffic:

iwlist ath1 scan

Attack

The following text describes the real attack which I performed on the setup to crack the WEP encryption key.

Start airodump by typing the following command at your bash prompt:

airodump-ng --write data --ivs --band abg ath1

The above command will start airodump and it will begin sniffing wireless traffic. The different
parameters are detailed below:

--write will write the data out to a file named "data". Every time you specify the same output file
name, such as "data", airodump-ng will append "-##" to the file name, giving data-01.ivs, data-02.ivs, etc.
--ivs will capture only the initialization vectors
--band will search the a, b and g bands

Your screen will be divided into two parts. The upper half will display the access points and the lower
half will display the clients. Find your access point in the upper half of the screen and note down its
MAC address (BSSID), ESSID and the channel on which it is operating. We will need this
information. Our aim is to collect as many IVs as possible. Every time data is exchanged between the
access point and the associated client, each data packet will contain an IV. These IVs will then be fed
to aircrack in order to crack the WEP key.

You will notice that tons of numbers (beacons) are flying by, but the data count is not updating
very quickly. This is because airodump is searching all the channels. From the upper half of the screen
we can find out the channel on which our access point is operating. In my case, it was 11. Abort
airodump and re-run it to sniff on that specific channel. Use the following command:

airodump-ng --channel 11 --write data --ivs --band abg ath1

Airodump will now run at a much faster rate and update the data constantly. You will see a
number rising very quickly; this is generally the beacons. Beacons basically say "hey, I'm an
access point" about 10 times a second. You can judge the quality of your connection by how
frequently the beacon count rises. Other than this, they are useless for our purposes. For this type of attack
it is important that a client is connected to the access point. So connect Machine2 to the
access point wirelessly using the WEP encryption key. In airodump, you should see a client pop up at the
bottom; the first MAC is the access point and the second is the client associated with it. Write
down the MAC address of the client.

Open a new bash prompt and type the following command:

aireplay-ng -2 -b APmac -d ff:ff:ff:ff:ff:ff -m 68 -n 68 -p 0841 -h CLmac ath1

where APmac is the MAC address of the access point and CLmac is the MAC address of the client, i.e.
Machine2 in our case. The -d parameter sets the broadcast destination for the data. Aireplay will now start sniffing
for a certain type of packet, with a length of exactly 68 bytes, between the client and the
access point. It will display "Read ### packets". At this point, if there is significant data transfer
between the client and the access point, it will pull the right packet and prompt you to use it. In this
case, hit Y to use the packet and skip the next step. If, however, it keeps reading packets for a while
(more than a couple of minutes) and does not pop up saying "Use this packet?", then open a new bash
prompt and type the following command:

aireplay-ng -0 15 -a APmac -c CLmac ath1

The above command will send out 15 de-authentication packets to the client, spoofing the identity of the
access point. The client will think that the packets are coming from the legitimate access point,
disconnect itself from the wireless network, and try to re-connect after a while. It is this
re-connection packet that we are trying to sniff.

Note: The normal data exchange rate between the access point and the client is not very fast.
Collecting enough IVs at this rate to crack the WEP key would consume a lot of time, so we need to speed
up the process. This is done by sending data packets to the access point at a faster rate. If the packet is
valid and the access point thinks that the packet is coming from the legitimate client, it will send back
a reply which will also contain an IV. We get a valid packet when the client tries to re-connect to
the access point. Aireplay then uses this packet to flood the access point, spoofing the identity of the
legitimate client.

Go back to the first instance of aireplay and you should see something at the bottom of the screen saying
"Use this packet". Hit 'y' and aireplay will flood the access point with this packet. Switch back to
airodump and you should see the data rate going up significantly.

If aireplay has picked up any more packets, it will prompt you again to ask if you want to use them. Try
more packets. Also, you may need to get closer to your access point or try the aireplay-ng -0 method
again. Experiment with it. Once you've got the data rate going up quickly, start aircrack-ng to crack
the WEP key. Type in the following command:

aircrack-ng -f 2 -a 1 -b APmac -n 64 data-01.ivs

The -n parameter can be 64 or 128 depending on the length of the WEP key you have set on the access point.
Aircrack will scan the collected IVs and analyze them. After a while of analysis, it will spit out
the WEP encryption key.

Boom....The WEP encryption key has been successfully cracked...
