When Wi-Fi was first developed and popularized in the late '90s, security was not a major concern. Unlike wired connections, anyone could simply connect to a Wi-Fi access point (AP) and steal bandwidth, or worse—sniff the traffic.
The first attempt at securing these access points was termed Wired Equivalent Privacy, or simply WEP. This encryption method has been around for quite a while and a number of weaknesses have been discovered. It has been largely replaced by WPA and WPA2.
Despite these known weaknesses, there are still a significant number of these legacy APs in use. I was recently (July 2013) working at a major U.S. Department of Defense contractor in Northern Virginia, and in that building, probably a quarter of the wireless APs were still using WEP!
Apparently, a number of home users and small businesses bought their APs years ago, have never upgraded, and don't realize or don't care about their lack of security.
The flaws in WEP make it susceptible to various statistical cracking techniques. WEP uses RC4 for encryption, and RC4 requires that the initialization vectors (IVs) be random. The implementation of RC4 in WEP repeats that IV about every 6,000 frames. If we can capture enough of the IVs, we can decipher the key!
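The IV weakness described above can be shown in a few lines. This is an added example, not code from the original article: it builds WEP-style frames (RC4 keyed with IV || key, CRC-32 as the integrity value) and shows that two frames sharing an IV leak the XOR of their plaintexts, then estimates how quickly a 24-bit IV repeats. The key, IV and plaintexts are constructed sample values, and the collision estimate assumes IVs are picked at random.

```python
import math
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for the given key."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):                        # keystream generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP-style body: RC4(IV || key) over plaintext || CRC-32 ICV."""
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return xor(body, rc4(iv + key, len(body)))

def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday estimate that some IV repeats among `frames` random IVs."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * 2 ** iv_bits))

# Constructed sample values, not taken from the article.
KEY = bytes.fromhex("0102030405")   # 40-bit WEP key
IV = bytes.fromhex("a1b2c3")        # 24-bit IV, transmitted in the clear
P1 = b"GET /index.html "
P2 = b"POST /login.php "

def reuse_leak() -> bool:
    """Same IV and key: C1 xor C2 equals P1 xor P2, no key required."""
    c1 = wep_encrypt(IV, KEY, P1)
    c2 = wep_encrypt(IV, KEY, P2)
    return xor(c1, c2)[:len(P1)] == xor(P1, P2)

if __name__ == "__main__":
    print("keystream cancels on IV reuse:", reuse_leak())
    print("P(IV repeat) after 6000 frames: %.2f" % iv_collision_probability(6000))
```

Because the IV space is only 24 bits, no key length fixes this; the remedy is replacing WEP with WPA2 or later.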
Now, you might be asking yourself, "Why would I want to hack Wi-Fi when I have my own Wi-Fi router and access?" The answer is multi-fold.
First, if you hack someone else's Wi-Fi router, you can navigate around the web anonymously, or more precisely, with someone else's IP address. Second, once you hack the Wi-Fi router, you can decrypt their traffic and use a sniffing tool like Wireshark or tcpdump to capture and spy on all of their traffic. Third, if you use torrents to download large files, you can use someone else's bandwidth, rather than your own.
Let's take a look at cracking WEP with the best wireless hacking tool available, aircrack-ng! Hacking wireless is one of my personal favorites!
Step 1: Open Aircrack-Ng in BackTrack
Let's start by firing up BackTrack and making certain that our wireless adapter is recognized and operational.
- iwconfig
Let's note that our wireless adapter is recognized by BackTrack and is renamed wlan0. Yours may be wlan1 or wlan2.
Step 2: Put the Wireless Adapter into Monitor Mode
Next, we need to put the wireless adapter into monitor or promiscuous mode. We can do that by typing:
- airmon-ng start wlan0
Note that the interface's name has been changed to mon0 by airmon-ng.
Step 3: Start Capturing Traffic
We now need to start capturing traffic. We do this by using the airodump-ng command with the monitoring interface, mon0.
- airodump-ng mon0
As we can see, we are now able to see all the APs and clients within our range!
Step 4: Start a Specific Capture on the AP
As you can see from the screenshot above, there are several APs with WEP encryption. Let's target the second one from the top with the ESSID of "wonderhowto." Let's copy the BSSID from this AP and begin a capture on that AP.
- airodump-ng --bssid 00:09:5B:6F:64:1E -c 11 -w WEPcrack mon0
This will start capturing packets from the SSID "wonderhowto" on channel 11 and write them to file WEPcrack in the pcap format. This command alone will now allow us to capture packets in order to crack the WEP key, if we are VERY patient.
But we're not patient, we want it now! We want to crack this key ASAP, and to do that, we will need to inject packets into the AP.
We now need to wait for someone to connect to the AP so that we can get the MAC address from their network card. When we have their MAC address, we can spoof their MAC and inject packets into their AP. As we can see at the bottom of the screenshot, someone has connected to the "wonderhowto" AP. Now we can hasten our attack!
Step 5: Inject ARP Traffic
To spoof their MAC and inject packets, we can use the aireplay-ng command. We need the BSSID of the AP and the MAC address of the client who connected to the AP. We will be capturing an ARP packet and then replaying that ARP thousands of times in order to generate the IVs that we need to crack WEP.
- aireplay-ng -3 -b 00:09:5B:6F:64:1E -h 44:60:57:c8:58:A0 mon0
Now when we inject the ARPs into the AP, we will capture the IVs that are generated in our airodump file WEPcrack.
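From the network owner's side, the ARP replay in this step is noisy: one station suddenly sends hundreds of identically sized frames per second to the AP. The following is an added example, not part of the original article, of a sliding-window check over frame metadata from a wireless sensor. The record layout, MAC addresses, thresholds and the ARP frame sizes are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Assumed values for illustration; tune against a baseline of normal traffic.
WINDOW_S = 1.0           # sliding window length in seconds
MAX_ARP_RATE = 50        # ARP-sized frames allowed per window per station
ARP_LENGTHS = {68, 86}   # assumed on-air sizes of WEP-encrypted ARP frames

def detect_arp_replay(frames):
    """frames: (timestamp, bssid, src_mac, length) tuples sorted by time.
    Returns the sorted (bssid, src_mac) pairs that exceed the rate limit."""
    windows = defaultdict(deque)
    flagged = set()
    for ts, bssid, src, length in frames:
        if length not in ARP_LENGTHS:
            continue                          # only ARP-sized frames count
        q = windows[(bssid, src)]
        q.append(ts)
        while q and ts - q[0] > WINDOW_S:     # drop entries older than window
            q.popleft()
        if len(q) > MAX_ARP_RATE:
            flagged.add((bssid, src))
    return sorted(flagged)

# Constructed sample traffic (locally administered MAC addresses).
AP = "02:00:00:00:00:01"
# Ordinary client: mostly data frames, an occasional ARP.
normal = [(i * 0.5, AP, "02:00:00:00:00:10", 68 if i % 20 == 0 else 1400)
          for i in range(40)]
# Replay burst: 500 ARP-sized frames per second for four seconds.
replay = [(5.0 + i * 0.002, AP, "02:00:00:00:00:20", 68)
          for i in range(2000)]
SAMPLE = sorted(normal + replay)

if __name__ == "__main__":
    for bssid, src in detect_arp_replay(SAMPLE):
        print("possible ARP replay against %s using source %s" % (bssid, src))
```

Since the injected frames carry a spoofed client MAC, an alert identifies the AP under attack rather than the attacker; the durable fix is retiring WEP on that AP.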
Step 6: Crack the Password
Once we have several thousand IVs in our WEPcrack file, all we need to do is run that file against aircrack-ng, such as this:
- aircrack-ng WEPcrack-01.cap
If we have enough IVs, aircrack-ng will display the key on our screen, usually in hexadecimal format. Simply take that hex key and apply it when logging into the remote AP and you have free wireless!
Stay Tuned for More Wireless Hacking Guides
Keep coming back for more on Wi-Fi hacking and other hacking techniques