Sunday, June 7, 2015

HACK - Wireless Hacking - WEP

Background - Intro to Hacking

In the Fall semester of my sophomore year at Bloomsburg University, I took a highly anticipated class that was being offered for the first time. This class was Intro to Hacking, taught by Dr. Polstra. We looked at many aspects of hacking, such as debugging assembly and scanning for vulnerable services. One of the most exciting parts of the class was the wireless password cracking. Luckily, I took notes during class and I would like to share them with you. This is how you go about hacking wireless networks with WEP security.

  • Kali Linux
    • Includes the Air-ng Suite
  • Wireless Adapter
  • A router to hack
  • A client already on the network
  • Permission to crack, it is otherwise illegal

1.) Set up a monitor interface.

With Kali Linux booted up, make sure you have a wireless interface to work with.
# iwconfig
 A very popular wireless interface name is wlan0.
airmon-ng start [WIRELESSINTERFACE]
Make sure to KILL any recommended processes.
# kill [PID1] [PID2] [PID3]

2.) Start monitoring traffic.

# airodump-ng
The top part shows all Access Points.
The bottom part shows all clients.

BSSID - the Access Point's MAC Address
PWR - the signal strength
Becaons - the packets that the router sends out to alert its presence
CH - The channel that information is being broadcast on
AUTH - Either MGT for Managed or PSK for Pre-Shared Key
ESSID - the Access Point's network name
STATION - the client's MAC Address
Probe - The list of ESSIDs that the client is looking to connect with

We are looking for anything that has PSK Authentication or is WEP Encrypted.
Once we find the access point we are looking for, we must make sure there is a client. Otherwise, we will not be able to capture a handshake, which is essential to cracking a network password.

I have not yet learned how to crack MGT Authentication.

Now that we have located an Access Point to crack, we need to start recording any packets that have anything to do with it.

3.) Recording the traffic.

# airodump-ng --bssid [BSSID] -c [CHANNEL] -w [FILENAME] mon0
This will start writing recorded packets to a .cap file. Similarly, you will see your specified access point on the top, and any of its clients on the bottom. Let this run in the background as we continue to work with other utilities.

At this point, we must split into two categories. Your targeted network either has a WEP encryption, or a WPA/WPA2 encryption.

4.) Generating more traffic.

We can easily start cracking WEP, but chances are they aren't generating enough packets. For general purpose, let's consider each packet as what is known as an IV. We need a recommend minimum of 15k IVs. I usually end up cracking a WEP password at around 40k IVs. To get all of these IVs, we need to generate them ourselves.
# aireplay-ng -3 -a [BSSID] -h [CLIENTMAC] mon0
-3 is an arpreplay

This injects ARP requests disguised as the client, which generates the packets we need. Leave this running as well, and open an new terminal.

5.) Cracking the password.

We will be using one more tool in an effort to crack the password using the IVs we captured.
# aircrack-ng --bssid [BSSID] 
It will keep trying as airodump-ng gets more IVs, which were generated from aireplay-ng.

Eventually, you will be left with a result that looks like this:
     KEY FOUND! [ 97:92:1F:E7:7A ]
This is normal. To log onto the network, just type in the code without the colons. For example, the above code becomes: 97921FE77A


While WEP security is rarely seen, it's a good idea to understand why. Given enough packets and only one client, a WEP key can be easily obtained. I do not take any responsibility for actions and damage that is caused by the misuse of this tutorial. I only distribute it for those who wish to learn from it. Use it at your own risk. 

For a more applicable hack, please read my other blog post on WPA/WPA hacking.

Thanks for reading!

No comments:

Post a Comment