28 January 2014

Cracking WEP encryption using BackTrack

1. Some background info
WEP stands for Wired Equivalent Privacy and is a security algorithm for protecting wireless networks. The algorithm has been proven flawed and easy to break, which is why in 2003 it was superseded by WPA (WiFi Protected Access).

2. The task
In the following post I will show you how to crack a WEP encrypted access point and get the key using BackTrack.

3. Requirements
- a laptop/PC with a wireless card that supports packet injection. Check on the Internet if your wireless card model supports this function;
- BackTrack 5, either as a live CD, live USB or installed on your computer. You can get the latest BackTrack image here;
- a wireless access point configured to use WEP encryption;
- a client for the wireless network (another laptop/mobile phone/etc.).

4. Let's begin
Open a terminal window.
First things first, we need to enable monitor mode for our wireless card. While it is not mandatory, I prefer to work this way. Read more about it here.

airmon-ng start wlan0

Now that our wireless card is properly set up, let's find our network. The following command will enumerate the wireless access points and clients in range and also provide us with useful information:

airodump-ng mon0

The output is something like this:
CH  3 ][ Elapsed: 12 s ][ 2014-01-27 16:29                                      
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID            
 80:1F:02:4B:F9:5C  -33        7        0    0  11  54   WEP  WEP         Edimax AP        
 10:BF:48:92:A2:80  -84       11        1    0   1  54e  WPA2 CCMP   PSK  ASUS              
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                  
 80:1F:02:4B:F9:5C  D8:50:E6:20:D1:07  -84    0 -11     41      113  

The above output shows that there are two access points in range: Edimax AP, our target, with WEP encryption, and ASUS, a WPA2 encrypted access point.
We can also see that a wireless client with MAC address D8:50:E6:20:D1:07 is connected to our target (MAC 80:1F:02:4B:F9:5C).
This is good, as it is usually faster to get the encryption key when there are clients connected.

Now that we know our target we need to perform a fake authentication with it. This will allow us to communicate with our target. The following command does just that:

aireplay-ng -1 0 -a 80:1F:02:4B:F9:5C -h 84:4b:f5:6a:6b:83 -e "Edimax AP" mon0

The output should read "Association was successful :)" on the last line. If it doesn't, you need to experiment with aireplay-ng's various options; what works depends on the access point you are attacking.

Now that we are authenticated and associated with our target, it is time to begin the actual attack. Aireplay-ng offers many options and attack vectors against access points and clients alike. For the full list of options just type aireplay-ng in the terminal and hit enter. So far we have used the fake authentication to open a communication channel with the target.
We will now use attack 3, the standard ARP-request replay. What we'll do is capture the communication between the access point and its clients, which we'll then use to get the key.
So, let's capture:

aireplay-ng -3 -b 80:1F:02:4B:F9:5C -h 84:4b:f5:6a:6b:83 mon0

We are now capturing data. If you look at the output you will see a line which says "Captured packets saved to arp_replay_[some number].cap". That's the file we're going to work with.
You will also see in the output that we are advised to start airodump-ng to capture packets as well. So, let's leave this running, open another terminal window and run airodump-ng:

airodump-ng -c 11 -w capture --bssid 80:1F:02:4B:F9:5C mon0

This will capture packets into a capture-01.cap file (airodump-ng appends a sequence number to the prefix given with -w). We need to leave this running for a while. How long depends on how much traffic there is through the access point. Let's wait five minutes for a start. Now, for the final step, we'll use aircrack-ng to recover the key from the captured packets:

aircrack-ng -b 80:1F:02:4B:F9:5C replay-arp-[some number].cap capture-01.cap

Now aircrack-ng will attempt to get the key from our capture files. Let's look at the output. What we're interested in is the first line, "Tested keys XXXXXXXX [some number IVs]". For cracking to be successful we need as many IVs as possible: the more packets we capture, the more IVs we'll have and the higher the chances of a successful crack.
If aircrack-ng reports that it failed, wait some more, then run the above command again.
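Why the number of IVs matters, and why WEP was retired rather than patched, as an added illustration that is not part of the original post: WEP keys RC4 with a per-packet key made of a 24-bit IV followed by the shared secret, and sends the IV in the clear in front of every frame. Two frames that reuse an IV are encrypted with the same keystream, so XORing the two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts, key or no key; and with only 2^24 IVs a busy network repeats one after a few thousand frames. The RC4 routine, the simplified wep_encrypt helper (it omits the CRC-32 ICV that real WEP appends), the demo key and the function names are all constructed for this example.

```python
import math
import random


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling followed by the PRGA), returning `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


IV_BITS = 24  # WEP's IV is 3 bytes and travels in the clear in front of each frame


def wep_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Simplified WEP framing (no CRC-32 ICV): RC4 keyed with IV || root key, IV prepended."""
    if len(iv) != IV_BITS // 8:
        raise ValueError("WEP IV must be 3 bytes")
    keystream = rc4_keystream(iv + root_key, len(plaintext))
    return iv + bytes(p ^ k for p, k in zip(plaintext, keystream))


def xor_of_plaintexts(frame_a: bytes, frame_b: bytes) -> bytes:
    """For two frames that share an IV, c_a XOR c_b equals p_a XOR p_b: the key drops out."""
    if frame_a[:3] != frame_b[:3]:
        raise ValueError("frames use different IVs, so their keystreams differ")
    return bytes(a ^ b for a, b in zip(frame_a[3:], frame_b[3:]))


def expected_frames_until_iv_repeat(iv_bits: int = IV_BITS) -> float:
    """Birthday bound: roughly sqrt(pi/2 * 2^bits) random IVs before the first repeat."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def simulate_frames_until_iv_repeat(seed: int = 0, iv_bits: int = IV_BITS) -> int:
    """Draw random IVs until one repeats and report how many frames that took."""
    rng = random.Random(seed)
    seen = set()
    count = 0
    while True:
        count += 1
        iv = rng.getrandbits(iv_bits)
        if iv in seen:
            return count
        seen.add(iv)


if __name__ == "__main__":
    key = b"constructed13"                    # 13-byte (WEP-104) demo key, constructed
    iv = bytes.fromhex("0a0b0c")
    p1, p2 = b"GET /index.html", b"GET /login.php "
    frame_1 = wep_encrypt(key, iv, p1)
    frame_2 = wep_encrypt(key, iv, p2)       # same IV reused: same keystream
    print("ciphertext XOR:", xor_of_plaintexts(frame_1, frame_2).hex())
    print("plaintext  XOR:", bytes(a ^ b for a, b in zip(p1, p2)).hex())
    print("expected frames until an IV repeats: %.0f" % expected_frames_until_iv_repeat())
    print("simulated frames until an IV repeats:", simulate_frames_until_iv_repeat())
```

The two XOR lines printed are identical, which is the whole problem: the secret never enters that relationship. That is also why a longer WEP key does not help and why the only fix is to move the network off WEP.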

At some point aircrack-ng will output "!!!!KEY FOUND: ThisIsAWEPKey", or "KEY FOUND" followed by a hex number. Both forms are equally valid. Congratulations, you have just cracked the key.

5. Alternatives
As said before, aireplay-ng is very versatile. Using attack 6 (the Caffe-Latte attack) you can target a client instead of the access point. The best part is that you can direct such an attack at a client even if it is not connected to the access point. Windows clients (and not only Windows; I found Android does the same) send packets in an attempt to connect to the access points they have saved in their preferred list. These are the packets Caffe-Latte captures for aircrack-ng to do its job.
BackTrack also provides other applications for cracking WEP. The most notable is Gerix (Exploitation Tools->Wireless Exploitation Tools->WLAN Exploitation->Gerix-wifi-cracker-ng) which offers an intuitive GUI and point-and-click navigation. Play around and experiment.

6. How to defend
The best way to defend against such an attack is not to use WEP at all. Use WPA with a proper key (upper and lower case characters, numbers and symbols) if you want real security.
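A small inventory check to go with this advice, added here as an example and not taken from the original post: it parses the on-screen table airodump-ng prints (the sample below is constructed to mirror the output earlier in the post, with one invented open network and one unassociated client added) and lists every access point still running WEP or no encryption, together with the clients seen on it. The function names parse_airodump and weak_networks are my own.

```python
import re

# Constructed sample in the layout airodump-ng prints on screen. The first two
# access points mirror the post; the third AP and the last client are invented.
SAMPLE = """\
 CH  3 ][ Elapsed: 12 s ][ 2014-01-27 16:29
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 80:1F:02:4B:F9:5C  -33        7        0    0  11  54   WEP  WEP         Edimax AP
 10:BF:48:92:A2:80  -84       11        1    0   1  54e  WPA2 CCMP   PSK  ASUS
 00:11:22:33:44:55  -70       20        0    0   6  54   OPN              Guest WiFi
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe
 80:1F:02:4B:F9:5C  D8:50:E6:20:D1:07  -84    0 -11     41      113
 (not associated)   AA:BB:CC:DD:EE:FF  -90    0 - 1      0        5  Edimax AP
"""

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
# Access-point rows: one MAC followed by the numeric PWR/Beacons/#Data/#/s/CH columns.
AP_ROW = re.compile(
    rf"^\s*(?P<bssid>{MAC})\s+(?P<pwr>-?\d+)\s+(?P<beacons>\d+)\s+(?P<data>\d+)\s+"
    rf"(?P<rate>\d+)\s+(?P<ch>\d+)\s+(?P<mb>\S+)\s+(?P<enc>\S+)\s*(?P<rest>.*)$"
)
# Station rows: the AP's MAC followed by the client's MAC ("(not associated)" rows are skipped).
STA_ROW = re.compile(rf"^\s*(?P<bssid>{MAC})\s+(?P<station>{MAC})\b")
AUTH_VALUES = ("PSK", "MGT", "SKA", "OPN")   # values airodump-ng prints in the AUTH column


def _split_rest(enc: str, rest: str):
    """Split the trailing 'CIPHER AUTH ESSID' text; CIPHER and AUTH are blank for open APs."""
    rest = rest.strip()
    if enc == "OPN" or not rest:
        return "", "", rest
    m = re.match(r"(\S+)\s*(?:(%s)\s+)?(.*)$" % "|".join(AUTH_VALUES), rest)
    return m.group(1), m.group(2) or "", m.group(3).strip()


def parse_airodump(text: str):
    """Parse airodump-ng screen output into {bssid: ap_info} and {bssid: [client MACs]}."""
    aps, clients = {}, {}
    for line in text.splitlines():
        m = AP_ROW.match(line)
        if m:
            cipher, auth, essid = _split_rest(m["enc"], m["rest"])
            bssid = m["bssid"].upper()
            aps[bssid] = {"bssid": bssid, "channel": int(m["ch"]), "enc": m["enc"],
                          "cipher": cipher, "auth": auth, "essid": essid}
            continue
        m = STA_ROW.match(line)
        if m:
            clients.setdefault(m["bssid"].upper(), []).append(m["station"].upper())
    return aps, clients


WEAK = {
    "WEP": "WEP: the key can be recovered from captured traffic, move this AP to WPA",
    "OPN": "open network: traffic is not encrypted at all",
}


def weak_networks(text: str):
    """Return the access points an administrator should fix first, with the clients on them."""
    aps, clients = parse_airodump(text)
    return [dict(ap, reason=WEAK[ap["enc"]], clients=clients.get(bssid, []))
            for bssid, ap in aps.items() if ap["enc"] in WEAK]


if __name__ == "__main__":
    for finding in weak_networks(SAMPLE):
        print(f"{finding['bssid']}  ch {finding['channel']:>2}  {finding['essid']!r}: "
              f"{finding['reason']}")
        for client in finding["clients"]:
            print(f"    client {client} is exposed on this network")
```

Run it against a saved airodump-ng screen (for example the output of a periodic scan of your own premises) and the report becomes a to-do list; the clients listed under a WEP access point are the devices that need reconfiguring once the access point is switched to WPA.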

7. What's next?
While WPA is much more secure, it is still not impossible to break. The next post will cover cracking a WPA pre-shared key using a brute-force dictionary attack.
