Playing with other people's Wi-Fi, part 1: The good old “WEP”

Many of us own a Wi-Fi network at home. It is great, convenient and no cables! When this technology first came into existence there were several competitors as well (remember DECT? [wikipedia.org]). One of the key goals for the Wi-Fi developers was to drive the cost of equipment down, and in doing so they inevitably created two problems. Let me quickly talk about some basic issues in Wi-Fi and then we will move to the practical cracking of WEP encryption. I intend this article to be the first in a series, and I will mostly focus on end-user practicalities, only linking to the most interesting theory articles.

Ok, so back to the problems Wi-Fi inherited. The first is that, to make the equipment as cheap as possible, the standard nearly ignored the case of two Wi-Fi networks operating on the same channel. You might remember that Wi-Fi takes Ethernet’s “Carrier sense multiple access with collision detection” (CSMA/CD) and extends it to “Carrier sense multiple access with collision avoidance” (CSMA/CA). The extension introduced some great new messages like CTS (Clear to send) and RTS (Request to send). These control messages basically give control of access to the channel to the access point. The access point now manages all its clients to avoid collisions, but two independent access points pretty much do not care about each other, and we are back to the old CSMA/CD system with back-off timers and retransmissions after collisions.

The second drawback is that, in order to win the Wi-Fi standard race, the creators designed the initial security protection, called “Wired Equivalent Privacy” (or WEP [wikipedia.org]), in a rush and without any public testing. The 802.11 wireless standard won the race, but soon afterwards the WEP flaws were identified and it proved very easy to penetrate.

It is actually easy to explain why it is so vulnerable. The main point is that the encryption algorithm behind it is a stream cipher that starts with a combination of your “password” and a random 24-bit initialization vector (IV). Originally the WEP standard gave users a 40-bit password option and later also a 104-bit password option (always add the IV to get the 64-bit or 128-bit encryption key). This key then always encrypts the traffic, while the continuously changing IV should provide protection against replay attacks. Technically, RC4 produces a continuous stream of key bits, and these bits are combined with the XOR function with each bit of the underlying data.

WEP encryption with RC4 generating keystream for XOR function [wikipedia.org]

But the main security failure of this mechanism is that the initialization vector is “only 24 bits” long and cannot protect the key in a busy network. For example, it is estimated that the IV loops every 5000 packets. In 2001 Fluhrer, Mantin and Shamir published a passive attack: you only capture packets from the air and then perform the attack on them to recover the key very easily. In summary, all you have to do to crack the code is capture a very large number of packets to get a large number of IVs and then start cracking the WEP key. Depending on the activity of the target network, you can have the key in a few hours.
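The construction described above, as an added example that is not part of the original post: it seeds RC4 with IV || key, appends the CRC-32 integrity value, and shows that two frames sent under the same IV share a keystream, so their XOR exposes the XOR of the plaintexts without the key. The key “apple” is the article's test key; the IV and payloads are constructed, and the repeat estimate assumes IVs are chosen at random.

```python
import math
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, data: bytes) -> bytes:
    """Clear 3-byte IV, then RC4(IV || key) XOR (data || CRC-32 ICV)."""
    body = data + zlib.crc32(data).to_bytes(4, "little")
    return iv + xor(body, rc4(iv + key, len(body)))

def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + key, len(ct)))
    if zlib.crc32(body[:-4]).to_bytes(4, "little") != body[-4:]:
        raise ValueError("ICV mismatch")
    return body[:-4]

def packets_until_iv_repeat(iv_bits: int = 24, p: float = 0.5) -> int:
    """Birthday estimate: frames with random IVs until a repeat has probability p."""
    return math.ceil(math.sqrt(2 * 2 ** iv_bits * math.log(1 / (1 - p))))

def reused_iv_leak(key: bytes, iv: bytes, known: bytes, secret: bytes) -> bytes:
    """Same IV means same keystream, so c1 XOR c2 == p1 XOR p2 without the key."""
    c1 = wep_encrypt(iv, key, known)[3:]
    c2 = wep_encrypt(iv, key, secret)[3:]
    return xor(xor(c1, c2), known)[:len(secret)]   # needs len(known) >= len(secret)

if __name__ == "__main__":
    key, iv = b"apple", bytes.fromhex("0a1b2c")    # article's test key; constructed IV
    known = b"constructed known payload, e.g. a fixed header"
    secret = b"constructed private payload"
    print(reused_iv_leak(key, iv, known, secret))
    print(packets_until_iv_repeat())
```

With random 24-bit IVs the birthday estimate lands close to the “every 5000 packets” figure quoted above.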

Furthermore, in 2007 the attack was significantly improved by a method called “ARP injection”. From this point it was no longer a passive attack, and thanks to that the attack time shortened to a few minutes. The idea is simple: it is possible to recognize ARP (Address Resolution Protocol) packets in the encrypted network without knowing the encryption key, then spoof a deauthentication of the originating client and re-send the captured ARP packet back to the network. Every re-sent ARP enables you to capture an additional IV by listening for the ARP reply. This is possible because the ARP packet structure is very static in nature and the ARP reply you get is always the same, only encrypted with a different IV. If you remember mathematics from school: when you get many ARP replies you can essentially construct an equation in which both the plain text and the password are static variables and only the IV varies. This helps the cracking process by several orders of magnitude.

Practical example: how to crack WEP

First, let's look at what we need for this task. For moral and legal reasons, please get your own access point and configure it with WEP encryption. Then we need two PCs (it is technically possible with one PC and two Wi-Fi cards, but two PCs are better). One PC will act as a client (so that it generates traffic) and the other PC will simulate the attacker.

Regarding my personal hardware, I have used a TP-Link 722n wireless card, with a great external antenna adapter and good support from the hacking tools. As a target I used my TP-Link 741ND Wi-Fi router. As a test client I have used my iPhone.

For the software you can go in two directions. I personally have a dual-boot with BackTrack Linux. This is an Ubuntu-based distribution designed for penetration testing that comes with a selection of the best security auditing and penetration testing tools, as well as already modified drivers to support advanced attacks like ARP injection (which a normal user does not need). You can also simply download this image and start it as a live CD (or from USB). The second option is to start your own Linux distribution (yes, you need one) and install the aircrack-ng package (you will most probably want to run the test in step 0 below, and you may have to google whether your Wi-Fi card supports at minimum a promiscuous mode of operation).

Step 0. Initialize airmon-ng and test packet injection

First check whether your Wi-Fi card is recognized: as root, type “ifconfig” and look for any wlanX or athX card. If it is in a shutdown state, try “ifconfig -a” and then activate it with, for example, “ifconfig wlanX up”. In my example the card is wlan1 (wlan0 is the integrated Intel Wi-Fi that is not really usable for attacks).

In the next steps we activate airmon-ng, which will put the wlan1 card into promiscuous mode and create the virtual interface mon0 that we will use for the attacks.

NOTE: Sometimes airmon-ng will tell you that there are running programs that can interfere with your network card and that you should close them, for example NetworkManager or dhclient. Kill them with the kill <pid> command before continuing.

Let's look at ifconfig again and you will notice a new interface in the output.

Now let's test whether packet injection works. The test will also look around for networks on the same channel and try to resend a few packets.

Step 1. Find the target network using WEP.

For our little test, I have configured my access point with a single Wi-Fi network called “WEPcrackTest”, and let’s pretend that we didn’t know this. I would personally use inSSIDer, but there are alternatives directly on Linux like “ssidsniff” or “iwlist scanning”. So for simplicity, let's try “iwlist scanning”. You can find WEP-encrypted networks where the corresponding Cell has no WPA/WPA2 mentioned and shows “Encryption key:on”, as indicated below.
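The same rule can be applied to a site survey of your own network to flag access points still running WEP. The following is an added example, not from the original post: the scan text is a constructed sample in the layout `iwlist` prints (only the name “WEPcrackTest” comes from the article), and the classification is the article's heuristic, not a full parse of the security information elements.

```python
import re

# Constructed sample in the layout printed by `iwlist <iface> scanning`.
# Addresses and names are made up, apart from the article's "WEPcrackTest".
SAMPLE_SCAN = '''wlan1     Scan completed :
          Cell 01 - Address: 02:00:00:00:00:01
                    Channel:6
                    Encryption key:on
                    ESSID:"WEPcrackTest"
          Cell 02 - Address: 02:00:00:00:00:02
                    Channel:11
                    Encryption key:on
                    ESSID:"HomeWPA2"
                    IE: IEEE 802.11i/WPA2 Version 1
          Cell 03 - Address: 02:00:00:00:00:03
                    Channel:1
                    Encryption key:off
                    ESSID:"OpenCafe"
          Cell 04 - Address: 02:00:00:00:00:04
                    Channel:6
                    Encryption key:on
                    ESSID:"OldWPA"
                    IE: WPA Version 1
'''

def classify_cells(scan_text: str) -> list:
    """Apply the article's rule per Cell: key on and no WPA/WPA2 IE means WEP."""
    cells = []
    for block in re.split(r"(?m)^[ \t]*Cell \d+ - ", scan_text)[1:]:
        addr = re.search(r"Address: ([0-9A-Fa-f:]{17})", block)
        essid = re.search(r'ESSID:"(.*)"', block)
        if "Encryption key:on" not in block:
            security = "open"
        elif re.search(r"IE:.*WPA", block):   # only IE lines count, not the ESSID
            security = "WPA/WPA2"
        else:
            security = "WEP"
        cells.append({
            "bssid": addr.group(1) if addr else None,
            "essid": essid.group(1) if essid else "",   # empty for hidden networks
            "security": security,
        })
    return cells

def wep_networks(scan_text: str) -> list:
    return [c for c in classify_cells(scan_text) if c["security"] == "WEP"]

if __name__ == "__main__":
    for cell in wep_networks(SAMPLE_SCAN):
        print("still on WEP:", cell["bssid"], cell["essid"])
```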

Step 2. Start capturing IVs

Just as in the historical attack, the first thing you need is to capture enough IVs (at least 50,000) to have a chance of cracking the WEP encryption. This process is best run in parallel sessions, so please open another terminal window or use the “screen” command for a background session. We will use the airodump-ng command with “-c 6” telling it to capture on channel 6, “--bssid” specifying the MAC address of the access point's radio as the target, and “-w” specifying the output file in which to store the captured packets. The last parameter is the interface identifier, and we use our “mon0”.

Ok, start the capturing and leave it running until we have a lot of IVs.

Step 3. ARP injection attack to speed up IV capture.

The logic is as follows: we will do a fake authentication against the access point and wait for any captured ARP packet; once we capture one we will start re-sending it back to the network, and the replies to our fake packets will allow us to capture a large number of IVs in the capture from step 2. But for all this, we first need to associate using the aireplay-ng command as follows. “-1 0” is the attack type, in this case type 0, which is association only. “-e WEPcrackTest” is the name of the network to associate to, “-a F8:D1:11:37:C2:0E” is the access point MAC address again, “-h D8:5D:4C:91:AB:41” is the MAC address of your wireless card (find it with the ifconfig command), and at the end is the Wi-Fi interface mon0.

The second part is to start listening for ARP packets and, if such a packet arrives, initiate retransmission. To do this we will use the aireplay-ng command with attack type “-3”; the Wi-Fi access point is “-b F8:D1:11:37:C2:0E”, your Wi-Fi interface MAC address is “-h D8:5D:4C:91:AB:41”, and we are opening this attack on interface mon0.

Great, notice the “sent 0 packets” at the end. Now we wait for some real client to connect, and once one connects the attack will start to run automatically. In summary, right now you should have this replay attack running in one terminal and the capture from step 2 running in another.

Step 4. Simulating a legitimate user to start the ARP reply

This step is artificial in our example, as in a real attack you would just leave everything from the previous steps running and wait for some user on the network to send an ARP. To speed things up in our little test, I will connect my second interface card wlan0 to the test network and generate an ARP manually. So this is how you can connect to a WEP network (notice that at this point I am telling you the key, which is “apple”):

Now let's have a look at the ARP table. You will most probably see that we have already resolved the default gateway after or during the DHCP negotiation, so we have probably already captured one ARP.

Now check whether your ARP replay attack from step 3 has already captured some ARP packets and is sending them back to the network. Most probably it will already be running crazy fast, sending all those ARP requests like below!

Also, if you look at the capture from step 2, you will now notice that the capture rate has accelerated several times. And notice that the traffic appears “as if” coming from the host with MAC address D8:5D:4C:91:AB:41. This is our wlan0 MAC address, but this large number of packets is definitely not coming from that interface.

Step 5. Wait and crack

Now we leave it running for a little while, and we can periodically test whether we already have enough IVs to crack the key. In step 2 I used the -w parameter to capture all traffic to a file called WEP.cap. You will notice that the file size increases over time. We will use the aircrack-ng -w -b F8:D1:11:37:C2:0E ./WEP.cap command. The -w parameter says that we are going to attempt to crack the code from a file, -b specifies which access point's traffic is interesting for us (because in step 2 you can capture from multiple networks at once), and at the end we specify which file to use as the source of data.

And here you have it, “KEY FOUND!” and it is found as “ASCII: apple”. This was very easy, no?

Conclusion

In summary, do not operate WEP encryption on your Wi-Fi network for any reason. I know that this is an old technology, and with standards like 802.11n no longer even having direct support for it, it will eventually die. But until then, I have scanned the area around my home with a 24 dB antenna and located three WEP-encrypted networks among the 27 networks around. So there are still people who can be exploited and probably have no idea about it. Make sure you are not one of them.

I am already writing the next part, about cracking WPA/WPA2 using the WPS vulnerabilities.

About Peter Havrila
