WEP Crack Using aircrack-ng by Arunabh Das

WEP Crack Using aircrack-ng

Arunabh Das

Content Part 1 - Background

WEP Encryption Authentication Vulnerabilities

Part 2 - Attack Experiment Cracking WEP Keys Test Environment

Network Topology Hardware & Software

The Attack Observations

Part 3 - Conclusion Problems Encountered Detection & Prevention Conclusion References

WEP Encryption

Wired Equivalent Privacy 64-bit and 128-bit (24-bit IV) Utilizes RC4 and CRC32

WEP Authentication

Open System Authentication

http://documentation.netgear.com/reference/sve/wireless/WirelessNetworkingBasics-3-08.html

WEP Authentication

Shared Key Authentication

http://documentation.netgear.com/reference/sve/wireless/WirelessNetworkingBasics-3-09.html

WEP Vulnerability

Static Keys Short IV (24-bits) Susceptible to statiscal analysis based

attacks

Network Topology

attacker

Wireless AP

victim

H/W and S/W requirementsAttackerOS: Ubuntu 8.04NIC: iwl4965/Atheros AR5007 b/gSoftware:

•Kismet•Airodump•Aireplay•Airjack

Wireless APLinksys WRT54GL

VictimOS: Windows XPNIC: D-Link WUA-2340 USB adaptorSoftware: D-Link Wireless Connection Manager

Types of attacks using aireplay It currently implements multiple different attacks: Attack 0: Deauthentication Attack 1: Fake Authentication Attack 2: Interactive Packet Replay Attack 3: ARP Request Replay Attack Attack 4: Korek Chopchop attack Attack 5: Fragmentation attack Attack 6: Caffe-latte attack Attack 7: Client-oriented fragmentation attack

Source - http://www.aircrack-ng.org/doku.php?id=aireplay-ng

Deauthentication This attack is a type of “man-in-the-middle” attack which disassocate

packets to one or more clients which are currently associated with paticular access pont, making the client to disconnect from the AP and connect to the cracker’s fake AP.

The reasons to disassociating clients are : Generate ARP reqests, Force clients to re-authenticate Recovering a hidden ESSID

Deauthenticaton cont. Use aireplay to achieve the de-auth attack

Command:

aireplay-ng -0 1 -a MAC address -c MAC address ath0

-0 means deauthentication

1 is the number of deauths to send

-a MAC address of te acess point

-c MAC address of the client to de-auth

-ath0 is the interface name

Deauthentication cont.

The MAC address of the AP and the client can be get by doing sniffing using tools like wireshark

The output of the command from the slid above will look like:

11:09:28 Sending DeAuth to station -- STMAC: [00:0F:B5:34:30:30]

STMAC is the MAC address of the client(then the client is de-authenticated,and then the attacker will be connected with the spoofed victim’s address)

Fake authentication

Fake authentication allows the attacker to proform the two types of WEP authentication (open system and shared key) pls associate with the AP, Different from deauthentication attack, no ARP packets are generated, plus the fake authentication is only useful when the attacker need and associated MAC address in other packet injection attacks but there is currently no client is connected to the AP

Fake auhentication cont. The actual aireplay command: aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h

00:09:5B:EC:EE:F2 -y sharedkeyxor ath0 -1 means fake authentication 0 reassociation timing in seconds -e teddy is the wireless network name -a 00:14:6C:7E:40:80 is the access point MAC address -h 00:09:5B:EC:EE:F2 is our card MAC addresss -y sharedkeyxor is the name of file containing the PRGA xor bits.

This is only used for shared key authentication. Open system authentication, which is typical, does not require this.(PRGA xor bits can be obtained from the de-auth or kork chopchop attack).

ath0 is the wireless interface name

ARP Request Replay attack

The classic ARP request replay attack is the most effective way to generate new initialization vectors(IVs).

The program listens for an ARP packet then retransmits it back to the access point. This, in turn, causes the access point to repeat the ARP packet with a new IV. Te program retransmits the same ARP packet over and over.

However, each ARP packet repeated by the access point has a new IVs. It is all these new IVs which allow you to determine the WEP key.

ARP Request Replay attack cont. Basic usage aireplay-ng -3 -b 00:13:10:30:24:9C -h 00:11:22:33:44:55 ath0 Where:

-3 means standard arp request replay

-b 00:13:10:30:24:9C is the access point MAC address

-h 00:11:22:33:44:55 is the source MAC address (either an associated client or from fake authentication)


ARP Request Replay attack cont.

A output of the above command would be: Saving ARP requests in replay_arp-0219-

123051.cap You should also start airodump-ng to capture replies. Read 11978 packets (got 7193 ARP requests), sent 3902 packets

KoreK chopchop

This attack, when successful, can decrypt a WEP data packet without knowing the key. It can even work against dynamic WEP. This attack does not recover the WEP key itself, but merely reveals the plaintext.

Some AP are not vulnerable to this attack

KoreK chopchop cont.

Proform korek chopchop with aireplay aireplay-ng -4 -h 00:09:5B:EC:EE:F2 -b

00:14:6C:7E:40:80 ath0 4 means the chopchop attack -h 00:09:5B:EC:EE:F2 is the MAC address of an

associated client or your card's MAC if you did fake authentication

-b 00:14:6C:7E:40:80 is the access point MAC address


KoreK chopchop cont. Sample output of the above command Read 165 packets... Size: 86, FromDS: 1, ToDS: 0

(WEP) BSSID = 00:14:6C:7E:40:80 Dest. MAC = FF:FF:FF:FF:FF:FF Source MAC = 00:40:F4:77:E5:C9 0x0000: 0842 0000 ffff ffff ffff 0014 6c7e 4080 .B..........l~@. 0x0010: 0040 f477 e5c9 603a d600 0000 5fed a222 [email protected]..`:...._.." 0x0020: e2ee aa48 8312 f59d c8c0 af5f 3dd8 a543 ...H......._=..C 0x0030: d1ca 0c9b 6aeb fad6 f394 2591 5bf4 2873 ....j.....%.[.(s 0x0040: 16d4 43fb aebb 3ea1 7101 729e 65ca 6905 ..C...>.q.r.e.i. 0x0050: cfeb 4a72 be46 ..Jr.F Use this packet ? y

Fragmentation Attack

This attack, when successful, can obtain 1500 bytes of PRGA (pseudo random generation algorithm). This attack does not recover the WEP key itself, but merely obtains the PRGA. The PRGA can then be used to generate packets with packetforge-ng which are in turn used for various injection attacks. It requires at least one data packet to be received from the access point in order to initiate the attack

Korek chopchop vs. Fragmentation Attack

Fragmentition attack obtains the full packet length of 1500 bytes xor, so any size of packet could be generated, and is sufficient to create ARP request. An is extremel fast, however, it needs ore information such as the IP address to launch.

Chopchop attack don’t need to know any IP info. Bu t is much slower and the maximum xor its is limited .

Flow Chart for Cracking

Source – http://www.aircrack-ng.org/doku.php?id=flowchart#section_7frag_chop-chop_failed

Configuring EnvironmentConfigure Access Point Set the encryption to WEP and generate keys using passphrase

Configuring Environment Step 2Configure Access Point

Set the SSID and the broadcast channel.

Configuring Environment Step3Configure Access Point

Set the Authentication type to Auto

Installation Installation of kismet step1

InstallationInstallation of kismet – step2

Installation Patching of kernel Step1 Note that the 2.6.24 version of the kernel doesn’t contain the modules that

we need

Installation Patching of kernel Step2

Install kernel-package libraries


Wait for complete installation of kernel-package libraries


Download the latest version of the kernel using wget

Installation Patching of kernel Step11 Finding a client that is connected to the AP and client’s MAC id

Installation –Patching of kernel Step12

Installation Patching of kernel Step14-15

InstallationPatching of kernel Step45

Installation Patching of kernel – 7

Installation Patching of kernel – Step 50

Preparatory Step1Testing Injection Enable card to monitor mode

Preparatory Step 2Testing Injection

Basic test to determine if card supports injection

Preparatory –Testing Injection

Check hidden ID or check specific SSID

Preparatory Testing Injection Create 2 virtual wireless interfaces for attack test

Preparatory Step 5 Testing Injection

Reconnaisance Step 1

Reconnaisance Step 2

Reconnaisance -

Reconnaisance

Reconnaisance Step 5 -

Attack Without Deauth – Step1

Attack Without Deauth Step2 -

Attack Without Deauth

Attack Without DeauthStep5

Attack Without DeauthStep 6

Attack Without DeauthStep8

Iteration 2 – ARP Request Replay without deauthentication request

Attack Step 1 Taking down the network interface in order to change the MAC

Iteration 2 – ARP Request Replay without deauthentication

request

Attack Step 2

Finding a target AP and the channel it is broadcasting on.

Iteration 2 – ARP Request Replay without deauthentication

request

Attack -

Finding a client that is connected to the AP and client’s MAC id

Iteration 2 – ARP Request Replay with deauthentication

request Attack

Changing the attacker’s MAC id to match client’s (Spoofing)

Iteration 2 – ARP Request Replay with deauthentication

request Attack Step 5 -

Initiating airodump to capture packets, especially weak IVS packets

Iteration 2 – ARP Request Replay with deauthentication request

Attack Step 6 - Monitoring airodump to monitor rate of capture


Attack Step 7

Initiate aireplay to inject frames


Attack Step 8

Monitoring number of ARP requests generated

Iteration 2 – ARP Request Replay with

deauthentication request Attack Step 9 Sending de-authentication frames to client

ARP Request Replay Attack Variation 3(spoofing MAC but no deauth) Step 1

ARP Request Replay Attack Variation 3(spoofing MAC but no deauth) Finding a client that is connected to the AP and client’s MAC id

ARP Request Replay Attack Variation 3(spoofing MAC but no deauth)


Initiating airodump to capture packets, especially weak IVS packets


Monitoring airodump to monitor rate of capture

ARP Request Replay Attack Variation 3(spoofing MAC but no deauth) Step 7 Initiate aireplay to inject frames


Monitoring number of ARP requests generated


Sending de-authentication frames to client

ARP Request Replay Attack Variation 3(spoofing MAC but no deauth) Step 15 Using airecrack to crack

Observations/Conclusion

WEP is weak and can be cracked easily We were able to crack WEP in x minutes WEP encrypted networks should be replaced with

WPA/WPA2

Detection/Prevention

When an abnormal amount of ARP requests are being made it may be a sign that a hacker is trying to crack your WEP key

Careful monitoring and logging of such an event can help administrators detect such an attack.

Preventing such an attack is near impossible

References[1] “Aireplay-ng”

URL: http://www.aircrack-ng.org/doku.php?id=aireplay-ng[2] “Computer Security”

URL: http://en.wikipedia.org/wiki/Computer_security[3] “Exploit (computer security)”

URL: http://en.wikipedia.org/wiki/Exploit_(computer_security)

Questions ?

WEP Crack Using aircrack-ng by Arunabh Das

Documents

Transcript of WEP Crack Using aircrack-ng by Arunabh Das