
Cracking WEP Wireless Networks using BackTrack made Easy




Although every security forum, blog, book and article has made it clear that WEP encryption is extremely insecure, and that any current wireless network should avoid WEP in favour of WPA, or better still WPA2, I still see masses of customers and users relying on WEP as their preferred security model for their wireless network. A few months ago, while drinking my coffee at one of those famous (and here nameless) public free-hotspot cafés, I made a quick survey of the nearby access points and was astonished that WEP-enabled networks made up almost 50% of the networks in range, including the café itself (some others were open). I repeated the same process at different times and in different locations and again picked up at least 2 WEP networks on my monitoring software. If you search for WEP attacks or how to crack WEP keys using your favourite search engine, you will find hundreds of results and recommendations to avoid WEP, yet WEP is still widely used. So what is hindering the adoption of more secure encryption? I believe it is a lack of awareness among ordinary end users (security professionals share the blame for this), or the use of very old hardware that supports only WEP.

Introduction

Information systems and network security have never been more critical than in the last few years. Times change, and technology progresses into new areas at the same time; one of these is wireless networking. Since we live in the computer and digital era, the demand for new services keeps increasing, and most companies are reinventing their infrastructure and applying new technologies such as wireless LANs to meet this demand. However, a lack of meticulous planning can lead to a vulnerable system. Wireless is one of the most revolutionary technologies available in the IT market. Most of the Ethernet (cabling) technologies of the last 15-20 years were evolutionary; wireless is a completely new discipline with countless different rules and techniques, and since we all count on computers, laptops, tablets and smartphones, the need for mobile, wire-free technology has kept growing. Information is the most valuable commodity, so it has to be exploited and used to its fullest potential, but that must also be reflected in securing this information to preserve our knowledge and keep a competitive advantage. In the following pages I will lay out the vulnerabilities and problems of using WEP encryption on your wireless network and provide a step-by-step guide on how to recover a WEP key using BackTrack and the Aircrack-ng suite of tools (it should be noted that this information should be used only on a test network and under your full responsibility / liability, and it is not to be used for any illegal / unethical work).

Why BackTrack ? 

BackTrack is a specialized Linux distribution (distro) based on Debian GNU/Linux that bundles a large collection of software applications and tools concerned mainly with penetration testing and digital forensics. The current and most up-to-date version is BackTrack 5 Release 3, which will be used in all the upcoming examples and demos. BackTrack is now the de facto standard for IT security professionals working in penetration testing, with a lot of resources and training material available. Further information about BackTrack and download links can be found at the official BackTrack site http://www.backtrack-linux.org/

What is Aircrack-ng Suite? 

Aircrack-ng (Next Generation) is a suite of applications and tools including a packet detector, a sniffer and WEP, WPA and WPA2 cracking tools. It runs under both Linux and Windows, but running it under Linux is highly recommended, not because of Aircrack-ng issues on Windows but because of limitations in the Windows operating system itself: it is highly proprietary software with many restrictions, especially around network cards and their drivers. For more information on the tools, tutorials, downloads and supported configurations, please check the official site http://www.aircrack-ng.org/

WEP threats 

WEP, or Wired Equivalent Privacy, is one of the first encryption algorithms used in wireless LANs to encrypt data travelling over the air; it is also used as part of the shared-key authentication mechanism to verify the wireless client device. WEP uses an algorithm called RC4, a stream cipher (designed at RSA Security) driven by a pseudo-random number generator (PRNG), and the main problems with WEP and RC4 are:
• The RC4 source code was posted on the internet in the mid 90's and has been available to anyone since, which gives intruders and hackers the chance to study the code and break it.
• There are many software packages available, most of them free tools, that are used to crack WEP.

RC4 

RC4 is a very popular method of encryption and is adopted by many applications. One of the best-known applications that uses RC4 is SSL (Secure Sockets Layer), which most web sites use to secure their data. The RC4 cipher key in WEP consists of two parts, a static part and a dynamic part. The static part is the shared secret key that the user enters in the wireless device in order to connect to the network or gain access; it is sometimes known as the pre-shared password. The length of this key can be either 40 bits or 104 bits, and it can be entered either as a hexadecimal number or as ASCII plain text. If you use hexadecimal, you enter 10 characters for the 40-bit key and 26 characters for the 104-bit key; if you use ASCII, you enter 5 characters for the 40-bit key and 13 characters for the 104-bit key. The dynamic part of the RC4 key is the IV (Initialization Vector). Its length is 24 bits, and this IV is always changing, which is why it is called dynamic. The IV is appended to the shared secret key (40 bits or 104 bits), giving a total of either 64-bit (40 + 24) or 128-bit (104 + 24) encryption.

How WEP Works:

RC4 encrypts data by XORing it with the cipher key stream (XOR is a mathematical function on binary numbers: it outputs zero for identical input bits and one when the two input bits differ).

WEP Encryption Process: 

1. The actual data (unencrypted plain text) sent from the sender station first passes through an integrity check algorithm, which creates an integrity check value (ICV) that is added to the end of the plaintext data.
2. The wireless device generates a dynamic initialization vector (IV); the IV is appended to the pre-shared key (the static part explained earlier) and both are fed into the RC4 algorithm; the result is known as the seed value.
3. The seed value is run through a pseudorandom number generator (PRNG), which in turn produces the cipher stream key (keystream).
4. RC4 XORs this keystream with the output of step 1 to produce the encrypted data (cipher text). The IV is prepended to the cipher text, and a new IV is used for each encrypted frame sent.

Weakness of WEP:

1. The IV is only 24 bits, which is a relatively short length for such a key; it gives around 16 million IVs (2^24). Many might think this number is huge, but on a very busy and large network the 16 million IVs may be used up within hours (around 3 - 4 hours), after which some packets will reuse an IV. If an intruder captures packets with the same IV, it is easy enough, with many free software tools, to get the static part (the pre-shared key) and gain access to the network. Note also that the IV is sent over the air without any encryption, which makes it very vulnerable. With the right tools WEP networks are easy to crack; the Federal Bureau of Investigation (FBI) cracked a WEP network in only 3 minutes back in 2005.

2. The second part of WEP, the pre-shared key (static element), is a threat as well, since this key never changes and can be used for as long as you like: the original 802.11 standard has no mechanism to change it dynamically. This gives the hacker all the time needed to monitor, capture and hack the network.
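To make the IV-reuse weakness concrete, here is an added example (my own code, not from this article or the Aircrack-ng project) that implements the WEP encryption process described above in Python with a 104-bit key and constructed sample frames, shows what an eavesdropper learns from two frames that share an IV without knowing the key at all, and, going one step beyond the text, applies the birthday bound to the 24-bit IV space. The key, IV and plaintexts are constructed demo values.

```python
import math
import zlib

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling (KSA) followed by output generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):  # KSA
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):  # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP frame body: IV in the clear || RC4(IV || key) XOR (plaintext || CRC-32 ICV)."""
    if len(key) not in (5, 13) or len(iv) != 3:  # 40/104-bit key, 24-bit IV
        raise ValueError("WEP needs a 5- or 13-byte key and a 3-byte IV")
    body = plaintext + zlib.crc32(plaintext).to_bytes(4, "little")
    return iv + xor(body, rc4_keystream(iv + key, len(body)))

def wep_decrypt(key: bytes, frame: bytes):
    """Returns (plaintext, icv_ok) for a frame produced by wep_encrypt."""
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4_keystream(iv + key, len(ct)))
    pt, icv = body[:-4], body[-4:]
    return pt, zlib.crc32(pt).to_bytes(4, "little") == icv

def keystream_reuse_leak(frame_a: bytes, frame_b: bytes):
    """Frames with the same (cleartext) IV share one keystream: XORing the ciphertexts
    cancels it and leaves plaintext_a XOR plaintext_b, key unknown. None if IVs differ."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return xor(frame_a[3:], frame_b[3:])

def frames_until_iv_collision(probability: float = 0.5, iv_bits: int = 24) -> int:
    """Birthday bound: random-IV frames needed for a repeated IV with this probability."""
    return math.ceil(math.sqrt(2 * 2 ** iv_bits * math.log(1 / (1 - probability))))

# Constructed demo values (not from any real network): 104-bit key, one reused IV.
KEY = bytes.fromhex("0102030405060708090a0b0c0d")
IV = bytes.fromhex("4a1f03")
P1 = b"GET /index.html HTTP/1.0"
P2 = b"secret-password:hunter22"  # same length as P1 keeps the demo simple
FRAME1 = wep_encrypt(KEY, IV, P1)
FRAME2 = wep_encrypt(KEY, IV, P2)
```

With random IVs a repeat is more likely than not after only about 4,800 frames, long before all 16 million IVs are exhausted, and anyone who knows one of the two plaintexts (an ARP request, an HTTP header) reads the other directly from the XOR.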

WEP attacks: 

Active Attacks (Injecting Data)

To successfully crack a wireless network using WEP, the hacker needs to gather millions of packets to be able to get the IVs and then the pre-shared key. While this can be easy on a very busy network, it will take hours or days on a quiet network. The hacker can then launch an active attack and inject data and frames into the network to create a busy, congested network. If the attacker knows the plain text of one encrypted packet or message, he can then create new packets and calculate the ICV, perform a bit flip on the original packet and send it again to the access point. The fact that WEP has no way to identify a replayed packet, since it adds no timestamp or authentication code, allows the hacker to inject previously sent packets and messages, and they will be accepted.

Passive Attacks (Decrypting Traffic)

This type of attack was discussed above under the WEP weaknesses and is simply a kind of eavesdropping. The attacker tries to collect as many IVs as needed until identical or duplicate IVs occur. Using the appropriate tools, the hacker can then XOR the two messages captured with the same IV, and the pre-shared password is simply revealed. During the upcoming step-by-step tutorial we will use a mix of both types of attack: connecting to networks that have clients and disconnecting those clients to force a new connection, as well as faking the network by authenticating new clients and associating them with the network. The latter attack can be very useful against static networks or networks with no connected clients.

Tools and Devices Needed during the Attack
1. A laptop or computer with BackTrack 5 R3 loaded on it. It can be a virtual machine or a physical computer with good RAM and processing power; my test laptop had a dual-core processor and 8 GB RAM.
2. A wireless card able to inject traffic and packets. I will be using the most popular and widely available wireless card, the Alfa Networks AWUS036H, which uses the Realtek 8187 driver supported by the Aircrack-ng suite; other cards work as well, another good one being the Netgear WN111. For a complete list of supported cards and drivers under either Windows or Linux, please check the following site http://www.aircrackng.org/doku.php?id=compatible_cards
3. An access point supporting WEP encryption (most access points / routers will satisfy this need)

BackTrack Basics

Turn on Monitor Mode: The first step to capture and crack the WEP encryption key is to put the wireless network card into monitor mode (similar to promiscuous mode on Ethernet networks). The easiest way to do so is to use the airmon-ng command. Running "airmon-ng" without any parameters displays the current wireless interfaces on your computer or laptop, so you can check which one will be used for packet sniffing and injection in case you have several cards. In my case I had two interfaces (the first is the default wireless card built into the laptop), and I enabled the wlan0 interface (the one with the Realtek RTL8187) using "airmon-ng start wlan0", as shown in the screenshot.
To check whether any process is accessing the wireless card and may cause problems later, run "airmon-ng check"; if any process is listed you can kill it with "airmon-ng check kill". The next step is identifying the nearby networks. Sometimes you might see many wireless networks in your coverage area, and it would certainly be beneficial to start your monitor mode on the exact channel of the access point you are targeting. To get a list of the nearby access points / networks you can use the BackTrack graphical interface, from Applications – Internet – WICD Network Manager.



Another way is to use egrep on the output of the iw dev scan command, as shown below (the command is case sensitive and the spaces must be preserved):
iw dev wlan0 scan | egrep "DS\ Parameter\ set|SSID"

WEP Key Recovery Step by Step attack: 

1. In my test scenario the target wireless network using WEP was on channel 11, so I started monitor mode on channel 11 to filter out the surrounding access points, using the command airmon-ng start wlan0 11 as shown in the picture above.
2. Start an airodump-ng capture on the given access point channel and BSSID. The output of airodump-ng is saved to a capture file on disk, to be passed later to aircrack-ng to recover the key. airodump-ng is mainly used for capturing 802.11 frames, in our case the WEP IVs. The command used is as follows:
airodump-ng -c 11 --bssid xx:xx:xx:xx:xx:xx -w testdemo mon0
where "-c" is the channel and "--bssid" is the MAC address of the
As you can see from the above image, by targeting channel 11 I was able to filter the list of access points down to my target AP (ending with 87), with one station currently connected (ending with A8:42). Make sure to keep the airodump-ng window running until you finish steps 3, 4 and 5 and have gathered the needed IVs.
3. Run the first attack with aireplay-ng: fake authentication. The fake authentication attack is used mainly when you need to attack a WEP-enabled access point that has no clients currently associated, so you need to fake a client on this network. Fake authentication works with both WEP authentication modes (Open and Shared); note that it is only usable against WEP-enabled wireless networks, not WPA or WPA2. All security professionals recommend always starting with the fake authentication attack. The command used is:
aireplay-ng -1 0 -e AP-SSID -a xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy mon0
where "-1" selects the fake authentication attack (attack number 1), "0" is the re-association timing in seconds, "-e" is the wireless network name (SSID) that users connect to with their network cards, "-a" is the target access point MAC address and "-h" is followed by the MAC address of my Realtek wireless card.


To confirm that the fake authentication was successful, look again at the airodump-ng window started in step 2: the new station (our Realtek card, ending with 07:b0) appears in the list of connected stations.
4. Run an ARP request replay attack (ARP, Address Resolution Protocol, is the TCP/IP protocol used to convert an IP address into a physical address such as an Ethernet address). This is one of the most effective methods of generating new IVs: it listens for an ARP packet and retransmits it to the access point, which makes the access point repeat the ARP packet with a new IV. This is done over and over for some time until enough initialization vectors (IVs) are collected.
aireplay-ng -3 -b xx:xx:xx:xx:xx:xx -h yy:yy:yy:yy:yy:yy mon0
where "-3" selects the ARP request replay attack (attack number 3 in the suite), "-b" is the target AP MAC address and "-h" is your MAC address after a successful fake authentication and association to the target access point, or the MAC address of any already associated client.


For more information please check http://www.aircrackng.org/doku.php?id=arprequest_reinjection  
5. The final step before recovering the WEP key is to deauthenticate any of the clients connected to the wireless network; this mainly serves to generate new ARP requests / packets as the client tries to re-establish its connection with the access point.
aireplay-ng -0 1 -a xx:xx:xx:xx:xx:xx -c yy:yy:yy:yy:yy:yy mon0
where "-0" selects the deauthentication attack, "1" is the number of deauthentications to send (zero means send continuously) and "-c" is the MAC address of the client to disconnect; if it is omitted, all clients associated with this access point are deauthenticated. For more information please check http://www.aircrackng.org/doku.php?id=deauthentication
6. After collecting the needed number of IVs and letting airodump-ng run for some time, stop the airodump-ng process (step 2) with Ctrl+C and examine the capture file (testdemo-01.cap) with aircrack-ng:
aircrack-ng testdemo-01.cap
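Seen from the other side, steps 3 to 5 above leave a loud footprint on the air: a burst of deauthentication frames against one BSSID, often addressed to the broadcast MAC so that every client drops at once. The following added example (my own defender-side code, not part of the article or of Aircrack-ng) is the kind of check the wireless IDS recommended in the conclusion would run over captured 802.11 management frames; the frame records and MAC addresses are constructed placeholders, and the MgmtFrame type is my own simplification of a decoded frame.

```python
from collections import deque
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class MgmtFrame:
    ts: float      # capture time in seconds
    subtype: str   # 802.11 management subtype: "beacon", "auth", "deauth", ...
    bssid: str     # access point the frame belongs to
    dst: str       # destination MAC; a deauth to BROADCAST hits every client


def deauth_flood_alerts(frames, window_s=10.0, threshold=5):
    """Flags each BSSID whose deauthentication frames inside any sliding
    window_s-second window reach threshold. One alert per BSSID:
    (bssid, time_of_alert, frames_in_window, any_broadcast_deauth)."""
    recent, alerts, seen = {}, [], set()
    for f in sorted(frames, key=lambda x: x.ts):
        if f.subtype != "deauth":
            continue
        q = recent.setdefault(f.bssid, deque())
        q.append(f)
        while q and f.ts - q[0].ts > window_s:  # drop frames outside the window
            q.popleft()
        if len(q) >= threshold and f.bssid not in seen:
            seen.add(f.bssid)
            alerts.append((f.bssid, f.ts, len(q), any(x.dst == BROADCAST for x in q)))
    return alerts


# Constructed sample capture (not a real trace, MACs are placeholders): the
# target AP receives a burst of broadcast deauths within one second, while the
# quiet AP only sees two ordinary disconnects 35 seconds apart.
TARGET_AP = "00:11:22:33:44:87"
QUIET_AP = "00:11:22:33:44:10"
SAMPLE = (
    [MgmtFrame(float(i), "beacon", TARGET_AP, BROADCAST) for i in range(30)]
    + [MgmtFrame(5.0, "deauth", QUIET_AP, "aa:bb:cc:dd:ee:01"),
       MgmtFrame(40.0, "deauth", QUIET_AP, "aa:bb:cc:dd:ee:02")]
    + [MgmtFrame(12.0 + 0.1 * i, "deauth", TARGET_AP, BROADCAST) for i in range(8)]
)
```

A real deployment would feed decoded frames from a monitor-mode capture and tune window and threshold to the normal roaming rate of the site; a broadcast deauth burst is a strong signal because legitimate access points rarely deauthenticate everyone at once.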


Final conclusion
The bottom line is that WEP should be used sparingly, if at all, on business and sensitive networks. WEP offers a basic security model that may be sufficient in a few cases thanks to its popularity and availability on every router and access point on the market, but its major drawback is that it can be cracked easily with some patience. This article highlighted the weaknesses and illustrated how simple it is to crack such a network.
Knowledge is power, and recognizing a weakness is the first step on the path to avoiding it. There is no single solution to secure a network, and everyone must understand that technology is human-made and will always have an element of vulnerability; what all security professionals try to do is limit the number of vulnerable points in their systems (sometimes called the attack surface) instead of being open to any attacker, from script kiddies to professionals. Sometimes WEP is the only security available, which is better than nothing, but then you need to take some extra precautions: check for the most up-to-date drivers from your access point manufacturer, use a 128-bit encryption key, change the key frequently, and install a free IDS to monitor connections and alert you if a malicious attack is launched against your system.
I will try to explore more advanced WEP cracking techniques, including data / packet injection, in future articles, and explore the world of the famous "secure" WPA and WPA2 and their weaknesses (remember there is no completely secure system).

