Posted on 03-09-2008
Filed Under (pentesting) by admin

In this tutorial I go over the process of cracking WEP encryption on a wireless network. Here I demonstrate why configuring your network with WEP encryption is not such a good idea, as anyone with the right tools can crack it in a matter of minutes.
Some history first:

There are two types of WLAN vulnerabilities: those due to poor configuration and those due to poor encryption. WEP was the original security standard used with wireless networks. Unfortunately, when wireless networks first started to gain popularity, researchers discovered that WEP was flawed: an attacker could defeat it because of the way WEP employed the underlying RC4 encryption algorithm.

Discovery:

One of the first steps when pen-testing a WLAN is locating the target, known as WLAN discovery. There are two types of WLAN discovery scanners, active and passive. Active scanners such as Network Stumbler rely on the SSID broadcast beacons to detect the existence of an access point. An access point can be cloaked by disabling the SSID broadcast in the beacon frame. This does not prevent the access point from being discovered, as it can still be detected with a passive scanner like Kismet. Kismet does not rely on the SSID broadcast beacon to detect an AP; instead, passive scanners require the WLAN interface to be placed in rfmon (monitor) mode, which allows the card to see all the packets being generated by any access point.

Attacking WEP:

The attacks against WEP consist of collecting enough IVs (initialization vectors). The biggest problem with this is that it can take a considerable amount of time. Fortunately you can speed up the process by injecting traffic into the network, which creates more packets. You can accomplish this by collecting one or more ARP packets and retransmitting them to the access point. Another method, if a client has already authenticated to the network, is to send a deauthentication frame, essentially knocking the client off the network and forcing it to reauthenticate.
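Both of the traffic-injection tricks just described leave a signature on the air that a monitor-mode sensor can pick up: a burst of deauthentication frames from one sender, and the same encrypted frame (same source, destination and size) repeated far faster than normal traffic. The script below is an added example written for this post, not the post's own code and not part of aircrack-ng or Kismet; the frame-summary tuple format and the sample traffic are constructed for the example, and the thresholds are starting points rather than tuned values.

```python
"""Detect a deauthentication flood and a replayed encrypted frame in a stream
of 802.11 frame summaries. Added example; the (seconds, kind, src, dst, length)
tuple format is an assumption made up here, a real feed would come from a
monitor-mode capture."""
from collections import defaultdict, deque

AP = "00:11:22:33:44:55"        # constructed BSSID
CLIENT = "aa:bb:cc:dd:ee:01"    # constructed station address


def build_sample():
    """Constructed frame summaries: (seconds, kind, source, destination, length)."""
    frames = []
    # 20 s of ordinary traffic: data frames of varying length, one per second.
    for i in range(20):
        frames.append((float(i), "data", CLIENT, AP, 100 + 7 * i))
    # A burst of 30 deauthentication frames that claim to come from the AP.
    for i in range(30):
        frames.append((20.0 + 0.05 * i, "deauth", AP, CLIENT, 26))
    # 200 encrypted data frames of identical size in four seconds, which is
    # what retransmitting one captured frame over and over looks like.
    for i in range(200):
        frames.append((22.0 + 0.02 * i, "data", CLIENT, AP, 68))
    return frames


def detect(frames, window=5.0, deauth_threshold=10, replay_threshold=50):
    """Return one alert dict per offending key, raised the moment the count of
    that key inside the sliding window reaches its threshold.

    Deauth frames are keyed by sender; data frames by (src, dst, length),
    because a replayed frame repeats all three while normal traffic varies."""
    recent = defaultdict(deque)   # key -> timestamps still inside the window
    alerted = set()
    alerts = []
    for t, kind, src, dst, length in sorted(frames):
        if kind == "deauth":
            key, threshold, label = ("deauth", src), deauth_threshold, "deauth-flood"
        elif kind == "data":
            key, threshold, label = ("data", src, dst, length), replay_threshold, "replay-burst"
        else:
            continue
        q = recent[key]
        q.append(t)
        while t - q[0] > window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"type": label, "key": key, "at": t, "count": len(q)})
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample()):
        print(f"{alert['at']:7.2f}s {alert['type']:13} {alert['key']} x{alert['count']}")
```

Access points send legitimate deauthentication frames too, and some protocols genuinely repeat fixed-size frames, so baseline the thresholds against your own traffic before trusting the alerts; the natural feed for this logic is the same rfmon-mode capture the discovery section describes.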

The tools:

For cracking WEP in this tutorial I use the aircrack-ng suite; here are some of the tools provided with aircrack-ng.

  • airmon-ng: to put the interface in rfmon (monitor) mode.

  • airodump-ng: a packet capture utility for raw 802.11 frames, and in particular the WEP IVs to be used with aircrack-ng.

  • aireplay-ng: designed to perform injection attacks (deauthentication and fake authentication) and ARP request replay.

  • aircrack-ng: for cracking WEP using various statistical attacks.
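The same airodump-ng scan that an attacker uses to pick a target is also the quickest way for a network owner to find out which of their own access points still run WEP or no encryption at all. The script below is an added example for this tutorial, not the post's own code and not part of the aircrack-ng suite; the column layout is an assumption about the CSV that airodump-ng writes next to its capture file (check the header your version produces), and the three networks in the sample are constructed.

```python
"""Flag networks that still rely on WEP (or nothing) in an airodump-ng CSV.

Added example; the column set below is an assumption about airodump-ng's CSV
export, not a documented contract."""
import csv
import io

# Constructed sample in that layout: one WEP network, one WPA2 network and one
# open network that hides its SSID (empty ESSID, ID-length 0).
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2008-09-03 10:00:00, 2008-09-03 10:05:00,  6,  54, WEP, WEP, OPN, -40, 120, 48213,   0.  0.  0.  0,  7, HomeNet,
00:11:22:33:44:66, 2008-09-03 10:00:00, 2008-09-03 10:05:00, 11,  54, WPA2, CCMP, PSK, -55,  98,     0,   0.  0.  0.  0,  6, Office,
00:11:22:33:44:77, 2008-09-03 10:00:00, 2008-09-03 10:05:00,  1,  54, OPN, , , -70,  40,     0,   0.  0.  0.  0,  0, ,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
"""

SEVERITY = {"critical": 0, "high": 1, "info": 2}


def parse_access_points(text):
    """Return the access-point table as a list of dicts keyed by column name.

    airodump-ng writes the AP table first and the station table after a blank
    line, so everything past the first blank line is ignored here."""
    ap_section = text.strip().split("\n\n", 1)[0]
    reader = csv.reader(io.StringIO(ap_section), skipinitialspace=True)
    rows = [[field.strip() for field in row] for row in reader if row]
    header, body = rows[0], rows[1:]
    return [dict(zip(header, row)) for row in body]


def assess(ap):
    """Return (severity, reason) findings for one access point, worst first."""
    findings = []
    privacy = ap["Privacy"].upper()
    if privacy == "OPN":
        findings.append(("critical", "no encryption at all"))
    elif "WEP" in privacy:
        findings.append(("high",
                         f"WEP in use; {ap['# IV']} IVs already captured in this scan"))
    if not ap["ESSID"]:
        # As the discovery section explains, a hidden SSID only defeats active
        # scanners; a passive monitor-mode scanner still sees the BSSID.
        findings.append(("info", "SSID hidden, which is not a security control"))
    return sorted(findings, key=lambda f: SEVERITY[f[0]])


def audit(text):
    """Map each BSSID that has at least one finding to its findings."""
    report = {}
    for ap in parse_access_points(text):
        findings = assess(ap)
        if findings:
            report[ap["BSSID"]] = findings
    return report


if __name__ == "__main__":
    for bssid, findings in audit(SAMPLE_CSV).items():
        for severity, reason in findings:
            print(f"{severity:8} {bssid}  {reason}")
```

Run it against the CSV of a scan taken from your own premises; any "high" line is an access point that the rest of this tutorial applies to, and the fix is to move it off WEP rather than to hide its SSID.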

ok… let’s get hacking.

click here to watch video


Comments

Ajesh on 23 September, 2008 at 2:07 am #

Good one. Something for wps as well?
Will not use wep any more.


admin on 23 September, 2008 at 2:16 pm #

Do you mean WPA? … Yes, I have plans to make one about hacking WPA; it’s coming soon!