
Crack WEP Lab

Last Update 2014.08.12

1.1.0

Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com


Objective

• In this lab we will see how to recover the WEP PSK using the tools included with Kali Linux


Source

• This lab is based on the article "Tutorial: Simple WEP Crack" from the aircrack-ng.org website


Equipment Used

• In this example the wireless network will be created using a Linksys WAP55AG access point with these settings


WAP55AG Wireless Networks


WAP55AG WEP Key


Equipment Used

• To recover the WEP key, tools included with Kali Linux will be run from a Virtual Box virtual machine

• The wireless NIC attached to the computer running the virtual machine is an Alfa AWUS036H

• This NIC was selected as it is supported natively by both Windows and Linux

• The NIC can also inject frames into the network, which is a requirement for this method


Install the NIC

• Plug the Alfa NIC into the computer with just the base operating system running

• Let the operating system install the driver and activate the NIC


Create the Virtual Machine

• Start Virtual Box

• Using the normal procedures create a virtual machine using these settings

– Operating System: Ubuntu 32 bit

– Memory: 1024

– Hard Drive Size: 16


Install Kali Linux

• Copy Kali Linux to a location on the computer where you can find it

• Start the virtual machine created above

• When it asks for the location of the operating system file, click on the small file folder and select the location of the Kali Linux iso file

• Wait for Kali Linux to load and run


Attach NIC to Kali Linux

• As the wireless NIC is a USB device it must be attached to this virtual machine

• To do this in Virtual Box, from the Kali Linux virtual machine menu bar select

– Devices

– USB Devices

– The name of the wireless NIC

• The device driver for the virtual machine will be loaded


• The wireless NIC will appear in Kali Linux


WEP Key Recovery Method

• WEP is a perfectly acceptable method to use to restrict access to an 802.11 based wireless network in the appropriate environment

• For example, where I live the nearest neighbor is about ½ a mile away

• To access a wireless network I might secure with WEP someone would have to be on my property or in a neighbor’s field


• In addition they would have to know the procedure for cracking a WEP key

• This is not very likely where I live

• If nothing else is available WEP might then be a suitable security method

• On the other hand if this wireless network was in a college dormitory populated by engineering or IT majors, then WEP would be a poor choice


• Why is WEP so easy to break?

• Recall that the key to breaking a code is repetition of something in the traffic

• WEP’s use of an initialization vector which is repeated is the lock which is easily broken

• Let’s go break this lock
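To make the repetition point concrete, here is an added example (not from the lab or from aircrack-ng) that computes how quickly WEP's 24-bit IV is expected to repeat and shows that a repeated keystream cancels out of the XOR of two ciphertexts; random bytes stand in for the RC4 keystream.

```python
"""Added example: why a repeated WEP IV is the weak lock. WEP seeds RC4 with
a 24-bit IV plus the secret key, so a repeated IV means a repeated keystream.
Random bytes stand in for RC4 below; the identities do not depend on the cipher."""
import math
import os
import random

IV_SPACE = 1 << 24  # 16,777,216 possible IVs per key


def p_repeat(frames, space=IV_SPACE):
    """Birthday-bound probability that some IV repeats within `frames` frames,
    assuming IVs are chosen uniformly at random (the best case for the AP)."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * space))


def frames_for_half_chance(space=IV_SPACE):
    """Frames after which a repeat is more likely than not: about sqrt(2 N ln 2)."""
    return math.ceil(math.sqrt(2.0 * space * math.log(2)))


def frames_until_first_repeat(seed, space=IV_SPACE):
    """Simulate an AP drawing random IVs; return the frame index of the first reuse."""
    rng, seen, frame = random.Random(seed), set(), 0
    while True:
        frame += 1
        iv = rng.randrange(space)
        if iv in seen:
            return frame
        seen.add(iv)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(p1, p2):
    """Two frames under the same (IV, key) share a keystream. XORing the two
    ciphertexts cancels it and leaves p1 XOR p2 without touching the key."""
    ks = os.urandom(max(len(p1), len(p2)))  # constructed stand-in for RC4(IV || key)
    return xor(xor(p1, ks), xor(p2, ks)) == xor(p1, p2)


if __name__ == "__main__":
    print(f"50% chance of a repeated IV after {frames_for_half_chance()} frames")
    print(f"P(repeat) after 10,000 frames = {p_repeat(10_000):.3f}")
    print(f"first repeat in one simulated run: frame {frames_until_first_repeat(1)}")
    print("ciphertext XOR == plaintext XOR:", keystream_reuse_leak(b"hello", b"world"))
```

A busy access point sends thousands of frames a minute, so a repeat is expected almost immediately even when the IV is chosen at random, and many real drivers chose it far less carefully.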


• The method used here is to utilize aireplay-ng to replay an ARP frame in order to generate new unique initialization vectors

• Then aircrack-ng uses these new unique IVs to crack the WEP key

• ARP frames are created in order to have enough traffic on the network to create the number of IVs needed
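From the defender's side this method is noisy: the replay can only resend one captured, still-encrypted ARP request verbatim, so a monitor-mode sensor sees the same IV from one station hundreds of times per second, while the access point relays each copy under a fresh IV. This added example (not part of the lab) runs those two checks over a constructed capture; only the MAC addresses come from the lab's commands, and the rates and IV values are assumed sample data.

```python
"""Added example: spotting the ARP-request replay from a monitor-mode capture.

The replay can only resend one captured, still-encrypted ARP request verbatim,
so the same (transmitter, IV) pair shows up over and over at a high rate, while
the AP relays each copy under a fresh IV. Both signals are checked below over a
constructed capture; only the MAC addresses come from the lab."""
from collections import Counter, defaultdict

STA = "00:0f:b5:88:ac:82"     # the lab's injecting NIC
AP = "00:0c:41:14:a4:bb"      # the lab's access point
CLIENT = "00:11:22:33:44:55"  # constructed: an ordinary client

# Constructed capture: (time_s, transmitter, wep_iv, frame_len).
FRAMES = []
for i in range(300):                               # 300 replays at 200 frames/s
    FRAMES.append((i * 0.005, STA, 0x1A2B3C, 68))  # same IV every time
    FRAMES.append((i * 0.005 + 0.002, AP, 0x400000 + i, 68))  # AP relay, new IV
for i in range(10):                                # normal client traffic
    FRAMES.append((i * 0.5, CLIENT, 0x700000 + i, 1500))


def iv_reuse(frames, min_repeats=20):
    """(transmitter, IV) pairs seen more than min_repeats times. A station's
    own traffic walks through IVs; hundreds of copies of one IV is a replay."""
    counts = Counter((tx, iv) for _, tx, iv, _ in frames)
    return {key: n for key, n in counts.items() if n > min_repeats}


def peak_frame_rate(frames, window_s=1.0):
    """Highest frames-per-window seen from each transmitter."""
    buckets = Counter((tx, int(t // window_s)) for t, tx, _, _ in frames)
    peaks = defaultdict(int)
    for (tx, _), n in buckets.items():
        peaks[tx] = max(peaks[tx], n)
    return dict(peaks)


def arp_replay_suspects(frames, min_repeats=20, max_rate=100):
    """Transmitters that both repeat an IV heavily and exceed max_rate frames/s."""
    reusers = {tx for tx, _ in iv_reuse(frames, min_repeats)}
    peaks = peak_frame_rate(frames)
    return sorted(tx for tx in reusers if peaks.get(tx, 0) > max_rate)


if __name__ == "__main__":
    for (tx, iv), n in iv_reuse(FRAMES).items():
        print(f"IV {iv:06x} from {tx} repeated {n} times")
    print("peak frames/s:", peak_frame_rate(FRAMES))
    print("ARP replay suspects:", arp_replay_suspects(FRAMES))
```

The access point also shows a high frame rate because it relays every copy, but its IVs are all different, so only the injecting station trips both checks.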


WEP Cracking Steps

• The steps required to break WEP are

– Start the wireless interface in monitor mode on the channel being used by the access point

– Ensure that the wireless NIC can inject frames into the wireless stream


– Start airodump-ng on the channel with a filter based on the access point’s MAC address to collect the new unique IVs

– Use aireplay-ng to perform a fake authentication with the access point

– Start aireplay-ng in ARP request replay mode to inject packets

– Run aircrack-ng to crack the key using the IVs collected


Start NIC in Monitor Mode

• The NIC needs to be in monitor mode so that it can hear all wireless frames instead of just the ones addressed to it

• A frame from this inclusive stream will be selected for injection back into the stream


• To do this start a terminal session

• Stop the NIC by entering

– airmon-ng stop wlan0

• where wlan0 is the name of the NIC you are using as displayed from the Linux command line using the iwconfig program

• Run iwconfig again to be sure there are no other wireless NICs running


• Start the NIC in monitor mode

– airmon-ng start wlan0 6

• where 6 is the channel number the access point is using

• The OS should report that the NIC is in monitor mode

• It may take a minute or so

• It should look similar to this

(Screenshot: airmon-ng output showing the NIC in monitor mode)

• If it also lists some processes that need to be turned off so that they do not interfere with this process, turn them off using the kill command

• For example in my case

– kill 2479

– kill 2509

– kill 3381


Test Frame Injection

• Test the ability of the NIC to send frames to the access point by running this command all on one line

– aireplay-ng -6 -e linksys-g -a 00:0C:41:14:A4:BB wlan0

• where -6 is the channel, linksys-g is the SSID, and 00:0C:41:14:A4:BB is the MAC address of the access point


Test Frame Injection

• The system should respond with a message saying that the injection worked

(Screenshot: aireplay-ng output reporting that injection worked)

Capture IVs With Airodump-ng

• Now we will generate the IVs we need to have enough to break WEP

• Start another terminal session

• Run this command all on one line

– airodump-ng -c 6 --bssid 00:0C:41:14:A4:BB -w output wlan0


Capture IVs With Airodump-ng

• where 6 is the channel, 00:0C:41:14:A4:BB is the MAC address of the access point, output is the file name the system will store the data in, and wlan0 is the name of the NIC


Authenticate With Aireplay-ng

• An access point will not accept a frame from a device that is not authenticated

• It tracks this by MAC address

• A MAC address of an already associated NIC can be used or a fake authentication session can be created

• We will use the fake authentication method


Authenticate With Aireplay-ng

• Open another terminal session

• All on one line run the command

– aireplay-ng -1 0 -e linksys-g -a 00:0C:41:14:A4:BB -h 00:0F:B5:88:AC:82 wlan0


Authenticate With Aireplay-ng

• where 1 is for fake authentication, 0 is the reassociation time in seconds, linksys-g is the SSID, 00:0C:41:14:A4:BB is the MAC address of the access point, and 00:0F:B5:88:AC:82 is the NIC MAC address

(Screenshot: aireplay-ng fake authentication output)

Start Aireplay-ng in ARP Mode

• Aireplay-ng is used now to listen for ARP requests and then reinject them back into the network in order to generate IVs

• Anything could be used that will cause the access point to create an IV

• ARP is just convenient for this purpose

• All on one line run this command

– aireplay-ng -3 -b 00:0C:41:14:A4:BB -h 00:0F:B5:88:AC:82 wlan0


Run Aircrack-ng

• The last step is to use aircrack-ng to recover the key by examining the output file just created

• Start another console session and enter

– aircrack-ng -b 00:0C:41:14:A4:BB output*.cap

• Let it run

• In a minute or two we will have the answer


WEP Key Recovered

• In this case, as the aircrack-ng terminal screen shows, it is AA:BB:CC:DD:EE:FF

(Screenshot: aircrack-ng output showing the recovered key)

Finish the Lab

• Stop all of the programs running in the terminal windows by using Ctrl C

• Close all of the terminal windows

• Logout of Kali Linux

• Stop the virtual machine
