Upload
rahul-rollins
View
218
Download
1
Tags:
Embed Size (px)
Citation preview
Crack WEP Lab
Last Update 2014.08.12
1.1.0
1Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com
Objective
• In this lab we will see how to recover the WEP PSK using the tools included with Kali Linux
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 2
Source
• This lab is based on the article– Tutorial: Simple WEP Crack
• from the aircrack-ng.org website
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 3
Equipment Used
• In this example the wireless network will be created using a Linksys WAP55AG access point with these settings
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 4
WAP55AG Wireless Networks
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 5
WAP55AG WEP Key
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 6
Equipment Used
• To recover the WEP key, tools included with Kali Linux will be run from a Virtual Box virtual machine
• The wireless NIC attached to the computer running the virtual machine is an Alfa AWUS036H
• This NIC was selected as it is supported natively by both Windows and Linux
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 7
Equipment Used
• It also can inject frames into the network which is a requirement for this method
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 8
Install the NIC
• Plug the Alfa NIC into the computer with just the base operating system running
• Let the operating system install the driver and activate the NIC
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 9
Create the Virtual Machine
• Start Virtual Box• Using the normal procedures create a
virtual machine using these settings– Operating System
• Ubuntu 32 bit
– Memory• 1024
– Hard Drive Size• 16
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 10
Install Kali Linux
• Copy Kali Linux to a location on the computer where you can find it
• Start the virtual machine created above• When it asks for the location of the
operating system file, click on the small file folder and select the location of the Kali Linux iso file
• Wait for Kali Linux to load and run
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 11
Attach NIC to Kali Linux
• As the wireless NIC is a USB device it must be attached to this virtual machine
• To do this in Virtual Box from the Kali Linux virtual machine menu bar select– Devices
• USB Devices– The name of the wireless NIC
• The device driver for the virtual machine will be loaded
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 12
Attach NIC to Kali Linux
• The wireless NIC will appear in Kali Linux
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 13
WEP Key Recovery Method
• WEP is a perfectly acceptable method to use to restrict access to an 802.11 based wireless network in the appropriate environment
• For example, where I live the nearest neighbor is about ½ a mile away
• To access a wireless network I might secure with WEP someone would have to be on my property or in a neighbor’s field
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 14
WEP Key Recovery Method
• In addition they would have to know the procedure for cracking a WEP key
• This is not very likely where I live• If nothing else is available WEP might then
be a suitable security method• On the other hand if this wireless network
was in a college dormitory populated by engineering or IT majors, then WEP would be a poor choice
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 15
WEP Key Recovery Method
• Why is WEP so easy to break• Recall that the key to breaking a code is
repetition of something in the traffic• WEP’s use of an initialization vector which
is repeated is the lock which is easily broken
• Let’s go break this lock
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 16
WEP Key Recovery Method
• The method used here is to utilize aireplay-ng to replay an ARP frame in order to generate new unique initialization vectors
• Then aircrack-ng uses these new unique IVs to crack the WEP key
• ARP frames are created in order to have enough traffic on the network to create the number of IVs needed
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 17
WEP Cracking Steps
• The steps required to break WEP are– Start the wireless interface in monitor mode
on the channel being used by the access point
– Ensure that the wireless NIC can inject frames into the wireless stream
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 18
WEP Cracking Steps
– Start airodump-ng on the channel with a filter based on the access point’s MAC address to collect the new unique IVs
– Use aireplay-ng to perform a fake authentication with the access point
– Start aireplay-ng in ARP request replay mode to inject packets
– Run aircrack-ng to crack the key using the IVs collected
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 19
Start NIC in Monitor Mode
• The NIC needs to be in monitor mode so that it can hear all wireless frames instead of just the ones addressed to it
• A frame from this inclusive stream will be selected for injection back into the stream
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 20
Start NIC in Monitor Mode
• To do this start a terminal session• Stop the NIC by entering where wlan0 is
the name of the NIC you are using as displayed from the Linux command line using the iwconfig program– airmon-ng stop wlan0
• Run iwconfig again to be sure there are no other wireless NICs running
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 21
Start NIC in Monitor Mode
• Start the NIC in monitor mode– airmon-ng start wlan0 6
• where 6 is the channel number the access point is using
• The OS should report that the NIC is in monitor mode
• It may take a minute or so• It should look similar to this
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 22
Start NIC in Monitor Mode
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 23
Start NIC in Monitor Mode
• If it also lists some processes that need to be turned off so that they do not interfere with this process turn them off using the kill command
• For example in my case– kill 2479– kill 2509– kill 3381
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 24
Test Frame Injection
• To test the ability of the NIC to send frames to the access point by running this command all on one line– aireplay-ng -6 –e linksys-g –a
00:0C:41:14:A4:BB wlan0• where -6 is the channel, linksys-g is the
SSID, and 00:0C:41:14:A4:BB is the MAC address of the access point
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 25
Test Frame Injection
• The system should respond with a message saying that the injection worked
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 26
Test Frame Injection
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 27
Capture IVs With Airodump-ng
• Now we will generate the IVs we need to have enough to break WEP
• Start another terminal session• Run this command all on one line
– airodump-ng –c 6 --bssid 00:0C:41:14:A4:BB –w output wlan0
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 28
Capture IVs With Airodump-ng
–where 6 is the channel, 00:0C:41:14:A4:BB is the MAC address of the access point, output is the file name the system will store the data in, and wlan0 is the name of the NIC
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 29
Authenticate With Aireplay-ng
• An access point will not accept a frame from a device that is not authenticated
• It tracks this by MAC address• A MAC address of an already associated
NIC can be used or a fake authentication session can be created
• We will use the fake authentication method
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 30
Authenticate With Aireplay-ng
• Open another terminal session• All on one line run the command
– aireplay-ng -1 0 -e linksys-g -a 00:0C:41:14:A4:BB -h 00:0F:B5:88:AC:82 wlan0
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 31
Authenticate With Aireplay-ng
• where 1 is for fake authentication, 0 is the reassociation time in seconds, linksys-g is the SSID, 00:0C:41:14:A4:BB is the MAC address of the access point, and 00:0F:B5:88:AC:82 is the NIC MAC address
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 32
Authenticate With Aireplay-ng
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 33
Start Aireplay-ng in ARP Mode
• Aireplay-ng is used now to listen for ARP requests and then reinject them back into the network in order to generate IVs
• Anything could be used that will cause the access point to create an IV
• ARP is just convenient for this purpose• All on one line run this command
– aireplay-ng -3 -b 00:0C:41:14:A4:BB -h 00:0F:B5:88:AC:82 wlan0
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 34
Run Aircrack-ng
• The last step is to use aircrack-ng to recover the key by examining the output file just created
• Start another console session and enter– aircrack-ng -b 00:0C:41:14:A4:BB
output*.cap• Let it run• In a minute or two we will have the answer
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 35
WEP Key Recovered
• In the case as the aircrack-ng terminal screen shows it is AA:BB:CC:DD:EE:FF
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 36
WEP Key Recovered
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 37
Finish the Lab
• Stop all of the programs running in the terminal windows by using Ctrl C
• Close all of the terminal windows• Logout of Kali Linux• Stop the virtual machine
Copyright 2014 Kenneth M. Chipps Ph.D. www.chipps.com 38