MASNET Group Xiuzhen Cheng Feb 8, 2006

CSCI388 Project 1
Crack the WEP key

Liran Ma
Department of Computer Science
The George Washington University

lrma@gwu.edu


Project resolutions

Experiment with IEEE 802.11b/g networks.

Learn how to use different network analysis tools.

Exploit 802.11 (WEP) security properties.


Warning

Do not hack any wireless networks other than the one provided for this course.

You are solely responsible for your actions!


Notes (1/2)

No laptop will be provided for this project. If you really cannot get a laptop, talk to me after class.

Linux is highly recommended for this project, though Windows can do the same job as well.

The best practice is to use a special security Linux distribution (such as WHAX, BackTrack, etc.) with a USB flash drive with a capacity of 1G or above.


Notes (2/2)

A “good” 802.11b/g wireless card, which must be able to run in promiscuous mode. Not all cards will do this, especially USB-based ones. Most PCMCIA cards will do promiscuous mode just fine though.

You are not required to follow exactly the procedures/steps mentioned below as long as you answer the question correctly. Those steps are just meant to provide you with some guidelines.


Wireless Access Point (AP) Location

There is only one AP, located in 719, which is near AC 725, running both 802.11b and 802.11g. You can work in AC 725 because it is an open lab.

The network name, i.e., the SSID, is CSCI388.

Please report to [email protected] if the AP seems to be failing.


Step 1: network survey

You will have to find the detailed information about the wireless network:
- AP’s MAC address.
- Security protocol running.
- Encryption key length.
- Client associations.
- Any other information that can help you to crack the key.

For Windows users, survey the site using Netstumbler. For Linux users, use either Kismet or AirSnort.
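The "security protocol running" item is also what a defender auditing their own site needs to read from a survey. The following added example (not part of the original slides) classifies a beacon frame body as open, WEP, WPA or RSN from the capability privacy bit and the WPA/RSN elements; the sample frame bodies are constructed, and `example-wpa2` is a hypothetical SSID.

```python
import struct
PRIVACY_BIT = 0x0010                       # capability bit 4: encryption required
WPA_OUI_TYPE = bytes.fromhex("0050f201")   # Microsoft OUI + type 1 = WPA element

def classify_beacon(body: bytes) -> dict:
    """Classify a beacon frame body (the bytes after the 24-byte MAC header)."""
    if len(body) < 12:
        raise ValueError("beacon body shorter than its 12 fixed bytes")
    # Fixed fields, little-endian: timestamp (8), beacon interval (2), capability (2).
    _, _, capability = struct.unpack_from("<QHH", body, 0)
    ssid, has_rsn, has_wpa = None, False, False
    pos = 12
    while pos + 2 <= len(body):            # tagged parameters: id, length, value
        tag, length = body[pos], body[pos + 1]
        value = body[pos + 2 : pos + 2 + length]
        if len(value) < length:            # truncated element: stop parsing
            break
        if tag == 0:
            ssid = value.decode("utf-8", "replace")
        elif tag == 48:                    # RSN element: WPA2 or later
            has_rsn = True
        elif tag == 221 and value.startswith(WPA_OUI_TYPE):
            has_wpa = True                 # vendor-specific WPA element
        pos += 2 + length
    if not capability & PRIVACY_BIT:
        security = "open"
    elif has_rsn:
        security = "RSN (WPA2 or later)"
    elif has_wpa:
        security = "WPA"
    else:
        security = "WEP"                   # privacy bit set, no WPA/RSN element
    return {"ssid": ssid, "security": security, "flag": security in ("open", "WEP")}

def element(tag: int, value: bytes) -> bytes:
    return bytes([tag, len(value)]) + value

def make_body(ssid: str, capability: int, extra: bytes = b"") -> bytes:
    """Build a constructed beacon body for the demo (not captured traffic)."""
    return struct.pack("<QHH", 0, 100, capability) + element(0, ssid.encode()) + extra

# Constructed samples: the course SSID advertising WEP, and a hypothetical WPA2 network.
SAMPLES = [
    make_body("CSCI388", 0x0011),
    make_body("example-wpa2", 0x0011, element(48, bytes.fromhex("0100000fac04"))),
]

if __name__ == "__main__":
    print([classify_beacon(b) for b in SAMPLES])
```

Networks returned with `flag` set to true are the ones to schedule for migration to WPA2 or later.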


Step 1: (snapshot of Netstumbler)


Step 2: Data collection

Due to the broadcast nature of wireless communication, you can sniff the traffic even if you are not a legitimate user.

Collect data packets using tools such as Ethereal or Kismet.

After collecting enough encrypted data (ranging from 500 mega to 1G), you are ready to crack the WEP key.

For extra credit, you need to detect which service the server is running and figure out how to get the file via hacking that service.


Step 2: (snapshot of Ethereal)


Step 3: crack the key

Crack the WEP key using the collected data. You can recover the key by:
- The weakness of the key scheduling in RC4.
- Active dictionary attack.
- Or any other attacking measures (some attacking methods can make your life much easier. Last year’s record is two hours).

Once you recover the key (in ASCII format; convert it to ASCII if you get a key in hexadecimal format), you know you did it right.


Extra credits: Hack into the server

Use the data collected in step 2:
- Detect which service the server is running.
- Figure out the user name and password.
- Then, get the file from the server using the user name and password.

You may need a little extra work in order to associate with the AP and get access to the server.


What to turn in

A zip or tarball file that contains:
- Detailed cracking steps (including what tools are used and how to install and run them; provide snapshots if necessary).
- The WEP encryption key.
- One legitimate MAC address.
- Answers to the questions.

Extra credits:
- The user account and its password for the service that is running on the server.
- The file you see after you hack into the server.


Available tools

Windows Wireless Security Tools
- Ethereal – a free network protocol analyzer (sniffer). http://www.ethereal.com/
- WinPcap – for capturing packets. http://winpcap.polito.it/default.htm
- Netstumbler – site surveying utility. http://www.netstumbler.com/
- tinyPEAP – official tinyPEAP site. http://www.tinypeap.com
- Change MAC address: http://www.nthelp.com/NT6/change_mac_w2k.htm or http://students.washington.edu/natetrue/macshift/
- WepLab – a WEP security analyzer. http://weplab.sourceforge.net/

Linux Wireless Security Tools
- Ethereal – a free network protocol analyzer (sniffer). http://www.ethereal.com/
- LibPcap – should be available with your distribution of Linux.
- Kismet – a VERY good tool for surveying wireless networks; puts Netstumbler to shame. http://www.kismetwireless.net/
- Airsnort – a utility for cracking WEP keys. Also, you can get information about monitor mode on the Airsnort page. You may find this useful, although not essential. http://airsnort.shmoo.com/
- For changing your MAC address in Linux, use ifconfig <iface> hw ether <mac address>.
- WepLab – a WEP security analyzer. http://weplab.sourceforge.net/
- WepAttack – this tool uses a different approach (active dictionary attack) to crack WEP. You are welcome to try it. http://wepattack.sourceforge.net/


Questions?

Good luck and have fun!


Backup slides: Snapshot of Kismet


Backup slides: Snapshot of AirSnort