How To Attack a WEP/WPA Protected Wireless Network

Contents

Updated on Jan/2013: Added WPS section

Any help in completing this document is welcome, thanks!

In this guide we’ll try to discuss the many vulnerabilities affecting the WEP and WPA protocols. We’ll also show you some techniques that can be used to break these protection schemes. Feel free to add any missing questions. Thanks 🙂

Greetings: c0sm4ky, bender0, CyberPK, Giulia and Buffer, Rageman.

What are WEP, WPA and WPA2? In what they differ?

WEP stands for Wired Equivalent Privacy, an unlucky acronym as we all know; it is the implementation of the wireless communication standard IEEE 802.11. The WEP scheme is based on a secret key, only known to the clients which can connect to the network, and on the corresponding Access-Point. The key is used to initialize an RC4 stream needed to encrypt the packets’ payload, in order to guarantee their privacy.

WPA, on the other hand, stands for Wi-Fi Protected Access, a protocol born to replace WEP after its failure, and to provide a temporary alternative while waiting for the – now complete – IEEE 802.11i standard to be finished. The encryption algorithm used is again RC4, but this time the initialization vector is 48 bits long (vs 24 in WEP). A protocol (TKIP) has been introduced, capable of dynamically changing the key every few minutes, and the old checksum algorithm CRC has been replaced with the new Micheal, to avoid many attacks well known by WEP users. WPA is certainly harder than WEP, but if you take a close look at it, you’ll find out it’s not much different to its predecessor.

WPA2, finally, is an implementation of the IEEE 802.11i standard, which differs from its ancestors in the encryption algorithm, not RC4 but AES (Advanced Encryption Standard, brother of Rijndael, the only difference being that Rijndael can handle variable sized data blocks while AES only deals with 128 bit blocks). This standard takes advantage of technologies similar to those used on VPNs to guarantee data privacy and integrity, and to unambiguously identify the sender. It also introduces authentication monitoring technologies and a new 4-way authentication protocol. WPA2 comes in two flavors:

WPA2-Personal: also called WPA2-PSK, PSK meaning Pre-Shared Key. It is used in SoHo networks. The password is unique and shared among all of the users: if a random string is chosen as a password the security of the wireless network is equivalent to that of a wired network.
WPA2-Enterprise: doesn’t use PSK but a RADIUS server for authentication; it is also possible to use certificates and public keys. This mode of operation is the medium-sized and enterprise’s choice, where the use of a single PSK is discouraged, and where the presence of a centralized authentication system, capable of handling amounts of data too big for an Access-Point, is needed.

Which wireless card do I need?

The card we’ll be buying has to be based on a chipset which AT LEAST allows Monitor mode, and optionally the injection of crafted packets, an useful feature we’ll discuss later on.
At the time of writing the chipsets supporting both are:

  • Atheros
  • Prism 2/3
  • PrismGT
  • Ralink (rt2500 / rt2570 / rt61 / rt73)
  • RTL8180 (UNSTABLE)
  • RTL8187L

Since linux drivers which can do these things are born all the time I suggest to periodically check this compatibility list.

My card can do these things, what now?

If you aren’t using a penetration testing oriented live distro you’ll have to patch the drivers.

Then to do packet injection you should learn how to use aireplay-ng; it has a lot of options, which means you’ll HAVE TO read the man page to understand how it works.

How do I build an external antenna?

This issue is discussed in this forum thread (italian).

Which operating system do I need?

Not Windows for sure, because there are problems which are difficult (and sometimes impossible) to overcome. The best thing is to have a Linux distribution.

Yeah but… I don’t want to install that on my laptop!

That’s none of my business. Just joking… There are a lot of live distributions out there, i.e. bootable CDs which load the distribution into RAM without even touching your hard drive.

  1. Troppix (developed until version 1.2, and now discontinued because of licensing issues)
  2. nUbuntu
  3. BackTrack
  4. Auditor

Download the ISO image, burn it on a CD/DVD, stick it in your drive, reboot the pc… And it will run. But remember, some live distributions do not have updated and working drivers for your chipset. Sometimes you’ll just have to install them everytime you boot. Or, you can try to modify the distro and customize it…

Lie, it won’t run!

Yes, it will… Enter the BIOS configuration and make sure that the CD/DVD drive is present among the boot devices and that it is checked BEFORE the hard drive.

What’s a BIOS?

Coff coff… Here’s the deal: check back in… 3 or 4 years and we’ll give you all the answers, ok? 🙂

All right, I booted distro XYZ, what now?

Now you should turn the wireless card on. To see if your system recognized it try this: open up a terminal emulator and type this command:

$ /sbin/iwconfig
lo no wireless extensions.

eth0 no wireless extensions.

eth1 unassociated ESSID:off/any Nickname:”ipw2100″

As you can see the first two interfaces, lo and eth0, are not associated with wireless cards, while the third one, eth1, is, and in this case it’s a ipw2100 card.

If your card isn’t recognized, try another distribution, try to update the drivers, fiddle with it… I don’t possess all the answers :).

Are there any problems with the Intel PRO/Wireless 3945 A/B/G card?

The Intel 3945 card is properly recognized by BackTrack 2 and following versions, provided you run the “Intel 3945 Daemon”, found in the BackTrack menu. Once you do that, you’ll be able to inject traffic with the card. If you’re not using BackTrack you’ll have to patch the drivers, like we said before.

My card is recognized. We should have a beer now, shan’t we?

Sure, as long as you pay for it, otherwise you’d better start looking for wireless networks around you. You’ll need appropriate software. Among the most famous:

  • Airodump-ng (part of the Aircrack-ng suite, also developed for Windows but with limited card support)
  • Kismet (this one is also developed for Windows)
  • WireShark (new name for old good Ethereal)

All of these are included in the distros mentioned above, and have different usages.
Don’t forget to put your card in Monitor mode!!!
If the Aircrack-ng suite is available you can use the “airmon-ng” script, or you can try with

iwconfig XXX mode monitor

replacing XXX with your card’s device name.

Then run iwconfig just to see if your card now shows up in Monitor mode. Now you can run whatever packet capturing software you prefer. If you choose Kismet please remember to start it from the system menu. Don’t do it from a shell, beacuse some distros (like BackTrack) will not start the automatic configuration scripts… Use a shell only if you can’t find the entry in the menu ;p

It will take Kismet a few seconds to list available networks; then you’ll have to detect the encryption algorithm used by them.

How do I discover which algorithm is in use?

I was just about to tell you… Press the s key while in Kismet to open the sorting menu, then press f to sort the networks by discovery time. The highlighted line is the currently selected network: you can move it with the arrow keys, so select one network and press i. You’ll see this screen, the data highlighted is the one you’ll need, so write it down.

SSID : Bubba
Server : localhost:2501
BSSID : 00:40:15:E4:C3:25
Manuf : Unknown
Max Rate: 11.0
BSS Time: 1f6b97f6463
First : Wed Nov 8 17:33:30 2006
Latest : Wed Nov 8 17:34:41 2006
Clients : 1
Type : Access Point (infrastructure)
Channel : 3
Privacy : Yes
Encrypt : WEP
Decryptd: No
Beacon : 25600 (26.214400 sec)
Packets : 135
Data : 1
LLC : 133
Crypt : 1
Weak : 0
Dupe IV : 0
Data : 0B
Signal :
Power : -47 (best -45)
Noise : 0 (best 0)
IP Type : TCP (4 octets)
IP Range: 192.168.1.2

The Encrypt field is telling us that this network uses the WEPalgorithm. Other possible options are: WPA, WEP TKIP WPA, NONE.

I know which algorithm is used, how do I crack it?

We will now analyze some different strategies, depending on the encryption algorithm used. If the network is not ciphered (Encrypt: NONE) you can skip this section.

If it is a WEP network we have some options, but first we must log some network traffic to disk.

How can I log traffic?

You can use Kismet or AiroDump-NG (part of the AirCrack-NG suite).
If you use Kismet, just highlight one network and press l, so you’ll lock sniffing to the channel in which the network operates. If you use AiroDump-NG, you’ll have to run it like this:

airodump-ng -c –ivs –write

in our example (as root):

airodump-ng -c 3 –ivs –write dump.pcap eth1

The number of Beacon type packets will quickly increase, but they are useless for our purpose. The –ivs option captures just the IVs, so if you want to dump everything in order to examine traffic you’ll need to remove it.

How much traffic should I log?

Log between 300’000 and 1’500’000 packets, the more the better. If network activity is high enough it’ll take a short time (maybe an hour), otherwise you’ll need more.

How do I merge a bunch of dumps in a single file?

You can use ivtools, which is part of the AirCrack-NG suite, like this:

ivstools –merge ..

example:

ivstools –merge dump1.pcap dump2.pcap dump3.pcap final_dump.pcap

Or, you can use mergecap, part of the WireShark package (was Ethereal):

mergecap [options] -w <outfile|-> …

example:

mergecap -T ieee-802-11 -w final_dump.pcap dump1.pcap dump2.pcap dump3.pcap

If something goes wrong, try removing the -T ieee-802-11 option… Or reading the manpage.

Ok, I merged those packets, but how do I crack the key?

Using AirCrack-NG. I’ll make here some usage samples, but you MUST refer to the manual because only you know if you will need some options. You can try with:

aircrack-ng -a -e -b dump

example:

aircrack-ng -a 1 -e Bubba -b 00:40:15:E4:C3:25 final_dump.pcap

Then you must wait… Cracking may take from a few minutes to many hours, but if it is WEP and you have enough packets the key will finally pop out. The more packets you capture, the faster the cracking process will probably be. There are some settings you can tweak, e.g. if you know how long the key is you can use the -n parameter. If you know that the key is 128bit long, use:

aircrack-ng -a 1 -n 128 -e Bubba -b 00:40:15:E4:C3:25 final_dump.pcap

You can also tune the fudge factor by using the -f option. If you lower this cracking time will be shorter, but the chances of getting a false (wrong) key will increase. If you raise the value you will deepen the bruteforce level, the cracking will take more time but you will get fewer fake keys. If you have collected a high number of packets try using -f 3 or -f 4. Anyway please READ the AirCrack-NG manpage!

What if the network uses WPA?

It’s a little trickier, as WEP is vulnerable to statistic attacks, while WPA isn’t, so you’ll need to bruteforce the key. The steps are the same as above, but you’re going to need a dictionary (you can download one from the Internet or you can create one with JohnTheRipper):

aircrack-ng -a 2 -b 00:40:15:E4:C3:25 -e Bubba -w dictionary.txt final_dump.pcap

Watch out, the -a option has changed.

What is the WPA vulnerability I heard about in 2008?

In November 2008 a vulnerability has been found in the WPA protocol, to exploit this flaw we’ll have to assume that:

  1. We know the IP range of the subnet we are going to attack (e.g.: 192.168.0.x)
  2. The re-keying interval of TKIP is at least one hour
  3. QoS support is enabled on the network

The first two conditions are quite common, but the third one may be less common in a home environment, expecially on older WiFi routers. How do we proceed? At the time of writing Aircrack-NG doesn’t support an automated procedure to exploit this flaw, so we’ll have to listen for the traffic and intercept an ARP request, this is quite easy because we can infer if a packet is an ARP request simply looking at its size, and to the destination MAC that’s always ff:ff:ff:ff:ff:ff. Since the structure of an ARP packet is well known, and since we’ve made some assumptions we know that we are only missing:

  • 1 byte, the last one, of the client IP address
  • 8 bytes from the MIC
  • 4 bytes from the ICV

Are we able to guess these bytes? Of course we are, all we need is a ChopChop, even tough some protections have been added to WPA to make ChopChop attacks useless, let’s see why:

  1. If a packet contains an invalid ICV then the packet is discarded, if the ICV is correct but the MIC is wrong, then the AP sends a MIC failure report frame and the packet is discarded. If more than 2 wrong MIC are received in a 60 seconds interval, the connection is suspended and keys are changed.
  2. If a packet is correctly received, the TSC for that channel is incremented, after then if a packet with a lower TSC value is received the packet is discarded.

These protections aren’t enough to block a ChopChop attack completely, they just slow us down. If QoS is enabled we have 8 channels to play on, so we are able to decrypt the last 12 bytes in 12 minutes, the 13th byte and the others can be derived directly on the attacking machine since we now have e decrypted ICV. And we also know that the MIC is not an hash-function so we can simply derive the key inverting the function. At this point we are able to inject a new valid packet on all the QoS channels available. It is still possible to perform this kind on attack on a non-QoS enabled network, even tough the procedure is much slower.

What if the network I’m attacking has no traffic?

In this situation you will have to set up a so-called reply attack. You will need at least ONE packet containing an ARP request in order to send it N times to the Access Point.
By doing this the router will reply you with N packets, each packed with a different IV.
Be aware that some wifi cards are not able to stay in Monitor mode while transmitting; that means you will need TWO wifi adapters, one to set up the reply attack and the other to sniff the network traffic. This is, instead, possible to do with only one adapter, if it has a Atheros or Ralink r61 chipset (probably also with others).

What if I have a Centrino card?

Some time ago patches for ipw2200 drivers were released, making possible some sort of “partial” packet injection. You’ll have to use the latest version of aircrack-ng. By “partial” I mean that you can inject data frames only on the AP channel you are currently associated (you must be in managed mode). This is not a big limit since 99% of the APs allow you to associate even if you don’t have a valid key (this is called open key, while shared key is different but weaker). A discussion about this can be found in this forum thread.

What are the other tools in the AirCrack-NG suite for?

  • airdecap-ng: given a valid key, decrypts a WEP/WPA packet.
  • kstats: given a valid key and a dump, calculates which statistic attack is best.
  • ivstools: merges pcap files or extracts IVs from them.
  • makeivs: generates a pcap file for aircrack-ng testing purposes.
  • packetforge-ng: forges a packet to be used with aireplay-ng.
  • airmon-ng: puts a wireless card in Monitor mode.
  • aireplay-ng: injects artificial traffic in the network.
  • aircrack-ng: cracks the WEP/WPA key.
  • airodump-ng: sniffs traffic and dumps it to file.

How do I get around a MAC address filter?

It’s pretty simple, discover the MAC address of a connected client, and set your wireless card to that address. Make sure that that client isn’t active (he could be connected, but preferably not active). In Kismet, select the network with the MAC filter and press c to make it list the connected clients, what you’ll get looks like this:

T MAC Manuf Data Crypt Size IP Range Sgn Nse
00:0B:6B:4E:A6:19 WistronN 1 0 91B 0.0.0.0 0 0
00:15:D6:15:41:28 Unknown 1 0 50B 0.0.0.0 0 0
00:00:5E:BB:F8:A3 Unknown 4 0 2k 0.0.0.0 0 0
00:0B:6B:4E:3D:AE WistronN 1 0 91B 0.0.0.0 0 0
00:00:5E:BB:0E:84 Unknown 0 0 0B 0.0.0.0 0 0
00:0B:6B:36:7C:B5 WistronN 1 0 106B 0.0.0.0 0 0

Pick the MAC address which transmitted the least bytes and, in a linux terminal emulator, as root, type the following:

ifconfig ethX hw ether new_mac

example:

ifconfig eth1 hw ether 00:00:5E:BB:0E:84

On windows you’re going to need programs like MacMakeup, written by the Italian coder Marcello Gorlani.

How do I associate with the Access-Point once I have the key?

It depends!
1) If the network is open there is no key, so the question is meaningless 😉

2) If the network has WEP you can use iwconfig like this:

iwconfig eth1 key
iwconfig eth1 essid “essid of the network”

where eth1 is the network interface corresponding to your wireless adapter and essid is the name of the network. Afterwards, to see if all went as planned, run in a terminal emulator:

iwconfig eth1

If the output looks like this:

eth1 unassociated ESSID:off/any Nickname:ipw2100
Mode:Managed Channel=0 Access Point: Not-Associated

Then the key is wrong, or there’s another authentication layer. Otherwise, you’ll get something like this:

eth1 IEEE 802.11b ESSID:Bubba Nickname:ipw2100
Mode:Managed Frequency:2.432 GHz Access Point: 00:0A:CA:3C:B4:70

3) If the network has WPA you’ll need wpa_supplicant. We’ll need to configure it first, so edit the file /etc/wpa_supplicant.conf (it may also be somewhere else, but that is the usual location) and add something like this:

network={
ssid=”STUDENTI.MATH”
key_mgmt=WPA-EAP
identity=”your_username”
password=”your_password”
}

and then run wpa_supplicant like this:

wpa_supplicant -Dwext -ieth1 -c/etc/wpa_supplicant.conf

where eth1 is the network interface corresponding to your wireless adapter, the -D parameter can be changed if you’re using other cards, but wext usually works (at least with Atheros chipsets). Here you have the list of other supported drivers:

  • hostap: (default) Host AP driver (Intersil Prism2/2.5/3). (this can also be used with Linuxant DriverLoader).
  • hermes: Agere Systems Inc. driver (Hermes-I/Hermes-II).
  • madwifi: MADWIFI 802.11 support (Atheros, etc.).
  • atmel: ATMEL AT76C5XXx (USB, PCMCIA).
  • ndiswrapper: Linux ndiswrapper.
  • broadcom: Broadcom wl.o driver.
  • ipw: Intel ipw2100/2200 driver.
  • wired: wpa_supplicant wired Ethernet driver
  • bsd: BSD 802.11 support (Atheros, etc.).
  • ndis: Windows NDIS driver.

However, in the end you should run a dhcp client to get an IP address from the network, so run:
dhcpcd eth1

where eth1 is… we got it, and everything should be good.

What if the network is using WPA-PSK?

Add this to your wpa_supplicant.conf:

network={
ssid=””
psk=””
}

where is the network’s SSID and is the key you found with AirCrack-NG. Then run wpa_supplicant with the same command as above:

wpa_supplicant -Dwext -ieth1 -c/etc/wpa_supplicant.conf

What are the main vulnerabilities in WEP?

Let us preface this by saying that a brute-force attack can never be ruled out, but its success depends strictly on the available resources (time, computational power). There are methodologies which, under certain conditions, can make an unauthorized decrypter’s life way easier.
We’re talking about:

  • Keystream Reuse: suppose we intercepted two crypted packets, C1 and C2, encrypted using the same keystream (so we have an IV collision). Xoring these two packets we get: C1 XOR C2 = P1 XOR keystream XOR P2 XOR keystream = P1 XOR P2. Thus, knowing the ciphertext and its respective plaintext, we are able to decrypt every packet that uses the same keystream. In fact: P1 XOR C1 = P1 XOR P1 XOR keystream = keystream.
  • Checksum linearity: this vulnerability is based on the fact that CRC32 is a linear and unkeyed function, which implies that CRC(x XOR y) = CRC(x) XOR CRC(y). The attacker can forward a message if he’s able to get a correct ICV value. Let P1 be a valid plaintext and C1 = P1 XOR keystream the corresponding ciphertext. Suppose we can create a new plaintext doing: P2 = P1 XOR v, where v is a randomly chosen value. C2 = C1 XOR (v + CRC(v)), and so extending C1 we get: C2 = keystream XOR (P1 + CRC(P1)) XOR (v + CRC(v)). Now, if we just xor P1 with v and CRC(P1) with CRC(v) we get: C2 = keystream XOR (P2 + CRC(P2)).
  • Traffic injection: given a couple (C1, P1) it’s easy to obtain the keystream simply by xoring these two values with each other. We are now able to decrypt an arbitrary plaintext, append it to the IV (found in C1) and forward it to the AP.
  • Traffic reinjection: it’s possible to forward through the Ap the same encrypted message and indefinite number of times (there are no counter measures on replay attacks). This allows us to do an ARP request reinjection, a highly efficient active attack which we’ll discuss later.
  • Authentication Spoofing: this attack exploits the analysis of authentication data (SKA, Shared Key Authentication) sent by the wlan client (initiator) to the AP (responder). The initiator sends a non-ciphered message to the AP (authentication request management frame) where it states that the authentication will be executed using SKA. The responder then replies with a random 128-byte string (authentication challenge management frame). Now the initiator ciphers the challenge message using WEP, and sends it back to the AP. The responder now deciphers the message and verifies the ICV.
  • Ip redirection: to accomplish this attack you need an internet-connected AP and you must know the originating (AP) and terminating (client) IP addresses. Once a generic packet C has been intercepted, the destination address is replaced with the attacker’s address exploiting Checksum Linearity and the packet is forwarded to the AP. It will decipher the message and send it to the attacker. To make sure the ICV remains untouched you need to balance the change to the destination IP by changing the source IP (which now is not relevant). Let source_ip = x1.x2.x3.x4, that once divided in two 16-bit words becomes: source_ip_h = x1*256 + x2 and source_ip_l = x3*256 + x4 (“h” and “l” stand for “high” and “low”). Same thing for the destination IP: dest_ip = y1.y2.y3.y4, dest_ip_h = y1*256 + y2, dest_ip_l = y3*256 + y4 e newdest_ip = z1.z2.z3.z4, newdest_ip_h = z1*256 + z2, newdest_ip_l = z3*256 + z4. To make sure the checksum remains unchanged you must subtract from the lower word of the source ip the value newdest_ip_h + newdest_ip_l – dest_ip_h – dest_ip_l (source_ip_l = source_ip_l – (newdest_ip_h + newdest_ip_l – dest_ip_h – dest_ip_l)).
  • Table-based Attack: this attack consists of building a table containing a series of indexed keystreams, using any possible value of IV as a index.
  • Reaction Attack: when an authentication succeeds, the AP replies with an acknowledgement packet. This is a predictable-length packet, and this allows the attacker to understand which packets have a valid ICV. Then, exploiting a CRC vulnerability, the attacker can change the packet’s content provided that P[i] XOR P[i+16]=1 (for a random “i”). Given a ciphertext C1, let C2 = C1 XOR v (v is 1 in position i and i+16, 0 in the other positions). To obtain more informations about plaintext the attacker uses the following mathematical property of sums modulo (2^16 -1) (valid under the condition mentioned above): P[i] XOR v P mod(2^16 -1).

What about FMS and Chopchop?

FMS (Fluhrer, Mantin e Shamir)

FMS is a passive, statistic attack. It’s name consists of the initials of its creators and it’s described in the paper Weakness in the Key Scheduling Algorithm of RC4.
In this article the authors explain the “Invariance Weakness” (that states that there are some keys that cause the transformation, by KSA, of a pattern in the key K into pattern of an initial permutation of the S array) and the “IV Weakness” (related to the usual way seed is generated in stream ciphers). Here we will briefly describe FMS without being rigorous; for further reading please refer to the paper.
FMS exploits the vulnerabilities in KSA and the use of weak IVs, that allow an attacker to gain informations about the first byte of the keystream.
If you collect enough weak IVs (please note that the same key is used with many weak IVs) and you have the first byte of the keystream, you can find the Wepkey.
Since the first byte of a generic 802.11 frame is known (because it is the same as an 802.2 LLC header (DSAP) ) it is possible to get the first byte of the keystream by simply XORing the first byte of the ciphered frame and its plaintext value 0xAA.
An IV consists of 24 bits (3 bytes) and, in our case, a weak IV is in the form (A+3, N-1, X) where:

  • A is the byte of the key we want to find
  • N is the modulo parameter used in RC4 (256)
  • X is an arbitrary value from 0 to 255

The algorithm requires sequential attacking of the bytes of the keystream. The k[] array is created this way:

  • k[0], k[1] and k[2] hold the IV
  • k[3] … k[Wepkey_len] contain the Wepkey
  • k[Wepkey_len+1], k[Wepkey_len+2] e k[Wepkey_len+3] hold the IV again
  • k[Wepkey_len+3+1] … k[2*Wepkey_len+3+1] contain the Wepkey once more.

The attack begins with the calculation of the first byte of the keystream, then A+3 steps of the KSA are run, starting with A=0 and so using only the 3 bytes from IV. If j is lower than 2 the step fails, otherwise the subtraction modulo 256 between the first byte from the keystream, j and S[A+3] is executed.
Executing these steps on about 60 IVs and using X always variable, you obtain a success percentage above 50%. The procedure is repeated to determine the entire Wepkey (calculating the following bytes of the keystream).

Chopchop (Korek)

A hacker known as Korek described an active Wep attack (Chopchop) that exploits an ICV vulnerability.
It states that when we truncate the final byte of a packet to a value C and we obtain a nonvalid message C1 a value exists, depending only from the omitted byte, that once XORed to C1 allows the attacker to obtain a valid C2.
The Chopchop attack sets the truncated value to 0, corrects C1 and forwards the packet to the AP. So two situation may take place:

  • the packet is accepted and broadcasted (injection attack)
  • the frame is discarded and the attack goes on (maximum 255 tries) until the frame is accepted

The process is repeated to get the other bytes of the message, fully deciphering it. Please note that, in this situation, we obtain the plaintext without knowing the Wep key.
To obtain further information about the maths of this attack please refer to Korek’s document.

Can I modify a packet bypassing the CRC?

Yes, and that’s not just a theoretical possibility, but an easily done thing in practice. We know that WEP uses a simple CRC to identify errors in the packets, but CRC (non being a HMAC) has some flaws. First off, it is a linear operation for Xor, which means: CRC(x ^ y) = CRC(x) ^ CRC(y). Since RC4 uses XOR to encrypt data we will be able to edit an encrypted packet, also modifying its CRC. Now, since CRC is linear, given an encrypted message C we will be able to create a new C1 message with a correct CRC. The new message will be built like this: C1 = C ^ d where d is a delta packet that we’ll choose. The demonstration is simple and interesting, but we’ll need a couple assumptions:

  • || is the concatenation operator: AB || CD = ABCD
  • IV is the Initialization Vector
  • K is the password
  • M is our plaintext
  • M1 is the message obtained decrypting C1
  • RC4(K) is the pseudo-random keystream generated by RC4 seeded with K

And here’s proof of what we claimed before:

  • C = RC4(IV || K) ^ (M || CRC(M))
  • C1 = C ^ (d || CRC(d))

= RC4(IV || K) ^ (M || CRC(M)) ^ (d || CRC(d))
= RC4(IV || K) ^ ((M ^ d) || (CRC(M) ^ CRC(d))
= RC4(IV || K) ^ ((M ^ d) || CRC(M ^ d))
= RC4(IV || k) ^ (M1 || CRC(M1))

Thus we will just need to XOR the captured packet and our d packet to obtain a new packet with the correct CRC.

I heard about a Fragmentation Attack, what is it?

All of the attacks developed as of today require quite a big number of packets to obtain the key, which is why a this new kind of attack has been developed and implemented. In a Fragmentation Attack we are able to send an arbitrary amount of data on the network, just by sniffing a single packet. Not a bad enhancement. You can download the full paper and the tools to accomplish this. If we own the correct adapter we will get the WEP key in a very short time, without the need of logging more traffic.

How do I discover the gateway if there’s no DHCP?

For one, with port scanning. We can use Nmap, which is a must in a live distro dedicated to computer security. First, you should know that there are three (actually 4) IP ranges reserved for LAN use, the following:

10.0.0.0 – 10.255.255.255
172.16.0.0 – 172.31.255.255
192.168.0.0 – 192.168.255.255
169.254.0.0 – 169.254.255.255

The last one isn’t commonly used in LANs since it’s reserved for Automatic Private IP Addressing (only used in Windows systems). Actually all of the LANs I’ve run into (including many wlans) used addresses from the first and the third range, 10.x.x.x or, more often, 192.168.x.x. Suppose our WLAN uses addresses in the 192.168.x.x range, what now? Well, let’s begin by giving our network interface a (random) IP address in the range, like this:

ifconfig eth1 192.168.1.100

Then, using Nmap, we check if there’s somebody in this range with port 80 open. This because a lot of Access Points can be set up with a web interface, so they run a web server, and web servers usually listen for connection on port (guess?) 80.

nmap -sT -p80 192.168.1-254.1-254

With that we would be checking all of the 192.168.x.x range, but experience suggests that the typical configuration is to have the router/ap/gateway on 192.168.1.1 and the clients on the next addresses, so we can simply try

ping 192.168.1.1

If a device responds to our ping, chances are it’s the gateway. Other typical addresses are 192.168.x.1 (for low values of x) or 10.0.0.x (still for low values of x). Anyway we will just try to connect to the router with a web browser to make sure it’s really our target: type “http://<suspicious_ip>/” in the address bar and if we get a login screen or a control panel we’re good. Once we found a gateway, to set it as a default on our system we can run
route add default gw <gateway_ip>

To discover the ip address of the gateway we can also sniff ARP traffic. The ARP protocol is used to discover the hardware (MAC) address of a host given its network layer address (e.g. its IP address). So we fire up Wireshark (or Ethereal if your distro is older), select Capture→Interfaces.. and select the Start option on the line corresponding to our wifi network interface. When some ARP traffic is captured you’ll see something like this:

Arp_traffic

In this simulation the Access Point (192.168.8.1) wants to know the MAC address of the client of IP address 192.168.8.120; to do this he broadcasts his IP address and so we can write it down. Obviously any client can send an ARP request, so you need some experience to know which one is the gateway. Anyway, with this technique you’ll surely discover the IP range used in the LAN/WLAN.

Shall we talk about ARP request injection?

This attack is possible because WEP:

  • does not protect against reply attacks
  • works at the data-link layer (802.2 LLC), not encrypting stuff in the 802.3 MAC sublayer, as it should do for correct frame delivery.

This said, traffic is sniffed and attention is paid to broadcast traffic (so 802.3 destination address FF:FF:FF:FF:FF:FF).
Remember that ARP requests are sent to broadcast but ARP replies are unicast. Moreover, an ARP request frame has a fixed length of 68 bytes.
So we only consider frames having:

  • 802.3 destination address FF:FF:FF:FF:FF:FF
  • length equal to 68 bytes

We start replicating them hoping that they are ARP requests, and suppose the scenario is:
Host A
IP address 192.168.0.100
MAC address AA:BB:CC:DD:EE:FF

Gateway
IP address 192.168.0.1
MAC address 00:11:22:33:44:55

When the host has to exit its subnet, using 192.168.0.1 as default gateway, he will send a broadcast ARP request asking for the MAC address for that IP. The gateway will then answer with an ARP reply directed only to host A (unicast) and, by doing this, he’ll send a WEP frame with another IV.
If we capture the ARP request and we send it once again it’s still valid (there’s no protection against replay attacks), so the gateway will send a moltitude of ARP replies and so a lot of IVs. Now we can use Aircrack and successfully finalize the attack.

What is a deauthentication attack and how is it done?

This attack allows you to dissociate one or more clients from the WLAN, and can be used for various purposes. As an example:

  1. To discover the SSID of a network that does not broadcast it
  2. To capture handshake packets for WPA or WPA2
  3. To generate ARP-requests

The third case is the most useful when it comes to cracking WEP in 60 seconds, and can be accomplished by using Aireplay-NG:

aireplay-ng -0 1 -a 00:11:22:33:44:55 -c 55:44:33:22:11:00 eth1

These are the options:

  • -0 tells the program that we want to de-authenticate a client
  • 1 makes the program send only one packet (setting this to 0 will make Aireplay-ng send de-auth packets forever)
  • -a 00:11:22:33:44:55 is the MAC of the Access Point
  • -c 55:44:33:22:11:00 is the MAC of the client to dissociate
  • eth1 is the interface to use to send the packet.

By using handshake packets captured in a WPA/WPA2 network, we’ll be able to perform a dictionary or bruteforce attack

Breaking WEP in less than 60 seconds, it’s possible!

In april 2007 Eric Tews, Ralf-Philipp Weinmann and Andrei Pyshkin presented a paper titled Breaking WEP in less than 60 seconds, discussing a new (active) attack which allows the recovery of a WEP key in less than 60 seconds. Actually, the attack described isn’t really brand new, but an improved version of an extremely efficient attack published by Andreas Klein in 2006. Klein’s attack is described exhaustively in Quequero’s paper about the analisys and cryptanalysis of RC4 (italian), so take a look at it in order to be sure you’ll understand what we’re talking about.
The attack is based on the assumption that IPv4 runs on the WLAN, so that when a host wants to contact another it’ll send an ARP-request to discover the destination address, and the target will reply with an ARP-reply. ARP packets aren’t subject to timeouts (unlike, for example, UDP traffic), they have a fixed length, so they’re easy to spot, and their first 16 bytes are constant. Also, ARP-request and ARP-reply only differ by one byte in the header, though the former is broadcasted while the latter isn’t, but since WEP doesn’t change those addresses we can easily distinguish them.

We find ourselves in a familiar situation: by xoring (italian) the encrypted packet with the bytes we know we can obtain the first 16 bytes of the keystream. This attack can be expedited both by re-injecting a sniffed packet and by using a deauthentication attack, so that the clients are forced to re-associate with the AP over and over, sending a bunch of ARP-requests through the network.

Computationally, this kind of attack is more efficient than Klein’s because every byte of the key is calculated independently and because it’s tolerant to identification errors, i.e. using a packet which looked like ARP but wasn’t doesn’t jeopardize the final result. Considering all of this, it’s possible to crack a key in 58 seconds half of the times; this attack has a complexity low enough to be run on a PDA.

A team of researchers from the university of Darmstadt wrote a tool called aircrack-ptw.
Sadly, this tool has no support for 256 bit keys yet.

On May 13, 2007 version 0.9 of aircrack-ng was released, which supports this attack (called PTW) through the -z option.
To use it you must feed aircrack-ng a .cap file, not IVs, so don’t use the –ivs flag in airodump-ng when dumping packets, even though you’ll get a much bigger dump file.
Basically all you need to do is:

aircrack-ng -z xxxxx.cap

To find a 128 bit key with a 100% success rate we used to need around 1.000.000 packets, now to get close to 100% we only need 80.000.
Go fetch the source files, build them and test your networks.
Here’s other evidence of WEP’s weakness to remind stubborn WEP users…

How do I generate a random WEP/WPA key?

Windows:

Windows doesn’t provide an easily accessible entropy-pool, so take advantage of UIC: open up our Random Pool and you will get a list of numbers. Select a string from there, which can be as long as you wish, between 0 and 63 characters, that will be your WEP/WPA key. You can use it for both protocols since the pool generates hexadecimal numbers. Remember to change it very often if it is a WEP key, or every 3/6 months for WPA/WPA2, especially if you often hand it out to your friends to have them connect, you never know.

Linux:

The best thing we can do on Linux it to use /dev/random which is an excellent source of entropy, so open up a terminal emulator and run the command which corresponds to the length you’ve chosen:

40-bit WEP Key
dd if=/dev/random bs=1 count=5 2>/dev/null | hexdump -e ‘5/1 “%02x” “\n”‘

64-bit WEP Key
dd if=/dev/random bs=1 count=8 2>/dev/null | hexdump -e ‘8/1 “%02x” “\n”‘

104-bit WEP Key
dd if=/dev/random bs=1 count=13 2>/dev/null | hexdump -e ’13/1 “%02x” “\n”‘

128-bit WEP Key
dd if=/dev/random bs=1 count=16 2>/dev/null | hexdump -e ’16/1 “%02x” “\n”‘

152-bit WEP Key
dd if=/dev/random bs=1 count=19 2>/dev/null | hexdump -e ’19/1 “%02x” “\n”‘

232-bit WEP Key
dd if=/dev/random bs=1 count=29 2>/dev/null | hexdump -e ’29/1 “%02x” “\n”‘

256-bit WEP Key
dd if=/dev/random bs=1 count=32 2>/dev/null | hexdump -e ’32/1 “%02x” “\n”‘

Wait a couple of seconds for the entropy-pool to be filled up (you can speed up the process by moving your mouse). If you don’t want to wait, you can substitute /dev/random with /dev/urandom, if you don’t mind a slightly less random key:

40-bit WEP Key
dd if=”’/dev/urandom”’ bs=1 count=5 2>/dev/null | hexdump -e ‘5/1 “%02x” “\n”‘

etc…

And there we have a ready to use WEP/WPA random key generator. You can also use the method suggested for Windows which will work flawlessly even on Linux.

What is WPS and how to exploit it?

WPS stands for WiFi Protected Setup, it’s a standard thought to simplify the connection process between a client and an AP. There are three possible ways to authenticate a client using WPS:

  1. Push Button Connect: a WPS button is pushed both on the router and the client, then the authentication process is initiated and the client is configure, this step might require a PIN number usually written on the router itself.
  2. PIN Internal: the client connects to the web interface of the AP and inserts the PIN number.
  3. PIN External: client’s software asks the user for a PIN number, after typing in the PIN number the client is granted access to the network.

The PIN number is composed by 8 numbers, this should be enough to prevent a brute force attack, or better.. It should be. There is serious flaw into the authentication process: PIN is sent and verified in two block of 4 numbers each. The AP replies with a EAP-NACK message as soon as it finds that one half of the PIN is wrong. Therefor our attack space drastically reduces from 100.000.000 of possibilities down to 10.000*2, since we are able to bruteforce the first half of the PIN and then the second. There is more: the last number of our PIN code is always a checksum that can be easily calculated since we are generating the whole PIN, this reduces further the number of combinations down to: 10^4 + 10^3 = 11.000. The whole bruteforce process can recover the PIN code, and thus the full passphrase, in no more than 10 hours in the worst case, usually 4. To exploit this flaw just install reaver-wps put one of your WiFi cards in monitor mode and run it, then wait, if the network you’re attacking has a WPS enabled AP, you’ll soon be able to get the full key:

# reaver -i mon0 -b aa:bb:cc:00:11:22 -vv