Friday, November 21, 2008


taken from

WEP is not a protection

What is WEP and why you should not use it


It can be cracked in minutes!

I am talking about WEP-128 here, which is the most
common version and the "more secure" variant compared to WEP-64.
I say "more secure" in quotes because WEP-128 needs some minutes
to be cracked and WEP-64 only a few seconds. If something
can really be done that easily, you cannot call it
a "protection" scheme; it has little to do with encryption
and certainly nothing to do with privacy. Someone who uses
WEP is effectively inviting people into an open network.

My equipment may be of interest to those who want
to verify what I write here. I have the following:

All the software needed is contained in BackTrack.
BackTrack is a Linux distro made entirely for security analysis (cracking).
If you are really interested, download it and try it out. It is awesome, not just for wireless but for all networks. It is the ultimate toolkit for crackers ;)

You can also use any other wireless LAN adapter.
It is a great help if it supports injection; without
it you have to wait for someone else to use the wireless
network, which is much less efficient than generating
the traffic yourself. I will explain that below.

Putting the adapter in monitoring mode

Perhaps one of the most difficult things is to put
your wireless adapter into monitoring mode.
The default mode is called managed; in this mode
you connect to one single network. Monitoring mode
listens to everything in the air.

aircrack-ng comes with airmon-ng, a utility
that puts most cards into monitoring mode.
It is used like this:

# airmon-ng start <your-wireless-interface>

I will use the tools that come with the madwifi-ng
driver. Usually my wireless LAN interface is already
created as a managed device (here: ath0, on physical device wifi0), so I have to destroy
it first and recreate it as a monitoring
device. Here is how it is done:

# wlanconfig ath0 destroy
# wlanconfig ath1 create wlandev wifi0 wlanmode monitor

That's it. We now listen to everything. Check
that the device has really been created as ath1
with the command ifconfig -a; it may have got
a higher numeric suffix. I will use ath1 below.

Choosing the victim network

The next step is to start airodump-ng to listen
for all interesting networks. This is really easy:

# airodump-ng -t WEP -t OPN ath1

You will get output similar to this if you
find WEP networks. This is the output from the manpage,
by the way, so do not worry about exposed MAC addresses and BSSIDs.

CH  7 ][ BAT: 2 hours 10 mins ][ 2006-03-28 21:00

 BSSID              PWR  Beacons   # Data  CH  MB  ENC   ESSID

 00:13:10:30:24:9C   46       15     3416   6  54. WEP   the ssid
 00:09:5B:1F:44:10   36       54        0  11  11  OPN   NETGEAR

 BSSID              STATION            PWR  Packets  ESSID

 00:13:10:30:24:9C  00:09:5B:EB:C5:2B   48      719  the ssid
 00:13:10:30:24:9C  00:02:2D:C1:5D:1F  190       17  the ssid

The access points are at the top of the screen
and are sorted by activity. They may disappear from
the screen if no packets are reaching your
laptop. The number of beacons should be constantly
incrementing; that means you are near the access
point and the signal quality is good. Walk around with your
laptop to improve the PWR score.

You can see two access points here. One is called
"the ssid" and the other "NETGEAR". Well, open networks
do not need to be cracked, they are already open, unless
someone uses IPsec on them. But open networks are
often "protected" by MAC restrictions, which is
quite stupid. See below.

Let's try the WEP one.
Note the BSSID address on the left side and the
channel number 6.
You will need them to optimize your crack. You also
see two clients with their MAC addresses (column STATION) using
the WEP network "the ssid". Lucky!

Start sniffing

Stop airodump-ng by pressing Ctrl+C and
restart it with the following parameters:

# airodump-ng --channel 6 --bssid 00:13:10:30:24:9C -w capture ath1

Now we capture the packets to a file called
capture-01.cap. You need to capture about
70000 to 80000 IVs to crack most networks.
You don't need to stop airodump-ng while trying out
whether you have captured enough IVs.

Packet injection for a faster crack

We will assume that IVs aren't captured fast
enough and you get bored watching the display.
We need two things to speed up the crack:

  • A client must be connected to the network that you want to crack, i.e. there must be at least one STATION actively online.
  • You need some packets captured. Sometimes 10 are enough, but let's wait for 100 to 200.

Given both criteria, you can inject packets that
you already captured. The station will accept them,
because they are validly encrypted. Most
importantly, it will answer them! You need
to be in transmission range for this. If the signal
strength (PWR) is too low, you cannot send
and receive, and even worse, you can get faulty packets
that make the crack ineffective.

So let's start the injection to produce IVs!
You need another utility from the aircrack-ng package:

# aireplay-ng --arpreplay -b 00:13:10:30:24:9C -h 00:09:5B:EB:C5:2B -r capture-01.cap ath1

Start this command in a second terminal.
The -b parameter is the BSSID of
the wireless network. The -h parameter is
the client I want to pretend to be while injecting
packets. I selected the client station
that is the most talkative here. aireplay-ng
will inject ARP packets into the victim wireless
network. It takes the packets from our capture
file, which airodump-ng constantly writes to.

When everything works fine, you will see IVs
arriving at a very high rate. That is what we want.
We need at least 70000 of them. Take your time and let
the count keep rising; it only takes a few minutes!
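Seen from the other side of the air: because aireplay-ng re-sends the very same captured, encrypted ARP frame, a wireless monitor sees one (station, WEP IV) pair repeated hundreds of times per second, whereas a legitimate station uses a fresh IV for every frame. The following detector is an added example, not code from the post or from the aircrack-ng project; the frame records and MAC addresses are constructed, and the field layout (timestamp, BSSID, source MAC, IV, length) is an assumption about what a capture parser would hand over.

```python
# Added example: flag ARP-replay injection in a stream of 802.11 data frames
# by counting how often the same (BSSID, source MAC, WEP IV) repeats inside
# a short time window. Legitimate traffic almost never repeats an IV
# back-to-back; a replay attack repeats one IV thousands of times.
from collections import defaultdict

# Constructed sample capture: (timestamp_s, bssid, source_mac, iv_hex, length).
# Made up for this example, not taken from a real capture.
FRAMES = [
    (0.00, "00:13:10:30:24:9C", "00:09:5B:EB:C5:2B", "0a1b2c", 68),
    (0.50, "00:13:10:30:24:9C", "00:02:2D:C1:5D:1F", "33d4e5", 110),
    (1.00, "00:13:10:30:24:9C", "00:02:2D:C1:5D:1F", "33d4e6", 96),
] + [
    # 40 replays of one ARP frame within 0.4 s: identical IV, identical length
    (2.0 + i * 0.01, "00:13:10:30:24:9C", "00:09:5B:EB:C5:2B", "0a1b2c", 68)
    for i in range(40)
]


def detect_arp_replay(frames, window_s=1.0, threshold=20):
    """Return {(bssid, station, iv): peak_count} for every IV that appears
    more than `threshold` times inside any sliding window of `window_s`."""
    seen = defaultdict(list)  # (bssid, src, iv) -> list of timestamps
    for ts, bssid, src, iv, _length in frames:
        seen[(bssid, src, iv)].append(ts)
    alerts = {}
    for key, times in seen.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # advance the window start until the window spans <= window_s
            while times[end] - times[start] > window_s:
                start += 1
            count = end - start + 1
            if count > threshold:
                alerts[key] = max(alerts.get(key, 0), count)
    return alerts


if __name__ == "__main__":
    for (bssid, station, iv), n in detect_arp_replay(FRAMES).items():
        print(f"ALERT: {station} -> {bssid}: IV {iv} repeated {n}x within 1 s")
```

On the constructed sample only the replaying station is reported; the second station, which uses a different IV per frame, stays quiet.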

Cracking the WEP key

Keep injecting and capturing with both utilities, and
you can try to crack the WEP key once you think
you have captured enough. Start this command in a third
terminal (keep the other tools running!):

# aircrack-ng -z capture-01.cap

Starting with the -z option usually needs only
seconds to find the key, or it will abort the
crack attempt and wait for more IVs. If you don't
get the key, you can also try without -z.
This will take long and may need even more than
70000 packets. I haven't had a case where -z
did not work, yet.

The successful crack shows the WEP key in
hexadecimal right next to "KEY FOUND!" and
the probability of 100%.

I have the password and cannot connect!

There are several problems that you can have connecting
to a WEP network. Let's put the most obvious ones aside first:

  • You are too far away. Often, it's easier to crack the key than to get near enough to the access point.
  • You entered the password wrong.
  • You entered the hexadecimal key and the client thinks it is textual.
  • Sometimes you need to set up the authentication mode.

There is one more problem. Some people think that
restricting their access points to certain MAC addresses
will protect them. They are wrong!

Well, remember what we did above. We actually
have their MAC addresses and even
used them already to inject ARP packets.

Defeating the MAC "protection"

If an access point is protected by this mechanism,
simply set your wireless adapter to the victim's
MAC address, like this:

# ifconfig <your-wireless-interface> hw ether <the-mac-you-want>

This should almost instantly allow you to associate.

Alternatives to WEP

As you can see, WEP is really not secure at all.
That is why I recommend using WPA instead
of WEP in general. If your client doesn't have drivers for WPA,
get them quickly! I showed you above why.

When you switch to WPA-PSK, which most people do,
use a strong password: one which cannot be looked up
in a dictionary. The best are random strings
or random hexadecimal numbers. Note that you
can also try to crack a WPA-PSK network with
aircrack-ng; you just need one special
type of packet called the "WPA handshake". This is usually
sent when a client is switched on and associates
with the access point.

Scary. But if you choose a strong password, it is
almost impossible to guess. aircrack-ng
can try millions of passwords in a few seconds, so
take it seriously! I have a long dictionary here!

Choosing a strong password


There are several tools for that. I recommend using
apg, which can produce good passwords, even
pronounceable ones if you want to memorize them
more easily.

If you are really paranoid and don't trust
your own random number generator, you can use dice
and diceware. This is not software: you just throw
dice and look up a word in a long list. You get
long and good passwords that are really easy
to remember.
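The two kinds of secret the post recommends, a random hexadecimal PSK and a diceware-style passphrase, generated with the operating system's CSPRNG, as an added example that is neither code from the post nor from apg or Diceware. The word list is a constructed stand-in for the real Diceware list (which has 7776 words, one per roll of five dice); only the list size enters the entropy calculation.

```python
# Added example: generate WPA-PSK secrets with the secrets module (CSPRNG),
# never with random(), and compute how many bits of entropy they carry.
import math
import secrets

# Constructed mini word list; a real Diceware list has 6**5 = 7776 entries.
WORDLIST = ["apple", "brick", "cloud", "delta", "eagle", "flint", "grape",
            "hedge", "ivory", "jumbo", "kayak", "lemon", "mango", "nylon",
            "olive", "piano", "quilt", "river", "stone", "tiger"]
DICEWARE_LIST_SIZE = 6 ** 5


def diceware_passphrase(n_words=6, wordlist=WORDLIST):
    """Pick n_words uniformly at random (with replacement) from wordlist.
    secrets.choice is the software equivalent of an honest dice roll."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def hex_psk(bits=256):
    """A raw WPA pre-shared key: 64 hex digits = 256 bits, the strongest
    form, but impossible to memorize (the 'random hexadecimal' option)."""
    return secrets.token_hex(bits // 8)


def passphrase_entropy_bits(n_words, list_size):
    """Entropy of n_words chosen uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)


def valid_wpa_passphrase(p):
    """WPA/802.11i passphrases must be 8 to 63 printable ASCII characters."""
    return 8 <= len(p) <= 63 and all(32 <= ord(c) <= 126 for c in p)


if __name__ == "__main__":
    phrase = diceware_passphrase()
    print("passphrase:", phrase, "valid:", valid_wpa_passphrase(phrase))
    print("6 real Diceware words carry",
          round(passphrase_entropy_bits(6, DICEWARE_LIST_SIZE), 1), "bits")
    print("hex PSK:", hex_psk())
```

Six words from the full Diceware list give about 77.5 bits, far beyond what a dictionary run against a captured handshake can cover, while still being something you can memorize.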
