Write and discuss with Adam Palmer MBCS CITP. Linux HOWTOs & Tutorials, PHP, MySQL
Unfortunately, a huge range of wireless OEM equipment is still shipped today with WEP as the default. WEP has been known to be vulnerable for a long time. This HOWTO assumes Linux familiarity, compatible hardware, the ability to read and troubleshoot, and a brain.
Hacking your wireless network is not difficult, and here's a procedure you can use to test:
You'll need:
1. A PC and wireless network.
2. A Linux PC/laptop with a wireless networking device.
Method:
1. Boot your (Debian) PC.
2. wget http://download.aircrack-ng.org/aircrack-ng-1.0-rc1.tar.gz
3. tar -xzf aircrack-ng-1.0-rc1.tar.gz
4. cd aircrack-ng-1.0-rc1
5. ./configure
6. make
7. make install
Make sure that you have drivers capable of packet injection. Without this you're not going to get very far. Have a look at the official page here: http://www.aircrack-ng.org/doku.php?id=install_drivers
With this done, make sure that your drivers are patched successfully and that everything is working so far. Try the following:
aireplay-ng --test eth0
Where 'eth0' is your wireless adapter. If this reports success, then great, let's continue! Otherwise, visit the aircrack-ng wiki page above and try again.
We're going to assume that our access point's MAC address is 11:11:11:11:11:11 and the connected client is 22:22:22:22:22:22. Your wireless LAN has an SSID of 'TestWifi' and operates on channel 6.
To pull these statistics up with ease, I generally use Kismet.
Now for a 64-bit WEP key, you'll generally need about 50,000+ unique IVs. For a 128-bit WEP key, you'll need about 300,000+ unique IVs.
Start capturing these IVs on your laptop with:
airodump-ng --ivs --write ivs.out --channel 6 --bssid 11:11:11:11:11:11 eth0
Now hop over to your connected wireless device (which currently knows the WEP key) and start browsing. You'll notice that the IV count (the Data #/s column) in airodump-ng increases slowly. You'll also realize that it's going to take quite some time to gather the necessary data packets. This is where aireplay-ng comes into play.
There is a great method for quickly generating data on a WEP network. If you can capture a WEP-encrypted ARP packet, you can send it back to the access point over and over again (despite the fact that you can't actually decode it yourself). Each time, the access point sends back another unique response packet, which you can capture and which counts towards your IV quota.
We can't generate the first valid ARP packet ourselves, though, as we don't know the key, so we're going to have to rely on the connected client that does know the WEP key. ARP packets are generally sent when a device joins the network, so we're going to disconnect the currently connected client and hope that it reconnects and spews out some ARP packets.
aireplay-ng --deauth 10 -e TestWifi -c 22:22:22:22:22:22 eth0
You'll hopefully see responses from both the AP AND the client acknowledging that it has disconnected. It will then automatically reconnect, broadcasting ARP packets in the process. You've still got airodump-ng running in another window capturing this data, right?
You should now see this traffic jump quite quickly. If you receive 'disassoc' notices, run the following in another window:
MYMAC=`ifconfig eth0 | grep HWaddr | awk '{ print $5 }'`
aireplay-ng --fakeauth 10 -e TestWifi -c ${MYMAC} eth0
You are now associated with the access point. If you don't receive any response to this, either the access point is using MAC filtering (in which case you'll have to sniff until you find a valid MAC address, or brute-force one, which is pretty implausible) or you're just not close enough to the access point.
Once you have about 50,000 IVs captured, in another window run aircrack-ng ./ivs.out and select your target access point. It will now spend some time running and eventually produce you a key!
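From the defender's side, the deauth step above is the noisiest part of this procedure: a burst of deauthentication (or disassociation) frames carrying the AP's BSSID in a very short window is exactly what a wireless IDS looks for. This added example (not part of the original post) flags such bursts in a constructed, hypothetical monitor-mode frame log; the log format, the 5-second window and the threshold of 10 frames are assumptions.

```python
"""Flag bursts of 802.11 deauth/disassoc frames per BSSID in a frame log.

Added example, not from the original post. The log format is a constructed,
hypothetical one: one management frame per line,
  <epoch seconds> <frame type> <transmitter mac> <receiver mac> <bssid>
"""
from collections import defaultdict, deque

# Constructed sample log: a single benign deauth on two networks, then a train
# of 12 deauth frames 50 ms apart on BSSID 11:11:11:11:11:11 (what a deauth
# flood against the AP from the HOWTO would look like to a passive sensor).
SAMPLE_LOG = "\n".join(
    ["100.000 deauth 11:11:11:11:11:11 22:22:22:22:22:22 11:11:11:11:11:11",
     "100.100 beacon 11:11:11:11:11:11 ff:ff:ff:ff:ff:ff 11:11:11:11:11:11",
     "150.000 deauth 33:33:33:33:33:33 44:44:44:44:44:44 33:33:33:33:33:33"]
    + [f"{200 + 0.05 * i:.3f} deauth 11:11:11:11:11:11 22:22:22:22:22:22"
       " 11:11:11:11:11:11" for i in range(12)]
)


def parse_frame(line):
    """Parse one log line into a dict, or None for blank/malformed lines."""
    fields = line.split()
    if len(fields) != 5:
        return None
    try:
        ts = float(fields[0])
    except ValueError:
        return None
    return {"ts": ts, "type": fields[1].lower(),
            "src": fields[2], "dst": fields[3], "bssid": fields[4]}


def detect_deauth_bursts(log_text, threshold=10, window_s=5.0):
    """Return {bssid: timestamp} for each BSSID whose deauth/disassoc frame
    count within any window_s-second sliding window reaches threshold.
    The timestamp is the frame at which the burst was first flagged."""
    recent = defaultdict(deque)   # bssid -> timestamps still inside the window
    alerts = {}
    for line in log_text.splitlines():
        frame = parse_frame(line)
        if frame is None or frame["type"] not in ("deauth", "disassoc"):
            continue
        q = recent[frame["bssid"]]
        q.append(frame["ts"])
        while q and frame["ts"] - q[0] > window_s:   # drop frames older than window
            q.popleft()
        if len(q) >= threshold and frame["bssid"] not in alerts:
            alerts[frame["bssid"]] = frame["ts"]
    return alerts


if __name__ == "__main__":
    for bssid, ts in detect_deauth_bursts(SAMPLE_LOG).items():
        print(f"deauth burst on {bssid} at t={ts:.3f}s")
```

The isolated deauth frames at t=100 and t=150 are normal client churn and are not flagged; only the rapid train on 11:11:11:11:11:11 trips the threshold.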
This doesn't work with WPA. It's a different technology and not vulnerable to the same key weaknesses. The best you can do with WPA is capture the initial handshake and then brute-force it against a dictionary list. If the WPA key is not in the dictionary, you won't crack it.
These tests are of course to be run for educational purposes against your own devices only. Running these tools without permission against someone else's devices is illegal.