Hey guys,
I'm going to do a brief writeup on a common method used for cracking WEP encryption. Using this method you can gain access to just about any wireless network that uses WEP encryption. This will be followed up with methods to attack WPA2 networks as well as some more advanced wireless attacks like the Caffe Latte and Hirte attacks.
What you need:
aircrack-ng software suite
macchanger program
wireless adapter (internal or USB, either will work)
Linux (I could be wrong but it's my understanding that there's either none or a severe shortage of drivers for Windows to allow promiscuous mode on wireless receivers; either way this tutorial's focusing on Linux)
BackTrack comes packaged with everything necessary, and UNetbootin is a great tool for setting up a bootable flash drive, that way you can turn almost any laptop into a usable auditing machine if you're in a pinch. If you have any particular aversion to using BackTrack, pretty much any other pen-testing distro should have these tools, and if not they are all available for free.
Getting Started:
The first thing we'll do before we begin is set a dummy MAC address for the sake of being uber ninjas (it's pretty unlikely for someone to track you down based on the MAC address of your ethernet adapter, but it's easy enough to fake anyway).
Enter the following commands into a terminal:
ifconfig wlan0 down
macchanger -m 00:11:22:33:44:55 wlan0
ifconfig wlan0 up
These commands MUST be executed as root, so either prefix each with sudo or type 'su -' to temporarily sign in to the root user's account.
Now that that's taken care of, we need to put our network adapter into promiscuous (monitor) mode, where it will listen to all the wireless traffic floating through the air regardless of which channel it's broadcast on; this lets us map out all of the networks in the area. To do this enter the following command (again, and throughout the entire tutorial, root privileges are required):
airmon-ng start wlan0
This will create a mon0 interface that we will be interacting with throughout the rest of this tutorial. Below is a screenshot of what the output should look like:
Now that we have the interface set up, we need to start sniffing the air to see what networks are available. To do this, enter the following command:
airodump-ng mon0
Now you should see a list starting to build. Let it run for a minute or two to get an accurate idea of what networks are available. A few key columns you should start making note of are: BSSID, #DATA, CH, ENC/CIPHER, ESSID
BSSID - This is the MAC address of the AP. Once you pick your target, copy the BSSID to your clipboard because you will be using it a lot.
#DATA - Shows the number of data packets seen on the network since you started sniffing.
CH - The channel the AP is broadcasting on.
ENC/CIPHER - Tell you the encryption in use; for this tutorial we are interested in networks where these columns say WEP.
ESSID - This is the SSID of the AP (the wireless network name that shows up when you scan for networks on your laptop or phone).
As the tutorial goes on you'll see why these values are important. Below is a screenshot of roughly what you should be seeing:
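The same columns land in the CSV that airodump-ng writes when it is run with `-w <prefix>` (the file is `<prefix>-01.csv`). The script below is an added example from the defender's side, not code from the original post or from the aircrack-ng project: it parses that CSV and lists every AP whose Privacy column says WEP, so a network owner can find legacy WEP gear in their own estate before anyone else does, and it flags stations that have pushed an unusual number of packets at an AP, which is the footprint the IV-harvesting traffic described later leaves in the station table. It assumes the CSV layout current airodump-ng writes (AP table, blank line, station table); the CSV text itself is constructed, not a real capture.

```python
"""Inventory access points from an airodump-ng CSV and flag legacy WEP.

Added example, not from the original post and not aircrack-ng code. Assumes
the CSV layout airodump-ng produces with -w <prefix>: an AP table, a blank
line, then a station table. SAMPLE_CSV is constructed, not a real capture.
"""
import csv
import io

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:14:6C:7E:40:80, 2012-03-01 10:00:00, 2012-03-01 10:02:00,  6,  54, WEP, WEP, OPN, -40, 120, 35, 0.0.0.0, 10, legacy-lab, 
00:1A:2B:3C:4D:5E, 2012-03-01 10:00:01, 2012-03-01 10:02:00, 11,  54, WPA2, CCMP, PSK, -55, 110, 0, 0.0.0.0, 6, office, 
AA:BB:CC:DD:EE:FF, 2012-03-01 10:00:02, 2012-03-01 10:01:59,  1,  54, OPN, , , -70, 90, 0, 0.0.0.0, 4, cafe, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:11:22:33:44:55, 2012-03-01 10:00:05, 2012-03-01 10:02:00, -50, 4000, 00:14:6C:7E:40:80, legacy-lab
"""


def parse_airodump_csv(text):
    """Return (access_points, stations): lists of dicts keyed by the CSV headers.

    airodump-ng separates the AP table and the station table with a blank line,
    and pads fields with spaces, so skipinitialspace plus strip() is needed.
    """
    sections = [s for s in text.strip().split("\n\n") if s.strip()]
    tables = []
    for section in sections:
        reader = csv.DictReader(io.StringIO(section.strip()), skipinitialspace=True)
        rows = [{(k or "").strip(): (v or "").strip() for k, v in row.items()}
                for row in reader]
        tables.append(rows)
    aps = tables[0] if tables else []
    stations = tables[1] if len(tables) > 1 else []
    return aps, stations


def find_wep_networks(aps):
    """Every AP whose Privacy column lists WEP, with its current IV count.

    Privacy can hold several tokens ("WPA2 WPA"), so match on whole words.
    A '# IV' figure that climbs by thousands in minutes on a WEP AP means
    someone is collecting the IV packets this tutorial talks about.
    """
    hits = []
    for ap in aps:
        if "WEP" in ap.get("Privacy", "").split():
            hits.append({"bssid": ap["BSSID"], "essid": ap["ESSID"],
                         "channel": int(ap["channel"]), "ivs": int(ap["# IV"])})
    return hits


def find_noisy_stations(stations, min_packets=1000):
    """Stations that sent at least min_packets frames during the scan window.

    A client that pushes thousands of frames at an AP within a couple of
    minutes is worth a second look; normal browsing rarely does that.
    """
    return [{"station": s["Station MAC"], "bssid": s["BSSID"],
             "packets": int(s["# packets"])}
            for s in stations if int(s["# packets"]) >= min_packets]


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for hit in find_wep_networks(aps):
        print("WEP AP:", hit)
    for noisy in find_noisy_stations(stations):
        print("busy station:", noisy)
```

Point it at a real file with `parse_airodump_csv(open("dumpfile-01.csv").read())`; the column names are taken from the header line, so extra columns in newer airodump-ng releases do not break it.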
Now once you've seen which networks are available and decided which one you want to crack, hit Ctrl+C to stop airodump-ng. Then highlight and copy the BSSID and make note of the channel of the network you're targeting, and enter the following command (replace {BSSID} with the BSSID and {CHANNEL} with the channel):
airodump-ng -c {CHANNEL} -w dumpfile --bssid {BSSID} mon0
Now you should see something similar to before, except it is exclusively locked on the target network.
We want to keep this window running in the background, but open another terminal as well and enter the following command:
aireplay-ng -1 0 -a {BSSID} -h 00:11:22:33:44:55 mon0
At this point what we're doing is trying to trick the AP into "authing" us so that we can begin exchanging packets. WEP encryption is so inherently weak that all we need to do is capture enough IV packets and, no matter what, we can obtain the key; by authing we can try an ARP replay attack and get those packets much quicker. Sometimes this won't work, but it usually does. After you auth, open yet another terminal and enter the following command:
aireplay-ng -3 -b {BSSID} -h 00:11:22:33:44:55 mon0
This terminal should start sending packets to the router. If you open the original screen which is monitoring the network traffic you should notice the #DATA field increasing rapidly; if it is, then everything's going as planned and in a few short minutes you'll have free internetz!
Below are a few quick screens to demonstrate the last two commands
Fakeauth:
Arpreplay:
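What makes the #DATA counter climb is that aireplay-ng -3 re-sends one captured ARP request over and over, so the AP keeps answering with freshly encrypted (fresh-IV) frames. From the defender's side that is a loud signature: one station transmitting the very same encrypted frame hundreds of times in a few seconds, which no normal 802.11 stack does (a link-layer retry repeats a frame once or twice, not hundreds of times). The detector below is an added example, not code from the original post or from aircrack-ng; it assumes each sniffed WEP data frame has already been reduced to a record holding a timestamp, the transmitting station MAC, the 3-byte WEP IV and the encrypted body, and the traffic it runs on is constructed.

```python
"""Flag ARP-replay injection against a WEP network from a stream of frame records.

Added example written from the defender's side; not from the original post and
not part of aircrack-ng. Assumes each captured WEP data frame is a dict with
keys t (seconds), src (station MAC), iv (3 bytes) and body (encrypted payload).
The traffic in constructed_traffic() is made up, not captured.
"""
import hashlib
from collections import defaultdict, deque

REPLAY_THRESHOLD = 20   # identical frames from one station ...
WINDOW_SECONDS = 5.0    # ... inside a window this long is not a normal retry

INJECTOR = "00:11:22:33:44:55"   # the spoofed MAC used in the post's commands
CLIENT = "00:1A:2B:3C:4D:5E"     # constructed MAC for a legitimate client


def fingerprint(src, iv, body):
    """Identity of a WEP frame: sender, IV and ciphertext.

    A genuine stack picks a new IV for each frame; a replay tool re-sends one
    captured frame verbatim, so the same fingerprint keeps reappearing.
    """
    return hashlib.sha256(src.encode() + iv + body).hexdigest()


def detect_replays(frames, threshold=REPLAY_THRESHOLD, window=WINDOW_SECONDS):
    """Return one alert per replayed frame: {"src", "first_seen", "count"}.

    Keeps a sliding window of timestamps per fingerprint. An alert opens once
    `threshold` copies fall inside `window` seconds and then keeps counting
    further copies so the final report shows the full volume.
    """
    recent = defaultdict(deque)   # fingerprint -> timestamps still in the window
    alerts = {}                   # fingerprint -> alert dict
    for f in sorted(frames, key=lambda f: f["t"]):
        fp = fingerprint(f["src"], f["iv"], f["body"])
        if fp in alerts:
            alerts[fp]["count"] += 1
            continue
        q = recent[fp]
        q.append(f["t"])
        while f["t"] - q[0] > window:   # q is never empty here
            q.popleft()
        if len(q) >= threshold:
            alerts[fp] = {"src": f["src"], "first_seen": q[0], "count": len(q)}
    return list(alerts.values())


def constructed_traffic():
    """Constructed sample: a normal client, one benign retry, and an injector."""
    frames = []
    # Legitimate client: 30 frames over 30 s, a fresh IV each time.
    for i in range(30):
        frames.append({"t": float(i), "src": CLIENT,
                       "iv": i.to_bytes(3, "big"), "body": bytes([i % 256]) * 28})
    # One ordinary link-layer retry: frame 5 sent again 10 ms later.
    frames.append({"t": 5.01, "src": CLIENT,
                   "iv": (5).to_bytes(3, "big"), "body": bytes([5]) * 28})
    # Injector: the single captured ARP request re-sent 200 times in 4 s.
    arp_iv, arp_body = b"\x12\x34\x56", b"\xAA" * 36
    for i in range(200):
        frames.append({"t": 10.0 + i * 0.02, "src": INJECTOR,
                       "iv": arp_iv, "body": arp_body})
    return frames


if __name__ == "__main__":
    for alert in detect_replays(constructed_traffic()):
        print(f"replay from {alert['src']}: {alert['count']} copies, "
              f"first seen at t={alert['first_seen']}")
```

The retry in the sample stays well under the threshold, so only the injector is reported. The same fingerprint idea works for the fake-authentication step, where the signature is a burst of authentication frames from a station the AP has never served, but the replay flood is the louder of the two and the one this tutorial's #DATA counter reflects.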
The final step is to open yet another terminal and enter the following command:
aircrack-ng dumpfile*.cap
Remember the previous command where we entered -w dumpfile? That was the name of the file we were writing to; you can call it whatever you like. Initially the program will create dumpfile-01.cap; if you then stop and were to start again it would create dumpfile-02.cap, and so forth, so I usually just use filename*cap as the filename parameter to aircrack-ng and it will automatically load all of the dump files you've obtained with that name. Now all that's left is waiting: if the network uses 64-bit WEP you're looking at around 5000-10000 IV packets, if it's 128-bit then perhaps 20000-30000 IV packets; this should take at maximum around 15-20 minutes to complete. And all of these programs can run concurrently: airodump-ng will continue writing to the cap files and aircrack-ng will keep testing as the file is being written to. The end result should look something like this:
There's our key! D8:14:16:9E:50. By entering this when prompted for a password when we connect, we are able to gain access to the network (don't enter the colons ':', just the 10 hex characters). I have yet to come across a WEP network that this method wouldn't work on; sometimes, depending on signal strength and various other factors, you will meet with varying success using ARP replay attacks, but even if they fail you can still leave a laptop sniffing over the course of a day or two and just through the owner's personal browsing you should be able to obtain enough packets to crack the key. I hope this was of help; if anyone has any questions or if anything's written unclearly please let me know and I'll get back to you as quick as I can!
If this seemed stupidly easy, it's because it is. And if you go around sniffing networks (there's lots of free apps for it, do it on your phone sometime) you'll be surprised at just how many networks actually still run WEP (in my experience I'd estimate somewhere between 25%-50%), so if you're ever a poor college student staying in an apartment somewhere there's one way you can cut costs by eliminating an internet bill ;)