Aircrack-ng against WEP - clickdeathsquad

Using Aircrack-ng against WEP encryption (Tutorial)
By Click Death Squad (C.D.S.)
Revision 1.1

The goal of this tutorial is to see how quickly your own WEP key can be compromised. There are more ways than one to accomplish this. Typically, a WEP key can be recovered using the "chopchop" method or the "fragment" method. Both approaches are covered in this tutorial. The basic idea for key recovery is to capture a packet from the wireless access point that you can use to perform an attack. Deauthenticating any computers that may be connected to the access point is one way to do capture such a packet. When a computer becomes deauthenticated from the access point, it will reauthenticate itself back up to resume normal operation. In turn, this process will give us a packet that we can use to construct a custom ARP request in the form of a replayable packet. That request will then be force fed back to the access point and generate thousands more packets.

The vulnerability in this process is the IV, or initialization vector. Each packet transmitted by the access point is supposed to be encrypted using a unique identifier, which makes it impossible to guess. However, WEP encryption scheme has a weakness in which IVs used to encrypt the packets are occasionally recycled, and become statistically predictable. By replaying a customized ARP request over and over, you can force the router to rapidly generate thousands and thousands of packets, which will disclose the recycled (weak) IVs. Once sufficient IVs have been collected, an attack on the recycled IVs can be performed and 64 or 128 bit WEP keys can be recovered very quickly.

In this example, we used an atheros card, and all the commands issued are given in quotes, with the result of the commands being listed in grey. After each step, a screenshot is given so you may compare your output to what should be happening. Please note that not all the screenshots contain the exact same data which is given in the example, they are merely for reference purposes.

Tools you will need to accomplish this task:

System with aircrack-ng installed, or a Backtrack 3 CD
Wireless network encrypted with WEP (your own) that you can test
Network card that supports packet injection, such as an atheros chipset based device
Basic Linux networking skills and command line capabilities
A cold beer

Step 1: Bring up the interface and find the target.
Assuming you have booted Backtrack and have a console window open, you may care to take a peek at other networks around you, just for the sake of being curious. Before you start testing your own network, you will need to pull up the network interface and scan for the target network.

"ifconfig ath0 up" ### bring up the interface.
"iwlist ath0 scanning" ### dump a list of all wireless access points within range.

Amongst the various other networks, you should see your own network running, called "linksys" in this example screenshot. It would be a good idea to jot down the ESSID of your access point, the MAC address and frequency (channel) your access point is running on. These values will be needed to complete the wireless security audit.

Step 2: Put the interface in monitor mode.
The network card you are using needs to be able to promiscuously (passively) collect packets and dump them to a file. This can be accomplished by using the airmon-ng tool in the aircrack-ng suite. Tell the network card to stop actively transmitting, and create a new interface to collect packets on. Specify the channel that your network is running.

"airmon-ng stop ath0" ### stop the interface.
"airmon-ng start wifi0 6" ### create the virtual interface called wifi0, and start listening in monitor mode on channel 6.

Your wireless card should indicate that it is in monitor mode on the channel you specified. Now you are ready to start collecting packets for analysis.

Step 3: Begin dumping packets on your virtual monitor mode interface.
Once your atheros network card is ready to listen to some packets in monitor mode, open another terminal window and begin selectively saving traffic. In some instances, (WPA cracking) you may wish to save every single packet that is being transmitted by your target. In this case, we are only interested in capturing the weak (recycled) IVs that are being used. This will save space and time when performing the attack itself. By using the "-i" switch, you can tell airodump-ng to only save weak IVs. Once you start dumping traffic to a file, leave this terminal window open and running.

"airodump-ng -c 6 --bssid 00:11:22:33:44:55 -i -w packets ath0" ### where 6 is the channel to listen on, 00:11:22:33:44:55 is the target MAC address and "packets" is the file to save the weak IVs in.

You can see in the screenshot that packets are being dumped which match our target MAC address for the access point. The type of encryption being used (in this case, WEP) is shown in the upper right hand corner. A good "guess" that you have adequate signal strength and distance gap between you and your target would be how quickly the beacon frames are being picked up by your computer. Typically, the faster the beacon frames stack up, the better chance you have to perform an attack. When you see a MAC address appear under station, that indicates a client (besides you) is connected to the target access point and transmitting packets.

Step 4: Fake authenticate yourself with the target.
In order to easily capture a packet that will be used to perform an attack, you need to trick the wireless network into authenticating your computer and associating it as a valid client. By doing so, this means your computer is authorized to offer the WEP key to the access point, and in turn become a validated computer and receive an IP address. Because we do not know the WEP key yet, we are simply going to authenticate our computer with the access point AS IF we were going to offer the WEP key. This is called fake authentication, and will allow the capture of the packet we need to complete the attack. We will also be sending a keep-alive packet to the router every so often to keep our fake authentication status valid, or at least long enough to complete an attack. Technically you only need to fake authenticate with the access point only once, but it is possible that you may become deauthenticated while performing the attack (a few steps down) because you are flooding the network with packets. Leave this terminal window open and running.

"aireplay-ng -1 1 -q 5 -e "linksys" -a 00:11:22:33:44:55 -h 00:C0:A8:D1:CB:43 ath0" ### where "-1 5" means fake authentication mode, "-q 5" means send a keep-alive packet every 5 seconds, "linksys" is the ESSID of the target network, "-a" is the MAC address of the target network, and "-h" is your MAC address.

When this request has been performed correctly, you should see in your terminal window that you have both associated and authenticated with your target access point. It would be advisable to leave this terminal window open and running, as to continue transmitting keep-alive packets with the target long enough to inject some packets.

Step 5: Run a "chopchop" attack to capture a keystream, which allows you to build an ARP packet.
As previously mentioned, there are two ways to get an access point to provide you with the data you need in order to build a custom ARP packet suitable for replaying. This is the "chopchop" method. The idea here is to capture a piece of data that the access point transmits, which is saved to a keystream file. The "chopchop" method typically takes longer to execute versus the "fragment" method. The two attacks work very differently. A "chopchop" captures a piece of a packet, and attempts to brute force the last few pieces until the required data is collected. A "fragment" attack sends deliberately fragmented (or empty) packets to the access point, which causes it to produce the same required data necessary for an ARP packet. Different wireless access points respond uniquely to both types of attacks. if one fails, try the other. Let's try the "chopchop" first and see if we can capture enough data to save a keystream.

"aireplay-ng -4 -e linksys -a 00:11:22:33:44:55 -h 00:C0:A8:D1:CB:43 ath0" ### where "-4" specifies the chopchop attack, "-e" specifies the ESSID, "-a" is the target MAC address and "-h" is your mac address.

Aireplay-ng will automatically grab the first available packet and offer to chop it for you. Select "y" and hopefully you will be able to capture enough data for a keystream.

Once you are able to bruteforce the last few bytes of the keystream, it is saved to a file. In this case, your keystream file is replay_dec-0531-055820.xor. Keep this file around, because you'll need it for the next step, otherwise proceed and try the "fragment" attack. Much like the "chopchop" attack, the "fragment" attack will capture a suitable packet and then attempt to deliberately send a framented request over and over. By repeating a fragmented or null request, your target access point should give you sufficient data to build a keystream. Try using the "fragment" method instead of the "chopchop" and try your skill.

"aireplay-ng -5 -e linksys -a 00:11:22:33:44:55 -h 00:C0:A8:D1:CB:43 ath0" ### where "-5" specifies the fragment attack, "-e" specifies the ESSID, "-a" is the target MAC address and "-h" is your mac address.

Ideally it is preferred to use a "chopchop" attack instead of the "fragment" method. The reason behind this is that usually a chop will yeild a more complete keystream. A captured keystream from either method may be used to build an ARP packet, but if you have a larger keystream, it will cause the access point to generate more packets when you play it back. More packets means more weak IVs are generated, which in turn will help you obtain the WEP key quicker. Sometimes a chop attack will fail if you are too far away from the target. The advantage of a chop is that you will have more data to replay, but a frag attack can capture a keystream much quicker. Basically a trade off.

Step 6: Create a custom ARP packet from the captured keystream.
Now that you have captured a keystream either using a chop or frag, you need to build your custom packet using the tool supplied with aircrack called packetforge-ng. This will allow you to form the keystream into an ARP packet which can be fed back to the access point repeatedly. Once the access point is responding with an ACK to your replayed ARP packet over and over, massive amounts of traffic will be generated as a result. Build the custom packet first, so it may be replayed. Packetforge-ng will tell you if the custom packet was written correctly or not.

"packetforge-ng -0 -y replay_dec-0531-055820.xor -a 00:11:22:33:44:55 -h 00:C0:A8:D1:CB:43 -k 255.255.255.255 -l 255.255.255.255 -w paket.cap" ### where "-0" is the type of packet you are building (ARP), "-y" is the keystream file you captured, "-a" is the target MAC address, "-h" is your MAC address, "-k" is the source ip to replicate (any), "-l" is the target ip to replicate (any) and "-w" is the name of the file to write your custom packet to.

Step 7: Use the forged ARP packet you just created to generate massive traffic.
Your authentication terminal window should still be open, ensuring you stay fake authenticated. Your packet dumping window should also still be open, capturing any weak IVs that are being transmitted by the target access point. You are authenticated with the target, listening for traffic and armed with a forged ARP packet. Launch the attack by replaying your ARP request repeatedly and watch the packets stack to the celing as the access point responds with ACK over and over. Be sure to leave this window open so that the target access point is being bombarded with requests.

"aireplay-ng -3 -e linksys -a 00:11:22:33:44:55 -h 00:C0:A8:D1:CB:43 -r paket.cap ath0" ### where "-3" is the arp-replay attack method, "-e" is the ESSID, "-a" is the target MAC address, "-h" is your MAC address and "-r" is the name of your custom built ARP packet.

Step 8: Run aircrack against your captured IV dumpfile (packets-01.ivs) and decypher the WEP key.
This stage is merely a time trial. The traffic is being captured by you, and all the weak IVs are being picked out and saved to a file that you specified, called packets-01.ivs. Packets are being generated at hundreds per second (in an ideal scenario) and you're ready to put aircrack to the test. Open a new terminal window and instruct aircrack-ng to start cracking. The more packets being transmitted, the more weak IVs will be captured. It is only a matter of time before enough weak IVs are collected to put together the entire picture and decypher the key.

"aircrack-ng packets-01.ivs" ### where packets-01.ivs is the dumpfile where the IVs are saved.

OR

"aircrack-ng -s packets-01.ivs" ### where "-s" specifies aircrack-ng to display the ascii version of the key (if possible) instead of hex after it has been cracked.

As for interpreting the data you are seeing in realtime, here is the breakdown. The first column shows which kilobyte of the WEP key is being guessed. The second colum will show you how many examples of each piece (the depth) of the key has been collected from weak IVs. The final colums are each "vote" given to each piece of the key depending on the traffic that is analyzed. Remember that all the IVs you are testing are being stockpiled in real time and the vote given changes as new data is received. The final result of all your testing efforts will produce keys. Keys, keys, keys.

The results are in. Here's what you are probably looking at:

What is amusing is that given the demonstration used, you can see it is possible to determine WEP keys rapidly. In a matter of 3 minutes and 25 seconds using only 57,000 weak iv's we were able to penetrate the network and recover a 128 bit key. You can immagine how quickly a 64 bit key could be obtained using the method described above. Remember, respect the privacy of others and federal laws. Click Death Squad does not condone the use of knowledge for illegal purposes or financial gain. Think before you type, and keep your network safe!