By the time I started this project the driver lacked several key features:
WEP support, WEP sniffing and capability to send raw packets. With the help of
the open source driver developers I managed to add the required features. All
the work was done with version acx100-0.2.0pre8_plus_fixes_43 to which you have to apply my ACX111 patch for the required features. Just
download both files, go to that directory and follow these instructions:
Linux prompt>bunzip2 acx100-0.2.0pre8_plus_fixes_43.tar.bz2
Linux prompt>tar -xf acx100-0.2.0pre8_plus_fixes_43.tar
Linux prompt>patch -p0 < wepacx111_and_others.patch
Linux prompt>cd acx100-0.2.0pre8_plus_fixes_43
Linux prompt>make config.mk
Check whether there is any warning about something you lack; if so, fix it and then:
Linux prompt>make
The process might end with errors at the USB module compilation stage; if so,
ignore the error but check that the PCI module was created as
src/acx_pci.ko or src/acx_pci.o.
If you want to install this driver as the default ACX driver then (as root):
Linux prompt>make install
In case of compilation errors in the USB module you will have to do a manual
installation simply by doing something like (as root):
cp src/acx_pci.ko /lib/modules/`uname -r`/kernel/drivers/net/wireless/
depmod -a
You may prefer not to install this driver as the default because it is not the
latest one. Actually the required features may have already been implemented in
the latest driver release, but I have not tested it. So you may try to download
the latest distribution, compile and install it without patching it. Then test the
active WEP crack as explained below to see if it works. If not, download
the release linked above, patch it, and compile but do not install it. Instead copy
the module acx_pci.ko or acx_pci.o (depending on your kernel version) from
acx100-0.2.0pre8_plus_fixes_43/src into the working directory where you will
run the tools given below. This way active WEP cracking will use the old
patched but successfully tested driver, while normal Linux operation will use
the brand new driver you installed.
RT2500 driver procedure
By the time I started working with this chipset the driver lacked several
required features: sniffing of all packets in monitor mode (certain types were
missed) and capability to send raw packets. Thanks to an open source and well
documented driver I managed to add the required features. All the work was done
with version rt2500-1.1.0-b3 to which you have to apply my RT2500 patch for the required features. Just
download both files, go to that directory and follow these instructions:
Linux prompt>tar -xzf rt2500-1.1.0-b3.tar.gz
Linux prompt>patch -cp0 < rawrt2500_and_others.patch
Linux prompt>cd rt2500-1.1.0-b3/Module
Linux prompt>make
If you want to install this driver as the default RT2500 driver then (as root):
Linux prompt>make install
You might prefer not to install this driver as the default if it is not the
latest one. Actually the required features might have already been implemented
in a later driver release. So you may try to download the latest distribution,
compile and install it without patching it. Then test the active WEP crack as
explained below to see if it works. If not, download the release linked
above, patch it, and compile but do not install it. Instead copy the module
rt2500.ko or rt2500.o (depending on your kernel version) from
rt2500-1.1.0-b3/Module into the working directory where you will run the tools
given below. This way active WEP cracking will use the old patched but
successfully tested driver, while normal Linux operation will use the brand new
driver you installed.
Common procedure
Your next step is to install Aircrack in the execution path if
you want AirMonitor to automatically find the WEP key. Finally you just have to
start the attack. Simply download the following tools:
Compile the two C files (see source for instructions) and edit the csh script
to configure it with your particular data (see source for instructions).
Basically you have to configure the ESSID, MAC and channel of the access point
you want to crack. If you run AirMonitor without configuring the ESSID it will
show the list of visible access points. Optionally you can configure the output
data path (if there is not enough free disk space in the current directory), the MAC you
want to set on your interface (this allows disguising your identity and bypassing
any MAC filter in the access point) and the capture mode (weak or full). The
first mode captures only weak IV packets; it is recommended if you are
short of disk space, but it will not work with modern access points, which skip
weak IVs (or most of them). In that case you will have to configure the full
mode (you will need several hundred megabytes of free disk space). Finally you
can configure some technical data if auto-detection does not work, like the
module name (acx_pci or rt2500), the wireless interface name and the firmware
directory in the case of an ACX111 chipset.
AirSend is the program responsible for the active part of the attack: it
replays packets from the pcap file you give it as a parameter. There can be
more than one packet in the file. You can control how many times the file is
replayed (with the -c option, 0 means replay forever) and at what speed (with
the -d option, which sets the number of microseconds to wait between
consecutive packets; a negative value means as fast as it can). Note that values
below one millisecond are not useful, because the kernel will schedule the
process away and typically will not resume it until several milliseconds later,
since it is not a real-time application. Some other options are provided to forge
the 802.11 header (FC, A1, A2 and A3 fields), so, for example, any packet
can be replayed as a broadcast going from a client to the access point even if it
actually was a unicast packet going from the access point to a client; the WEP
payload would still be perfectly valid.
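The replay just described works because WEP checks nothing about a frame beyond the per-frame ICV: a captured IV plus ciphertext stays valid however many times it is re-sent and whatever addresses are put in front of it. The same property makes the traffic easy to recognise from a monitoring station. The following Python is an added example for this page, not part of AirSend or AirMonitor; it assumes the standard 24-byte 802.11 data header (FC, duration, A1, A2, A3, sequence control) followed by the 4-byte WEP field (3-byte IV and key index) and the encrypted body, and every address, IV and frame in it is constructed sample data rather than a real capture.

```python
"""Detect WEP replay floods, IV reuse and rewritten headers in a batch of
802.11 data frames (added example; assumes the standard data-frame layout)."""
import struct
from collections import Counter, defaultdict

HDR_LEN = 24            # FC(2) + duration(2) + A1(6) + A2(6) + A3(6) + seq(2)
IV_LEN = 4              # 3-byte IV + 1-byte key index
FC_TYPE_DATA = 0x08     # first FC byte: type = data, subtype = 0
FLAG_TO_DS = 0x01       # flags live in the second FC byte
FLAG_FROM_DS = 0x02
FLAG_PROTECTED = 0x40   # "Protected Frame" bit: the body is WEP-encrypted


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def fmt_mac(b):
    return ":".join(f"{x:02x}" for x in b)


def build_frame(a1, a2, a3, iv, body, seq=0, flags=FLAG_TO_DS | FLAG_PROTECTED):
    """Build one WEP data frame (constructed sample, not a real capture)."""
    header = (bytes([FC_TYPE_DATA, flags]) + struct.pack("<H", 0)
              + a1 + a2 + a3 + struct.pack("<H", seq << 4))
    return header + iv.to_bytes(3, "big") + b"\x00" + body


def parse_frame(raw):
    """Return the fields a detector needs, or None for short or non-data frames."""
    if len(raw) < HDR_LEN + IV_LEN or (raw[0] & 0x0C) != FC_TYPE_DATA:
        return None
    return {
        "protected": bool(raw[1] & FLAG_PROTECTED),
        "a1": raw[4:10], "a2": raw[10:16], "a3": raw[16:22],
        "iv": int.from_bytes(raw[HDR_LEN:HDR_LEN + 3], "big"),
        "body": raw[HDR_LEN + IV_LEN:],
    }


def analyze(frames, replay_threshold=10):
    """Flag the traffic patterns a WEP replay leaves behind."""
    exact = Counter()                     # (sender, iv, body) -> occurrences
    bodies_by_iv = defaultdict(set)       # (sender, iv) -> distinct ciphertexts
    headers_by_body = defaultdict(set)    # ciphertext -> distinct (A1, A2, A3)
    unprotected = 0
    for raw in frames:
        f = parse_frame(raw)
        if f is None:
            continue
        if not f["protected"]:
            unprotected += 1
            continue
        exact[(f["a2"], f["iv"], f["body"])] += 1
        bodies_by_iv[(f["a2"], f["iv"])].add(f["body"])
        headers_by_body[f["body"]].add((f["a1"], f["a2"], f["a3"]))
    return {
        # same sender, same IV, same ciphertext, many times: a replay flood
        "replay_floods": [(fmt_mac(src), iv, n) for (src, iv, _), n in exact.items()
                          if n >= replay_threshold],
        # same sender and IV with different ciphertexts: RC4 keystream reuse
        "iv_reuse": {(fmt_mac(src), iv): len(b) for (src, iv), b in bodies_by_iv.items()
                     if len(b) > 1},
        # identical ciphertext under different addresses: a re-addressed capture
        "rewritten_headers": sum(1 for h in headers_by_body.values() if len(h) > 1),
        "unprotected_data_frames": unprotected,
    }


AP = mac("00:aa:bb:cc:dd:01")        # constructed addresses
CLIENT = mac("00:11:22:33:44:55")
WIRED = mac("00:de:ad:be:ef:01")
BCAST = b"\xff" * 6


def sample_capture():
    """Constructed capture: AP->client traffic with fresh IVs, one legitimate
    IV collision, one plaintext frame, then one captured frame re-sent 50 times
    re-addressed as client->broadcast (the header rewrite the text describes)."""
    frames = [build_frame(CLIENT, AP, WIRED, iv=0x100000 + i, body=bytes([i]) * 40,
                          seq=i, flags=FLAG_FROM_DS | FLAG_PROTECTED) for i in range(20)]
    frames.append(build_frame(CLIENT, AP, WIRED, iv=0x100003, body=b"\x99" * 40,
                              seq=20, flags=FLAG_FROM_DS | FLAG_PROTECTED))
    frames.append(build_frame(AP, CLIENT, WIRED, iv=0, body=b"plaintext", flags=FLAG_TO_DS))
    captured = parse_frame(frames[5])
    for k in range(50):
        frames.append(build_frame(BCAST, CLIENT, AP, iv=captured["iv"],
                                  body=captured["body"], seq=k))
    return frames


if __name__ == "__main__":
    for name, value in analyze(sample_capture()).items():
        print(name, value)
```

On the sample capture the detector reports one replay flood from the client address with 50 copies of IV 0x100005, one IV reused by the AP with two different ciphertexts, one ciphertext seen under two different address sets and one unprotected data frame. A station running this over live monitor-mode traffic would see the replay flood long before the packet counts the text quotes are reached, which is the practical argument for watching your own WLAN as well as for moving off WEP.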
WeakCap is provided in case you are short of disk space (as I was), so that the
total disk space required for a successful WEP crack is only a few megabytes.
However, it will take more time to collect enough packets to find the WEP key.
Note that it is not useful if the access point skips weak IVs, something common
in newer hardware.
AirMonitor will take care of initializing and configuring the wireless
adapter, bringing all the pieces together to perform the active attack and, most
importantly, monitoring the free disk space and checking that the card is operating
well. It happens from time to time that my ACX111 card stops collecting packets
when performing the attack; I don't know whether it is a problem of the driver, the
adapter, some other element, or simply that the attack is too heavy. It is fixed by
reloading the driver, so the script checks for this condition and, if found,
reinitializes the card to keep the attack going. AirMonitor will also
start Aircrack when enough data has been collected and will restart it each
time a substantial amount of new data is captured. When the key is found it is
displayed on screen (and saved in a file) and the attack is stopped.
The attack
When you have everything set up, the attack is started simply by executing
the script AirMonitor as root. It will take care of running the rest of the
programs required. A temporary pcap file storing the captured packets will appear
in the output directory. Each time the card hangs, the content of this
file is appended to another pcap file named after the ESSID of the access point
under attack.
The attack is performed at the highest speed to collect as many packets as
possible. Therefore the access point and even the clients may experience a severe
slowdown, so it is advisable to run the attack when no one is
using the network, at least interactively. I've reached speeds of more than one
thousand packets per second, but poor wireless coverage will proportionally
decrease that speed; a good antenna, especially a very directional one, may
enhance the rate a lot.
AirMonitor will run until the WEP key is found by the automatically
launched Aircrack process. Operating at a speed of 1000 packets/s you can
collect 3.6 million packets per hour, so the WEP key can be found in less than
5 minutes of attack (the actual time depends on the packet rate, the key itself,
the key length and statistical fluctuations). This holds if the access point
does use weak IVs; if not, it may take a few hours of continuous attack (though
it can be split over different periods) to gather enough packets for
Aircrack to find the WEP key.
AirMonitor can be interrupted at any time using ctrl-c, but it may leave
some running processes and temporary files. The best moment to stop it is when
it is waiting to associate with the AP (the output on screen announces this
condition and says that it is the best moment to interrupt the script).
However, when you restart AirMonitor everything is set up properly and no data
is lost. So the best trick to stop AirMonitor at the desired time is to hit
ctrl-c, restart it and interrupt it again when it is waiting for association.
This way all files are closed properly and no processes are left running,
except Aircrack, which you have to stop manually; otherwise it will run until the
key is found or it fails to find it.
Active WEP cracking for dummies
If you say "fine, but I do not dare to install Linux and do everything
else", this section is for you. Here are instructions and precompiled binaries,
so you need almost no Linux knowledge. First download the Knoppix 3.9 CD image (better look for your nearest mirror) and burn it
on an 80-minute CD, then download this
package[activewepcrack_knoppix39.zip - MISSING] and unpack it onto a floppy diskette, USB memory stick or directory of a
hard disk partition. Use a text editor to configure the variables at the
beginning of the file airmonitor.csh as explained above. If you are using an
ACX111 card, don't forget that the firmware file has to be accessible to
Knoppix. If you did not install the card driver in the Windows partition, then
copy it to the working directory. The firmware file can be found on the
manufacturer's driver media or, if you installed the driver in your Windows
partition, usually in c:/windows/system32/drivers, and is commonly named
TIACX111.BIN, FwRad*.bin or FW*.bin (see the section "Firmware for ACX111 cards" of
the ACX driver documentation for
more details). You can also download it
here, but rename it to TIACX111.BIN.
Now place the Knoppix CD into the CD reader and boot the computer from it;
in case of a problem, see the Knoppix help to fix it. Once Linux has booted, press
Ctrl-Alt-F1 to get a root shell and mount the media where you placed the tools.
This is achieved with a command like "mount /mnt/fd0", "mount /mnt/sda" or
"mount /mnt/hda1" for a floppy, USB memory stick or hard disk partition respectively.
The actual device may depend on your particular setup; execute "ls /mnt" to see
the list of devices accessible from Knoppix. Then go to the directory with a
command like "cd /mnt/fd0", "cd /mnt/sda", "cd /mnt/hda1" or similar, depending
on your configuration. Finally type "./airmonitor.csh" to start the attack and
collect packets; be sure to have enough free space in the data directory. And
that's all: AirMonitor will tell you when the WEP key is cracked by Aircrack.
Summary
Here are the steps for a quick start if you have a PCI or CardBus wireless
adapter based on the ACX111 or the RT2560 chipsets and a standard Linux
distribution; details can be found in the text above:
- Download, compile and install the Aircrack package.
- Download the tested driver package for ACX111 or for RT2500 depending on your wireless card.
- Download the Active WEP Crack package.[activewepcrack.tgz - MISSING]
- Unpack both files.
- Patch the driver.
- Compile and install or copy the driver module to the working directory.
- Compile the Active WEP Crack tools.
- Configure the Active WEP Crack script (don't forget firmware if required).
- Start the Active WEP Crack.
Simplified variant using Knoppix:
- Download the Knoppix 3.9 CD image (better look for your nearest mirror).
- Download the Active WEP Crack package for Knoppix 3.9.[activewepcrack_knoppix39.zip - MISSING]
- Burn the image and extract the package files onto a media mountable by Linux.
- Configure the Active WEP Crack script (don't forget firmware if required).
- Boot from CD and mount the media with the tools.
- Start the Active WEP Crack.
Another approach
Just for completeness, it is interesting to mention another way of cracking
a WEP network. It is based on a brute force attack that tries to find the right key
simply by checking many combinations. The best way to accomplish that is by
capturing a couple of WEP packets (really only two packets are needed, and the
smaller, the better; you can use the same method as described above for
capturing a broadcast packet) and launching an offline key trying process.
A brute force search method would, in principle, try all possible key
combinations to find the right WEP key. However, doing so is not very
practical because it may take too much time. For the weakest WEP key (40 bits)
it would take several months on a fast PC (it can be faster using several
computers in parallel), but for a stronger key (104 bits and above) there is not
enough computing power in the world to have a likely chance of finding the key in
a reasonable time.
A very quick approach, only practical for 40-bit WEP keys, is to restrict
the search to keys composed only of 7-bit ASCII printable characters (in case
the key was set in ASCII mode by the network administrator) or decimal digits
(in case the administrator set the key manually in hexadecimal mode). Both are
common cases in networks with poor security configuration. Restricting the
key search in that way, a modern PC can try all combinations in less than 24
hours for each case. I wrote a couple of very simple programs to try
this attack using the decrypt tool included in the AirSnort package. To try
them simply download the FindWEPkey HEX and ASCII versions, configure the system function call
according to your case and compile (see source for details). You will need
the AirSnort tool decrypt compiled and installed in your execution PATH.
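The time claims in the two paragraphs above follow from the size of each key space. The following worked calculation is added here as an illustration and is not part of the original page; it counts keys only, and the conversion to hours assumes that the restricted 40-bit search completes in the 24 hours the text quotes.

A 40-bit WEP key is 5 bytes, so the three search spaces are

$$
N_{\text{ASCII}} = 95^{5} \approx 7.7 \times 10^{9}, \qquad
N_{\text{digits}} = 10^{10}, \qquad
N_{\text{all}} = 2^{40} \approx 1.1 \times 10^{12}.
$$

The full 40-bit search is therefore about

$$
\frac{2^{40}}{95^{5}} \approx 142 \quad\text{and}\quad \frac{2^{40}}{10^{10}} \approx 110
$$

times larger than the restricted ones, so if the restricted search takes under 24 hours, the unrestricted one takes roughly 110 to 142 days on the same machine, which matches the "several months" above. For a 104-bit key the space is $2^{104} \approx 2.0 \times 10^{31}$; even at an assumed $10^{9}$ keys per second that is about $2 \times 10^{22}$ seconds, or some $6 \times 10^{14}$ years, which is why the text says no brute force is feasible there and only a dictionary attack on a weak passphrase remains.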
In the case of stronger WEP keys (104 bits and above) or the WPA algorithm,
the only viable method is the dictionary attack, in which a list of words,
numbers and combinations of them is tried sequentially to see if they match
a poorly chosen passphrase of the key generator. See Aircrack, coWPAtty and WPA Cracker.
Conclusions
As we have seen, it is very easy and quick to break into a WEP
protected network, no matter how long the WEP key is, how low the network
traffic is or whether weak IVs are avoided. So administrators willing to protect
their networks should move to a stronger algorithm like WPA, always taking
care to choose robust passphrases.
E-mail: padilla at
domain "gae ucm es" (my PGP/GPG public key)
First version: 8-Apr-2005, last update: 19-Jan-2006
This link: http://www.gae.ucm.es/~padilla/extrawork/activewepcrack.html