

Cracking WEP – Yes, people are still using WEP

28 June, 2008 (18:38) | Commentary, Software Review

Occasionally it’s fun to sit down on a Saturday afternoon and crack some WEP. While this encryption algorithm is deprecated, it is still in use by the masses because it is the first and most prevalent security option on any "off-the-shelf" wireless router.

First, a little background. WEP stands for ‘Wired Equivalent Privacy’ and was one of the first encryption methods employed to secure 802.11 networks. It was replaced in ’03 by WPA, and subsequently WPA2, but you’ll find that several common wireless routers still ship with the option for WEP. Not too long ago a suite of applications came out dubbed aircrack-ng, which bundled scripts for packet injection, ARP replay, and encryption cracking. This software made it possible to capture data packets called IVs (initialization vector values) from a wireless router. IVs have 3 bytes of information in them that directly correspond to your PSK (pre-shared key). If you can get enough IVs in plain text, there’s a good chance you’ll be able to discern the key; this is where aircrack-ng comes into play.

The name of the game nowadays is devising new ways to drive down the number of packets you need to recover the key. The first version of aircrack-ng I started using back in late ’06 required around 1 million packets; now, with the release of a new (circa ’07) attack method called PTW, you only need about 40,000-100,000 packets, with the odds of your key being generated correctly corresponding to the number of IVs you have captured. PTW has since been rolled into the aircrack-ng suite and is what we’ll be using later to recover our target’s PSK.

The only necessity beyond a computer that you will need for cracking WEP is a NIC capable of monitor mode and packet injection; you really don’t even need Linux or Windows installed on your hard drive. I have only recently found out about a very cool Linux live CD called BackTrack, which is currently at version 3. BackTrack comes equipped with aircrack-ng and several other useful security-related programs. Where BackTrack excels, though, is its incorporation of patched drivers for many of the cards capable of packet injection, making it much easier than hunting down the drivers and patches yourself. And, as it is a live CD that loads entirely into memory, it will keep your current OS install free of any changes to network settings.

The Gear:
1) Lenovo/IBM T41
1) Copy of Backtrack ver. 3 from Remote-Exploit.org
1) Asus WL-107G (pcmcia wireless nic card based on RaLink’s rt2500 chipset)

**Note: The IBM T41 comes with a built-in Intel ipw2100 NIC; these cards do not support monitor mode, thus prompting me to purchase the Asus.

Step 1. Preparation: Let’s get promiscuous!!!

Make sure your nic card is in monitor mode. There are 2 ways of doing this.

ifconfig ra0 down
iwconfig ra0 mode monitor
ifconfig ra0 up

or you can use this:

airmon-ng start ra0

Where ‘ra0’ is the name of your wireless NIC interface. The latter is aircrack-ng’s built-in script to accomplish this, which in my opinion is easiest. A successful command will yield a screen like this:

Step 2. Association: Let’s make friends..

There are several ways to track, and associate your nic with a target network. Aircrack-ng uses two apps for this. Airodump-ng for tracking, and aireplay-ng for authenticating.

First we want to see what’s out there, issue this command:

airodump-ng ra0

A successful command will yield a screen like this. Mac addresses have been blurred to protect the innocent.

As you can see, airodump-ng is displaying a list of wireless networks in your area with pertinent information for each of them. Choose your target network from the list and note its MAC address (BSSID), name (ESSID), and channel.

So now we have our target network acquired and it’s time to associate our NIC with it. This can be done by opening a separate shell and issuing the following command.

aireplay-ng -1 0 -a 'Target BSSID' -h 'Client BSSID(your mac address)' ra0

Breakdown:
** -1 is the FakeAuth attack
** 0 is the reauthentication time in seconds
** -a is your target’s MAC address or BSSID, without the quotes surrounding it
** -h is your MAC address, without the quotes surrounding it
** ra0: both airodump-ng and aireplay-ng require you to supply the interface at the end of each command

A successful command will yield a screen like this:

What this program does is send an authentication request to the target wireless network; eventually you will get an "Authentication Successful" return, which should associate you with the router.

You can check if you’re associated with the router, and start to capture packets, by issuing the following command:

airodump-ng -c 11 --bssid 'Target BSSID' -w 'name of cap file' ra0

Breakdown:
** -c 11 is channel 11; make this whatever your target’s channel is
** --bssid is your target’s BSSID, without the quotes surrounding it
** -w turns on packet capture to whatever filename you specify (this is the flat text file your data dumps to)
** ra0 closes the command with the interface name

A successful command will show your MAC address under the "Station" column of the target, denoting that you are associated with the network.

As you can see in the screen above, the MAC address ending in :86 is associated with the target network ending in :F8. You will want to leave this window alone now; it will stay open for as long as we need to capture #Data. Do all of the other commands in a separate terminal.

Now it’s time to start watching the #Data field on your airodump-ng screen. These are the packets we will need for aircrack-ng to generate the key. The #/s field shows you how many usable data packets you are getting per second. We need to get this number as high as possible.

Step 3. ARP Frequency: I will force you to be my friend.

To increase our data capture we will need to start some traffic; namely, we want to resend ARP requests back and forth to and from the target network. To accomplish this, issue this command:

aireplay-ng -3 -b 'target bssid' -h 'client bssid' ra0

Breakdown:
** -3 is the ARP replay attack
** -b is your target’s BSSID, without the quotes surrounding it
** -h is your MAC address, without the quotes surrounding it
** ra0 closes the command with your interface

A successful command will yield a screen like this:

At first you will not receive any ARP packets, and that’s OK. Patience is the key. Eventually the target network will launch an ARP request, and when it does the above command will resubmit the request over and over. There are several methods of generating more traffic in the hope that it will coax the initial ARP request. Open a new terminal and try this:

aireplay-ng -1 6000 -q 10 -o 1 -e 'target essid' -a 'target bssid' -h 'your mac addy' ra0

Breakdown:
** -1 is the fake auth attack
** 6000 is the reauthentication time in seconds
** -q 10 sends keep-alive packets every 10 seconds
** -o 1 sends 1 packet at a time

The above command will repeat the fake auth attack on the target network, ensuring you have data flowing back and forth. Eventually you will get an ARP packet and the ARP count will start to rise, giving you more usable data packets.

Step 4. Breaking Encryption: It’s time for you to tell me your secrets….

Once your airodump-ng window shows around 100,000 or more #Data packets you can press ctrl-c to stop it and run aircrack-ng to break the encryption.

Issue this command:

aircrack-ng -z /path/to/cap file

Breakdown:
** -z invokes the PTW attack method
** point to the cap file you created with airodump-ng -w earlier

A successful command will yield a screen like this:

It took aircrack-ng, using the PTW attack method, about 3 seconds to generate the encryption key.
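The flip side of steps 2 and 3 is what they look like to the network owner: the fake-auth keep-alives and the ARP replay both come from one station, and the replay in particular is a burst of data frames that all have the same length. The following detection logic is an added example, not code from the post or from the aircrack-ng project; it runs over a constructed list of frame records (timestamp, source MAC, frame kind, length) in the shape a monitor-mode sensor might log, and the MAC addresses and thresholds are made up for illustration.

```python
from collections import Counter, defaultdict

# Constructed station addresses (not real hardware).
BENIGN = "00:aa:bb:cc:dd:01"
SUSPECT = "00:11:22:33:44:86"


def build_sample_frames():
    """Constructed sample traffic: one normal client and one station
    replaying a single captured frame ~250 times in one second."""
    frames = []
    # Normal client: 20 data frames of varying length over two seconds.
    for i in range(20):
        frames.append((i * 0.1, BENIGN, "data", 100 + (i * 37) % 400))
    # Replaying station: one authentication frame, then 250 identical
    # 68-byte data frames packed into the second starting at t=1.0s.
    frames.append((0.5, SUSPECT, "auth", 30))
    for i in range(250):
        frames.append((1.0 + i / 250.0, SUSPECT, "data", 68))
    return sorted(frames)


def detect_replay(frames, window_s=1.0, min_frames=100, same_len_ratio=0.9):
    """Flag (station, time slot, frame length, count) where a station sent
    at least min_frames data frames in one window and almost all of them
    had the same length; replayed ARP requests produce exactly this."""
    buckets = defaultdict(list)  # (src, slot) -> list of frame lengths
    for ts, src, kind, length in frames:
        if kind == "data":
            buckets[(src, int(ts // window_s))].append(length)
    alerts = []
    for (src, slot), lengths in sorted(buckets.items()):
        if len(lengths) < min_frames:
            continue
        length, count = Counter(lengths).most_common(1)[0]
        if count / len(lengths) >= same_len_ratio:
            alerts.append((src, slot, length, count))
    return alerts


def count_auth_frames(frames):
    """Authentication frames per station; a station that keeps
    authenticating without ever carrying real traffic is worth a look."""
    return Counter(src for _, src, kind, _ in frames if kind == "auth")


if __name__ == "__main__":
    for alert in detect_replay(build_sample_frames()):
        print("possible replay from %s in slot %d: %d frames of %d bytes" % alert)
```

The thresholds only illustrate the shape of the check; the durable fix is the one the post opens with, which is to stop offering WEP at all.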

This post is in no way condoning illegal behaviour. I think much can be learned about your wireless hardware and wireless routing in general by doing this project. Supply your own router for the target and have fun!!

Links:

BackTrack ver. 3

Aircrack-ng

LIST OF COMPATIBLE CHIPSETS & DRIVERS

ASUS WL-107G

More on ARP

More on RC4 Stream Cipher
