
Sunday, December 11, 2005

WarDriving and WEP Cracking

After wardriving through the main roads of Malé on a Friday late afternoon with my HP iPAQ 6365, I was able to find more than 100 wireless networks. Of these, more than 50% were OPEN (without even the least bit of security). The rest were encrypted with WEP, which is known to be crackable.

What follows is a simple tutorial on cracking WEP using Auditor and a wireless card (Proxim 8470-WD).

Introduction:

This tutorial explains how to crack most WEP-encrypted Access Points out there. The tools used are as follows:

Airodump
Aireplay
Aircrack

As for wireless cards, I recommend any Prism, Orinoco, or Atheros based card (I used the Atheros based card mentioned above).

Getting Started:

Let's see. The first thing you are going to want to do is charge your laptop to the top (aireplay and aircrack drain the battery quite a bit). Next, load up your favourite live CD (I used Auditor final) or Linux OS, then find an encrypted WLAN; use Kismet to do so.

First off, you are going to want to set your wireless card to the right mode; which commands you have to use depends on the chipset:

Since my Proxim card uses madwifi, I have to place the card in pure 802.11b mode first:

iwpriv ath0 mode 2

Then change the card into monitor mode

iwconfig ath0 mode monitor

Then bring the card up

ifconfig ath0 up


Going for the kill:

Open a terminal window and fire up Airodump to sniff the packets.

airodump ath0 tocrack

OK, so now you have a stream of packets from your target. You see the IV column: those are what are known as 'weak key' packets, and we want as many of them as we can get (500k+ is a nice number; the more the better). Now we are going to capture a 'weak key' packet from the network we are targeting and flood the Access Point with it, in the hope that we get lots of 'weak key' replies sent out so we can eventually crack the password. So now open another terminal window and execute aireplay:

aireplay -i ath0

Here we are going to grab a few packets from the Access Point until we catch a 'weak key' packet, which aireplay will then ask whether you want to use to flood the Access Point. When it asks whether it can use one of the packets, hit 'y' then Return, but do not choose a packet with a destination address of FF:FF:FF:FF:FF:FF.

If you flick back to your terminal with airodump running, you should see the number of captured packets increase by a huge amount, and with that the IV count should also be increasing pretty damn fast as well. If all went well, in about 10 minutes you should have enough packets to dump into aircrack.

Run aircrack to crack the WEP key from the captured file:

aircrack -q 3 -f 2 tocrack.cap

What I did there was set aircrack to read my packet file called tocrack.cap (what airodump creates). If all goes well you will get the key in a few minutes.
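As an added, defender-side example that is not part of the original post: the replay step above resends one captured frame hundreds of times a second, and this Python detector flags that pattern in a list of (timestamp, BSSID, station, IV) records such as a wireless sensor could log from the same frames airodump counts. The MAC addresses and the traffic it runs on are constructed placeholders.

```python
"""Spot aireplay-style WEP replay floods in a list of captured frame records.

A legitimate station does not resend a frame with the same WEP IV hundreds of
times per second; the replay step does exactly that, so bucketing
(bssid, station, IV) triples per second flags it long before the IV count
reaches the hundreds of thousands the tutorial aims for.
"""
from collections import Counter, defaultdict


def detect_replay(frames, window=1.0, repeat_threshold=50):
    """Return alerts for any (bssid, src, iv) seen >= repeat_threshold times
    inside one time window.

    frames: iterable of (timestamp_s, bssid, src_mac, iv_hex) tuples, one per
    captured WEP data frame. Each alert is
    (window_start_s, bssid, src_mac, iv_hex, count).
    """
    buckets = defaultdict(Counter)
    for ts, bssid, src, iv in frames:
        buckets[int(ts // window)][(bssid, src, iv)] += 1
    alerts = []
    for bucket in sorted(buckets):
        for (bssid, src, iv), n in buckets[bucket].items():
            if n >= repeat_threshold:
                alerts.append((bucket * window, bssid, src, iv, n))
    return alerts


def constructed_capture():
    """Synthetic capture (constructed, not a real sniff): 10 s of normal
    traffic with fresh IVs, then a 3 s burst replaying one frame 200x per s."""
    bssid, station = "00:11:22:33:44:55", "66:77:88:99:aa:bb"  # placeholder MACs
    frames = [(i / 5.0, bssid, station, f"{i:06x}") for i in range(50)]
    frames += [(10.0 + j / 200.0, bssid, station, "0a0b0c") for j in range(600)]
    return frames


if __name__ == "__main__":
    for start, bssid, src, iv, n in detect_replay(constructed_capture()):
        print(f"t={start:.0f}s replay suspected: {src} -> {bssid} IV {iv} x{n}")
```

The normal ten seconds produce no alert because every IV is seen once; the burst produces one alert per second with the replayed IV.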


Happy WarDriving.

Note: some portions of the text of this article are copied from WEP Cracking by UmInAsHoE.

11 Comments:

At 11 December, 2005, Blogger Daadi said...

asoa.. question..!!

it has been going on that WEP is crackable.. what about WPA? isn't it the new emerging standard for wifi security? has WPA been cracked?

question 2

let's say there is a WEP encrypted network.. and the WEP key is cracked... and so does that mean instant access to the network?

what if the access is limited by MAC filters? is there a way to bypass MAC filters on the WIFI routers/AP's?

so is it possible to secure your WiFi network even with WEP using MAC filters?

 
At 11 December, 2005, Blogger primary0 said...

wpa is tough and so far has no such weaknesses as this wep thing. wep is outdated actually and most of the new access points don't even have wep anymore.

one more thing, it would have been nice to give credit to the original author of this writing when putting down a copy paste job like this. I'm sorry but I had respect for this blog until I saw this piece. the wordings were familiar so I had to google:

http://www.governmentsecurity.org/archive/t15149.html

and more find:
http://www.google.com/search?hs=eM3&hl=en&lr=&client=firefox-a&rls=org.mozilla%3Aen-US%3Aofficial&q=Here+we+are+going+to+grab+a+few+packets+from+the+Access+Point+until+we+catch+a+%27weak+key%27+packet+which+then+aireplay+will+ask+you+if+you+want+to+use+to+then+flood+the+Access+Point+with+that+packet.+when+it+asks+you+if+it+can+use+one+of+the+packets+hit+%27y%27+then+return%2C+but+do+not+choose+a+packet+with+a+destination+address+of&btnG=Search

also, the given method would take possibly hours to crack an access point. you can however do it under 3 minutes using the FBI demonstrated style, using 2 laptops. aireplay must be run on a second laptop and about 10,000 IVs are needed, the replay and dump will be done simultaneously with 2 connections.

 
At 11 December, 2005, Blogger asoa said...

WPA is also crackable now. MAC filtering can be easily bypassed by spoofing the MAC address.

With WEP and MAC filtering you would be able to keep off the script kiddies because they will divert to the easy ones, but an elite hacker will crack WEP and even bypass your MAC filter.

 
At 11 December, 2005, Blogger asoa said...

I guess the article has a similarity in the words but is not a copy paste job, so as to give the credit to the author mentioned in the article by primary0. If you're interested, check the differences :)

It didn't take me hours to get 10,000 IVs. I got more than 20,000 IVs in 5 mins. Also we don't need two laptops to do the job. One is more than enough.

The FBI method cannot be used in most of the cases as void11 will disassociate the clients from the Access Point and these reassociation attempts will alert the users/admins.

 
At 11 December, 2005, Blogger Daadi said...

well, credit has been given where credits due..

now about that MAC filter.. your response asoa.. that MAC can be spoofed.. i agree.. question is... how would an attacker spoof a mac address he doesn't know about?

eg: the ap is configured to allow access only to AA:BB:CC:DD:EE:FF

but how does the attacker know that the router is configured to allow access to ONLY AA:BB:CC:DD:EE:FF

assuming attacker has no prior knowledge of the network

 
At 11 December, 2005, Blogger asoa said...

With your scanner, you can already see which clients are associated to that AP and communicating with it. And also you get to see their MAC addresses. So I guess this is not a real big job.

 
At 11 December, 2005, Blogger Daadi said...

cool, that's what i wanted to ask :D

so.. how can a wifi network be secured?

 
At 13 December, 2005, Blogger asoa said...

there is nothing much we can do to secure these low-end wireless routers or access points .. the best we can do is use WPA which will be more difficult to crack ... but some APs do not support WPA ....

 
At 14 December, 2005, Anonymous Anonymous said...

good at fighting and pulling legs!! hmmmm.. have you ever wondered why a gateway address is needed to access a VLAN when there was no InterVLAN enabled??

 
At 23 December, 2005, Anonymous Anonymous said...

NO MATTER WHAT YOU DO, ITS AS BAD AS YOU THINK, THEY ARE OUT TO GET YOU!! - Bumper Sticker

Probably the best option for securing your wireless network is IPSec. IPSec provides data integrity through hashing algorithms such as MD5 and SHA1, and data confidentiality through encryption algorithms such as DES and 3DES. Both the clients and APs need to be configured for IPSec. It may slow down your wireless network, but it remains the best option for securing a wireless environment.

A new form of wireless, called Type-1 wireless, is emerging to provide strong security. Type-1 is an NSA certified standard using Type-1 encryption. It is available for the US Military, though plans are in the works by Harris Corporation to provide a modified form of this technology for users in the public sector.

 
At 24 March, 2006, Anonymous Anonymous said...

Being the original author of this article I give thanks for the credit I got eventually ;)... Also WPA is definitely crackable with the newer versions of Aireplay.

To the person who was saying this would take hours, that's not true... my best time for cracking a network was 9 mins using this method with a 64-bit key.

This article is quite dated now as whax and auditor have turned into back:track, and it uses a newer version of aireplay (even easier tbh).

Thanks for reading my article, hope to be posting more soon.

Bye

UmInAsHoE

 
