Blogging Hub show why you must never protect your wireless network with WEP
Think you’re secure with basic WEP? You’re not. We’re going to demonstrate exactly why you need to tighten up your Wi-Fi security by showing you how easy it is to hack a relatively unprotected network. We’ll give a working demonstration of the weakness in your network’s security and how they can easily be exploited. This is the best way of creating the incentive to shore up that security by using together encryption.
In this case, we’re going to crack wide open the WEP security that far too many home users still rely on. Whether this is through a lack of knowledge or the belief that they have no assets worth stealing is neither here or there. WEP is insecure, as we’ll show you.
Before we begin, however it’s imperative that we make it absolutely clear that this not a technique you should ever try in the wild. Doing so is clearly illegal and we do not condone hacking of any kind. The tools and techniques we will be demonstrating here are not toys and they could wreak havoc in the wrong hands. So please be responsible with what we’re about to show you.
For this demonstration, we’re going to use some of the tools that come bundled with the Swiss Army Knife of online security: BackTrack Linux. This contains all the security tools that the network security professional and the hardened hacker alike would need to carry out a completely exhaustive examination of a network. Everything we need is installed, configured and ready to go. Being Linux, it’s also open source and therefore free to download. The developers have just released a new version called BackTrack 5.2. You can download the ISO file here: www.backtrack-linux.org/downloads. This is designed to run from the DVD drive as a live CD, so copy it to a fresh DVD using you favorite ISO burner. If you don’t have one, you can download and install ImgBurn free from www.imgburn.com.
After creating the BackTrack DVD, boot it from a computer with a wireless networking card. When the Boot: prompt appears, press [Enter]. Select the default text-only version from the bootup menu, and when it finishes booting you should be met with a # prompt and a cursor. Type the word startx and press [Enter] to load the graphical desktop.
At the top of the screen you’ll see a menu bar with a picture of a terminal. Click this and a terminal window appears. Enter the command iwconfig and a list of network interfaces appears. One of these should be call wlan0. This indicates that the wireless drivers supplied with BackTrack can see your wireless network card.
The utilities we’ll use are all compatible with several industry standard Wi-Fi chipsets – namely rtl8187, rt2570 and rt73. This means that just about all modern wireless cards should be okay to use. However, if wlan0 doesn’t show up, you could try booting BackTrack on a different computer instead. Otherwise, borrow a USB Wi-Fi dongle to see if BackTrack recognises it.
The standard advice is never to use WEP to secure a Wi-Fi network, but why is this? Put simply, it’s because when given enough packets to analyse, cracking software can recover the password (called a passphrase in Wi-Fi speak) to join such a network, as we’ll demonstrate.
Any hacker worth their salt begins by passively collecting data about potential targets, and this is exactly how we’ll begin. In a terminal window enter the command airmon-ng start wlan0.
This command begins collecting data about nearby wireless networks and sending it to a special dump where other programs can pick it up and use it.
When you type in the command, you may get a warning about DHCP. Ignore this and look instead for the message ‘Monitor mode enabled on mon0’, which indicates that everything is running as it should be in the background. We’ll now find out what is being recorded to this mysterious mon0. Start by entering the command airodump-ng mon0.
Note the extra letter ‘o’ in the airodump-ng command that wasn’t present in the airmon-ng. This catches many people out. The screen begins to fill with a list of networks. The BSSID (basic service set identification) column contains the globally unique hardware MAC address of each router or base station within range. The ESSID (extended service set identification) column is the given, friendly name of each of the networks.
Below this is a shorter list of connections being made to those networks to which they’re connecting are displayed in the BASSIC column, and the MAC addresses are also displayed in the Station column. Usefully, the Probe column gines you the name of the network that’s currently being accessed.
If you live in an area with lots of Wi-Fi networks and plenty of activity, both lists will expand and contract of ten, making them difficult to read. To prevent this, with the terminal selected, press the [R] key twice. This switches off the auto sort facility. Pressing [R] again will switch it back on again. You can also cycle through the columns and have the program sort by these using the [S] key.
To stand any chance of gaining access to a WEP network, there must be a current connection to it. On the basis that you’re cracking your own network, connect a computer to it and it will appear as a station in the lower portion of aidodump-ng’s output. Next, make a note of the station MAC address and then leave the utility running for a few minutes until all networks within range are recorded, then press [Ctrl]+[C] to stop the program.
Next, we need to collect data running between just the router in question and the computer connected to it. To do so, we re-run airodump-ng, but with some filtering switches in place: airodump-ng -c
By running this command, you only see your router and the computer connecting to it. The collected data is also captured in the dump file (actually more than one dump file, but we don’t need to worry about that).
As the command runs, pay special attention to the #Data column in the top of airodump-ng’s output. These are the actual packets going between the computer and the router, and they contain the WEP passphrase. The problem is that we need between 5,000 and 25,000 packets to crack the passphrase.
We need to generate a large number of packets, and luckily BackTrack contains another utility that will do this for us. Enter the following command, where
Note the double dash before arpreplay. Airplay-ng generates packets that are faked to seem to have come from a particular computer and spewed to the router. You define the MAC address of the source PC with the -h switch. In this case, it’s the computer connected to the router.
Every packet sent from the router contains an encrypted version of the WEP passphrase. The reason for generating lots of extra packtes is that with a large enough sample of encrypted passphrase, we can use another utility to analyse the captured data and start to make a statistical guess at what the underlying plain text might be.
Airebplay-ng might be slow to get going, but after a few minutes it suddenly begins generating plenty of extra traffic. Let it keep on going until airodump-ng shows something over about 5,000 in the #Data column, after which time you can stop it using [Ctrl]+[C]. You can also stop the airodump-ng command at this point. It doesn’t matter at all if you massively exceed the number of packets. In fact, more data makes it easier to crack the passphrase.
Note that while you’re generating these packets, the WLAN light on the router should usually be flashing to say that data is being sent and received. As the associated internet light isn’t also flashing to signal through traffic, the target of the packets must be the router itself. This serves as a quick method of telling if someone is attempting this kind of attack against your own network, even (or rather, especially) when none of your own computers are connected at the time.
With the results of bombarding the router with packets containing the encrypted WEP passphrase stored in a temporary file, we can finally attempt to crack it. To do so, we use the aircrack-ng utility. There’s no guarantee that this will work first time, but if it fails, you just need to collect more than the previous 5,000 or so packets. To run aircrack-ng, enter the following command: #aircrack-ng -z -b
If Aircrack fails to recover the passphrase, it will tell you and give a recommendation for the number of packets it thinks it’ll need to make an accurate guess. A WEP passphrase of ‘hello’ took nearly 15,000 packets to crack, but once aircrack-ng had these at its disposal, the whole process took 10 seconds. With 30,000 packets, this time dropped to just four seconds.
So, now we have the passphrse to the WEP router we have compromised it to the point where we can join the network from Windows just like any legitimate user would. Once joined, open a command prompt and then type the command ipconfig to check your network connection.
You can surf through the compromised WEP network, use a network mapping utility like our friend Zenmap (www.nmap.org/zenmap) to find other computers on the network and, in some cases, even mount network shares to read the information they contain or deploy a network traffic sniffer to possibly capture some useful username and password pairs. This is why WEP security is no security at all. If, during the process of working through this tutorial, you discover one or more WEP protected networks in you vicinity, it would be illegal to hack them, but the act of a good neighbour would be to knock on the door and help bring th eowner into the 21st century.