How to test the security of your WEP network

It is pretty easy to “guess” the key of a WEP protected wireless network using the right tools.
The steps are the following:

  • capture packets exchanged on the network.
  • identify packets that are ARP requests, and repeat those requests over and over (WEP does not prevent this), getting ARP replies, until you captured a fair amount of packets (50,000 for 64bit key, 300,000 for 128bit).
  • run a statistical crack on the capture file, looking at the “data IV” part of the packets, giving you the key more or less quickly.

To do all that, you can use 2 great tools:

  • weplab: great to capture and crack key, but can’t generate packets to accelerate capture.
  • aircrack-ng: full-featured suite of application, that can do everything. But I found weplab to guess the key more reliably.

Those 2 packages are readily available in package form for Ubuntu and other distribs.

Identify the target

You should first identify the network you want to gain access to.
Set your card to scan:
$ iwconfig eth1 essid any ap any mode Managed key off
And scan:
$ iwlist eth1 scan

From the result note 3 important values of the access point:

  • essid
  • bssid or nwid or ap
  • channel

Prepare card

The most difficult part is to get the right drivers for your wifi card, that enable a “Monitor” mode (you can see every packet passing by) and “packet injection” (so that you can send nicely crafted packets to the peers).

For my ipw3945 card, the normal drivers give you monitor mode, but no injection. It is easy to find online specific drivers to do that, called ipwraw-ng.

Once found, go to the directory and do, as root:
$ make && make install_ucode && make install # to compile and install driver and firmware
$ modprobe -r ipw3945 # that's to remove original driver
$ ./load

You should get 2 new interfaces: wifi0 and rtap0. wifi0 is the one to use.
$ iwconfig
lo no wireless extensions.

eth0 no wireless extensions.

wifi0 unassociated ESSID:off/any
Mode:Monitor Channel=6 Bit Rate=54 Mb/s

rtap0 no wireless extensions.

Capture packets

From there you should make sure wifi0 is in Monitor mode and on the same channel as the target AP:
$ sudo iwconfig wifi0 mode Monitor channel 6

Then you can start listening on your interface to capture all packets passing by:
Using weplab:
$ weplab -i wifi0 -c ./capture.pcap
Using airodump:
$ airodump-ng -i -w airodump -c 6 wifi0

Good to know: depending on the program you use for capturing, you should use the same for cracking the key, since the log files are not perfectly compatible. I found weplab to be better for cracking, so I used weplab for capturing.

If there is a lot of activity going on on the network, you will get your quota of 100,000 or so quickly. But usually it is not that easy. If there is not much going on, just grab a couple thousands and go on to next section.

Packet generation

You should run airodump quickly at first, since it gives you the MACs of all wifi cards within range. This way you can basically see all computers attached to the target network, which can help for packet generation.

You can use aireplay to boost the capture. Give it your original capture file of a few thousands packets, the access point with -b, the source host with -h (should be one existing host on the network, so that packets look like they are from that host), the packet rate with -x (faster means less discreet). “-3″ means that it uses ARP packets within capture file.
$ aireplay-ng -r ./capture.pcap.2 -b 00:18:F8:CB:41:0F -h 00:90:4B:2E:6C:B5 -x 20 -3 wifi0
Saving ARP requests in replay_arp-0729-190833.cap
You should also start airodump-ng to capture replies.
Invalid packet length 38400.
Read 283153 packets (got 17219 ARP requests), sent 55976 packets...

Start aireplay while you are capturing the packets. You should see a huge increase in the number of logged packets. Basically for every packet you send, you should get one back. If you send 20 per second, it’s 72000 per hour, which makes 144000 packets total.

Find out the key

Once you think you have enough packets, use weplab or aircrack to guess the key.

$ weplab -r -k 64 capture.pcap
weplab - Wep Key Cracker Wep Key Cracker (v0.1.5).
Jose Ignacio Sanchez Martin - Topo[LB] <topolb@users.sourceforge.net>

Not BSSID specified.
 Detected one packet with BSSID: [00:18:F8:CB:41:0F]

Total valid packets read: 81719
Total packets read: 81920

 81919 Weak packets gathered:
Statistical cracking started! Please hit enter to get statistics.
It seems that the first control data packet verifies the key! Let's test it with others....

Key: ba:c2:e4:5d:71
Right KEY found!!
Key cracked in 565 seconds

Should give you the key within minutes. With aircrack:
aircrack-ng -a 1 -n 64 -e linksys -b 00:18:F8:CB:41:0F airodump-01.ivs


Cracking a WEP key seems disturbingly simple. If the target ap uses a 64bit WEP key, you can capture about 100,000 packets using ARP spoof in about 15 minutes (longer if you want to be discreet), then it takes about 5 minutes to find out the key.

Comments are closed.

Trackback this Post |