Home
Login/Register/Logout
Articles
Free Tools
AD & CS
AD Disable Users
Certificate List Utility
PVE Find AD User
Exchange Transport Agents
Attachment filter
Attachment rename
Networking
Cisco switch backup utility
Network monitoring with powershell
TCP Ping
PVE POP3 Collector
PVE POP3 Collector on the net
Security Related Tools
pvefindaddr Immunity Dbg PyCommand
All downloads on this blog
Public Files
Forums
Security
Corelan Team Exploits
Corelan Team Members
Corelan Team Security Advisories
Exploit writing – forum
Exploit writing tutorials
Metasploit
Simple FTP Fuzzer – Metasploit Module
Nessus/Openvas ike-scan wrapper
pvefindaddr.py ImmDbg Plugin
Vulnerability Disclosure Policy
Shellcode to Javascript encoder
Links
Terms of use
Donate
corelan.be:8800/…/cheatsheet‐cracking‐w… 1/14
3/20/2010 Cheatsheet : Cracking WEP with Backtrack…
About me
About me
LinkedIn Resume
Visitor Map
About you
Corelan public keys
SSL
« Juniper Screenos : Redundant multi-exitpoint ISP routing failover using multiple vrouters, multiple OSPF areas
and eBGP
Cheatsheet : Cracking WPA2 PSK with Backtrack 4, aircrack-ng and John The Ripper »
I know, there a probably already a zillion number of websites that show how to crack WEP.
So I guess this will be website zillion+1 learning how to audit your own WEP security. To be honest, the main
reason I’m putting this info on this blog because I just wanted it as a quick reference- or cheatsheet, in case I
forget some about particular commands/parameters again :-) And why rely on other websites that may or may
not be reachable when you need them :-)
In this scenario, I have 2 clients that are currently connected to the wireless network.
My auditor laptop (and old IBM T22) runs backtrack beta 4, and has a PCMCIA network card (Proxim,
Atheros chipset) and a Dlink USB Wireless Adapter (DWL-G122). Both adapters will work just fine, however
I get better results with the proxim PCMCIA card because it has a range extender.
In all cases, in all scenario’s, the most important component is verifying that you can associate with an AP. You’ll
learn some techniques on how to do this in this blog. But let’s not jump ahead.
root@bt:~# airmon-ng
The wifi0 adapter is the proxim pcmcia card. wlan0 is the Dlink USB adapter. For this test, we’ll use the
proxim card (wifi0). The mac address of this card is 00:20:A6:4F:A9:41 (you can get the mac address by
running ‘ifconfig wifi0’)
A new interface called “ath1” has been created. This interface is the one we are going to use in order to find the
wireless networks. Launch “airodump-ng ath1” to hop all channels and show the wireless networks that can be
found, and the clients (if any) that are currently associated with an Access Point :
Ok, so we have found a network with ESSID “TestNet”, operating at channel 11. Apparently there are 2 clients
connected to this AP.
Let’s see if we can associate with Access Point with MAC (BSSID) 00:14:BF:89:9C:D3
First, run airodump-ng again, but set it to look at channel 11. This is required for the AP
association/authentication (via aireplay-ng) to operate at channel 11 as well (because you cannot specify the
channel to use when running aireplay-ng) :
Leave the airodump-ng running for now and run the following aireplay-ng command to perform a ‘fake
corelan.be:8800/…/cheatsheet‐cracking‐w… 3/14
3/20/2010 Cheatsheet : Cracking WEP with Backtrack…
authentication’ attempt :
Ok – Authentication failed, so the AP does MAC filtering. We could try to use the MAC address of one of the
clients that are already connected (by specifying its MAC address using the –h parameter), but we’ll change the
MAC address on our interface (which will make all future commands shorter)
First, kill the airodump-ng process. Take wifi0 (ath1) out of monitoring mode :
root@bt:~# airmon-ng
Bring wifi0 down, change the mac address of wifi0, bring wifi0 up again and then put the interface back in
monitor mode :
corelan.be:8800/…/cheatsheet‐cracking‐w… 4/14
3/20/2010 Cheatsheet : Cracking WEP with Backtrack…
Let’s see if it makes a difference. Run airodump-ng again (airodump-ng –c 11 ath1) and then try to perform
the fake authentication again
If you are connecting to an AP that is a bit picky, then you have some options to tweak the aireplay-ng behaviour
:
-q 12= send keepalive packets every 12 seconds (sometimes, it works better without this last parameter)
From this point forward, you should be able to associate with the AP. If not, there’s no use in continuing with the
process.
Ok, now let’s try to crack the key. First, stop the existing airodump process and run airodump-ng with the
option to save the iv’s to a file (parameter –i or –ivs):
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
The number of #Data packets is most likely still very low and does not go up as fast as we want it to. So we
need to grab an ARP packet and inject it.
(leave this running – wait until an ARP request is seen. The tool will then automatically attempt to inject the ARP
packets, thus increasing the number of data packets (and iv’s) on the network). Some AP’s require you to be
associated (or will perform disassociate after a while). It might take a couple of minutes before an ARP is seen. If
you don’t have a lot of time, it might help trying to associate yourself again :
corelan.be:8800/…/cheatsheet‐cracking‐w… 5/14
3/20/2010 Cheatsheet : Cracking WEP with Backtrack…
If that does not generate the required ARP packet(s), which should set off the ARP injection, then try to
deauthenticate the existing clients. (which may not work very well if the AP has MAC filtering enabled. If you
have a second client MAC address, you can set your own MAC address to one of the clients and try to deauth
the other client…)
Keep the aireplay-ng and airodump-ng running and run the deauth attack.
If this works, the valid client will be disconnected. When the client connects again (in most cases, this happens
automatically), and after max. a couple of minutes, you should see that the ARP injection process starts to work :
At the same time, you should start to see the number of data packets increasing rapidly :
BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID
For a 128bit WEP key, you’ll probably need between 80000 and 250000 data packets. However you don’t
need to wait until you’ve gathered all those packets. You can already try to break the key using the ivs file that is
being generated. As long as the key is not found, and the number of packets keeps growing, the crack process
will automatically reread the file and attempt to crack the key.
By the time I wrote the last 2 lines of text, I had already captured 140000 IVs, which appears to be sufficient to
crack the key in one shot. So if your coverage is good, signal is strong, and the injection works well, it may go
very fast.
corelan.be:8800/…/cheatsheet‐cracking‐w… 6/14
3/20/2010 Cheatsheet : Cracking WEP with Backtrack…
KB depth byte(vote)
0 0/ 1 A3(203120) 73(160718) 31(256416) 18(156160) DD(154112) FE(153344)
1 0/ 9 EA(193816) 22(150440) AD(254880) 0D(153856) 9B(153856) 4B(153600)
2 0/ 1 D3(212716) AD(197696) 22(135904) E6(153601) 4A(153334) 89(151208)
3 7/ 3 AA(153630) 1F(122064) B0(141808) BB(151552) 3C(151040) F8(150724)
4 13/ 4 DD(150086) 23(139760) 05(129534) E4(149504) 04(149248) 70(149238)
If you would not have had enough IVs, the aircrack-ng process would just sit and wait until the file has grown
bigger and would then attempt to crack the key again.
If the packets all of a sudden stop increasing, then stop the injection process, start it again, re-associate, perhaps
deauthenticate an existing client and it should continue to grow.
In my case, the key was cracked in 1 second. The total process took about 10 minutes.
The key is 26 characters, so if we assume that the key is in hex, we are dealing with 128bit WEP. This mode is
also called WEP104
(In case you forgot : WEP40 = 64bit, WEP104 = 128bit, WEP1xx = 256bit)
Ok, first of all, if MAC filtering is enabled and there are no active clients, it’s going to be difficult to get a valid
MAC address that is allowed to associate with the AP. I guess it makes the wireless network a bit safer, but a
whole lot more useless as well. :-)
So assuming that there is no MAC filtering, or you have managed to get a valid MAC address of a client (earlier,
or by bruteforcing mac addresses :) ), then this is what you can do if there are no active clients connected to the
network at the time of the audit :
The first 3 steps are similar to scenario 1. I’ll assume that you are able to associate yourself with the AP (either
using any MAC or using a valid MAC from the MAC filter list) and that you have your airodump-ng running,
capturing ivs to a file.
corelan.be:8800/…/cheatsheet‐cracking‐w… 7/14
3/20/2010 Cheatsheet : Cracking WEP with Backtrack…
Wait until you are asked whether you want to use a packet that was captured. Review the packet (BSSID, dest
mac, source mac) and make sure the packet comes from the Access Point.
Sometimes you will need to try a couple of times before the system will respond correctly
BSSID = 00:14:BF:89:9C:D3
Dest. MAC = 01:00:5E:7F:FF:FA
Source MAC = 00:14:BF:89:9C:D1
0x0000: 0862 0000 0100 5e7f fffa 0014 bf89 9cd3 .b....^
........
0x0010: 0014 bf89 9cd1 9032 f342 c600 ec3e bc5d .......2.B...>.]
0x0020: 49b8 962e 631e f086 80e5 4337 dd4f 37a4 I...c.....C7.O7.
0x0030: 9e06 e370 1feb eb0e c38b 76d6 9ad7 8118 ...p......v.....
0x0040: 24e1 5d7e 5399 2fea 234c 7d1b 668c 23b5 $.]~S./.#L}.f.#.
0x0050: fd83 d7de 7cf8 09df 85ba b692 8a62 a5bd ....|........b..
0x0070: d00e a197 2ca3 6446 60e6 0fc7 ab67 64d6 ....,.dF`....gd.
0x0080: edab 525f 8cf1 9645 dadf cbce c12f 439d ..R_...E...../C.
0x0090: b0c3 6b7a 011e 3ced 00d5 2ed3 696c 4aae ..kz..<.....ilJ.
0x00a0: 638d 122a e307 9e62 4ed7 3475 2679 6168 c..*...bN.4u&yah
0x00b0: f465 4811 b31c 3d5e 0129 dc79 07c0 805a .eH...=^.).y...Z
0x00c0: 22df 4e38 bb98 6136 2177 7062 8dea 8a4a ".N8..a6!wpb...J
0x00d0: 492d 62a6 52bc 2ef7 41f0 18b1 e12d 409d I-b.R...A....-@.
--- CUT ---
Ok, now you can use the .xor file to generate and ARP packet that can be injected and will help to get IVs. In
this command, you will have to specify the local MAC address (so make sure to use the correct MAC address.
If you are using a fake MAC, then use this fake mac in the commandk)
(I’ve put the command on 3 lines to improve readability – just make sure to put everything in one line)
Ok, now the arp packet is ready. Let’s inject it into the network
BSSID = 00:14:BF:89:9C:D3
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:1C:BF:90:5B:A3
0x0000: 0841 0201 0014 bf89 9cd3 001c bf90 5ba3 .A............[.
0x0010: ffff ffff ffff 8001 0043 c600 1c3b d684 .........C...;..
0x0020: 8ffc a071 7759 1075 474b caae b7a6 5ad2 ...qwY.uGK....Z.
0x0040: 5c4c 2447 \L$G
Enter “y” and see if the data packets are now increasing. (switch to the airodump-ng output)
In most cases, this attack works well. However, if you have not been able to successfully get a .xor file using this
procedure, you can use the chopchop attack as well :
BSSID = 00:14:BF:89:9C:D3
Dest. MAC = 01:00:5E:7F:FF:FA
Source MAC = 00:14:BF:89:9C:D1
0x0000: 0862 0000 0100 5e7f fffa 0014 bf89 9cd3 .b....^
........
0x0010: 0014 bf89 9cd1 201a 2639 c800 8354 3936 ...... .&9...T96
0x0020: d88c 8958 fedb 0f68 330c 78f9 944f 7840 ...X...h3.x..Ox@
0x0030: 1871 95b8 2d56 8a21 0af2 8b1e 0953 4e67 .q..-V.!.....SNg
0x0040: 5c10 a065 99bb 907b 3a84 8cd0 d159 e4ce \..e...{:....Y..
0x0050: 83da 1e42 5630 b0e6 0171 0fcb 3ad7 57ab ...BV0...q..:.W.
0x0060: 0e5f f49b ca99 b107 2d1d ab9c 039f ad7c ._......-......|
0x0070: 0729 627c 838e f247 b581 771d 7e3f bc3c .)b|...G..w.~?.<
0x0080: 4068 d8b3 0300 0da4 90b1 a0b2 046c 6920 @h...........li
0x00a0: 11fc 073c bcb3 f8ed a240 08c2 d706 adf3 ...<.....@......
0x00b0: 9ac9 3787 b4cb 8994 4a94 5969 b741 765d ..7.....J.Yi.Av]
0x00c0: 4cd5 f2dd 14ac ccfe bca0 d769 aa37 cbc1 L..........i.7..
0x00d0: 9577 bad9 7a1d 2a60 4a80 54bc 418d df57 .w..z.*`J.T.A..W
--- CUT ---
if you get this message, try running a aireplay-ng –fakeauth while running the chopchop attack.
Enter “y” to select a packet. Wait until the process has reached 100% and you should have your .xor file. This
process can take multiple minutes. Don’t worry, as long as it keeps running, you’re fine.
BSSID = 00:14:BF:89:9C:D3
Dest. MAC = 01:00:5E:7F:FF:FA
Source MAC = 00:14:BF:89:9C:D1
0x0000: 0862 0000 0100 5e7f fffa 0014 bf89 9cd3 .b....^........
0x0010: 0014 bf89 9cd1 4003 3c39 c800 a4b4 4b96 ......@.<9....K.
0x0020: 94d4 525e b994 7f52 f494 6cd9 2e85 9a96 ..R^..
R..l.....
0x0030: fd15 2a16 684e da3b 2296 c849 4660 2b06 ..*.hN.;"..IF`+.
0x0050: 029d a52b f305 a77c bae0 8013 1887 5cd9 ...+...|......\.
0x0060: 26ee ddec 5316 8065 bb06 14ec a7a6 005e &...S..e.......^
0x0070: c6b5 2b42 e618 6ab1 475e 5bdd 73c9 ff74 ..+B..j.G^[.s..t
0x0080: d312 6c5f 9c95 f185 6967 51ca 180d b844 ..l_....igQ....D
0x0090: bb62 190a 4e53 3d1b e4cd bc51 37d8 feaf .b..NS=....Q7...
0x00a0: 9579 02e3 fe9f 6c6a 9776 eff1 7c75 fb10 .y....lj.v..|u..
--- CUT ---
corelan.be:8800/…/cheatsheet‐cracking‐w… 10/14
3/20/2010 Cheatsheet : Cracking WEP with Backtrack…
Follow the same steps that were used when we created a .xor file using the fragmentation attack : create an arp
packet (packetforge-ng), inject the packet (aireplay-ng), capture the IVs and crack the key.
Inject :
BSSID = 00:14:BF:89:9C:D3
Dest. MAC = FF:FF:FF:FF:FF:FF
corelan.be:8800/…/cheatsheet‐cracking‐w… 11/14
3/20/2010 Cheatsheet : Cracking WEP with Backtrack…
Source MAC = 00:1C:BF:90:5B:A3
0x0000: 0841 0201 0014 bf89 9cd3 001c bf90 5ba3 .A............[.
0x0010: ffff ffff ffff 8001 3c39 c800 a4b4 4b96 ........<9....K.
0x0020: 94d4 5258 fc95 766a fe90 6cd8 2f88 d317 ..RX..vj..l./...
0x0040: 5994 1ab1 Y...
Verify that the number of #Data packets increases fast, wait a couple of minutes and start cracking
Well, aireplay-ng --fakeauth will not just work… It will detect that Open System is cannot be used, and will
then attempt to get the shared key. In fact, it needs to see a client successfully authenticate to the AP before it
will be able to grab the SKA and use it.
As long as a client has not associated, the AUTH column in airodump-ng will stay empty. When Shared Key is
used, and after a client has connected, the column will state SKA. From that point forward, you can use the
Shared Key to do fake auth.
First, launch airodump-ng and write all data to disk (airodump-ng –w /tmp/filesout ath1)
When a client authenticates, airodump-ng will write a .xor file to disk, containing the PRGA xor bits. Of course, if
it takes too long before a client authenticates, you can try to deauthenticate an existing client (if any)
If the .xor file is saved on disk, you can attempt to do the fake auth by providing the .xor file :
Hooray – from this point forward, you can use the same techniques as explained in the first 2 scenario’s
Note : if the number of Packets stops increasing, just stop sending packets, do a re-associate (fake auth) and
start sending packets again. In most cases, this will kick off the data packet increase again.
© 2009, Peter Van Eeckhoutte. All rights reserved. Terms of Use are applicable to all content on this
blog. If you want to use/reuse parts of the content on this blog, you must provide a link to the original
content on this blog.
corelan.be:8800/…/cheatsheet‐cracking‐w… 12/14
3/20/2010 Cheatsheet : Cracking WEP with Backtrack…
airodump, airodump-ng, arp, backtrack, crack, OPN, packetforge-ng, SKA, wep, wireless
Related Posts:
Cheatsheet : Cracking WPA2 PSK with Backtrack 4, aircrack-ng and John The Ripper
Backtrack 4 cheat sheet
WPA TKIP cracked in a minute – time to move on to WPA2
Juniper ScreenOS : Active/Passive clustering
Creating and installing lzm modules in Backtrack 2
Leave a comment
Peter says:
» ... « If you want to be the first to know about new posts/tools/tutorials on this blog, then subscribe to the
mailinglist. Use the 'Subscribe to updates via email' link below (in the Stay posted section)
Your profile
Actions
Register
Log in
Entries RSS
Comments RSS
WordPress.org
Stay posted
Search
Last 5 search keywords : | juniper | windows vpn | route based site to site VPN | installing backtrack 4 pre
final hard drive | cracking wep backtrack 4 |
Top 10 search keywords : | crack wpa with backtrack 4 | free download backtrack 3 | cracking wep
backtrack 4 | backtrack 4 password list | how to install password list in bt4 | basic command for juniper firewall |
backtrack 3 WPA 2 PSK | dual wan juniper | installing backtrack 4 pre final hard drive | this network requires
encryption be enabled |
corelan.be:8800/…/cheatsheet‐cracking‐w… 13/14
3/20/2010 Cheatsheet : Cracking WEP with Backtrack…
Categories
Select Category
Terms of Use | Copyright © 2009 Peter Van Eeckhoutte´s Blog. All Rights Reserved.
Your IP address : 173.68.249.174 | 118 queries. 1.120 seconds | www.corelan.be - artemis.corelan.be
corelan.be:8800/…/cheatsheet‐cracking‐w… 14/14