WEP Cracking: Is Your Wi-Fi Secure?

In this tutorial we will cover the basic infrastructure of a wireless network, how the data inside the network is transferred, how that data is encoded, and how we can crack a WEP code based on that data. Understanding Wi-Fi Wi-Fi allows users to connect to the Internet, wirelessly, within the range of[/indent] their wireless local area network (WLAN). We more specifically refer to WLANs as the linking of two or more computers with network interface cards (NICs). This linking technology is based on radio waves. In WLANs, we refer to connected devices as stations. There are two categories of stations; Access Points (APs), and clients. An AP is the base station of a wireless network, and is the device which sends and receives information. This is the information with which the clients communicate. These stations are collectively known as the Basic Service Set (BSS). Each station is identified by its BSSID. The BSSID is also known as the MAC address. Each BSSID is unique to its station, and is associated with the stations NIC. The AP broadcasts its SSID, which can then be picked up by other stations within range. This is name you see when connecting to a network. Here are the SSIDs, as they would appear in your Airport Utility. Attached File 1.png (35.89K) Number of downloads: 365 Data Streams (Packets) So, your computer has picked up the SSID of a service set. Data is no longer transferred to and from the AP and client through a wire; it is now sent as packets over the WLAN. A computer does not need physical access to a computer to pick up these packets. Thus while transferring packets (which would be happening simultaneously while using the internet), a secure connection is at its weakest security point. You may wonder, How is my security threatened when I have a wireless encryptions. There are two main kinds of encryption forwireless networks, WEP and WPA. WEP-Wired Equivalent Privacy: WEP, WEP2, WEP+ (same vulnerability) 3 key lengths 64, 128, 256 bits (WEP 64, WEP 128, WEP 256) WEP does not have a high level of security, but is compatible with all older devices making it popular in home and small business environments. A WEP key consists of an Initiation Vector (IV), and a passcode. This passcode is randomly generated for the user, but can be, and should be changed. WPA- Wi-Fi Protected Access: WPA, WPA2 WPA was created to supply different passcodes (keys), to each client. It can also be, and is still widely used in a pre-shared key (PSK) setting. In this setting, WPA is not as secure, and uses the same key for each client. There are many fixes in WPA security, the most prominent of which is the 48 bit IV (2x the size of WEPs) Packet Sniffing 1Packet Sniffing is the term used to describe the process of stealing encoded packets from a secure WLAN. Every packet contains a 24-bit (WEP), or a 48-bit

(WPA) IV. The pre-shared key, is static and therefor would be easy to obtain with an IV. The IV encrypts each packet with a different key. The IV is constantly changing, therefor to decrypt a passkey we need the IV. As the potential hacker, our goal is to obtain the network key, which would be impossible if every IV was unique. However, they are not, and will eventually repeat, which is known as a collision. If you do the math, there are 16 million unique values that can be used. Doing even more math, and knowing that the IV is randomly chosen, theres a 50% probability of packet repetition after as few as 5,000 packets. So, how do we sniff the packets? Luckily there is a very easy to use, convenient program.KisMac Cracking Requirements: Mac OS X, KisMac, (USB Wi-Fi Device {optional}) 1. Obtain the program KisMac here... 2. Drag KisMac to your Apps folder 3. Simply open KisMac Attached File 2.png (114.45K) Number of downloads: 446 Configuring and Scanning We need to configure our drivers (NICs) so that KisMac knows which one to use: 1. Click the KisMac tab, and then preferences 2. We must now select our driver, from the drop down menu 3. Choose Apple Airport Extreme Card (Passive) 4. Then select All channels, and Keep Everything 5. Lastly add the driver, it should now appear as 6. You can close preferences Preferences: Attached File 4.png (28.03K) Number of downloads: 894 Settings: Attached File 3.png (114.84K) Number of downloads: 1409 Begin Scanning 1. Once you are back in the main window of KisMac, you can start your scan (bottom right corner) 2. You will be asked for your admin password, go ahead and enter it. KisMac wants to save your data, so it needs the privileges to do so. 3. Your Networks should appear in a second 4. Find your network and select itNotice what channel it is on 5. Go back to preferences and change your Airport card passive settings, so that it only scans the channel of your network. (If you want to collect packets from all channels at once than skip this step). 6. You are now effectively sniffing the packets and collecting the unique IVs Info:Attached File 6.png (56.47K) Number of downloads: 1407 The Actual Cracking Note that we must collect enough packets to have enough unique IVs. We want IV repeats! The suggested minimum is 130,000 Unique IVs, but more never hurts. 1. Once you have your 130,000+ Unique IVs, we can begin the cracking

2. Navigate to the Network tab, then Crack, then Weak Scheduling Attack, then Against Both (This is assuming you dont know the bit of the password, if you do, feel free to specify it) 3. Depending on the complexity of the password, the processing power of your computer, and the luck of your Unique IVs, this had been known to take from 5 seconds to hours. Find it: Attached File 7.png (123.97K) Number of downloads: 955 With luck, and time KisMac will eventually recover your key. Success!-Attached File 8.png (25.42K) Number of downloads: 570 Learn how to crack WPA and how to speed up you packet collection here...WPA Cracking