L14 More Wireless Hacking: Cracking Wired Equivalent Privacy (WEP) it-slideshares.blogspot.com

Hands-On Ethical Hacking and Network Defense
Lecture 14: Cracking WEP
Last modified 5-11-09

Upload: phanleson

Post on 02-Jul-2015


DESCRIPTION

More Wireless Hacking: Cracking Wired Equivalent Privacy (WEP) it-slideshares.blogspot.com

TRANSCRIPT

Page 1: L14 More Wireless Hacking: Cracking Wired Equivalent Privacy (WEP) it-slideshares.blogspot.com

Hands-On Ethical Hacking and Network Defense

Lecture 14: Cracking WEP

Last modified 5-11-09

Page 2: Legal Concerns

Defeating security to enter a network without permission is clearly illegal
  Even if the security is weak
Sniffing unencrypted wireless traffic may also be illegal
  It could be regarded as an illegal wiretap
  The situation is unclear, and varies from state to state
  In California, privacy concerns tend to outweigh other considerations
See links l14v, l14w

Page 3: Equipment

Wireless Network Interface Cards (NICs) and Drivers

Page 4: The Goal

All wireless NICs can connect to an Access Point
But hacking requires more than that, because we need to do
  Sniffing – collecting traffic addressed to other devices
  Injection – transmitting forged packets which will appear to be from other devices

Page 5: Windows v. Linux

The best wireless hacking software is written in Linux
The Windows tools are inferior, and don't support packet injection
But all the wireless NICs are designed for Windows
  And the drivers are written for Windows
  Linux drivers are hard to find and confusing to install

Page 6: Wireless NIC Modes

There are four modes a NIC can use
  Master mode
  Managed mode
  Ad-hoc mode
  Monitor mode
See link l_14j

Page 7: Master Mode

Also called AP or Infrastructure mode
Looks like an access point
Creates a network with
  A name (SSID)
  A channel

Page 8: Managed Mode

Also called Client mode
The usual mode for a Wi-Fi laptop
Joins a network created by a master
Automatically changes channel to match the master
Presents credentials, and if accepted, becomes associated with the master

Page 9: Typical Wireless LAN

(Figure: Access Point in Master Mode; Clients in Managed Mode)

Page 10: Ad-hoc Mode

(Figure: Nodes in Ad-hoc Mode)

Peer-to-peer network
No master or Access Point
Nodes must agree on a channel and SSID

Page 11: Monitor Mode

Does not associate with Access Point
Listens to traffic
Like a wired NIC in Promiscuous Mode

(Figure: Monitor Mode node beside a Master Mode AP and a Managed Mode client)

Page 12: Wi-Fi NICs

To connect to a Wi-Fi network, you need a Network Interface Card (NIC)
The most common type is the PCMCIA card
  Designed for laptop computers

Page 13: USB and PCI Wi-Fi NICs

USB: Can be used on a laptop or desktop PC
PCI: Installs inside a desktop PC

Page 14: Choosing a NIC

For penetration testing (hacking), consider these factors:
  Chipset
  Output power
  Receiving sensitivity
  External antenna connectors
  Support for 802.11i and improved WEP versions

Page 15: Wi-Fi NIC Manufacturers

Each wireless card has two manufacturers
The card itself is made by a company like
  Netgear, Ubiquiti, Linksys, D-Link, and many, many others
But the chipset (control circuitry) is made by a different company

Page 16: Chipsets

To find out what chipset your card uses, you must search on the Web
  Card manufacturers don't want you to know
Major chipsets:
  Prism
  Cisco Aironet
  Hermes/Orinoco
  Atheros
There are others

Page 17: Prism Chipset

Prism chipset is a favorite among hackers
  Completely open -- specifications available
  Has more Linux drivers than any other chipset
See link l_14d

Page 18: Prism Chipset

Prism chipset is the best choice for penetration testing
HostAP Linux drivers are highly recommended, supporting:
  NIC acting as an Access Point
  Use of the iwconfig command to configure the NIC
See link l_14h

Page 19: Cisco Aironet Chipset

Cisco proprietary – not open
Based on Prism, with more features
  Regulated power output
  Hardware-based channel-hopping
Very sensitive – good for wardriving
Cannot use HostAP drivers
Not useful for man-in-the-middle or other complex attacks

Page 20: Hermes Chipset

Lucent proprietary – not open
Lucent published some source code for WaveLAN/ORiNOCO cards
Useful for all penetration testing, but requires Shmoo driver patches (link l_14l) to use monitor mode

Page 21: Atheros Chipset

The most common chipset in 802.11a devices
Best Atheros drivers are MadWIFI (link l_14m)
Some cards work better than others
Monitor mode is available, at least for some cards

Page 22: Other Cards

If all else fails, you could use Windows drivers with a wrapper to make them work in Linux
  DriverLoader (link l_14n)
  NdisWrapper (link l_14o)
But all you'll get is basic functions, not monitor mode or packet injection
Not much use for hacking

Page 23: Cracking WEP

Tools and Principles

Page 24: A Simple WEP Crack

The Access Point and Client are using WEP encryption
The hacker device just listens

(Figure: Hacker Listening; WEP-Protected WLAN)

Page 25: Listening is Slow

You need to capture 50,000 to 200,000 "interesting" packets to crack a 64-bit WEP key
The "interesting" packets are the ones containing Initialization Vectors (IVs)
Only about ¼ of the packets contain IVs
So you need 200,000 to 800,000 packets
It can take hours or days to capture that many packets
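Why frames that carry an IV are the "interesting" ones is a property of WEP's construction, which the slides do not spell out. The following is an added example, not code from the slides or from any of the tools they name: it implements RC4 and the WEP per-frame scheme from 802.11-1999, in which a 24-bit IV is sent in the clear and prepended to the secret key to seed RC4 (a 40-bit key plus the 24-bit IV is what "64-bit WEP" means), with a CRC-32 integrity check value (ICV) appended to the payload. The key, IV values and payloads below are constructed for illustration. It shows two things a passive listener gets from every IV-carrying frame: the first bytes of that frame's keystream, because 802.11 data payloads start with the fixed LLC/SNAP header AA AA 03, and, when an IV repeats, the XOR of the two plaintexts. The statistical key-recovery step the slides refer to is not implemented.

```python
"""WEP per-frame encryption and what each IV-carrying frame reveals.

Added example, not part of the original slides. RC4 and the WEP framing
follow 802.11-1999; the key and frame contents are constructed samples.
"""
import struct
import zlib

# constructed 40-bit secret key ("64-bit WEP" = 40-bit key + 24-bit IV)
SAMPLE_KEY = bytes.fromhex("0123456789")
# LLC/SNAP header that begins every 802.11 data payload (known plaintext)
SNAP_HEADER = b"\xaa\xaa\x03"


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Return n bytes of RC4 keystream for key (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _icv(payload: bytes) -> bytes:
    """WEP integrity check value: little-endian CRC-32 of the payload."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Build a WEP body: IV (3 cleartext bytes) || RC4(IV||key) XOR (data||ICV)."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    data = plaintext + _icv(plaintext)
    ks = rc4_keystream(iv + secret_key, len(data))
    return iv + bytes(a ^ b for a, b in zip(data, ks))


def wep_decrypt(secret_key: bytes, body: bytes):
    """Return (plaintext, icv_ok) for a WEP body built by wep_encrypt."""
    iv, ct = body[:3], body[3:]
    ks = rc4_keystream(iv + secret_key, len(ct))
    data = bytes(a ^ b for a, b in zip(ct, ks))
    plaintext, icv = data[:-4], data[-4:]
    return plaintext, icv == _icv(plaintext)


def keystream_leak(body: bytes, known_prefix: bytes = SNAP_HEADER) -> bytes:
    """Keystream bytes a listener learns from a frame whose leading plaintext
    is known. No key is needed: ciphertext XOR known plaintext = keystream."""
    ct = body[3:3 + len(known_prefix)]
    return bytes(a ^ b for a, b in zip(ct, known_prefix))


def iv_reuse_leaks_xor(body_a: bytes, body_b: bytes):
    """If two frames share an IV they share a keystream, so the XOR of their
    ciphertexts equals the XOR of their plaintexts. Returns None if IVs differ."""
    if body_a[:3] != body_b[:3]:
        return None
    n = min(len(body_a), len(body_b)) - 3
    return bytes(a ^ b for a, b in zip(body_a[3:3 + n], body_b[3:3 + n]))


def demo() -> dict:
    """Encrypt two constructed ARP-sized payloads under the same IV and report
    what a passive listener can derive without the secret key."""
    iv = b"\x00\x00\x01"
    pt_a = SNAP_HEADER + b"\x00\x00\x00\x08\x06" + b"request-A"
    pt_b = SNAP_HEADER + b"\x00\x00\x00\x08\x06" + b"request-B"
    body_a = wep_encrypt(SAMPLE_KEY, iv, pt_a)
    body_b = wep_encrypt(SAMPLE_KEY, iv, pt_b)
    return {
        "iv_in_clear": body_a[:3] == iv,
        "leaked_keystream": keystream_leak(body_a),
        "plaintext_xor": iv_reuse_leaks_xor(body_a, body_b)[:len(pt_a)],
        "expected_xor": bytes(a ^ b for a, b in zip(pt_a, pt_b)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The IV is the only per-frame variation in the key, and it is transmitted unencrypted, which is why a capture tool can count "IVs collected" at all; the 24-bit IV space (about 16.7 million values) also guarantees repeats on a busy network.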

Page 26: Packet Injection

A second hacker machine injects packets to create more "interesting" packets

(Figure: Hacker Listening; WEP-Protected WLAN; Hacker Injecting)

Page 27: Injection is MUCH Faster

With packet injection, the listener can collect 200 IVs per second
5 – 10 minutes is usually enough to crack a 64-bit key
Cracking a 128-bit key takes an hour or so
Link l_14r

Page 28: AP & Client Requirements

Access Point
  Any AP that supports WEP should be fine (they all do)
Client
  Any computer with any wireless card will do
  Could use Windows or Linux

(Figure: WEP-Protected WLAN)

Page 29: Listener Requirements

NIC must support Monitor Mode
Could use Windows or Linux
  But you can't use NDISwrapper
Software
  Airodump (part of the Aircrack Suite) for Windows or Linux (see Link l_14q)
  BackTrack is a live Linux CD with Aircrack on it (and many other hacking tools) Link l_14n

(Figure: Hacker Listening)

Page 30: Injector Requirements

NIC must support injection
Must use Linux
Software
  void11 and aireplay
  Link l_14q

(Figure: Hacker Injecting)

Page 31: Sources

Aircrack-ng.org (link l_14a)
Wi-Foo (link l_14c)
Vias.org (link l_14j)
smallnetbuilder.com (link l_14p)