Bi0X

How to crack WEP like the feds, in 3 mins.

27 posts in this topic

Hi.

I was recently reading an article here: http://www.hellboundhackers.org/articles/4...-fbi-style.html

explaining how to get the WEP key for a network in 3-4 mins.

I am very interested in this, and wish to try it out on my own network. Sadly, I am having some trouble using the 2 main programs mentioned in this article, "Kismet" and "Aircrack".

I am using Ubuntu at the moment, and am having some slight trouble downloading these two. (Sorry, I only started with Linux a week or two ago :( )

I can probably get by without Kismet, as I know the SSID and Channel of my current network, but for me to try this out, I really need Aircrack.

Could someone please help me in downloading these programs and give any ideas which might help, as I am slightly confused about some things mentioned in this article.

Thanks very much.

0


Hak5 did an episode using aircrack. It is here. http://www.hak5.org/episodes/episode-3x06-release

Maybe I watch this show too much, but I do like it!

If I remember correctly they use BackTrack. It has many security tools built into a dedicated Linux distribution. This may be easier than setting it all up in Ubuntu. It can also be run from a bootable CD or USB drive. You can learn more about BackTrack at http://www.remote-exploit.org/backtrack.html.

Good luck. I'm not sure you'll get it in 3 minutes unless the password is weak; I bet the Feds don't either.

0


As he said, you can't crack WEP in only 3 minutes!! :) But it is easy to do with any Linux distro where both the aircrack-ng suite and Kismet are installed... if you search on Google you can find a lot of tutorials that explain this attack!! ;)

0


use apt or synaptic... e.g.

apt-get install kismet

0


I think that Kismet and aircrack-ng aren't in the Ubuntu repository... you can check with these simple commands:

sudo apt-get update                  # update your package lists first

sudo apt-cache search aircrack-ng    # find any packages matching "aircrack-ng" in your list

sudo apt-get install aircrack-ng     # if you find it, you can install it with this command; the same procedure works for kismet

;)

0


Kismet and Aircrack are indeed in Ubuntu's repos. But you may as well install them from source. There's a completely new and improved version (e.g. an entire rewrite of the codebase) of Kismet that isn't in the repository yet.

0


Listen to Spyril

0


Obviously, if you follow Spyril's suggestion, you can download Kismet from here and aircrack-ng from here

Enjoy!;)

0


As he said, you can't crack WEP in only 3 minutes!! :) But it is easy to do with any Linux distro where both the aircrack-ng suite and Kismet are installed... if you search on Google you can find a lot of tutorials that explain this attack!! ;)

I scoff when everybody says they can crack WEP in two minutes. You can on some hardware, but you can't on some others. And if there are no clients on the WLAN, you can't do a deauth attack, because you can't deauth what's not authenticated. There are a lot of 'it depends' issues.

Doing a traditional passive AirSnort-style WEP crack can be done quickly only on a VERY busy network, and some vendors (e.g. Cisco) implemented WEP better than others, so you can pass 45 gigs of data through a Cisco AP running WEP and you'll get around 100 IV collisions. Without enough interesting packets, you can't crack WEP, period. As they say in the South, y'all can't get there from here.

You can only generate enough traffic by forcing deauthentication with aireplay, but if there are no clients on the WLAN at the time, there's nothing to deauth. Now if it's a garden-variety Netgear or Symbol box, and it's got a couple of clients, that's another story, because you get plenty of IV collisions to work with.

The real speed happens when you start forcing traffic with tools like aircrack-ptw, which deals with ARP packets only. I'm not a Cisco bigot, but most of their APs are an embedded *NIX box, and these boxes can send SNMP trap alerts to your IDS console. So if somebody is deauth attacking a Cisco AP running WEP or WPA on a managed WLAN, it's gonna be setting off alarms, big time, at the console.

2

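The post above hinges on IV collisions: WEP's "128-bit" key is a 104-bit secret plus a 24-bit IV, and a 24-bit IV space repeats quickly. The block below is an added example (not code from any post in this thread) that works the birthday arithmetic through and checks it with a small simulation; the packet counts, frame size and RNG seed are constructed inputs.

```python
"""Birthday-bound arithmetic and a Monte Carlo check for WEP's 24-bit IV.

Added example for this thread; not code from any of the posts.  The
packet counts passed in and the RNG seed are constructed inputs.
"""
import math
import random
from typing import Tuple

IV_BITS = 24
IV_SPACE = 1 << IV_BITS        # 16,777,216 possible IVs per key


def wep_key_bits(marketing_bits: int) -> int:
    """Secret key behind the marketing name: '64-bit' WEP is 40 + 24, '128-bit' is 104 + 24."""
    return marketing_bits - IV_BITS


def expected_packets_to_first_reuse(space: int = IV_SPACE) -> float:
    """Birthday estimate of how many randomly chosen IVs precede the first repeat: sqrt(pi*N/2)."""
    return math.sqrt(math.pi * space / 2)


def expected_reused_pairs(packets: int, space: int = IV_SPACE) -> float:
    """Expected number of colliding IV pairs among `packets` random IVs: C(n, 2) / N."""
    return packets * (packets - 1) / (2 * space)


def packets_in_transfer(total_bytes: int, frame_bytes: int = 1500) -> int:
    """How many frames (hence IVs) a transfer of `total_bytes` consumes at a given frame size."""
    return -(-total_bytes // frame_bytes)   # ceiling division


def counter_wraps(packets: int, space: int = IV_SPACE) -> int:
    """A card that increments its IV reuses nothing until the 24-bit counter wraps; count the wraps."""
    return packets // space


def simulate_random_ivs(packets: int, seed: int = 1) -> Tuple[int, int]:
    """Draw `packets` uniformly random IVs; return (index of first repeat or 0 if none, total repeats)."""
    rng = random.Random(seed)
    seen = set()
    first_repeat = 0
    repeats = 0
    for n in range(1, packets + 1):
        iv = rng.getrandbits(IV_BITS)
        if iv in seen:
            repeats += 1
            if first_repeat == 0:
                first_repeat = n
        seen.add(iv)
    return first_repeat, repeats


if __name__ == "__main__":
    print("104-bit secret in '128-bit' WEP:", wep_key_bits(128))
    print("random IVs before first reuse ~", round(expected_packets_to_first_reuse()))
    print("expected reused pairs in 100k packets ~", round(expected_reused_pairs(100_000)))
    first, total = simulate_random_ivs(100_000)
    print(f"simulated: first reuse at packet {first}, {total} repeats in 100k")
    frames = packets_in_transfer(45 * 10**9)
    print(f"45 GB at 1500-byte frames = {frames} frames, counter wraps {counter_wraps(frames)} time(s)")
```

Random IVs repeat after only a few thousand frames, and even a strictly incrementing IV counter wraps inside a transfer the size the post mentions, which is why collecting enough IVs is a question of traffic volume rather than key strength.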

The best time I have cracked 104-bit (that is, 104-bit encryption and a 24-bit IV together make 128 bits; just a recap for some) was 5 min and 8 sec. That is from start to finish on an untested, unknown network.

I was asked to make a step by step (AKA a Script Kiddies wet dream) on cracking WEP and have produced one. Cracking WEP is not all that complicated, and the method used is explained on Aircrack's website.

Here is the Step by Step for any who need it.

This is only to be used to see how it is done.

I take no responsibility with what you do with it....

Etc, Etc.. other release of liability BS... Etc

Cracking it within 3 min, like others have stated, requires everything to be perfect and a sh*t load of luck, I guess.

I know there is a way to crack WEP in 20 seconds, but people need the hardware (router) that Verizon FiOS gives out.

I have a mini paper written up and sent out on how I found this security flaw; I just need to find it. I wrote it and sent it a long time ago.

Well, good luck with your WiFi adventures.

CrackingWEP.txt

0


You will probably need to patch your drivers too. Also, it is possible to crack WEP in minutes with the chopchop and fragmentation attacks; no clients needed. With each, the longest part (if you've got two Atheros cards with properly patched drivers) is entering the long-ass commands. Atheros, from what I've experienced, have the best patches, and when one is injecting and the other capturing, WEP can be cracked in under 15 min. The newest PTW brute-force algorithm will crack 104-bit (128-bit) WEP basically on the fly, with enough IVs (about 50K to 100K).

0


The best time I have cracked 104-bit (that is, 104-bit encryption and a 24-bit IV together make 128 bits; just a recap for some) was 5 min and 8 sec. That is from start to finish on an untested, unknown network.

I was asked to make a step by step (AKA a Script Kiddies wet dream) on cracking WEP and have produced one. Cracking WEP is not all that complicated, and the method used is explained on Aircrack's website.

Here is the Step by Step for any who need it.

This is only to be used to see how it is done.

I take no responsibility with what you do with it....

Etc, Etc.. other release of liability BS... Etc

Cracking it within 3 min, like others have stated, requires everything to be perfect and a sh*t load of luck, I guess.

I know there is a way to crack WEP in 20 seconds, but people need the hardware (router) that Verizon FiOS gives out.

I have a mini paper written up and sent out on how I found this security flaw; I just need to find it. I wrote it and sent it a long time ago.

Well, good luck with your WiFi adventures.

Cool mini paper. I will give this a shot when I get a spare minute. I admit that it's been a while since I've cracked WEP, and I am itching to see how WPA/WPA2-secured devices hold up. It's interesting, the work that Elcomsoft is doing with nVidia GPUs to 'recover lost WPA or WPA2 keys'.

0


Nice tute, Biosphear.

I have a few notes to add:

  • First of all, in order to crack wifi, your wireless adapter must be capable of these two functions: monitor mode and packet injection. You can think of monitor mode as sort of like "hyper-promiscuous mode for wireless cards." In monitor mode you can listen to all traffic on the air from any AP or other 802.11 device within range. "Packet injection" means crafting custom packets and sending them out on the air through your wireless adapter. If your wireless adapter's chipset does not support monitor mode and packet injection, or if there's no driver or patch available that supports these features, then sorry; you're not going to be cracking wifi networks with that adapter.
    There's a limited number of chipsets with available drivers to support monitor mode and injection, but luckily most of them are extremely popular so finding one is not too difficult. All the Atheros, most Realtek and Ralink, and some Broadcom chipsets are supported. In some cases a special driver is required, and sometimes it might even be necessary to apply a kernel patch :o to enable these features. If your adapter just won't work or will require a lot of trouble to get working, you can always buy an external USB wifi adapter. They're pretty cheap these days.
  • If you do need a replacement adapter, I strongly recommend the Alfa AWUS036H. Retailing at $30-45, it's a freaking bargain considering its performance over similarly-priced adapters by Linksys and Netgear.
    [image: the Alfa AWUS036H adapter]
    It may be ugly, but this adapter is the wardriver's best friend. It's built on a well-supported Realtek chipset, and its 500mW transceiver provides perhaps the best range of any USB Wifi adapter. The best part is, you can plug in a high-gain replacement antenna which will take full advantage of the Alfa's performance. With a 7dBi antenna and optimum conditions, this thing can pick up networks a quarter-mile away.
  • Regarding step 4 in Biosphear's tutorial: The device ID that Linux gives to your wireless adapter may vary from device to device and from distro to distro. Sometimes you'll see "wlan0," sometimes "ath0" or "eth1." The Alfa AWUS036H (which I pimped in the paragraph above) shows up on my netbook as "wlan0" until I use airmon-ng to put it into monitor mode, whereupon a new device ID is created with the name "mon0". When you run ifconfig, it's really not too difficult to figure out which device is your ethernet and which is your wireless. Just be aware that the device IDs may not be consistent with tutorials you find on the Internets.
  • Before you start any cracking, type "sudo cd /root" and sudo mkdir a new directory called .ac-ng in your /root directory. If you do all your cracking from this directory you can keep all your stuff organized. All aircrack-ng tools must be run as root, so either sudo them or else type "sudo -s" at the start of every cracking operation to get a root prompt. (If you choose the second option, be sure to close the terminal after you're done working as root!)
  • Regarding step 7 in Biosphear's tutorial: When using airodump-ng to choose a target network to crack, look for a network with a high power (PWR) and preferably one with at least a few nodes connected. Of course, you'll want one with "WEP" specified in the encoding (ENC) column. Another good thing to look for is any network with an SSID containing "2WIRE". (More about this later ;) )
  • Once you've selected your target network, mkdir a new subdirectory inside /root/.ac-ng, name it after the target network's SSID, and cd into there before pointing airodump-ng at the target AP. This method will keep all your data organized by network and avoid having a crap-ton of .cap files piling up all over the place.
  • Make a note of the network's BSSID and also the channel it's operating on. It's a good idea to open up a text editor and copy/paste all this info into a text document, along with the MAC addresses of any hosts connected to the target network. Name this text document after the network SSID and save it in the /root/.ac-ng/<target network SSID> directory. Go back to the terminal and hit Ctrl-C to quit airodump-ng. When you restart it, make sure to specify both the BSSID ("-b") and the channel ("-c") of the target AP, and don't forget to add "-w" followed by the filename you want to write the file to (you might want to use the target network's SSID for this as well).
  • Between steps 9 and 10, it's important to recognize whether the target AP is filtering clients by MAC address. If the target is set up for MAC filtering, then you'll need to use a slightly different approach to crack the network. When you run your fakeauth, if you're able to connect OK, then you know MAC filtering is not enabled and you can proceed as described in Biosphear's tutorial. If, however, you start receiving deauth packets then that's a good sign that MAC filtering is enabled on the AP.
    If you're getting filtered out by MAC address, then you'll need to see some connected hosts in order to attack the network. If another host is connected to the network, you can run a deauth attack against that host (specify its MAC address) and then fakeauth using its MAC address in place of your own. It's important to remember that deauth attacks against a connected host will bump that host offline. Because deauth attacks tend to be 'noisy,' you should keep them to a minimum. If people on the target network keep getting repeatedly knocked offline, they'll probably realize there's something wrong with the router and you might gain the attention of a network admin. A stealthier approach in the case of MAC addy filtering is to bide your time: make a log of all the client MAC addresses connected to the target AP, then try again at a time of day when there's little or no traffic. Find a MAC address on your list which is not connected, then carry out your disassociation/ARP replay attacks under the guise of that trusted client.
  • Finally, a (hopefully) useful bit of information: Due to a ridiculously stupid "ease-of-use" feature, many 2WIRE routers have a vulnerability that allows anyone who cracks the WEP key to easily gain full administrative access to the router (2WIRE wifi routers are standard equipment on AT&T, Bellsouth and Qwest home DSL networks, BTW). After cracking the WEP key of a 2WIRE router, you can easily gain admin access by the following method:

    1. Connect to the network using the cracked WEP key you acquired from aircrack-ng.
    2. Open a browser window and type the IP address of the 2WIRE router in the address bar. This should not be too hard to guess. For routers on AT&T service it will most likely be 192.168.1.254, but other companies might use different numbers. As usual, Google is your friend here.
    3. When you get to the router setup login page, click the link for "I forgot my password."
    4. The next page will have a text field with instructions to enter a number printed on a label on the bottom of the router. Instead, just enter the cracked WEP key you just used to log on to the network (the same one you acquired from aircrack-ng).
    5. You're in.

Now you can change any admin settings you please. If the router is filtering by MAC address, this would be a prime opportunity to add your own MAC address (spoofed, of course!) to the whitelist.

I don't know if this works on all 2WIRE routers, but it seems to work on quite a lot of them.

As always, this info is provided purely for educational purposes and should in no way be construed as encouragement or endorsement to fuck with other people's belongings without permission. OK?

Edited by Colonel Panic
2

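Two posts above make the same defender-relevant point from opposite sides: deauthentication attacks are "noisy", and managed APs raise alarms when they see them. The block below is an added example (not code from any post in this thread) of the detection side: a sliding-window counter over a constructed management-frame log. The log format, the MAC addresses, and the window and threshold values are all assumptions.

```python
"""Sliding-window detector for the deauthentication floods discussed above.

Added example for this thread; not code from any post.  The log format is
constructed (one frame per line: time, subtype, transmitter, receiver, BSSID,
reason code); a real deployment would feed it from a WIDS sensor or a
monitor-mode capture.  Window and threshold are assumed tuning values.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

WINDOW_SECONDS = 10.0   # assumed: how far back to count
THRESHOLD = 20          # assumed: this many deauth/disassoc frames per window is a flood

AP = "00:11:22:33:44:55"        # constructed addresses
CLIENT = "aa:bb:cc:dd:ee:01"


@dataclass
class Frame:
    t: float
    subtype: str
    src: str
    dst: str
    bssid: str
    reason: Optional[int]


def parse_line(line: str) -> Frame:
    """Parse one constructed log line; '-' means the frame carries no reason code."""
    t, subtype, src, dst, bssid, reason = line.split()
    return Frame(float(t), subtype, src, dst, bssid, None if reason == "-" else int(reason))


def detect_deauth_floods(lines: Iterable[str], window: float = WINDOW_SECONDS,
                         threshold: int = THRESHOLD) -> List[Tuple[float, str, int]]:
    """Return (time, bssid, frames_in_window) the first time each BSSID crosses the threshold.

    A legitimate disconnect is one or two deauth/disassoc frames; a tool-driven
    flood is dozens per second, so counting per BSSID in a sliding window
    separates the two without needing to know who is spoofing whom.
    """
    recent = defaultdict(deque)   # bssid -> timestamps of recent deauth/disassoc frames
    alerted = set()
    alerts = []
    for frame in (parse_line(l) for l in lines if l.strip()):
        if frame.subtype not in ("deauth", "disassoc"):
            continue
        q = recent[frame.bssid]
        q.append(frame.t)
        while q and frame.t - q[0] > window:   # drop frames older than the window
            q.popleft()
        if len(q) >= threshold and frame.bssid not in alerted:
            alerted.add(frame.bssid)
            alerts.append((frame.t, frame.bssid, len(q)))
    return alerts


def build_sample_log() -> List[str]:
    """Constructed sample: normal traffic, one ordinary disconnect, then a 64-frame flood."""
    lines = [f"0.00 beacon {AP} ff:ff:ff:ff:ff:ff {AP} -",
             f"0.50 data {CLIENT} {AP} {AP} -",
             f"3.00 deauth {AP} aa:bb:cc:dd:ee:02 {AP} 3"]   # a station leaving normally
    # Flood: 64 deauth frames 50 ms apart, transmitter field set to the AP, aimed at one client
    lines += [f"{10.0 + i * 0.05:.2f} deauth {AP} {CLIENT} {AP} 7" for i in range(64)]
    lines.append(f"60.00 data {CLIENT} {AP} {AP} -")
    return lines


if __name__ == "__main__":
    for t, bssid, n in detect_deauth_floods(build_sample_log()):
        print(f"t={t:.2f}s  deauth flood against BSSID {bssid}: {n} frames in {WINDOW_SECONDS:.0f}s")
```

The single ordinary disconnect never trips the counter, while the flood is flagged within the first second of starting; a per-BSSID count is enough because the attack has to name the BSSID it is knocking clients off.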

It's been a while since I've done any WEP cracking; I'll have to set up my Fon and mess around with it.

But one thing first: it seems that after I run Kismet I can't get my wireless interface back in working order. I've got to run and take care of some stuff, but IIRC, it just stays in monitor mode and won't come back out. Any idea on how to fix this without having to reboot the machine?

0


Have you tried:

airmon-ng stop <device ID of your wireless adapter> ?

Edited by Colonel Panic
0


Nice tute, Biosphear.

Thank You :D

My step by step does assume a few things.

One:

You are root

Two:

You are using a supported WiFi card that can do both monitor mode and packet injection

Three:

The device you are trying to get into does not filter MACs

Four:

You do not have to mkdir, it will save to your root drive, but if you do want to keep it neat you can do that (mine is just if you are doing one crack, so you have only 3 files to deal with)

Five:

You own the router (Your method seems to be more on the black hat side, mine is so people can have a simple step by step to see how WEP cracking can be done)

Six:

The next page will have a text field with instructions to enter a number printed on a label on the bottom of the router. Instead, just enter the cracked WEP key you just used to log on to the network (the same one you acquired from aircrack-ng).

I think the number printed on the label on the bottom is the WEP Key.

Seven:

As always, this info is provided purely for educational purposes and should in no way be construed as encouragement or endorsement to fuck with other people's belongings without permission. OK?

Should have put that first

Good add ons to my file though CP. :D

I have a few more step-by-steps that I may have you look over, to make them easier to understand. They all work; I and others test them. They just do not break it down as much. I have other step-by-steps that do that, but they do it on a technical level, not a user level.

Thanks for the input.

biosphear

Edited by biosphear
0


My step by step does assume a few things.

One:

You are root

Two:

You are using a supported WiFi card that can do both monitor mode and packet injection

Three:

The device you are trying to get into does not filter MACs

Four:

You do not have to mkdir, it will save to your root drive, but if you do want to keep it neat you can do that (mine is just if you are doing one crack, so you have only 3 files to deal with)

Five:

You own the router (Your method seems to be more on the black hat side, mine is so people can have a simple step by step to see how WEP cracking can be done)

I tried to keep it neutral-sounding, but I guess the methodology implies that one would be cracking lots of routers and would therefore need to keep all one's cracking sessions organized.

If a "black hat" hacker was cracking lots of routers illegally, it would be unwise to retain all the data pertaining to numerous hacks right there on his hard drive for authorities to find (even if it is inside an obscurely-named hidden directory within /root). For a black-hat, it would be wiser to destroy all the incriminating data right after the crack is done.

Of course if a pen tester was legitimately hired to do security analysis of a company and he was profiling wireless vulnerabilities, he would certainly want to retain all the relevant data in an organized fashion.

Six:

The next page will have a text field with instructions to enter a number printed on a label on the bottom of the router. Instead, just enter the cracked WEP key you just used to log on to the network (the same one you acquired from aircrack-ng).

I think the number printed on the label on the bottom is the WEP Key.

It might be the original WEP key, but I have tried this out on my parents' 2WIRE DSL modem/router (my father had deliberately changed the security settings) and the new WEP key unlocked the router.

Seven:

As always, this info is provided purely for educational purposes and should in no way be construed as encouragement or endorsement to fuck with other people's belongings without permission. OK?

Should have put that first

^_^

Good add ons to my file though CP. :D

Thanks

I have a few more step-by-steps that I may have you look over, to make them easier to understand. They all work; I and others test them. They just do not break it down as much. I have other step-by-steps that do that, but they do it on a technical level, not a user level.

Thanks for the input.

biosphear

You're welcome.

Maybe we could cobble all this together into an explicit tutorial and upload it to DocDroppers?

Edited by Colonel Panic
0


Maybe we could cobble all this together into an explicit tutorial and upload it to DocDroppers?

Sounds good.

I have a few others that I have finished, and a 50-or-so-page one (as it is looking so far) on owning your first box, step by step, from getting into the network to grabbing what you want off that system.

I'm also working on a more advanced one (I mean about 100 times more) than my Owning Your First Box, on how to get past network security measures.

PM me and lets see what we can get together :)

0

I think the number printed on the label on the bottom is the WEP Key.

It might be the original WEP key, but I have tried this out on my parents' 2WIRE DSL modem/router (my father had deliberately changed the security settings) and the new WEP key unlocked the router.

Last weekend I did a little more poking around with my parents' DSL modem/router (a 2WIRE from AT&T) and it appears you're right.

How it works is this: The device ships with WEP enabled and a pre-set, good quality cryptographic key in place. That default WEP key is printed on a label adhered to the bottom of the router, along with the device's MAC addy and serial number. That original, default WEP key is used by the router as an alternative to an admin login in the event of a lost password.

Changing the WEP key is indeed possible, as is changing the security settings to use WPA and WPA2, but AT&T does not routinely provide its customers with any hard-copy documentation on how to change the admin settings of the device. Therefore, most users seem to have no idea that it's even possible, judging by the vast majority of 2WIRE routers "in the field" operating on WEP security with a default key. If the WEP key is changed by the owner, then a cracking attempt will reveal to the attacker the new WEP key and not the default, so administrative access to the router will not be as easily obtained.

Regardless, this is a really bad situation for AT&T DSL users, for several reasons:

  • If the default WEP key is not changed by the end-user, an attacker can easily gain administrative access to the router, and thereby the entire LAN. AT&T's installation and setup guide does not explain how to change the router's WEP key, and the DSL modem/router does not come with a user's manual.
  • Shipping routers with WEP enabled by default promotes a false sense of security to end-users, creating the impression that they're protected when in fact their entire network is up for grabs.
  • Even if the user does understand that WEP is inadequate, AT&T does not provide any instructions for how to change the security settings of the device without the user logging into his or her AT&T Broadband Web site and seeking out the 2WIRE router user's manual.
  • Enabling WPA-PSK security instead of WEP would not only provide better security against bandwidth stealing, but would also prevent wifi crackers from obtaining administrative access to the router. However, this information is not provided up-front by AT&T to its customers at the time of installation.
  • Even changing the WEP key to something other than the default (while not providing good security against bandwidth stealing) would at least help prevent attackers from obtaining administrative access to the router, but again this information is not provided up-front by AT&T to its customers at the time of installation.

This is another example of user security being sacrificed for ease-of-use. This is unfortunately common practice these days, as manufacturers and service providers dumb down their products' documentation and user interfaces in the interest of lowering their own tech support costs.

Edited by Colonel Panic
0


Heh, funny this came up.

I recently did an entire walkthrough of just how insecure WEP is for a 4H computer competition and ended up winning...

And 3-4 minutes is nothing, in my demo I got past my test network's 64-bit WEP in a little over 1:30!

0


I recently did an entire walkthrough of just how insecure WEP is for a 4H computer competition and ended up winning...

Congrats for the Win. :smile:

And 3-4 minutes is nothing, in my demo I got past my test network's 64-bit WEP in a little over 1:30!

3-4 minutes is for 104-bit WEP (also known as 128-bit: 104-bit key + 24-bit IV = 128. I think I have covered that already, but just in case).

And do you have a video of you cracking it in 1:30? I would like to see how you did it.

And once again. Once I find my walk through, I will post how to get 20 WEP Passwords in 30 seconds.

biosphear.

0


Forgive me, but isn't it the case that for WPA-PSK you need to capture the handshake between a computer and the router (that's how I learned it), then run it against a dictionary file, using aireplay and airodump?

0


But for WEP, just use BackTrack 4 and VMware, but you'll need a USB wireless card. (Sorry about the double post.) I can post a guide if you need one.

Edited by icblkppl
0


But for WEP, just use BackTrack 4 and VMware, but you'll need a USB wireless card. (Sorry about the double post.) I can post a guide if you need one.

What do you need VMware for?

Backtrack can be booted from USB, CD or DVD.

0


Quick question, and this is more aimed at AT&T, Verizon and Comcast: WEP is riddled with security faults. Granted, I have been out of the scene for a year or more, but WEP security was an issue in '06. Why on earth are routers still configured to use WEP by default? I really shouldn't talk, our router at home is completely unprotected, but seriously, people are still able to do this?

I guess the reason why I am having a hard time believing it is because I ran a Kismet session as I drove up the highway from Boston to Amherst and I only saw maybe 10 or 12 unencrypted networks (one of them was an insurance agency and another was a doctor's office *yikes*) and I only saw maybe 9 WEP networks; the rest were WPA or WPA2. (I should mention that I snagged like... over 140 networks in total.)

I would like to make another observation: most of the WiFi networks you are going to run into in the suburbs are not going to have a "SysAdmin" or "SysOp", or even in the cities for that matter (unless you are in a financial district or at an airport). Basically, I have a pretty strong suspicion that your activity will go largely unnoticed until you do something like turn off WEP or change the name of the network to "network-of-t3h-p\/\/n3d", "lul-usux", etc., etc.

Hell, I am not sure if a cop would even know what do with a kid if he caught them running kismet and aircrack-ng; this is assuming that you are not dressed in black crouching in the foliage with a laptop and smelling kind of odd... moving on.

I am intrigued though; I was never able to get WiFi cracking quite down. Perhaps I was too impatient or my driver didn't support packet injection; it was most likely the latter.

Thanks for the link btw I will see about buying the Alfa, hell, looks like I could make my own amplifier for it!

0

