SECURING WEP KEY USING GERIX - BEING HACKER


Friday, 13 April 2018

Author is not responsible if the reader uses this information to do some illegal activity.

INTRODUCTION

If you are using wireless routers or a WLAN (Wireless Local Area Network) in your home or in your organization, have configured your device to use WEP (Wired Equivalent Privacy) security, and think that your router or WLAN is protected from hacking attacks or unauthorized access, then you must read this article before your neighbor hacks your router or WLAN. In the rest of the article we will see how WEP encryption and decryption work, how WEP keys are cracked and how to secure your network.


What you will learn…

• How WEP protection works
• Vulnerabilities in WEP protection
• Exploiting the WEP vulnerability using GERIX, a graphical user interface based tool
• How to secure Wi-Fi against hackers
  

What you should know…

• BackTrack 5 or basic Linux commands
• Setting up a wireless router
 

Nowadays people and organizations want freedom from the wired world. In order to achieve this, they are moving to the world of wireless technology. Wireless technology gives users the freedom of using their devices without restrictions such as the limited reach of a cable; it also reduces the cost of purchasing cable for connecting every device and, most importantly, it removes the complexity of connecting those cables. As we know, every technology comes with pros and cons, and the same applies to wireless technology. In the rest of the article we will see one of the major security threats in wireless networks, one which can lead to the compromise of your network and your systems.


WEP (Wired Equivalent Privacy) is a security algorithm for IEEE 802.11 (Institute of Electrical and Electronics Engineers) wireless networks. WEP was introduced in 1997 and, as its name suggests, it was made to provide security equivalent to that of a wired network, but a few years after its introduction a serious cryptographic vulnerability was discovered in the WEP algorithm.

As time progressed, attacks on the WEP security feature of wireless networks became easier. With current processing power, it takes only 30 seconds to break WEP security. Now you can imagine how vulnerable this is. In the rest of the article we will see how this algorithm was made to work, why it became so vulnerable, how one can crack a WEP key and what measures to take in order to avoid security breaches in your WLAN.


How does WEP work?

In WEP there are 4 main components which work together to provide security and encryption.

• Security Key (Password or shared key).
• Initialization vector (IV).
• RC4 stream cipher algorithm.
• Message.

WEP comes in three variants based on key length: WEP 64 bit key, WEP 128 bit key and WEP 256 bit key. All variants are vulnerable to hacking attacks. The only difference when cracking WEP with a longer key is that it takes more time. The length of the security key is what distinguishes the variants of WEP, as listed below, while the size of the IV remains unchanged at 24 bits.

• WEP 64 BIT KEY = 40 BIT SECURITY KEY (10 hexadecimal characters) + 24 BIT IV
• WEP 128 BIT KEY = 104 BIT SECURITY KEY (26 hexadecimal characters) + 24 BIT IV
• WEP 256 BIT KEY = 232 BIT SECURITY KEY (58 hexadecimal characters) + 24 BIT IV
 


Range of Hexadecimal characters: 0-9 and A-F.

Note:
The value of the security key remains unchanged throughout the communication, while the value of the IV changes in every iteration.

WEP Encryption process 

Figure 1 shows an encryption process followed by the WEP.



• The security key is combined with the IV to create the KEY; for example, if the security key is ‘abc’ and the IV is ‘xyz’ then your key will be ‘abcxyz’.

• In the second step, the RC4 algorithm is applied to the key to generate the key sequence.

• The CRC of the plain message is calculated.

• The plain MSG and its CRC are combined together.

• An XOR operation is performed on the key sequence and the plain message with CRC to get the cipher text.

• Then, the IV is prepended to the CIPHER TEXT and the result is transmitted over the wireless network to the client or station.

WEP Decryption process

In Figure 2 we can see the decryption process followed by WEP.

• Once the cipher text is received together with its IV value, the IV is separated from it and the security key is combined with this IV to generate the key.

• Then, the RC4 algorithm is applied to this key to generate the key sequence.

• Then the key sequence is XORed with the CIPHER TEXT.

• After XORing, we get the plain MSG with its CRC value.

• A new CRC value is computed from the plain MSG.

• Then, both CRCs are compared and, based on the result, the integrity of the MSG is decided and recovery is done accordingly.

Now that we know how WEP encryption and decryption work, let’s see why it is vulnerable.

Why is WEP vulnerable?

Below are a few points that make WEP cryptographically vulnerable.

• If we analyze the encryption and decryption process closely, we see that the length of the IV remains fixed at 24 bits, so there are only 2^24 possible IV values. Once these have all been used, IV values start getting repeated.
 

• We can see that XOR is used in the encryption and decryption process. Let’s see how XOR works. For example, the key sequence is 10011010 and the plain text in bit form is 11100100. Now XOR these values (Listing 1). Looking at the result we can say that wherever the result bit is 0, the bits in the key sequence and the plain text are the same. This simplifies the process of recovering the key.

• The RC4 algorithm is a stream cipher and also has some vulnerabilities. To learn how it contributes to the vulnerability of WEP, read the document www.airscanner.com/pubs/wep.pdf.

• One of the major weaknesses in WEP is its use of a static encryption key, or security key (password or shared key).

• Now we know that the key is the combination of the IV and the security key, and that the security key remains static. So we have the IV in plain text, and from that the static security key can be derived. These are a few of the basic reasons why WEP is vulnerable.
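The encryption and decryption steps from Figures 1 and 2, and the IV/XOR weaknesses listed above, can be seen end to end in the following Python walkthrough. This is an added example, not code from the article or from the Gerix or aircrack-ng projects. It follows the IEEE 802.11-1999 WEP construction (the 3-byte IV is placed in front of the secret key to form the per-packet RC4 key, a CRC-32 ICV is appended to the message, and the IV is sent in the clear ahead of the cipher text); the secret key, IVs and messages are constructed sample values. The last function shows the point about XOR above: two frames encrypted under the same IV share a keystream, so XORing the two cipher texts yields the XOR of the two plain texts without any knowledge of the key, which is why the 2^24 IV space matters.

```python
"""WEP encrypt/decrypt walkthrough (added example, not from the article).

Assumptions: standard RC4 and CRC-32 as used by IEEE 802.11-1999 WEP, IV placed
before the secret key to form the per-packet key, IV transmitted in the clear.
All keys, IVs and messages below are constructed sample values.
"""
import struct
import zlib

IV_LEN = 3  # 24-bit IV, fixed for every WEP variant


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + PRGA). WEP uses it unmodified."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(secret_key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Figure 1: per-packet key = IV || secret, RC4 keystream, CRC-32 ICV
    appended to the message, XOR, IV prepended for transmission."""
    assert len(iv) == IV_LEN
    per_packet_key = iv + secret_key
    icv = struct.pack("<I", zlib.crc32(plaintext) & 0xFFFFFFFF)
    payload = plaintext + icv
    keystream = rc4_keystream(per_packet_key, len(payload))
    return iv + xor_bytes(keystream, payload)


def wep_decrypt(secret_key: bytes, frame: bytes):
    """Figure 2: split off the IV, rebuild the key, XOR, recompute the CRC
    and compare it with the received ICV. Returns (plaintext, icv_ok)."""
    iv, body = frame[:IV_LEN], frame[IV_LEN:]
    keystream = rc4_keystream(iv + secret_key, len(body))
    payload = xor_bytes(keystream, body)
    plaintext, icv = payload[:-4], payload[-4:]
    icv_ok = struct.unpack("<I", icv)[0] == (zlib.crc32(plaintext) & 0xFFFFFFFF)
    return plaintext, icv_ok


def iv_space() -> int:
    """Number of distinct IVs (2**24); after that the keystream must repeat."""
    return 2 ** (IV_LEN * 8)


def keystream_reuse_leak(secret_key: bytes, iv: bytes, p1: bytes, p2: bytes) -> bool:
    """The XOR weakness: with one IV reused, C1 XOR C2 == P1 XOR P2, so the
    relation between the two messages leaks without the key. Returns True
    when that equality holds for the overlapping message bytes."""
    c1 = wep_encrypt(secret_key, iv, p1)[IV_LEN:]
    c2 = wep_encrypt(secret_key, iv, p2)[IV_LEN:]
    n = min(len(p1), len(p2))
    return xor_bytes(c1[:n], c2[:n]) == xor_bytes(p1[:n], p2[:n])


if __name__ == "__main__":
    secret = bytes.fromhex("0147258369")  # 40-bit key, the value from Figure 12
    iv = b"\x00\x00\x01"                   # constructed IV
    frame = wep_encrypt(secret, iv, b"hello wep")
    print("frame:", frame.hex())
    print("decrypted:", wep_decrypt(secret, frame))
    print("wrong key ICV ok?", wep_decrypt(b"\x00" * 5, frame)[1])
    print("IV space:", iv_space())
    print("same-IV leak:", keystream_reuse_leak(secret, iv, b"attack at dawn", b"defend at dusk"))
```

Note that the ICV check only detects accidental corruption: CRC-32 is linear, so it is not a substitute for a real message authentication code, and the decryptor has no way to tell a reused IV from a fresh one.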

Now we will see how a WEP key can be cracked using free or open source tools available on the Internet. Before that, I would like to mention that all the information shared below is for informational purposes and is meant to spread awareness. Author is not responsible if the reader uses this information to do some illegal activity.

Requirements for cracking WEP

Below is the list of requirements for carrying out this attack.

SOFTWARE:

• Unetbootin http://unetbootin.sourceforge.net/

HARDWARE:

• Computer with a wireless card adapter which is capable of working with BACKTRACK.

• The list of BackTrack supported wireless cards can be found here: http://www.backtrack-linux.org/wiki/index.php/Wireless_Drivers

• One access point or WLAN which is running WEP security.

• One 4 GB USB drive or DVD.

First of all, we have to burn the ISO image to the DVD. I have made my USB drive bootable using the Unetbootin application. The process of making a pendrive bootable can be found here: http://unetbootin.sourceforge.net/#install.

Once you have a bootable DVD or USB, you have to change the boot priority in the BIOS from hard disk to USB media, or to CD ROM in case you are using the DVD. Steps for changing the boot priority can be found at the following link: http://www.hiren.info/pages/bios-boot-cdrom, or Google it for your PC. Once you have changed the boot priority and created the bootable DVD or USB, it's time to boot the BackTrack OS. Insert the DVD or USB and restart the PC. Now, boot BackTrack in text mode. Once the boot process is completed, type the startx command on the console and press ENTER. The BackTrack graphical user interface will be displayed. Now, follow the steps mentioned below to crack the WEP key.

Step 1

Start the console and type the iwconfig command. This command gives you the list of wireless cards on your machine. In Figure 3 we can see that wlan0 is shown.

Step 2

Now we need to put the wireless LAN card in monitor mode, so that you can monitor all traffic generated between the WLAN and its stations (clients connected to the WLAN). To put the card in monitor mode, type the command below:

airmon-ng start wlan0

wlan0 is the name of the WLAN interface, as you can see in Figure 3.
Now you can see the card is in monitor mode; as shown in Figure 4, monitor mode is enabled on mon0.
Step 3

Now start gerix-wifi-cracker-ng. You can start this application by following this path:
• Click on Applications.
• Go to BackTrack.
• Go to Exploitation Tools.
• Go to Wireless Exploitation Tools.
• Go to WLAN Exploitation.
• Click gerix-wifi-cracker-ng.


Once the application has started you will see the window shown in Figure 6.

Step 4

Go to the Configuration tab in Gerix; you will see the screen shown in Figure 7. Now select mon0 in the window and click on Rescan Networks. Make sure the channel is set to ‘all channels’ so that it scans every available channel. Once the scan is completed you can view all the WLAN networks within range of your Wi-Fi card.

In Figure 8 you can see that we have found one network with ESSID Secure_Tech_Point (the ESSID is the name of the WLAN) with encryption type WEP. Now, select the WLAN on which you want to carry out the attack.

Step 5

Now go to the WEP tab in Gerix. You will see the screen shown in Figure 9. Click on the 'start sniffing and logging' button. This starts sniffing and logging packets from the air, and a new screen will appear, as you can see in Figure 10. Here you can see the number of packets sniffed and logged.

• BSSID (Basic Service Set Identification): the BSSID is the MAC address of the wireless access point.

• STATION: the MAC address of a client connected to the wireless access point.

• CH: the channel on which the service is running.

• Beacons: packets which announce the presence of wireless networks.

Now you have to wait until the number of frames goes above 5000.

Step 6

Once the number of frames goes above 5000, go to the Cracking tab of Gerix and click on 'Aircrack-ng – Decrypt WEP password', as shown in Figure 11.
Once you have clicked the Aircrack-ng – Decrypt WEP password button, a new window will open showing the cracking process on the captured packets, as shown in Figure 12. The next thing you have to do is wait and watch the screen until it produces the WEP key for you.
As you can see in Figure 12, KEY FOUND! [01:47:25:83:69]. Now remove the colons (:) and you get the WEP key 0147258369. In the above case, it took only 2 seconds to crack the key.
Now, the next question is how to secure a WLAN. Below are a few points that can help you make your WLAN secure.

How To Secure a WLAN?

• Use the highest level of security available on the WLAN device you are using, such as WPA/WPA2.

• Restrict the number of devices that can connect to your WLAN using MAC or IP filtering.

• Stop all unwanted services on the WLAN.

• Change all the default passwords on WLAN devices.

• Restrict physical access to WLAN devices.

• Restrict the range of the WLAN device.

Conclusion

WEP was made to provide a level of security equal to that of wired devices, but as the use of WEP increased, more and more vulnerabilities were found in it. In the current scenario, WEP has been rolled out and its place has been taken over by WPA/WPA2, which is known as the bullet proof security for WLANs.

If you are running any WLAN on WEP security, then change it to WPA/WPA2 or to the highest level of security supported by your WLAN device as soon as you have finished reading this article. Who knows whether the person next door isn't using your WLAN for some illegal activity.

BE SAFE AND BE SECURE.
