‘WEP is insecure and breakable’ – No surprise here, everyone knows this is the case. But there can be a large difference between knowing something is theoretically possible and seeing the security provisions fall over merely by being looked at. Recent InfoSanity research has shown WEP is still found on 30% of real-world access points. This means that WEP security is still a valuable skill for anyone working within information security.
One of the best sources for wireless security information is the Aircrack Project (site currently unavailable, Google cache can be of assistance for the impatient). The tutorial section of the site contains many great walkthroughs and guides to all aspects of wireless security I’m not going to attempt create an all encompassing guide to WEP security, but merely to provide a real-world example of compromising WEP.
First phase of any wireless compromise is to locate and identify the target network, this could be achieved with any number of tools, personally I activate airodump-ng from the aircrack suite with minimal parameters (bt ~ # airodump-ng wlan0). From the target network collect the station MAC address (BSSID), network name (ESSID) and operating channel.
Whilst not a necessity, testing the ability of your equipment to inject packets into the target network can prevent wasting time and resources with an unsuccessful compromise attempt. The ability to inject packets will have a large impact on the ability to compromise a WEP key and the time required to make the compromise. Again the Aircrack suite has good tools for the job, this time in the form of aireplay. In my case the required command was:
bt ~ # aireplay-ng –test -b 00:0F:B5:DC:DE:B7 -e mist wlan0
where -b and -e parameters are the targets BSSID and ESSID respectively. The output will show if packet injection is possible, and the reliability of that injection. The Aircrack documentation states that injection rate should be at or near to 100%. Whilst this is beneficial, I have successfully completed an engagement with injection as low as 15%.
Next step is set up a packet sniffer, airodump does the job nicely. Adding some additional parameters ( -c # ) to fix the capture to the targets operating channel will increase success rate and reduce capture times as your card doesn’t lose packets whilst channel hopping across the wireless spectrum. Again, in my case I used:
bt ~ # airodump-ng -c 13 –bssid 00:0F:B5:DC:DE:B7 -w WEP-example wlan0
-w filename, specifies the file to write captured traffic to.
Before injection packets, the injecting interface needs to associate with the target base station. Aireplay-ng to the rescue again:
bt ~ # aireplay-ng –fakeauth 0 -a 00:0F:B5:DC:DE:B7 wlan0
Aireplay-ng also provides a function for implementing an ARP injection attack:
bt ~ # aireplay-ng –arpreplay -b 00:0F:B5:DC:DE:B7 wlan0
This is where the packet injection ratio determined by the –test function comes into play, the Alfa card with RealTek 8187 chip in use during this engagement generally injects packets at a rate of 500 packets per second, in this scenario the test function report 92% success, airodump-ng reported capturing approx 490 packets per second.
Final stage is to actually crack the collected packets, Aircrack documentation suggests collecting 250,000 IV packets to ensure compromise. In this case I collected 100,000 packets and the key was cracked in under a second, in previous engagements I have successfully gained the encryption key with as few as 10,000 collected packets:
bt ~ # aircrack-ng WEP-example-01.cap
In this case overall engagement required less than 15 minutes from finding network point to obtaining network key. From here it’s trivial to get a machine connected to the wireless network, in many cases this provides direct access to the soft and fluffy internal network, and from there? World (target network) is your oyster…..
— Andrew Waite