Good day to all of the Duthcode hackers out there, both the experienced and the knowledge-hungry! I had some free time in my hands and decided to write a story for all of you to read! I call it :
WHY WEP IS NO LONGER WITH US
In this small write-up, I will try to clarify why we don't use the Wired Equivalent Privacy (WEP) anymore to secure our networks! But! Since I know you are a person of action like me, I will be including a short tutorial, in the end, showing you how to crack any WEP password protected network easily with 2 methods called Fake Authentication Attack & ARP Request Replay Attack.
But first the Story...
The early years of WEP
WEP or Wired Equivalent Privacy network protocol was introduced in the vicinity of the new millennium and was supposed to secure the previously open Wi-Fi and other 802.11 networks. It was designed to give wireless networks the equivalent level of privacy protection as a comparable wired network. But it failed miserably.
How it works
The WEP encryption uses the RC4 (Rivest Cipher 4) key scheduling algorithm. It implements a data encryption scheme that uses a combination of user and system generated values.
When deployed over a wireless network it encrypts the client's data using a key, it then sends the encrypted packet in the air and to the router where the packet gets decrypted using the same key.
A quick note, The algorithm, and the way RC4 works is quite fine actually. The problem is how WEP implements the algorithm.
The protocol, as I mentioned above, was officially brought to the light in 1999. Two years later, mathematicians showed that it was severely flawed, but the attackers would need around 4 million packets of data in order to calculate the original key. Since then, several flaws found in the algorithm, and the cracking time was reduced down to minutes.
I, once, read on an article that was written back in 2007 that it took a 1.7GHz Pentium-M computer 2 minutes to crack a 104-bit WEP secure key, and it had a 95% success rate. My current machine has an Intel Core i7-7700HQ CPU @ 2.80GHz and the largest WEP secure key available is 256-bit. I believe that you have already begun to imagine why WEP failed as an encryption protocol. [source]
Quick Steps to WEP Encryption
The WEP encryption can be easily broken down in 4 bullets detailing its key elements:
- Each packet is encrypted using a unique keystream
- Random initialization vector [IV] is used to generate the key streams
- The IV is only 24 bits
- IV + given password = KeyStream
What is the problem exactly?
Ok yeah, we got the point, WEP is shit. But, why? The main reasons are :
- IV is too small (only 24bits)
- The IVs are sent in plain text
The main result of these points above is that
- IVs will be repeated on a very busy network
- This repetitive behavior makes WEP vulnerable to an attack method called Statistical (Paper on Statistical Attack for the nerdier Bunch)
- Repeated IVs can be used to determine the keystream
By putting all the aforementioned bullets into perspective, with the help of aircrack-ng, we can exploit the core vulnerability of WEP, crack its encryption, and determine the password accurately.
Cracking WEP Encryption with aircrack-ng
In my very humble opinion, a hacker needs to have the knowledge of cracking even the most outdated vulnerability. Also, do you think it would be wise to call yourself a hacker without knowing how to crack WEP?
Personal Experience: I remember I started wireless hacking back in 2012. Back then there was this Mobile Network Operator in Greece who would only install Routers with WEP as the default network privacy protocol, so I, the new wireless hacker apprentice had a reason to learn how to crack WEP. As the years went by, even they changed to WPA2. So I never needed the WEP cracking methodology again.
That was until two months ago! DUN DUN DUUUUUN! No seriously! My father caught the Drone fever, and decided that it would be a good idea to spend his money on a new 500$ Xiaomi Drone! Well, guys and gals, you guessed it! The drone's mobile application was communicating with the smartphone via WEP! :)
There are always outdated vulnerabilities out there! Prepare for the worst but god forbid if you are not prepared for the easy stuff!
[END OF P.E]
As I have mentioned above, if you want to crack a WEP encryption you need a busy network because you also need a large number of IVs. But what happens if the network you are trying to attack is idle?
You could always do what a skilled Hacker has to do on most of the occasions, wait patiently.
But!!! We only wait if it is the last thing left for us to do!
Introducing the Fake Authentication
Official Description: The fake authentication attack allows you to perform the two types of WEP authentication (Open System and Shared Key) plus associate with the access point (AP). This is only useful when you need an associated MAC address in various aireplay-ng attacks and there is currently no associated client. It should be noted that the fake authentication attack does NOT generate any ARP packets. Fake authentication cannot be used to authenticate/associate with WPA/WPA2 Access Points.
We need this authentication approach because APs only communicate with connected clients and if we are not somehow associated with it we can not even start the main attack.
Associating with the AP before launching the attack
Please do not confuse this method. We are not connecting with the target AP, we just want to let it know that we want to communicate with it so it wouldn't block our requests. So let's associate with our target network.
STEP 1st | Monitor for targets
Put your wireless card in monitor mode:
airmon-ng start wlan0
And then search for targets:
airodump-ng wlan0mon BSSID PWR Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 50:C7:BF:DC:4C:E8 -25 30 78 0 1 270 WEP WEP duthcode_AP
In this result, we see that our target is duthcode_AP
- BSSID : 50:C7:BF:DC:4C:E8
- ENC: WEP
- CIPHER: WEP
And once you acquire the targets BSSID as we did then you run the following command and leave it running:
----------------------------------------------------------------------------- airodump-ng --bssid 50:C7:BF:DC:4C:E8 --channel 1 --write arpreplay wlan0mon ----------------------------------------------------------------------------- CH 1 ][ Elapsed: 18 s ][ 2019-03-03 13:48 BSSID PWR RXQ Beacons #Data, #/s CH MB ENC CIPHER AUTH ESSID 50:C7:BF:DC:4C:E8 -15 100 188 0 0 1 270 WEP WEP duthcode_AP BSSID STATION PWR Rate Lost Frames Probe
This is a very simple command that I have used before in my previous tutorials it goes like this:
- airodump-ng: we use airodump-ng to capture data from a network
- -- bssid: The BSSID of the network
- -- channel: The channel in which the network is running
- -- write: Write everything in a file called arpreplay
This is a monitoring process!!! Please do not close the monitoring process, just leave it monitoring as is!
Notice that under the AUTH the field is empty and also no STATION is found!
Step 2nd | Associate with the Network
To achieve this Fake Association we will use the tool aireplay-ng.
aireplay-ng --fakeauth 0 -a 50:C7:BF:DC:4C:E8 -h 00:27:19:B2:D5:65 wlan0mon
- --fakeauth: because we want to do a Fake Authentication attack
- 0: Because we are only doing this once
- -a: Mac Address of the network
- -h: Mac Address of our wireless adapter
To find the MAC Address of our wireless adapter we type ifconfig and we copy the first 12 digits of the unspec field and replace the minuses with semicolumns
wlan0mon: flags=867<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI> mtu 1500 -----> unspec 00-27-19-B2-D5-65-30-3A-00-00-00-00-00-00-00-00 txqueuelen 1000 (UNSPEC) RX packets 491071 bytes 149637165 (142.7 MiB) RX errors 0 dropped 479748 overruns 0 frame 0 TX packets 0 bytes 0 (0.0 B) TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
- wlan0mon: The name of our wireless adapter in monitor mode
When we press enter and execute this command we should see, under the AUTH field that previously was empty, OPN and we should also have a new client associated with the network that has the same MAC Address as our wireless adapter.
Now we need to communicate with the network in a way to force it into generating new packets with new IVs which will help us crack the key very quickly!
ARP Request Replay Attack
Description: The classic ARP request replay attack is the most effective way to generate new initialization vectors (IVs), and works very reliably. The program listens for an ARP packet then retransmits it back to the access point. This, in turn, causes the access point to repeat the ARP packet with a new IV. The program retransmits the same ARP packet over and over. However, each ARP packet repeated by the access point has a new IV. It is all these new IVs which allow you to determine the WEP key.[Source]
What is ARP?
ARP is address resolution protocol: A TCP/IP protocol used to convert an IP address into a physical address, such as an Ethernet address. A host wishing to obtain a physical address broadcasts an ARP request onto the TCP/IP network. The host on the network that has the address in the request then replies with its physical hardware address.
aireplay-ng --arpreplay -b 50:C7:BF:DC:4C:E8 -h 00:27:19:B2:D5:65 wlan0mon
Very similar command as the one we ran before! Just instead of --fakeauth 0 -a we wrote --arpreplay -b. Once you run the command wait for an ARP packet to be sent in the air. Once you see the ARP number increasing very fast you can run the last cracking command.
And that's it! Just wait for a few minutes and the key will appear!
KEY FOUND! [ 64:75:74:68:63:30:64:65:52:75:6c:65:7a ] (ASCII: duthc0deRulez) Decrypted correctly: 100%
Because WEP is THAT MUCH VULNERABLE!
That was it! Thank you for reading! If you liked that article here are some other articles that you will most definetely love:
- Crack WPA2 with Kali Linux
- Deauthentication Attack using Kali Linux
- Kali Linux bootable USB - A Hacker's swiss army knife
- Top 10 Movies for Hackers
- Get started with hacking
You can show your support by liking our Facebook Page ! Support our efforts on Ko-Fi ! And you can get in contact with us either by sending us a message on Facebook or via the e-mail on the footer of the Page!
Thanks again! Have a lovely day... Or night!