You can boot BackTrack 2 Linux directly from the CD. In this mode the Linux system on the CD is loaded into memory and run from there. It is very convenient for anyone who needs to set up a temporary attack-testing environment, but it depends on the reliability of the optical drive and on having enough spare memory.
In general, professional wireless security personnel install BackTrack 2 Linux on the hard disk: it boots more easily, and it is also easier to load the wireless NIC when the machine is used as the attack platform for other test projects. For the detailed installation procedure, see Appendix A of this book. In addition, if you use a USB external wireless card such as the WUSB54G, you can also boot the system in a VMware virtual machine, so there is no need to install several operating systems. The following describes how to crack wireless WEP.
Step 1: After the BackTrack 2 Linux logon prompt appears, follow the on-screen instructions. By default, enter the account name root and the password toor to reach the Linux shell.
Enter startx and wait a moment for the graphical interface to appear. Open a shell in the graphical interface, as shown in Figure 3-5, and enter "ifconfig -a" to list the current network cards.
Here we use the USB wireless card WUSB54Gv4 as an example. You can see a network card named rausb0 whose status is "not loaded". First bring up the USB card with the command:
ifconfig rausb0 up
Once it has been loaded successfully in Linux, the wireless card appears directly in the ifconfig output, as shown in Figure 3-5.
Figure 3-5 Loading the USB wireless NIC driver
Step 2: Use a tool such as Kismet or AirSnort to scan for the APs of the surrounding wireless networks. With Kismet, the result is shown in Figure 3-6; the software clearly shows each AP's channel, traffic, and encryption status.
Figure 3-6 Using Kismet to scan the network and find APs
You can also use AirSnort to detect wireless APs. As shown in Figure 3-7, an AP has been found. This AP has WEP encryption enabled; write down its MAC address and its channel, which is shown in the Channel column.
Figure 3-7 Using AirSnort to find a wireless access point
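The AP-inventory step is also the defender's first check: an auditor wants a list of every network still running WEP. The following Python example is added here and is not from the book, BackTrack 2 or any of the tools it names. It parses the text layout of `iwlist <iface> scan` and flags every cell that has encryption enabled but advertises no WPA/WPA2 information element, which in 802.11 leaves only WEP. The scan text is a constructed sample; the interface name, ESSIDs and MAC addresses are assumptions, and the marker strings (`Encryption key:on`, `IE: ... WPA`) follow the wireless-tools output format.

```python
import re
from typing import Dict, List

# Constructed sample in the layout that `iwlist <iface> scan` prints.
# Interface, ESSIDs and MACs are assumptions, not a capture from the book's lab.
SAMPLE_SCAN = """wlan0     Scan completed :
          Cell 01 - Address: 00:11:22:33:44:55
                    ESSID:"lab-legacy"
                    Mode:Master
                    Channel:6
                    Quality=70/70  Signal level=-30 dBm
                    Encryption key:on
          Cell 02 - Address: 66:77:88:99:AA:BB
                    ESSID:"corp-wpa2"
                    Mode:Master
                    Channel:11
                    Encryption key:on
                    IE: IEEE 802.11i/WPA2 Version 1
                        Group Cipher : CCMP
                        Pairwise Ciphers (1) : CCMP
                        Authentication Suites (1) : PSK
          Cell 03 - Address: CC:DD:EE:FF:00:11
                    ESSID:"guest-open"
                    Mode:Master
                    Channel:1
                    Encryption key:off
"""

# Each cell starts with "Cell NN - Address: <MAC>"; the capturing group keeps
# the MAC when the text is split.
CELL_RE = re.compile(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})")


def parse_iwlist(text: str) -> List[Dict[str, str]]:
    """Split iwlist output into one record per cell and classify its security."""
    parts = CELL_RE.split(text)
    cells: List[Dict[str, str]] = []
    # parts[0] is the header; afterwards MAC and cell body alternate.
    for i in range(1, len(parts), 2):
        mac, body = parts[i], parts[i + 1]
        essid = re.search(r'ESSID:"([^"]*)"', body)
        channel = re.search(r"Channel:(\d+)", body)
        enc_on = re.search(r"Encryption key:on", body) is not None
        has_wpa = re.search(r"IE:.*WPA", body) is not None
        if not enc_on:
            security = "open"
        elif has_wpa:
            security = "wpa"
        else:
            # Encryption is on but no WPA/RSN information element was
            # advertised: the only remaining 802.11 option is WEP.
            security = "wep"
        cells.append({
            "bssid": mac.upper(),
            "essid": essid.group(1) if essid else "",
            "channel": channel.group(1) if channel else "",
            "security": security,
        })
    return cells


def wep_networks(text: str) -> List[Dict[str, str]]:
    """Return only the cells an auditor should flag: WEP-protected ones."""
    return [c for c in parse_iwlist(text) if c["security"] == "wep"]


if __name__ == "__main__":
    for cell in parse_iwlist(SAMPLE_SCAN):
        print(f'{cell["bssid"]}  ch {cell["channel"]:>2}  '
              f'{cell["security"]:<4}  {cell["essid"]}')
    print("WEP networks to remediate:", [c["essid"] for c in wep_networks(SAMPLE_SCAN)])
```

On a real host you would feed the script the output of `iwlist wlan0 scan` instead of SAMPLE_SCAN; the classification logic is the same one Kismet and AirSnort apply when they show the encryption column, only reduced to the single question that matters for remediation.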
Step 3: Put the NIC into monitor mode for the subsequent cracking. The command is as follows:
airmon-ng start rausb0 6
Here 6 is the AP channel detected earlier. You can leave it out, but specifying it improves accuracy. Then run the following command to capture wireless data packets:
airodump-ng -w ciw.cap --channel 6 rausb0
ciw.cap is the name the author chose for the capture file. Press Enter and you will see the screen in Figure 3-8.
Figure 3-8 Capturing wireless data packets with airodump-ng
Step 4: An ARP request injection attack can now be carried out to speed up the collection of IVs (initialization vectors). This is very important for WEP attacks and is used in real intrusions: it greatly increases the number of captured packets and therefore the cracking speed. The command is as follows:
aireplay-ng -3 -b <AP MAC> -h <client MAC> -x 1024 rausb0
Parameter description:
* -3 selects the ARP request injection attack;
* -b is followed by the MAC address of the AP being attacked;
* -h is recommended because it improves the result; it is followed by the MAC address of a client observed on that AP;
* -x num is the number of packets to send per second. The value can be lowered according to the actual situation; the usual maximum is 1024, but if you are not worried about the network card hanging during the attack you can set it to 4096.
The last argument is the USB wireless NIC. The result is shown in Figure 3-9.
Figure 3-9 Using aireplay-ng for ARP request injection
As you can see, the ARP request injection attack is very effective. In actual testing, you can watch the airodump-ng screen from Figure 3-8 and see the packet count rising quickly.
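The rising packet count in Step 4 is exactly what a wireless IDS sensor watches for: one station sending the same ARP request hundreds of times per second is not normal client behaviour. The following Python example, added here and not from the book or the aircrack-ng project, shows the detection side. It walks a list of frame records, counts ARP requests per transmitter per one-second bucket, and raises an alert when a single station exceeds a rate threshold while repeating the same frame body (a replayed WEP frame is byte-identical, so its body digest repeats). The frame records, MAC addresses and thresholds are constructed assumptions; on a real sensor the records would come from a monitor-mode capture.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed lab addresses (constructed, not from the book).
AP_BSSID = "00:11:22:33:44:55"
NORMAL_CLIENT = "AA:BB:CC:00:00:01"
INJECTOR = "DE:AD:BE:EF:00:02"


@dataclass(frozen=True)
class Frame:
    ts: float        # capture timestamp in seconds
    src: str         # transmitter MAC
    bssid: str       # BSSID the frame belongs to
    kind: str        # "arp_request" or "data"
    body_id: int     # digest of the (encrypted) frame body; a replay repeats it


def build_sample() -> List[Frame]:
    """Constructed trace: one normal client and one station replaying a frame."""
    frames: List[Frame] = []
    # Normal client: four distinct ARP requests spread over 30 seconds.
    for i in range(4):
        frames.append(Frame(ts=i * 7.5, src=NORMAL_CLIENT, bssid=AP_BSSID,
                            kind="arp_request", body_id=1000 + i))
    # Replaying station: the same captured ARP request 300 times within one
    # second, the pattern a high packets-per-second replay produces.
    for i in range(300):
        frames.append(Frame(ts=12.0 + i / 300, src=INJECTOR, bssid=AP_BSSID,
                            kind="arp_request", body_id=4242))
    # Ordinary data traffic that must not trigger anything.
    for i in range(50):
        frames.append(Frame(ts=i * 0.6, src=NORMAL_CLIENT, bssid=AP_BSSID,
                            kind="data", body_id=5000 + i))
    frames.sort(key=lambda f: f.ts)
    return frames


def detect_arp_replay(frames: List[Frame], rate_threshold: int = 50,
                      repeat_threshold: int = 20) -> List[Dict[str, object]]:
    """Flag transmitters whose ARP-request pattern per second looks replayed.

    Two signals are combined per (transmitter, BSSID, second) bucket:
      * arp_per_sec: ARP requests seen in that second
      * top_repeat: how often the single most common body was seen; a replay
        resends one captured frame, so this approaches arp_per_sec
    Both must exceed their thresholds to alert, which keeps a chatty but
    legitimate client (distinct bodies) from being flagged.
    """
    buckets: Dict[Tuple[str, str, int], List[int]] = defaultdict(list)
    for f in frames:
        if f.kind != "arp_request":
            continue
        buckets[(f.src, f.bssid, int(f.ts))].append(f.body_id)

    alerts: List[Dict[str, object]] = []
    for (src, bssid, second), bodies in sorted(buckets.items()):
        count = len(bodies)
        top_repeat = max(bodies.count(b) for b in set(bodies))
        if count >= rate_threshold and top_repeat >= repeat_threshold:
            alerts.append({
                "src": src,
                "bssid": bssid,
                "second": second,
                "arp_per_sec": count,
                "top_repeat": top_repeat,
            })
    return alerts


if __name__ == "__main__":
    for a in detect_arp_replay(build_sample()):
        print(f'ARP replay suspected from {a["src"]} on {a["bssid"]} '
              f'at t={a["second"]}s: {a["arp_per_sec"]} requests/s, '
              f'{a["top_repeat"]} identical bodies')
```

The thresholds are deliberately generous: a real client rarely sends more than a handful of ARP requests per second, so anything in the tens combined with identical bodies is a strong signal, and the same bucket counts give the defender the evidence (transmitter MAC, BSSID, time) needed to locate the injecting station.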
Step 5: Start aircrack-ng to crack the key while the capture continues (synchronous cracking). The command is as follows:
aircrack-ng -x -f 2 ciw01.cap
Parameter description:
* -x selects the brute-force cracking mode;
* -f 2 sets the password complexity to 2;
The last argument is the capture file we are saving at that moment. Note that the file name has been changed automatically. After you press Enter you will see the screen in Figure 3-10.
Figure 3-10 aircrack-ng cracking WEP
Note: The cracking time depends on the number of injected packets, the network card's support for injection, memory, CPU and so on, chiefly the first two.
Generally it takes about 20 minutes to crack WEP encryption; the shortest time is 3 minutes, as shown in Figure 3-11 and Figure 3-12. This is the total time required with synchronous cracking (capturing and cracking at the same time), not the 1 to 3 minutes quoted by some so-called tutorials on the Internet, where the packets from an hour-long sniffing session are first saved to the local machine and then cracked. That figure rests on a long period of wireless sniffing beforehand, and such a method cannot really be called a wireless intrusion.
Figure 3-11 Screen after 64-bit WEP encryption is successfully cracked
Figure 3-12 Screen after 128-bit WEP encryption is successfully cracked
Step 6: Now that you have the WEP key, you can configure it on your wireless network card and access the Internet through the AP; in other words, you can connect to the target's intranet. No matter how powerful the firewall and IDS architecture the other party deploys on the wired network, or how hardened the operating system (even a B1-level one), a malicious attacker can bypass all of it via the wireless network and attack the intranet directly. The rest is simple; after all, intranet intrusion is much easier. Therefore, any unplanned wireless access point in an organization seriously damages its overall security architecture. From this perspective, the wireless connection is sometimes the nightmare of the wired one.