Ever since WLAN technology appeared, "security" has been the shadow that follows the word "wireless". Attacks on the authentication and encryption protocols used in wireless networks emerged almost at once. There are by now hundreds, perhaps thousands, of articles on the Internet about attacking and cracking WEP, but how many people have actually broken WEP's encryption in practice? Below I introduce how WEP encryption works and a method by which even a novice, following the steps exactly, can recover a WEP key. The ultimate goal, of course, is to let readers configure their own security settings so that they are better protected against such attacks. This series has two articles: the first explains how to crack WEP, the second describes how to configure WLAN security for better defence.
I. WEP: the first guardian of wireless network security
Compared with a wired network, data sent and received over a wireless LAN is far easier to eavesdrop on. Any complete wireless LAN design therefore needs two security elements: encryption and authentication. The fundamental purpose of applying them in a wireless LAN is to bring wireless traffic up to the same security level as wired traffic. To that end the 802.11 standard adopted the WEP (Wired Equivalent Privacy) protocol as a dedicated mechanism for traffic encryption and node authentication. It is mainly used to protect the confidentiality of link-layer data in a wireless LAN. WEP uses a symmetric cipher: encryption and decryption use the same key and the same algorithm. WEP uses an encryption key (the WEP key) to encrypt the data portion of every packet exchanged on the 802.11 network. Once encryption is enabled, two 802.11 devices must both be configured for encryption and hold the same key. If one device is configured for encryption and the other is not, communication fails even if both have the same key (Figure 1).
Figure 1: WEP Encryption
WEP encryption process
WEP supports 64-bit and 128-bit keys. For 64-bit WEP the key is entered as 10 hexadecimal characters (0-9 and A-F) or 5 ASCII characters; for 128-bit WEP it is 26 hexadecimal characters or 13 ASCII characters. 64-bit WEP is also called 40-bit WEP and 128-bit WEP is also called 104-bit WEP, because 24 bits of each are the initialization vector (IV), which is transmitted in the clear rather than kept secret. 152-bit WEP is not a standard WEP mode and is not widely supported by client devices. WEP relies on the key shared by both parties to protect the data frames. The encryption process is as follows.
1. Checksumming (integrity check).
(1) Compute an integrity check value (ICV) over the input data; WEP uses a CRC-32 for this.
(2) Append the checksum to the input data. The combined block is the plaintext that feeds the next step.
2. Encryption. The plaintext from step 1 is encrypted with the RC4 stream cipher. Encrypting it serves two purposes: the data is kept confidential, and because the ICV is encrypted together with the data, an attacker cannot simply rewrite the checksum to match a modified frame. (CRC-32 is linear, so this integrity protection is weak in practice; that is one of the reasons WEP can be attacked.)
(1) Concatenate the 24-bit initialization vector with the 40-bit key to obtain a 64-bit seed (for 128-bit WEP the IV is concatenated with the 104-bit key).
(2) Feed the seed into the pseudo-random number generator (RC4's key-scheduling and keystream-generation algorithm), which produces a keystream as long as the plaintext, that is, data plus ICV.
(3) XOR the plaintext bit by bit with the keystream; the result is the ciphertext.
3. Transmission. Prepend the initialization vector, unencrypted, to the ciphertext to form the encrypted data frame and transmit it over the wireless link (Figure 2).
Figure 2: WEP encryption process
WEP decryption process
In this mechanism, decrypting a frame is simply the reverse of encrypting it. The steps are as follows.
1. Recover the plaintext. The receiver reads the IV from the frame, concatenates it with its own copy of the shared key, regenerates the same keystream, and XORs it with the received ciphertext to recover the plaintext (data plus ICV).
2. Verify the checksum. The receiver splits the recovered plaintext into data and ICV, recomputes the CRC-32 over the data, and compares it with the received ICV. Only frames whose checksum matches are accepted.
Figure 3: WEP decryption process
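To make the three encryption steps and the two decryption steps concrete, here is an added worked example in Python; it is not code from the original article. It implements WEP as the text describes it: a CRC-32 integrity check value appended to the data, an RC4 keystream seeded with IV || key, the XOR, and the inverse with ICV verification. The key parser accepts the 0x-prefixed hex form that the article mentions later when reading the key off the AP. The key, IV and payloads are constructed for the demonstration, and like the article's description the frame layout omits the one-byte key-index field that real 802.11 frames carry after the IV. The last function shows why the 24-bit IV is the weak spot: two frames encrypted under the same IV and key share a keystream, so XORing their ciphertexts cancels it and exposes the XOR of the two plaintexts.

```python
import struct
import zlib


def parse_wep_key(key_text: str) -> bytes:
    """Turn a WEP key as shown in an AP's web UI into raw key bytes.

    Accepts 10 or 26 hex digits (optionally prefixed with 0x), or 5 or 13
    ASCII characters, matching the 40-bit and 104-bit key sizes.
    """
    text = key_text.strip()
    hex_part = text[2:] if text.lower().startswith("0x") else text
    if len(hex_part) in (10, 26) and all(c in "0123456789abcdefABCDEF" for c in hex_part):
        return bytes.fromhex(hex_part)
    if len(text) in (5, 13):
        return text.encode("ascii")
    raise ValueError("WEP key must be 10/26 hex digits or 5/13 ASCII characters")


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """RC4 key scheduling followed by generation: return `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + seed[i % len(seed)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the data, sent little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(key: bytes, iv: bytes, data: bytes) -> bytes:
    """Steps 1-3 of the text: ICV, RC4(IV || key) XOR plaintext, then IV || ciphertext."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    plaintext = data + icv(data)                          # step 1: data || checksum
    keystream = rc4_keystream(iv + key, len(plaintext))   # step 2: seed is IV || key
    ciphertext = xor_bytes(plaintext, keystream)          #         XOR with keystream
    return iv + ciphertext                                # step 3: IV goes in the clear


def wep_decrypt(key: bytes, frame: bytes) -> bytes:
    """Reverse: regenerate the keystream from the received IV, XOR, verify the ICV."""
    iv, ciphertext = frame[:3], frame[3:]
    plaintext = xor_bytes(ciphertext, rc4_keystream(iv + key, len(ciphertext)))
    data, received_icv = plaintext[:-4], plaintext[-4:]
    if icv(data) != received_icv:
        raise ValueError("ICV mismatch: frame rejected")
    return data


def keystream_reuse_leak(key: bytes, iv: bytes, data1: bytes, data2: bytes) -> bytes:
    """Same IV and key give the same keystream, so c1 XOR c2 == data1 XOR data2."""
    c1 = wep_encrypt(key, iv, data1)[3:]
    c2 = wep_encrypt(key, iv, data2)[3:]
    n = min(len(data1), len(data2))
    return xor_bytes(c1[:n], c2[:n])


if __name__ == "__main__":
    key = parse_wep_key("0x0A1B2C3D4E")          # constructed 40-bit key
    iv = b"\x01\x02\x03"                          # constructed 24-bit IV
    frame = wep_encrypt(key, iv, b"constructed payload")
    print("frame:", frame.hex())
    print("decrypted:", wep_decrypt(key, frame))
    leak = keystream_reuse_leak(key, iv, b"attack at dawn", b"attack at dusk")
    print("c1 XOR c2 under a reused IV:", leak.hex())
```

Only 2^24 IVs exist, so on a busy network the same IV recurs within hours, and a deauthenticated client that reconnects also tends to restart its IV counter; the active attack in the next section exploits exactly this by forcing the AP to emit many frames quickly.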
II. Preparations before cracking the WEP key
In the following sections I walk through how to crack a WEP key step by step. No special hardware is needed: two laptops with wireless NICs (it can even be done with one), and the whole process uses only free or shareware software, no commercial tools. You need not be a network expert, but you must know basic network terms and principles: at least how to ping another machine to check connectivity, how to open a Windows Command Prompt window and enter commands, and how to find your way around the Windows network properties dialogs. That is the minimum; otherwise it could hardly be called a method a novice can follow.
1. Create an experiment environment
Before we begin, the first step is to build a lab environment. You must not practise on other people's networks: that is illegal and unethical. To build the wireless network for the lab you need a wireless AP and three laptops with wireless NICs (desktop PCs with wireless NICs also work). This simple network meets all the requirements; Figure 4 shows the topology.
Figure 4: Create an experiment environment
In the network of Figure 4 the wireless AP is a NETGEAR WGT624v2. It is the target of the attack and is called the target AP from here on. Of the three machines, one is the client under attack, called "target". One of the other two laptops performs the active attacks that generate network traffic so that many packets can be captured in a short time; this machine is called "attack". The remaining laptop sniffs and captures the packets produced by the active attack; it is called "sniff". The whole crack can be done from a single laptop, but I do not recommend it: using only one laptop makes the later steps much more awkward, and a single card that both injects and captures tends to cause capture problems. On a lightly used WLAN, active attacks are far more productive than passive sniffing: they generate many more packets in a short time and so speed up the WEP crack.
The lab does not strictly require laptops; desktop PCs, or a mix of desktops and laptops, also work. Laptops are simply more portable and are better supported by current wireless PC Cards.
The chipset of the target's wireless NIC does not matter: any manufacturer's 802.11b card will do. The attack and sniff machines each use a Prism-chipset 802.11b wireless NIC. Although many of the tools used later (kismet, for example) support a wide range of wireless adapters, I recommend a Prism 2 based card, because that chipset is supported by every tool we need during the crack.
Wireless NICs come in two kinds: with an external antenna or with a built-in antenna. If the card you buy has no built-in antenna you must buy one separately. The advantage of an external antenna is higher gain and better sensitivity, and you can turn it to pick up a stronger signal. A built-in antenna is more convenient to carry but cannot be aimed. I have seen a portable external antenna that is very handy: it has several small rubber suction cups on its base, so it sticks easily to the lid of a laptop, and in a car it clings firmly to a bare patch of window glass. See Figure 5.
Figure 4: Mobile Antenna
2. Experiment WLAN settings
Setting up this lab properly matters, because every operation must stay inside it. In the attack described below, a client associated with the AP is forcibly disconnected. That attack can do real harm to wireless users nearby, so to protect users who are not part of the lab WLAN, if you work in a busy office, office building or other area covered by many wireless networks, run the experiment at night when nobody is working and the networks are idle, so that innocent bystanders are not caught in the crossfire.
The first step is to connect and configure the wireless LAN under attack. As described above, this WLAN consists of one access point (wireless router) and a single wireless client, and it is protected by the WEP key we want to crack. Set the SSID (Service Set Identifier) of the target AP to "Starbucks". The SSID, also called the network name, distinguishes one network from another. A wireless station must present the same SSID as the AP in order to associate with it; if the SSIDs differ, the AP refuses the association. The SSID is sometimes described as a simple password, but do not rely on it for security: the AP broadcasts it in its beacon frames, and any sniffer sees it. Then configure a 64-bit WEP key on the AP for protection.
Record the following information for future use.
① MAC address of the AP. It is usually shown in the AP's web configuration menu; the MAC address may also be printed on a label on the bottom or side of the AP.
② The SSID of the AP.
③ The wireless channel of the AP.
④ The WEP key. If the AP displays the key in a form like 0xFFFFFFFFFF (where the F's stand for the hex digits you actually set), write down the ten hex digits and drop the 0x prefix.
The second step is to connect the target client to the target AP. We now connect this client to the target AP for further configuration (everything below is done in Windows XP). Right-click the "My Network Places" icon on the desktop (or click "Start"), click "Properties", double-click "Wireless Network Connection", and the window shown in Figure 5 opens. Several available wireless networks may be listed; if there is only one, the window shows only the newly configured AP named "Starbucks". Double-click the corresponding SSID to connect to the target AP.
Figure 5: connect to the target WLAN
Because WEP is enabled on the AP, Windows prompts for a network key during connection (Figure 6); enter the WEP key you just set (pasting it from a Notepad or WordPad document avoids typos). After a moment Windows reports that it is connected. Check the connection: ping a computer on the wired network, or, if the lab WLAN has Internet access, open a web site and see whether it loads. If you cannot ping a machine with a known address or open a working site, open the wireless adapter's status window, click "Support" and check whether the wireless adapter has obtained a valid IP address. If not, check that the DHCP server on the network is enabled and that the adapter's TCP/IP properties are set to "Obtain an IP address automatically". If everything looks right, click "Repair" in the wireless connection status window.
Figure 6: Enter the WEP Key
Step 3: record the MAC address of the target machine. Once it is connected to the network, record the MAC address of the target client. There are two ways. One is to open a Command Prompt window and run ipconfig /all; Figure 7 shows the output, with the MAC address of the wireless adapter highlighted.
Figure 7: Enter the ipconfig/all command to find the MAC address
In Windows XP you can also get the MAC address from the "Wireless Network Connection Status" window: click "Support", then "Details", and the MAC address appears on the right (Figure 8). The label may differ from machine to machine; it is often shown as "Physical Address". In this window the bytes of the MAC address are separated by dashes. The dashes only make the characters easier to read; the real MAC address has no dashes, and the Linux tools used later write it with colons instead.
Figure 8: MAC address displayed in network connection details
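As an added example (not part of the original article), the following Python script does the same lookup programmatically: it parses the `ipconfig /all` output format into per-adapter fields, pulls out the wireless adapter's Physical Address, and converts the dashed Windows form into the colon-separated form that the Linux tools on the Auditor CD expect, or the bare 12-digit form. The sample output embedded in the script is constructed for the example, not captured from a real machine, and the adapter names and addresses in it are made up.

```python
import re

# Constructed sample of `ipconfig /all` output; the adapters and addresses are invented.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : target
        Primary Dns Suffix  . . . . . . . :

Ethernet adapter Local Area Connection:

        Media State . . . . . . . . . . . : Media disconnected
        Description . . . . . . . . . . . : Intel(R) PRO/100 VE Network Connection
        Physical Address. . . . . . . . . : 00-11-22-33-44-55

Ethernet adapter Wireless Network Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : 802.11b Wireless LAN Card
        Physical Address. . . . . . . . . : 00-0C-F1-AA-BB-CC
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.23
"""

ADAPTER_HEADER = re.compile(r"^(\S.*):\s*$")          # unindented line ending in ':'
FIELD_LINE = re.compile(r"^\s+(.*?)[ .]*:\s*(.*)$")   # indented "Name . . . : value"


def parse_ipconfig(text: str) -> dict:
    """Map each adapter heading to a dict of its fields (dot leaders stripped)."""
    adapters = {}
    current = "Windows IP Configuration"           # fields before the first adapter
    adapters[current] = {}
    for line in text.splitlines():
        header = ADAPTER_HEADER.match(line)
        if header:
            current = header.group(1)
            adapters[current] = {}
            continue
        field = FIELD_LINE.match(line)
        if field:
            adapters[current][field.group(1)] = field.group(2).rstrip()
    return adapters


def normalize_mac(mac: str, sep: str = ":") -> str:
    """Strip Windows dashes (or colons/dots) and re-join with `sep`; '' gives bare hex."""
    digits = re.sub(r"[-:.\s]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return sep.join(digits[i:i + 2] for i in range(0, 12, 2))


def wireless_mac(text: str, sep: str = ":") -> str:
    """Return the Physical Address of the first adapter whose heading says 'Wireless'."""
    for name, fields in parse_ipconfig(text).items():
        if "Wireless" in name and "Physical Address" in fields:
            return normalize_mac(fields["Physical Address"], sep)
    raise LookupError("no wireless adapter with a Physical Address found")


if __name__ == "__main__":
    print("target MAC for Linux tools:", wireless_mac(SAMPLE_IPCONFIG))
    print("target MAC without separators:", wireless_mac(SAMPLE_IPCONFIG, sep=""))
```

Keep the colon form handy: it is the format you will type into the Auditor tools when you need to name the target client or the AP.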
3. Laptop settings
First, we need several tools to crack the WEP key: kismet, airodump, void11, aireplay and aircrack. Kismet scans the WLANs in the area, finds the lab's target WLAN and gathers its details (SSID, channel, AP MAC address and the MAC addresses of the clients associated with it). Airodump listens on the target WLAN and captures the packets it generates to a file. Void11 deauthenticates the target client from the target AP, forcing it to reconnect, which makes it send ARP requests. Aireplay captures those ARP requests and replays them to the target AP while posing as a valid client, so the AP keeps relaying them as freshly encrypted frames with new IVs. Aircrack reads the capture file written by airodump and recovers the WEP key from it.
They are all free or shareware tools with open source code, and all of them are on the "Auditor Security Collection" live CD, a bootable disc that runs a modified Kanotix Linux. This Linux needs no hard disk: it loads into memory at boot and automatically detects and configures many wireless NICs. The version of Auditor used in this article is the latest at the time of writing, auditor-150405-04. Burn it to CD with any burning software, one disc each for the attack and sniff machines.
First, insert the wireless NIC into the laptop (a built-in wireless NIC is even better), set the laptop to boot from CD, and put the Auditor Security Collection disc in the optical drive. After you choose a screen resolution from the Auditor boot menu, Kanotix Linux loads into memory and runs, and the Auditor start screen appears (Figure 9).
Figure 9: Start Screen of Auditor
On the Auditor desktop the two most important icons are the Programs and Command Line icons in the lower-left corner of the screen; most of what follows is done through them (Figure 10).
Figure 10: Position of program and command line
Before anything else, make sure Auditor recognizes the wireless adapter in the machine. Click the command line icon to open a terminal and run iwconfig. In the output you should see an interface named "wlan0", the name Auditor gives to a Prism-chipset card. If the screen of the attack laptop shows output like Figure 11, Auditor has detected the wireless NIC and you can move on. Repeat the same check on the other laptop.
Figure 11: Use the iwconfig command to check the wireless network card
With that, the preparation is essentially done. In the next part of this article we begin the actual cracking process.