Cracking the WEP Key process (below)

III. Actual cracking process

1. Use Kismet for network detection

Kismet is a Linux-based wireless network scanner. It is a convenient tool for finding the target WLAN by measuring the wireless signals around it. Although Kismet can also capture data traffic on the network, there are better tools for that (such as airodump); here we only use it to confirm that the wireless adapter works normally and to scan for wireless networks. In the following sections we will use different tools to actually listen for and capture the network's traffic.

Click the Programs icon, then Auditor, then Wireless, then composer/analyzer, and finally Kismet to run the Kismet program, as shown in Figure 12.


Figure 12: Run Kismet

In addition to scanning for wireless networks, Kismet can capture the packets on a network to a file for later analysis and use. Kismet therefore asks for the location of the file used to store captured packets; to save these files to root/desktop, click "desktop" and select "OK", as shown in Figure 13. Kismet then asks for the prefix of the capture file name. We can change the default name, for example to "capture", and click OK; Kismet will then use "capture" as the file name prefix and append a sequence number, saving captured packets to separate files.


Figure 13: Specify the file storage location in kismet

When Kismet starts running, it displays all wireless LANs it finds in the area. The "Name" column shows the SSID of each AP; the target WLAN should of course be among them (the row whose Name is Starbucks). In that row, the value of the CH column (the channel used by the AP) should match the channel written down at the beginning of this article. The information on the right-hand side of the window is the number of WLANs Kismet has found, the number of captured packets, the number of encrypted packets, and so on; see Figure 14. If Kismet finds many neighbouring access points, you should move the experiment farther away from those APs or disconnect any high-gain antenna attached to your adapter.

Even when the target computer is switched off, Kismet can detect packets from our target AP, because the AP keeps sending "beacons" that tell any computer with a wireless card that there is an AP within range. You can imagine the AP announcing, "My name is XXXXX. Please connect to me."


Figure 14: content displayed by Kismet

By default Kismet runs in autofit mode and the display is not ordered. We can sort the APs in any meaningful order: press "s" to open the "sort" menu, then press a letter to sort the found APs; for example, "f" sorts by the first letter of the AP name, "c" sorts by the channel the AP uses, "l" sorts by time, and so on.

Now let's look at the details of the AP in the target WLAN. Press "s" and then "c" to sort the AP list by channel, move the highlight to the SSID of the target AP, and press Enter; a details window for the selected AP (SSID, MAC address and channel) is displayed. This gives most of the basic information needed to crack the WEP key of an encrypted WLAN, as shown in Figure 15. Some WLAN security tests hide the SSID or disable SSID broadcast, which prevents scanning with NetStumbler, but Kismet is not fooled: it easily detects hidden SSIDs. Kismet can capture more network information than NetStumbler and discovers an AP's SSID by tracking the sessions between the AP and the clients connected to it.


Figure 15: Kismet displays details of an AP

The last piece of information to learn is the MAC address of a wireless client connected to the target AP. This is easy with Kismet. Return to Kismet and press "q" to close the details window; the target AP you just viewed remains selected. Press "Shift + C" to open a list of clients associated with the target AP, with their MAC addresses shown on the left of the window. This window lists not only the MAC addresses of the clients connected to the AP but also the MAC address of the AP itself; remember the MAC address of the target AP recorded at the beginning of this article? The address that is not the target AP's is the client's MAC address.


Figure 16: Use Kismet to find the MAC address of the client

If you do not see the target computer's MAC address, check whether it is switched on and connected to the target AP (start the target computer, connect to the target AP and open a web page); after about 10-30 seconds the target computer's MAC address will appear in Kismet. It is also a good habit to write down the MAC addresses of all clients, so the cracking process is not held up if one client disappears partway through.

2. Capture data packets with airodump

Now we know the basic information needed for cracking, and it is time to use airodump. Its main task is to capture packets and create a file of captured data for aircrack. This can run on either of the two computers used for the attack; I use the attack computer. Open a shell window and enter the following commands:

iwconfig wlan0 mode monitor
iwconfig wlan0 channel thechannelnum
cd /ramdisk
airodump wlan0 cap

Note: change thechannelnum to the channel number of the WLAN to be cracked. The /ramdisk directory is where the captured data files are stored. If there is another AP near the experimental WLAN, you can append the MAC address of the target AP to the airodump command as a parameter, for example airodump wlan0 cap1 macaddressofap, as shown in Figure 17.


Figure 17: airodump Command Format

This makes airodump write only packets from the target AP to the generated data file (cap1). Press Ctrl + C to exit airodump, enter ls -l to list the contents of the directory, and check the size of the file with the .cap extension. After several seconds of capture, if packets were captured successfully, the generated file is several KB in size. If you stop and restart airodump with the same parameters, the new capture file is numbered after the previous one: if the first is cap1, the second is cap2.

While airodump is running, the BSSID value shown on the left of the window is the MAC address of the target AP. In the airodump window we see the Packets and IVs counters increasing steadily, because Windows generates some background network traffic even when the target client is not opening web pages or sending and receiving e-mail. After a while the IVs counter only rises occasionally; if you browse the web on the target computer, however, the IVs counter in airodump keeps climbing as each new page opens, as shown in Figure 18.


Figure 18: IV value displayed by airodump

Here we are not interested in the Packets value, because it does not help crack WEP. The IVs value is the important number: cracking a 64-bit WEP key needs about 50,000 to 200,000 IVs, and a 128-bit WEP key about 200,000 to 700,000 IVs.

You may notice that the IVs counter does not grow very fast under normal network conditions. In fact, under normal conditions, capturing enough packets from most WLANs to crack the WEP key can take hours or even days. Fortunately, there are several ways to speed this up. The most effective way to raise the IV count quickly is to increase network traffic: make the target WLAN busy and speed up packet generation. You can simulate this by continuously pinging a computer or downloading a large file on the target computer while running airodump on the attack computer; you will see the IV count rise slowly. Downloading a large file with BitTorrent software (such as a Linux distribution ISO or a movie) makes the IV count rise much faster.

Another method is to enter the following command in the Windows Command Prompt window for continuous Ping:

ping -t -l 50000 address_of_another_lan_client

Here, replace address_of_another_lan_client with the IP address of the target AP, the router, or any other client on the local network that can be pinged.

3. Use void11 to generate more traffic

void11 forces a wireless client to deauthenticate from the AP it is connected to, that is, it disconnects the client. Once disconnected from the WLAN, the wireless client automatically tries to reconnect to the AP, and this reconnection generates traffic. The process is usually called a de-authentication or deauth attack.

Start the sniff computer with the Auditor CD in its optical drive. After Auditor has started, open a shell window and enter the following commands:

switch-to-hostap
cardctl eject
cardctl insert
iwconfig wlan0 channel thechannelnum
iwpriv wlan0 hostapd 1
iwconfig wlan0 mode master
void11_penetration -D -s macofstation -B macofap wlan0

Note: replace thechannelnum with the channel number of the target WLAN, and macofstation and macofap with the MAC addresses of the client and the AP of the target WLAN respectively. For example: void11_penetration -D -s 00:90:4b:c0:c4:7f -B 00:c0:49:bf:14:29 wlan0. When void11 runs from the Auditor security collection CD, an "invalid argument" error message may be displayed. This does not matter; ignore the error.

While void11 runs on the sniff computer, let's look at what happens on the target computer. A user of this machine would find that the network suddenly becomes very slow, then seems to pause, and after a few seconds the connection is lost completely. If you check the wireless client utility that comes with Windows XP, everything looks normal before the void11 attack starts: Windows shows you are connected to the AP. After void11 starts, the network status changes from connected to disconnected, as shown in Figure 19. If void11 is stopped on the sniff computer, the target computer reconnects to the target AP within a few seconds.


Figure 19: the target computer is disconnected

Now go to the attack computer, where airodump has been running the whole time. With void11 running, the IV count rises by about 100-200 within a few seconds, because traffic is generated each time the target client tries to reconnect to the target AP.

4. Packet replay with aireplay

Forcing traffic with a deauth attack usually does not produce as many IVs as we need, and a deauth attack is a tool that interferes with normal WLAN operation. To generate more traffic we use a different method, a replay attack: intercept a valid packet generated by the target client, then spoof the client and replay that packet over and over, far more often than in normal use. Because the traffic appears to come from a valid client on the network, it does not interfere with normal network operation but quietly generates more IVs behind the scenes.

Capture a packet generated during the void11 deauth attack, stop the deauth attack, and then start a replay attack using the captured packet. The best packet to capture for cracking is an ARP packet, because ARP packets are very small (68 bytes long) and have a fixed, easily recognised format. The roles of the attack and sniff computers are now reassigned: the attack computer runs only aireplay, which is used solely to generate traffic (and IVs) on the network to shorten the time needed to crack the WEP key; the sniff computer no longer runs the deauth attack (void11) but captures traffic (with airodump), and finally aircrack is used to crack the captured data.

Start aireplay first: open a shell window on the attack computer and enter the following commands (as shown in Figure 20):

switch-to-wlanng
cardctl eject
cardctl insert
monitor.wlan wlan0 thechannelnum
cd /ramdisk
aireplay -i wlan0 -b macaddressofap -m 68 -n 68 -d ff:ff:ff:ff:ff:ff

Note: switch-to-wlanng and monitor.wlan are script commands from the Auditor CD that simplify the operation and reduce typing. Change thechannelnum to the channel number of the target WLAN. Now look at the result of these commands. At first nothing much happens: aireplay reports that it has captured some packets, but they are mostly not the ones we need (68-byte packets whose destination MAC is ff:ff:ff:ff:ff:ff).


Figure 20: Start aireplay

Now go to the target computer, open its wireless utility and watch its connection status, then start a void11 deauth attack on the sniff computer. As soon as void11 starts we see the target computer disconnected from the target AP, and the packet rate shown by aireplay goes up.

After capturing the relevant data packets, aireplay will ask if they match what you want. In this attack, the data packets we need to capture have the following features:

FromDS - 0
ToDS - 1
BSSID - MAC address of the target AP
Source MAC - MAC address of the target computer
Destination MAC - ff:ff:ff:ff:ff:ff

If the packet does not match these conditions, enter N (no) and aireplay will capture another packet. Once aireplay finds a packet matching the conditions above, answer Y (yes); aireplay switches from capture to replay mode and starts the replay attack. Immediately return to the sniff computer and stop the void11 deauth attack, as shown in Figure 21.


Figure 21: matched data packets captured by void11

If aireplay does not find a matching packet among thousands captured, void11 may be the cause: it can disrupt the target AP and its clients so much that they never get a chance to complete the reconnection. Stop void11 manually (press Ctrl + C) and restart it with the -d parameter (a delay in microseconds) added to the command line, trying different values to give the AP and client time to reconnect.

If the target client is idle, it may be hard to capture an ARP packet through deauth attacks; this is unlikely on a real-world WLAN but is a problem in this experimental WLAN. If aireplay still does not capture the expected packet, run a continuous ping or a download on the target client before starting the deauth attack. If void11 does not work properly at all, keep aireplay running on the attack computer, stop void11 on the sniff computer, and on the target computer disconnect from the wireless network and reconnect; within thirty seconds, as it reconnects to the WLAN and requests an IP address, aireplay on the attack computer will see the ARP packet sent by the target computer.
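As an added example (not from the original article or from the Auditor toolset), the defender's view of steps 3 and 4: a sliding-window check over 802.11 frame metadata that flags the deauthentication burst void11 sends and the repeated 68-byte broadcast frames aireplay injects. The frame records are constructed inline; the MAC addresses are the ones from the page's void11 example command, and the window and threshold values are assumptions to be tuned per site.

```python
# Added defender-side example (not from the original article): flag the traffic that
# steps 3 and 4 produce. Frame metadata is constructed inline, not a real capture;
# the MAC addresses are the ones used in the page's own void11 example.
from collections import defaultdict

AP = "00:c0:49:bf:14:29"   # target AP BSSID (page's example)
STA = "00:90:4b:c0:c4:7f"  # target client MAC (page's example)
BCAST = "ff:ff:ff:ff:ff:ff"
ARP_LEN = 68               # size of the replayed ARP frames described on the page


def build_sample():
    """Constructed 802.11 frame metadata: (t_sec, kind, src, dst, bssid, length)."""
    frames = [(0.0, "deauth", AP, STA, AP, 26)]                     # one genuine disconnect
    frames += [(float(i), "data", STA, BCAST, AP, ARP_LEN) for i in range(10)]  # 1 ARP/s
    frames += [(20.0 + i * 0.01, "deauth", AP, STA, AP, 26) for i in range(40)]  # void11 burst
    frames += [(30.0 + i / 60.0, "data", STA, BCAST, AP, ARP_LEN) for i in range(60)]  # replay
    return frames


def max_per_window(times, window_s):
    """Largest number of timestamps inside any window_s-wide interval (sliding window)."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while times[start] < t - window_s:
            start += 1
        best = max(best, end - start + 1)
    return best


def _peaks(times_by_key, window_s, threshold):
    """Keep only keys whose peak per-window count reaches the threshold."""
    hits = {}
    for key, ts in times_by_key.items():
        peak = max_per_window(ts, window_s)
        if peak >= threshold:
            hits[key] = peak
    return hits


def detect_deauth_flood(frames, window_s=1.0, threshold=10):
    """BSSIDs with >= threshold deauth frames in one window. The source MAC is spoofed
    to look like the AP, so the rate per BSSID is the signal, not the claimed sender."""
    times = defaultdict(list)
    for t, kind, _src, _dst, bssid, _length in frames:
        if kind == "deauth":
            times[bssid].append(t)
    return _peaks(times, window_s, threshold)


def detect_arp_replay(frames, window_s=1.0, threshold=20):
    """(client, BSSID) pairs re-sending 68-byte broadcast data frames far faster than a
    real client would, the fingerprint of the aireplay replay loop."""
    times = defaultdict(list)
    for t, kind, src, dst, bssid, length in frames:
        if kind == "data" and dst == BCAST and length == ARP_LEN:
            times[(src, bssid)].append(t)
    return _peaks(times, window_s, threshold)
```

On the constructed sample, detect_deauth_flood reports the AP's BSSID with a peak of 40 deauth frames per second and detect_arp_replay reports the (client, AP) pair with 60 identical broadcast frames per second, while the quiet first eleven frames trigger neither check.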

5. The final cracking step

After running for a while, the replay attack on the attack computer has generated enough IVs, and it is time to crack the WEP key for real. With void11 stopped on the sniff computer, enter the following commands there to set airodump capturing packets:

switch-to-wlanng
cardctl eject
cardctl insert
monitor.wlan wlan0 thechannelnum
cd /ramdisk
airodump wlan0 cap1

Replace thechannelnum with the channel number of the target WLAN. If there are several APs in the area, append the MAC address of the target AP to the airodump command as a parameter, for example airodump wlan0 cap1 macaddressofap. While airodump writes IVs to the file, we can run aircrack at the same time to search the file for the WEP key. Leave airodump running, open another shell window, and enter the following commands to start aircrack:

cd /ramdisk
aircrack -f fudgefactor -m macaddressofap -n wepkeylength -q 3 cap*.cap

Note: fudgefactor is an integer (the default is 2), macaddressofap is the MAC address of the target AP, and wepkeylength is the length of the WEP key you are trying to crack (64, 128, etc.), as shown in Figure 22.


Figure 22: aircrack Command Format

aircrack reads the IVs from the captured packet file and uses them to crack the WEP key. By default aircrack searches for the key in a slow mode; it is slow, but has a high chance of finding the key. The other mode uses the -f parameter, which is much faster but has a much smaller chance of success. If you are lucky, you will see the WEP key found successfully, as shown in Figure 23.


Figure 23: successfully cracked the WEP Key

Cracking a 64-bit WEP key took five minutes, with several operations running alongside the replay attack: airodump scanning, aircrack cracking and aireplay generating traffic. Luck plays a large part, however: sometimes cracking a 64-bit WEP key needs about 25000 IVs and takes longer. You must tell aircrack the length of the WEP key you are trying to recover; no tool can provide this length. You certainly know it for the WLAN in your own experiment, but for other networks you do not know about, try the 64 and 128 key lengths in turn.

A better setup can speed up cracking: it is a good idea to copy the captured packet file to another machine with more memory and a faster processor for the final cracking step. On that machine you only need to run aircrack, which supports multiple processors via the -p option. Using the new dual-processor machines from AMD and Intel makes cracking faster still, especially for longer keys.
