Wireless Attack and Defense: a detailed explanation of cracking WEP keys

Source: Internet
Author: User

Ever since WLAN technology appeared, "security" has been a shadow hanging over the word "wireless". Attacks on the security authentication and encryption protocols used in wireless networking soon followed. Today there are probably hundreds or even thousands of articles on the Internet about how to attack and crack WEP, but how many people can really break WEP's encryption? Below I introduce some background on how WEP encryption works, together with a method that even a beginner can use to crack a WEP key simply by following the steps. The ultimate goal, of course, is to let readers configure their security settings so as to better resist such attacks. This series has two articles: the first mainly explains how WEP is cracked, and the second explains how to configure WLAN security for better defense.
I. WEP: the original guardian of wireless network security
Compared with wired networks, data sent and received over a wireless LAN is much easier to eavesdrop on. Encryption and authentication are therefore two indispensable security elements in the design of a complete wireless LAN system. The most fundamental aim of applying encryption and authentication in a wireless LAN is to bring wireless services up to the same security level as wired ones. To meet this goal, the standard adopted the WEP (Wired Equivalent Privacy) protocol, a dedicated security mechanism for encrypting traffic and authenticating nodes; it is mainly used to protect the confidentiality of link-layer data in a wireless LAN. WEP uses a symmetric encryption mechanism: encryption and decryption use the same key and the same algorithm. WEP uses an encryption key (also called the WEP key) to encrypt the data portion of every packet exchanged on the 802.11 network. Once encryption is enabled, two 802.11 devices must both be configured for encryption and share the same key. If one device is configured for encryption and the other is not, communication fails even if both hold the same key. (1)

Figure 1: WEP Encryption


WEP encryption process
WEP supports 64-bit and 128-bit encryption. For 64-bit encryption, the key is 10 hexadecimal characters (0-9 and A-F) or 5 ASCII characters; for 128-bit encryption, the key is 26 hexadecimal characters or 13 ASCII characters. 64-bit encryption is sometimes called 40-bit encryption and 128-bit encryption is sometimes called 104-bit encryption, because 24 bits of the nominal length are the initialization vector rather than secret key material. 152-bit encryption is not a standard WEP mode and is not widely supported by client devices. WEP relies on the key shared by both parties to protect the encrypted data. The data encryption process is as follows.
1. Checksumming.
(1) Compute an integrity checksum over the input data.
(2) Concatenate the input data with the computed checksum; the result, called the plaintext, is the input to the next step.
2. Encryption. In this step the plaintext obtained in step 1 is encrypted with an algorithm. This serves two purposes: it keeps the plaintext data secret and it protects the data against unauthorized modification.
(1) Concatenate the 24-bit initialization vector (IV) with the 40-bit key to obtain a 64-bit seed.
(2) Feed the 64-bit seed into the pseudo-random number generator, which produces a key stream derived from the IV and the key.
(3) XOR the plaintext (data plus checksum) bit by bit with the key stream output by the pseudo-random number generator; the result is the ciphertext.
3. Transmission. Concatenate the initialization vector and the ciphertext to form the encrypted data frame, and send it over the wireless link. (2)

Figure 2: WEP encryption process

WEP decryption process
In this security mechanism, decrypting an encrypted data frame is simply the inverse of the encryption process. The decryption process is as follows.
1. Recover the plaintext. Regenerate the same key stream from the received IV and the shared key, and XOR it with the received ciphertext to recover the original plaintext.
2. Verify the checksum. The receiver separates the recovered plaintext into data and checksum, recomputes the checksum over the data, and compares it with the received checksum. This ensures that only data frames with a correct checksum are accepted by the receiver.
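To make the three encryption steps and the two decryption steps above concrete, here is an added worked example (not code from the original article) in Python: RC4 stands in for the "pseudo-random number generator", CRC-32 for the checksum, and the key, IV and frame payload are constructed sample values. It also shows what the receiver's checksum step does when a ciphertext bit is corrupted or the wrong key is used.

```python
# Added example: WEP encryption/decryption as described in the text.
# RC4 is the key-stream generator and CRC-32 the integrity check value (ICV).
import struct
import zlib

def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 key stream from the seed (IV || key)."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + seed[i % len(seed)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(wep_key: bytes, iv: bytes, data: bytes) -> bytes:
    """Step 1: append CRC-32 ICV; step 2: XOR with RC4(IV||key); step 3: prepend IV."""
    assert len(iv) == 3 and len(wep_key) in (5, 13)   # 24-bit IV, 40/104-bit key
    icv = struct.pack("<I", zlib.crc32(data))
    plaintext = data + icv
    keystream = rc4_keystream(iv + wep_key, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    return iv + ciphertext

def wep_decrypt(wep_key: bytes, frame: bytes):
    """Regenerate the key stream from the received IV, XOR, then verify the ICV.
    Returns (data, icv_ok); a receiver drops the frame when icv_ok is False."""
    iv, ciphertext = frame[:3], frame[3:]
    keystream = rc4_keystream(iv + wep_key, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream))
    data, icv = plaintext[:-4], plaintext[-4:]
    return data, icv == struct.pack("<I", zlib.crc32(data))

KEY = bytes.fromhex("0123456789")     # constructed 40-bit (64-bit WEP) key
IV = bytes.fromhex("a1b2c3")          # constructed 24-bit IV
PAYLOAD = b"hello wireless"           # constructed frame body

if __name__ == "__main__":
    frame = wep_encrypt(KEY, IV, PAYLOAD)
    print("frame:", frame.hex())
    print("decrypt:", wep_decrypt(KEY, frame))
    # Flip one ciphertext bit: the plaintext comes back garbled and the ICV fails.
    tampered = frame[:5] + bytes([frame[5] ^ 0x01]) + frame[6:]
    print("tampered ICV ok:", wep_decrypt(KEY, tampered)[1])
```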
Figure 3: WEP decryption process
II. Preparations before cracking the WEP key

In the following two sections I will introduce, step by step, how to crack a WEP key. The method needs no special hardware: two laptops with wireless NICs (or even just one) are enough, and the whole attack uses only shareware and free software, no professional tools. To follow this article and carry out the steps you do not need to be a network expert, but you must be familiar with some networking terms and basic principles. At the very least you should know how to ping another machine to check whether it is reachable, how to open a Windows Command Prompt window and enter commands there, and your way around the Windows Network Properties window. That is the basic requirement; otherwise we could hardly call it a method a beginner can learn.

1. Create an experiment environment

Before we begin, the first step is to build an experimental environment, so that you never practice cracking on someone else's network; that would be both illegal and unethical. To build a wireless network platform for the experiment, a wireless AP is indispensable. In addition, three laptops with wireless NICs (desktops with wireless NICs will also do) make up a simple network that meets the requirements. Figure 4 shows the network topology.



Figure 4: Create an experiment environment

In the network shown in Figure 4, we chose a Netgear WGT624v2 as the wireless AP. It will be the target of the attack and is referred to below as the target AP. Of the three machines, one is the client machine that is also a target of the attack, referred to as "Target". Another laptop performs the active attack that generates network traffic, so that many packets can be captured in a short time; this machine is called "Attack". The remaining laptop sniffs and captures the packets generated by the active attack; it is called "Sniff". Although the whole cracking process can be completed on a single laptop, I do not recommend it: using only one laptop makes the later work much more troublesome, and with this setup the eavesdropping side may also run into a small problem. On a lightly used WLAN, an active attack is a better bet than passive monitoring, because it generates far more packets on the WLAN in a short time and so speeds up cracking the WEP key.

You do not have to use laptops in this lab environment; a mix of desktop PCs and laptops also works. Laptops, however, are more portable and have better compatibility with current wireless PC Cards.

The wireless card used by Target can have any chipset: as long as it supports 802.11b, any manufacturer's product will do. The Attack and Sniff machines use two PRISM-chipset 802.11b wireless NICs. Although many of the tools used later (such as Kismet) support a wide range of wireless adapters, we recommend a PRISM 2 chipset adapter, because it is supported by every tool we need during the cracking process.

Wireless NICs generally come with one of two antenna types: an external antenna or a built-in antenna. If the card you buy has no built-in antenna, you must buy an external one. The advantage of an external antenna is higher gain and better sensitivity, and its direction can be adjusted to receive a better signal. A built-in antenna is more convenient to carry, but its direction cannot be adjusted. I have seen a portable external antenna that is very convenient to use: it has several small rubber suction cups on its base, so it sticks easily to the lid of a laptop, and when used in a car it also attaches firmly to a clear patch of window glass. See Figure 5.



Figure 4: Mobile Antenna

2. Experiment WLAN settings

It is very important to set up this experiment environment properly, because we want every operation to take place only inside it. In the attack process described below, a client connected to the AP is forcibly disconnected, and this attack can seriously disrupt wireless users in the surrounding area. To keep users who do not belong to the lab WLAN from being affected, if your environment is a busy office, an office building, or another area covered by many wireless networks, wait until nobody is working at night and the networks are idle before trying this, so that bystanders do not suffer collateral damage.

The first step is to connect and configure the experimental WLAN that will be attacked. As described above, this WLAN consists of one access point (wireless router) and only one wireless client, and it is protected by the WEP key we want to crack. Set the SSID (Service Set Identifier) of the target AP to "starbucks". The SSID, also called the network name, is used to tell networks apart: a wireless station must present the correct SSID, identical to the AP's SSID, to associate with the AP, and if the station's SSID differs from the AP's, the AP refuses it access to the service area. The SSID can therefore be regarded as a simple password that provides a basic level of protection. Then configure a 64-bit WEP key on this AP for protection.

Record the following information for future use.

① The MAC address of the AP. It is usually shown in the AP's web configuration menu, and it may also be printed on a label on the bottom or side of the AP.

② The SSID of the AP.

③ The wireless channel of the AP.

④ The WEP key. If the wireless AP shows the key in a form like 0xFFFFFFFFFF (where the Fs stand for the configured value), write down every character after the 0x.

Step 2:
