Sean_LaPlante - Term Paperx

Dec 2, 2013









Sean LaPlante

NCS350

Wireless Systems and Security

Date: 12/04/2012

Assignment: Homework 7-9 (Term Paper)













How to hack WEP and WPA2

Sean LaPlante

Abstract

WEP and WPA are two types of encryption standards used to secure connections between clients and access points in wireless networks. WEP is very weak encryption due to vulnerabilities in the RC4 cipher. WPA2 is only as secure as the password created by the user.

I. Introduction

Both WEP and WPA2 have been around for a while. WEP (Wired Equivalent Privacy) is an 802.11 security algorithm for securing wireless networks. As of 2004 it was deprecated due to its several weaknesses [3]. WPA2 (Wi-Fi Protected Access II) is a much stronger encryption standard that was made in response to the weaknesses discovered in WEP [4].

WEP uses a key made up of 10-26 hexadecimal digits. There are two types of WEP: 64-bit and 128-bit. 64-bit WEP was the first. Because of government regulations on encryption, the key size could not be any larger. After this restriction was lifted, 128-bit WEP was created [3].

In standard (64-bit) WEP, a 24-bit Initialization Vector (IV) is combined with a 40-bit key to make the RC4 key. WEP’s major vulnerability is that part of the key is transmitted with every packet that is sent. This, combined with the fact that the IV is only 24 bits, makes WEP very easy to crack [3].
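As an added illustration of why the 24-bit IV matters (this is my own example, not code from the paper or from aircrack-ng): the script builds the 64-bit RC4 key exactly as the paragraph describes (24-bit IV prepended to the 40-bit key, CRC-32 ICV omitted), shows that two frames sent under a repeated IV share a keystream so the XOR of their ciphertexts equals the XOR of their plaintexts, and uses the birthday bound to compute how few frames it takes before an IV repeats. The key, IV, frame contents and function names are constructed sample values of mine.

```python
import math

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling (KSA) followed by keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(wep_key: bytes, iv: bytes, frame: bytes) -> bytes:
    """64-bit WEP as the paper describes it: RC4 key = 24-bit IV || 40-bit shared key.
    The IV is sent in the clear with every frame. The CRC-32 ICV that real WEP
    appends is omitted here; it does not change the keystream argument."""
    if len(iv) != 3 or len(wep_key) != 5:
        raise ValueError("need a 3-byte IV and a 5-byte (40-bit) WEP key")
    return rc4(iv + wep_key, frame)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def keystream_reuse_leaks_xor(wep_key: bytes, iv: bytes, f1: bytes, f2: bytes) -> bool:
    """Same key + same IV => same keystream, so a passive listener learns f1 XOR f2."""
    c1, c2 = wep_encrypt(wep_key, iv, f1), wep_encrypt(wep_key, iv, f2)
    return xor_bytes(c1, c2) == xor_bytes(f1, f2)

def frames_until_iv_repeat(p: float = 0.5, iv_bits: int = 24) -> float:
    """Birthday bound: frames with random IVs needed before some IV repeats with probability p."""
    return math.sqrt(2 * 2 ** iv_bits * math.log(1 / (1 - p)))

def iv_repeat_probability(frames: int, iv_bits: int = 24) -> float:
    """Probability that at least one IV has been reused after `frames` random IVs."""
    return 1 - math.exp(-frames * (frames - 1) / (2 * 2 ** iv_bits))

if __name__ == "__main__":
    key, iv = b"\x01\x02\x03\x04\x05", b"\x10\x20\x30"  # constructed sample values, not real
    print(keystream_reuse_leaks_xor(key, iv, b"who-has 10.0.0.1", b"who-has 10.0.0.2"))
    print(f"{frames_until_iv_repeat():.0f} frames for a 50% chance of an IV repeat")
    print(f"{iv_repeat_probability(50_000):.6f} chance of a repeat after 50,000 frames")
```

With the paper's figure of roughly 50,000 captured frames, the probability that some IV has already been reused is indistinguishable from 1.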

WPA2 is much stronger than WEP and fixes every known flaw. WPA2 uses AES encryption [4]. AES is a block cipher with a 128-bit block size and either a 128, 192, or 256-bit key size [5]. The only weakness with WPA2 is password strength. If a user creates a very common password, a simple brute force of a captured WPA2 handshake will give the attacker access very quickly [4].


II. Motivation

Security and the weaknesses that come with it have always been of interest to me. I first hacked WEP a few years ago just to see if I could. When WPA and WPA2 came out I was excited to hear that they too could be hacked. It took a long time for the first successful exploits to come around, but when they did I was sure to test them all.

I decided to do this project because I want to show other students, who may not have experimented as much as I have, how much fun it can be to learn and try these new things as they come out.

I picked WEP attacks to start because they are the simplest to do and they do not require any specialized hardware (besides a monitor-mode-enabled Wi-Fi adapter). I also decided to show a WPA2 attack just to demonstrate that even the strongest types of security are vulnerable if not set up appropriately.

III. Background

For this project I used two programs to carry out my attacks: Pyrit and the aircrack-ng suite.

Pyrit is a WPA/WPA2-PSK brute-force cracking tool. This means that the program will try every possible combination of characters until the password is discovered. A more efficient approach that may find the password faster involves using a large list of common passwords and iterating through it, trying each one until the password is found. The second approach, however, does not guarantee that you will find the password [1].

Pyrit is unique when compared to other brute-force applications because it takes advantage of new high-speed graphics card technologies. Pyrit can use ATI-Stream, NVidia-CUDA, and OpenCL. These technologies allow a programmer to write parallel processing programs that use the hundreds of stream processors in a graphics card. Pyrit takes advantage of these technologies to test anywhere between thousands and millions of passwords per second, depending on the graphics card you are using [1].


The aircrack-ng suite is a compilation of programs that allow an attacker to capture packets, analyze packets, and attack networks [2].

There are many tools that make up the aircrack-ng suite. The tools I used are: aircrack, airmon, aireplay, and airodump [2].

Aircrack is a program that exploits the vulnerabilities in the RC4 algorithm used in WEP and allows an attacker to hack a WEP password with a certain number of captured packets (about 50,000 for 64-bit WEP) [2].

Airmon gives the attacker an easy way to switch his/her wireless NIC into monitor mode. This allows the attacker to capture packets going over the network no matter what the source or destination is [2].

Aireplay is a packet injector. This program has many pre-defined attacks built in, making it easy for an attacker to take advantage of a vulnerable network [2].

Airodump is a packet sniffer. This program takes advantage of the attacker's wireless card in monitor mode and allows him/her to save all the captured packets to a file for attacking/analysis later [2].

IV. Wireless Attacks

For my project I attack two types of WEP networks and a WPA2 network. For both WEP networks I use the aircrack-ng suite. For the WPA2 network I use Pyrit in combination with NVidia-CUDA to go through a common password file of approximately 19 million passwords at an average of 26,000 passwords per second.
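As an added example (my own code, not the paper's and not Pyrit's) of what section I calls WPA2's only weakness and what the figures just given imply: the script derives the WPA2 Pre-Shared Key from a passphrase and SSID the way the standard does (PBKDF2-HMAC-SHA1, 4096 rounds, which is why every guess is expensive), turns the 19 million-word list at 26,000 guesses per second into a worst-case search time next to the times for random passphrases, and shows the check a network owner can run before putting a passphrase on an access point. The sample blocklist, the 16-character minimum and the function names are my own assumptions.

```python
import hashlib
from typing import Dict, List, Optional

PBKDF2_ROUNDS = 4096  # fixed by the WPA2-PSK standard; the cost every guess has to pay
PSK_BYTES = 32        # 256-bit Pre-Shared Key

def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes).
    Each candidate costs 4096 HMAC-SHA1 computations, which is why even a GPU
    only manages tens of thousands of guesses per second against a handshake."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"), ssid.encode("utf-8"), PBKDF2_ROUNDS, PSK_BYTES)

def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return candidates / guesses_per_second

def exhaust_times(guesses_per_second: float = 26_000, wordlist_size: int = 19_000_000) -> Dict[str, float]:
    """The paper's 19M-word list at 26,000 guesses/s versus random passphrases.
    Alphabet sizes: 10 digits, 62 alphanumerics, 95 printable ASCII characters."""
    cases = {
        "wordlist": wordlist_size,
        "8 digits": 10 ** 8,
        "8 alphanumeric": 62 ** 8,
        "12 alphanumeric": 62 ** 12,
        "20 printable": 95 ** 20,
    }
    return {name: seconds_to_exhaust(n, guesses_per_second) for name, n in cases.items()}

def human_time(seconds: float) -> str:
    year = 365 * 24 * 3600
    if seconds >= year:
        return f"{seconds / year:,.0f} years"
    if seconds >= 3600:
        return f"{seconds / 3600:,.1f} hours"
    return f"{seconds / 60:,.1f} minutes"

def psk_policy_violation(passphrase: str, blocklist: List[str], min_len: int = 16) -> Optional[str]:
    """Owner-side check before a PSK goes on an access point: reject anything a
    wordlist would find, and anything short enough to enumerate. Returns the reason, or None."""
    if passphrase.lower() in {w.lower() for w in blocklist}:
        return "in common-password list"
    if len(passphrase) < min_len:
        return f"shorter than {min_len} characters"
    return None

if __name__ == "__main__":
    sample_blocklist = ["password", "12345678", "qwertyui"]  # constructed, not a real list
    print(psk_policy_violation("password", sample_blocklist))
    for name, secs in exhaust_times().items():
        print(f"{name:16s} {human_time(secs)}")
```

At the paper's rate the whole 19 million-word list is exhausted in about twelve minutes, while eight random alphanumeric characters already take centuries; the PBKDF2 cost is the same per guess either way, so length and randomness are what the owner controls.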

V. Wireless Attack Procedures

This section of the paper is designed to be a step-by-step walkthrough for accomplishing these attacks.

A. WEP encryption, no MAC filter

This attack demonstrates how to crack a WEP encrypted access point that is not using MAC address filtering for client authentication.


1. Start by placing your wireless adapter in monitor mode. This step requires that you have a wireless adapter that is able to enter monitor mode.

airmon-ng start wlan0

To figure out which adapter to place in monitor mode simply type: airmon-ng. This will list all of your available network interface cards. (In my case the one I wanted was wlan0.)

The above step will create a new interface called “mon0”. This new interface will be used in all the following commands.

2. Once you receive the “monitor mode enabled on mon0” message type:

airodump-ng mon0

This will use your wireless card to scan for all available networks. Once you find one with WEP encryption, write down or copy its BSSID and channel.

3. Now that you have found the network to attack we need to refine our airodump-ng command. Type the following, filling in “bssid” and “channel” with the appropriate information:

airodump-ng --channel “channel” --bssid “bssid” -w ./cap mon0

The “-w” option selects the location and name to save the packet capture file to. You may make this whatever you want. The capture file will get -01.cap appended to it (if you save it as “cap” it will be “cap-01.cap”).

4. Once you run the above command you have begun to capture packets from the target network. Now, open another terminal and type:

aireplay-ng -1 0 -a “bssid” mon0

This will authenticate you with the access point. As always, fill in the target bssid for “bssid” (without quotes).


5. Once you are authenticated you can start to generate traffic. This will allow you to crack the network faster. Optionally you can skip this step and just wait until the “#Data” column in your airodump-ng command reaches 50,000. Since this will usually take too long, type the following:

aireplay-ng -3 -b “bssid” mon0

This will begin an ARP replay attack, causing the router to send several replies per second, which will generate data packets very quickly.

6. Once the data packets have reached approximately 50,000, type the following:

aircrack-ng -a 1 ./cap-01.cap

This will begin to attack the captured packets and should return the key within seconds if you have enough data packets. (This command assumes you named the file “cap” as in step 3.)

B. WEP encryption with MAC filter

This attack is a very simple modification of the previous attack. If an access point does not allow you to authenticate using the command in step 4 above, then it is most likely using MAC address filtering. To bypass this you need to know a MAC address that is allowed on the network. When running “airodump-ng” note that it will display all associated clients and the station they are associated with in a row underneath the network list.

All you need to do is wait for an authorized client to associate with the network and write down the address under the “STATION” column. Once you have this, only a few modifications to the above procedure are necessary.

1. Follow steps 1 through 3 in the above procedure.

2. Modify step 4 by inserting the STATION address for “station”:

aireplay-ng -1 0 -a “bssid” -h “station” mon0

3. Modify step 5:

aireplay-ng -3 -b “bssid” -h “station” mon0

4. Once you have 50,000 packets follow step 6.

C. WPA2 encryption

To crack a WPA2 encrypted network you have to hope that the user used a weak password or a common password that occurs in a common password file. Since I created the network that I was attacking I could ensure that the password would be in the file I was checking.

To accomplish this attack you will need to first install Pyrit and the appropriate graphics card driver. Then you will need to have a mid to high end GPU. It will work with only the processor, but it will run very slowly. Finally you will need to search the internet for a good common password file or dictionary file to use for your attack.

Once you have all of the requirements you will need to capture a WPA2 handshake. Use steps 1 through 3 from the first procedure to find a WPA2 network and start capturing data. Once you notice that a few clients have connected you can check your capture file for handshakes using:

pyrit -r “name of cap file” analyze

If this command tells you that you have a valid handshake you can begin attacking it. Use the following command to attack a handshake by going through a password text file:

pyrit -r “cap file” -i “password file” attack_passthrough

VI. Conclusion

WEP and WPA2 may seem similar to those untrained in network security. But to those that have been paying attention, WPA2 is much more secure than WEP, and with an appropriately random password of decent length, WPA2 can be impenetrable.

VII. References

1. http://code.google.com/p/pyrit/
2. http://en.wikipedia.org/wiki/Aircrack-ng
3. http://en.wikipedia.org/wiki/Wired_Equivalent_Privacy
4. http://en.wikipedia.org/wiki/Wi-Fi_Protected_Access
5. http://en.wikipedia.org/wiki/Advanced_Encryption_Standard