Argentina
Australia
Austria
Belgium
Brazil
Bulgaria
Canada
Chile
Colombia
Cyprus
Czechia
Denmark
Ecuador
Egypt
Estonia
Finland
France
Germany
Great Britain
Greece
Hungary
India
Indonesia
Ireland
Italy
Japan
Latvia
Lithuania
Luxembourg
Malaysia
Malta
Mexico
Netherlands
New Zealand
Norway
Philippines
Poland
Portugal
Romania
Russia
Singapore
Slovakia
Slovenia
South Africa
South Korea
Spain
Sweden
Switzerland
Taiwan
Thailand
Turkey
Ukraine
United States
In this chapter, we will cover the Wired Equivalent Privacy (WEP) protocol and its vulnerabilities, showing how to crack the WEP keys with some of the tools included in Kali Linux, namely, the Aircrack-ng suite and Fern WiFi Cracker.
We will cover the following topics:
Introduction to WEP
WEP cracking with Aircrack-ng
WEP cracking with automated tools
The WEP protocol was introduced with the original 802.11 standard as a means to provide authentication and encryption to wireless LAN implementations. It is based on the RC4 (Rivest Cipher 4) stream cypher with a preshared secret key (PSK) of 40 or 104 bits, depending on the implementation. A 24 bit pseudo-random Initialization Vector (IV) is concatenated with the preshared key to generate the per-packet keystream used by RC4 for the actual encryption and decryption processes. Thus, the resulting keystream could be 64 or 128 bits long.
In the encryption phase, the keystream is XORed with the plaintext data to obtain the encrypted data, while in the decryption phase the encrypted data is XORed with the keystream to obtain the plaintext data. The encryption process is shown in the following diagram:
Now that we have explored WEP vulnerabilities and its relative attacks, we are ready to begin the hands-on part. In this section, we will see how to crack WEP keys with the Aircrack-ng suite.
In the reconnaissance phase, we have collected information about each network to be tested, such as the BSSID, the channel on which it operates, and the security protocol used. Here, we focus on a WEP-protected network and we start capturing the frames exchanged by the AP and the associated clients on the relative channel.
We can try this attack ourselves by setting our Wi-Fi router to use WEP. We assume that the BSSID of the AP is 08:7A:4C:83:0C:E0 and the channel is 1. The first step is to start the monitor mode on channel 1, as we have seen in the previous chapter:
airmon-ng start wlan0 1
To capture the traffic of our target network, we will execute the following command:
airodump-ng --channel 1 --bssid 08:7A:4C:83:0C:E0 --write wep_crack mon0
The rest of the chapter is locked
© 2015 Packt Publishing Limited All Rights Reserved
