Hacking Exposed 5th Edition
A few tools are available that automate or aid in the automation of exploiting WEP weaknesses. In most cases, the tools use a combination of packet-capturing and packet-cracking techniques to leverage these weaknesses.
AirSnort
Popularity: 8 | Simplicity: 7 | Impact: 9 | Risk Rating: 8
The AirSnort tool (http://airsnort.shmoo.com) is a collection of the scripts and programs derived from the research conducted by Tim Newsham, the University of Maryland, and the University of California at Berkeley. It is by far the most popular and best-known Linux tool in the industry specifically used for wireless packet cracking. Originally, it was a command-line Linux-based tool that merely captured 802.11b wireless packets and attempted to crack the packets via the weak IV flaw. It has since evolved to include a GUI, allowing for the quick configuration of the channel to scan and the ability to specify the strength of the WEP key.
To use AirSnort, you must first compile and install the source code. At the time of this release, the common ./configure && make && make install worked for AirSnort installation. Then you just execute AirSnort from the command line, and as long as you are in an X Window System session, you will be able to use the GUI. In this case, you would first want to run AirSnort in a scanning mode to determine what APs are in range and whether any traffic is being transmitted over the air. As you can see in the following illustration, AirSnort has identified six APs, two of which have implemented WEP functionality. Different numbers of packets must be captured for different attacks to work, but the AirSnort GUI simplifies that process by adding the meaningful buttons Start and Stop for your convenience.
AirSnort Countermeasures
Currently, the countermeasures for all WLAN packet sniffers and crackers are rather simplistic. First, it is important that you implement WEP on all your APs with the 128-bit key strength. When selecting a WEP key, it is critical that you select a secret key not found in a dictionary, one that contains a mix of numeric, alphabetic, and special characters, if possible. Also, a WEP key over eight characters in length is ideal because it increases the time required to brute-force the keyspace by orders of magnitude compared with a six-character passphrase. The SSID for your AP should be changed from the default setting, and if the vendor provides any type of fix for the WEP algorithm, such as WEP-Plus, then it should be implemented. The last recommendation is to change your WEP key as often as possible. Remember that anyone within range can receive the data transmitted over your 802.11 network. Therefore, protecting that data should be a multilayer and constant process.
WLAN-Tools
Popularity: 10 | Simplicity: 8 | Impact: 9 | Risk Rating: 9
The WLAN-Tools (or, as it should be named, the Godfather of Wireless Cracking) was created by Tim Newsham (http://www.lava.net/~newsham/wlan). It was the original posting of coded exploits for utilizing the weaknesses within the WEP algorithm. Programmed to work in the Linux environment, WLAN-Tools, if properly modified, will also work on many flavors of UNIX, including BSD and Solaris. The toolset includes programs for 802.11 packet capturing and WEP-encrypted packet cracking. The toolkit is an excellent resource for learning the coding aspect behind the vulnerabilities, and it also contains patches for the sniffer drivers. We thought it necessary to inform you of this toolset because it was the original exploiter, but because of its user interface and program robustness, we believe it to be outdated. Our recommendation is to use the DWEPUtils from Dachb0den Labs, if possible, or AirSnort.
WLAN-Tools Countermeasures
Refer to the recommendation in the "AirSnort Countermeasures" section, earlier in the chapter, for details on mitigating some of the risk associated with your WLAN.
DWEPCrack
Popularity: 5 | Simplicity: 4 | Impact: 9 | Risk Rating: 6
DWEPCrack, written by Dachb0den Labs (http://www.dachb0den.com/projects/dweputils.html), is a tool specifically used to crack WEP-encrypted packets on the BSD platform. Dachb0den Labs prides itself on being a security coalition dedicated to security and wireless research and is located in Southern California. The Dachb0den toolkit is divided into specific functions, allowing each one to be used individually or scripted to work together with the others. It is by far the most comprehensive toolkit available for exploiting numerous weaknesses within the WEP algorithm. In addition, the toolkit allows an attacker to exploit other infrastructure-based weaknesses, such as MAC-based access control lists, with a brute-force algorithm that walks the keyspace of the MAC address in hopes of achieving unauthorized AP association. DWEPCrack allows you to specify a dictionary list for brute-forcing the WEP key, in addition to the option of brute-forcing the entire keyspace until the proper key is found. Realize that if the AP is using a 128-bit WEP key, it is quite possible that the key will be changed before you come across it. If you want detailed information on cracking or encryption, refer to the "WEP" section or Google.com.
DWEPCrack parses through the log, determining the number of packets, unique IVs, and corresponding cipher keys used to XOR the payload of each packet. Once it determines that the proper prerequisites exist for attempting a WEP attack, it attempts to brute-force and output the WEP key. Here is what you might expect to see when you execute DWEPCrack from the command line and provide it a WEP-encrypted log of packets:
cloud@gabriel ~$ dwepcrack -w ~/sniffed_wlan_log
* dwepcrack v0.4 by h1kari <h1kari@dachb0den.com> *
* Copyright (c) Dachb0den Labs 2002 [ht*p://dachb0den.com] *
reading in captured ivs, snap headers, and samples... done
total packets: 723092
calculating ksa probabilities...
0: 88/654 keys (!)
1: 2850/80900 keys (!)
2: 5079/187230 keys (!)
3: 5428/130824 keys (!)
4: 14002/420103 keys (!)
(!) insufficient ivs, must have > 60 for each key (!)
(!) probability of success for each key with (!) < 0.5 (!)
warming up the grinder...
packet length: 48
init ventor: 58:f4:24
default tx key: 0
progress: .....................................
wep keys successfully cracked!
0: XX:XX:XX:XX:XX
* done.
cloud@gabriel ~$
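As an added illustration of the prerequisite check described above (this is not code from the book or from Dachb0den Labs), the following Python script audits a constructed capture for the two statistics dwepcrack reports: IV reuse and the count of FMS weak IVs per key byte, measured against the "> 60 for each key" threshold shown in the output. The frame representation, key length and threshold constant are assumptions for this example; a defender can run the same counts over traffic from their own AP to see how far its key is exposed before rotating it.

```python
from collections import Counter, defaultdict
from typing import Dict, List, Optional, Tuple

IVS_PER_KEY_BYTE = 60   # threshold dwepcrack prints: "must have > 60 for each key"


def fms_weak_key_byte(iv: bytes, key_len: int) -> Optional[int]:
    """Return the key-byte index A that an FMS weak IV of the form
    (A+3, 0xFF, X) leaks, or None if this 3-byte IV is not of that form."""
    if len(iv) != 3 or iv[1] != 0xFF:
        return None
    a = iv[0] - 3
    return a if 0 <= a < key_len else None


def audit_capture(frames: List[Tuple[bytes, int]], key_len: int = 13) -> Dict:
    """Summarise IV exposure for a list of (iv, key_index) frames (assumed layout).
    key_len is the WEP key length in bytes: 5 for 64-bit WEP, 13 for 128-bit WEP."""
    iv_counts = Counter(iv for iv, _ in frames)
    weak: Dict[int, int] = defaultdict(int)
    for iv, _ in frames:
        a = fms_weak_key_byte(iv, key_len)
        if a is not None:
            weak[a] += 1
    # every IV seen more than once reuses an RC4 keystream (the IV-reuse flaw)
    reused = sum(c - 1 for c in iv_counts.values() if c > 1)
    at_risk = [a for a in range(key_len) if weak[a] > IVS_PER_KEY_BYTE]
    return {
        "total_packets": len(frames),
        "unique_ivs": len(iv_counts),
        "reused_ivs": reused,
        "weak_ivs_per_key_byte": {a: weak[a] for a in range(key_len)},
        "key_bytes_at_risk": at_risk,
        "crack_prerequisites_met": len(at_risk) == key_len,
    }


def constructed_capture() -> List[Tuple[bytes, int]]:
    """Constructed sample, not a real capture: 200 sequential IVs, 25 of them
    reused, 70 weak IVs for key byte 0 and 30 for key byte 1, all on key index 0."""
    frames = [(bytes([0x10, 0x20, n]), 0) for n in range(200)]
    frames += frames[:25]
    frames += [(bytes([3, 0xFF, x]), 0) for x in range(70)]
    frames += [(bytes([4, 0xFF, x]), 0) for x in range(30)]
    return frames


if __name__ == "__main__":
    for name, value in audit_capture(constructed_capture()).items():
        print(f"{name}: {value}")
```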
DWEPCrack Countermeasures
Refer to the recommendation in the "AirSnort Countermeasures" section, earlier in the chapter, for details on mitigating some of the risks associated with your WLAN.
WEPAttack
Popularity: 8 | Simplicity: 8 | Impact: 9 | Risk Rating: 9
One of SourceForge's latest project additions in the wireless security space is WEPAttack. The WEPAttack tool is similar in design to the other dictionary brute-forcing engines, but with the major advantage of being able to parse Kismet output.
The WEPAttack utility requires a traffic dump file to run its cracks against. The Kismet suite of wireless intrusion and vulnerability tools can automatically generate this file. Other methods of creation include Ethereal, Windump, and good ol' TCPDUMP. WEPAttack's usage is quite straightforward, as shown here:
usage: wepattack -f dumpfile [-m mode] [-w wordlist] [-n network]
The following table shows WEPAttack's usage options:
| Option | Description |
| --- | --- |
| -f dumpfile | The network dump file to read from. |
| -m mode | Runs WEPAttack in different modes. If this option is empty, all modes are executed sequentially (default): 64 = WEP 64, ASCII mapping; 128 = WEP 128, ASCII mapping; n64 = WEP 64, KEYGEN function; n128 = WEP 128, KEYGEN function. |
| -w wordlist | The wordlist to use; without any wordlist, stdin is used. |
| -n network | The network number, which can be passed to attack only one network. The default is to attack all available networks (recommended). |
Here is an example of the WEPAttack usage for the command line:
wepattack -f Kismet-Oct-21-2002-3.dump -w wordlist.txt
Another excellent feature of WEPAttack is that it can work in conjunction with John the Ripper. John the Ripper, also known as "John," is the world's most popular open-source cracking engine. Binaries and the source for John can be downloaded from http://www.openwall.com/john. John can generate a wordlist that WEPAttack can then use to assist in the brute-forcing. Here is an example of this usage:
wepattack_word dumpfile
The WEPAttack wordlist can be downloaded from the WEPAttack team at https://sourceforge.net/projects/wepattack. This wordlist is 30MB in size.
WEPAttack Countermeasures
Refer to the recommendation in the "AirSnort Countermeasures" section, earlier in the chapter, for details on mitigating some of the risk associated with your WLAN, in particular the encryption strength of your over-the-air traffic.