19/04/11

WEP Key recovery with Commview and Aircrack

This is the WINDOWS PROCEDURE

With this procedure you can see how it is EASY to crack the WEP key of your Wireless connection; this is to show the importance to use a good encryption for your wireless! You can test this procedure ONLY with your own wireless connection using a WEP key, because: cracking somebody’s else WEP key is ILLEGAL.
  • START
1. Capture the packets using CommView for WiFi:
This document is intended for study only and not for any illegal concerns on cracking somebody else’s WEP key. This material is given to you to show how you can test the security of your own wireless connection
protected using the weak WEP encryption. To hack your own web key you need mainly 2 tools, for gathering the packets in the air and one for their analysis. This step by step guide explains you a way to recover your WEP key using: 

CommView for WiFi and AirCrack.
a. Install CommView for Wifi
b. Install the modified drivers for your card, those drivers enable the monitoring features of your wireless adapter. Do following the instructions provided here:

 
c. Search for the WiFi networks


2. Enable the advanced rules:
I have been asked to give a very simple explanation on how it works… here it is… If you start capturing all the packets you can see that there are a lot of them, but those needed for the WEP de-encryption are only ARP response packets. To generate those ARP response packets we need to wait a “legitimate” client to connect to the Access Point (AP)… connecting, a client automatically sends an ARP request to the AP and the AP will reply with the response we are looking for. Those connections are not frequent, so we need (somehow) to disconnect a client, so that it can re-connect to the AP and send his ARP request. WLAN traffic is encrypted, so we cannot investigate on the packets to see which packet is an ARP or not… so we can just guess. We know that an ARP packet can be 68 or 70 bits long, is sent to all the MAC addresses in the LAN and has the “To Distribution System” – ToDS bit set to 1. So let’s set a rule that captures those packets only, as follows: Go to the the Rules tab and Enable Advanced Rules as in the following picture:



3. Start capture

4. Gather ARP request packets:

You can do it in 2 ways:
a. Wait for a client to send it
b. Force a client to send it Forcing a client to send an ARP request means “disconnect and re-connect” and can be done by     CommView for WiFi: go to Tools -> Node Reassociation
-Choose how many packets to send and an interval, the default should be ok(you can try few or many, as you wish).
-Choose the AP (YOUR Access Point, the one you would like to hack)
-Choose whether to disconnect one client or all the clients
-When you are OK, click Send Now

Normally doing this, the clients should reassociate with the AP sending a ARP request packets.


5. Send the ARP requests to the Access Point:
Thanks to the rule enabled before, now in the Packets tabs you should be able to see only the ARP requests. If you cannot see any of them, go back to the step 4 and keep on disconnecting the client, or wait for the client to reassociate by its own. Once you have one or more ARP requests packets logged (ENCR.DATA) sent to Broadcast do the following:

a. Select one or more of those packets
b. Right click on them, Send Packet(s) -> All  At this point, the Send Packet window should appear

6. Disable the rule:
Now you have to disable the rule, because now we have to gather all the packets. We need IV Packets (Initialization Vector), which are all different between them and no rule can be created for those packets.

7. Send the packets:
Here you can even choose to send a lot of packets, and very fast… try, every network is different, but after having sent some packets you should see the counter of the packets captured increasing very fast.

8. Number of Packets:
There is no theory about how many packets you need to have gathered in order to recover a WEP key. It depends most of all on the WEP Encryption, whether it is a 64, 128 or 256 bit. Usually for a 64 bit if you have about 1.000.000 packets, then the cracking of the key lasts 1 second… but it depends. For sure the more packets you get, the more possibilities to crack it faster you have :) 

9. Export the packets captured:
From CommView go to File -> Save Packet log As -> and choose the tcpdump .cap format

10. Download Commview + Aicrack for Windows :
You can download it from here: CommviewForWifi63 and aircrack-ng-11-win or download the other at http://www.aircrack-ng.org/doku.php?id=downloads . Run the bin/GUI, choose first the file .cap exported from CommView, Choose WEP encryption, choose a keysize (start from 64) you should know the Key you are using!

And the Launch
Good luck

0 komentar:

Posting Komentar

Entri Populer