Hack 88 Cracking WEP with AirSnort: The Easy Way


Use a dictionary attack to test the security of your WEP key.

While widely publicized for its ability to crack a WEP key in real time by attacking weaknesses in the implementation, AirSnort requires a potentially large amount of data to be gathered before the attack is successful. AirSnort also comes with a largely unknown utility that will perform a dictionary attack on a relatively tiny sampling of network traffic.

Using the aptly named decrypt utility, you can attempt to decrypt a WEP stream by trying a list of potential candidates from a word list. This attack can be carried out in a matter of minutes, rather than the hours that would be required to collect the large traffic samples needed to recover a WEP key statistically.

To use the decrypt utility, you first need a packet dump from a utility that can capture raw 802.11 frames (such as Kismet [Hack #31]). You will also need a list of suitable candidates, namely words that are either 5 or 13 characters long (for 40-bit or 104-bit WEP respectively). Invoke the utility like this:

# decrypt -f /usr/dict/words -m 00:02:2D:27:D9:22 -e encrypted.dump -d out.dump
Found key: Hex - 61:6c:6f:68:61, ASCII - "aloha"

Notice that you also need to specify the BSSID of the network you wish to attempt to decrypt. In this case, the BSSID is the same as the MAC address of the AP, but it can be set to virtually anything. You can obtain this field from the Info pane inside Kismet when capturing the data [Hack #31]. If successful, the decrypt utility displays the WEP key, decrypts the entire stream (specified by the -e switch), and saves it to a file of your choice (specified by the -d switch).

This output file is suitable for import into any standard packet-analysis tool, such as tcpdump [Hack #37] or Ethereal [Hack #39].

Of course, this attack succeeds only if the WEP key actually appears in your list of words to try. Unix password crackers have developed utilities over the years that will not only try words from the dictionary, but will try common (and even unusual) variations on these words until a match is found. The use of these tools is left as an exercise to whatever demented individuals find it worth their while to do so.
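The following is an added example, not part of the book or of AirSnort, that turns the two points above into a self-check for your own key: it filters a word list down to the 5- and 13-character entries that can serve as ASCII WEP keys, renders a key in the hex form decrypt prints, and reports whether the key (or a cheap variation of it, such as a case change, trailing digits or leet-speak substitutions) would be found in the list. The word list and the substitution table are constructed for the example and stand in for /usr/dict/words and for a real cracker's much larger rule set.

```python
import math

# The user-supplied WEP secret is 40 bits (5 ASCII chars) or 104 bits
# (13 ASCII chars); the driver prepends a 24-bit IV to form the RC4 key.
WEP_KEY_LENGTHS = {5: 40, 13: 104}

# Constructed sample word list standing in for /usr/dict/words.
SAMPLE_WORDS = [
    "aloha", "hello", "secret", "password", "wireless",
    "thirteenchars", "administrator", "brave", "encryption",
]

# Substitutions the auditor undoes so that "4loh4" is recognised as "aloha".
# Assumption: a small illustrative table, not a cracker's full rule set.
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
})


def wep_candidates(words):
    """Words usable verbatim as an ASCII WEP key (5 or 13 characters)."""
    return sorted({w for w in words if len(w) in WEP_KEY_LENGTHS})


def key_to_hex(key):
    """Render an ASCII key the way decrypt prints it (61:6c:6f:68:61 for 'aloha')."""
    return ":".join(f"{ord(c):02x}" for c in key)


def key_probes(key):
    """Forms of the key with the cheap mutations undone: case, trailing
    digits/punctuation, and leet-speak, in every combination."""
    base = key.lower()
    stripped = base.rstrip("0123456789!.")
    return {base, base.translate(LEET_MAP), stripped, stripped.translate(LEET_MAP)}


def audit_wep_key(key, words):
    """Report whether `key` has a valid ASCII WEP length and whether the word
    list (or a simple variation of one of its entries) would recover it."""
    dictionary = {w.lower() for w in words}
    bits = WEP_KEY_LENGTHS.get(len(key))
    report = {"key_bits": bits, "hex": key_to_hex(key),
              "dictionary_hit": None, "effective_bits": None}
    if bits is None:
        return report  # not a usable ASCII WEP key at all
    # Prefer the longest matching probe so a verbatim hit wins over a stripped one.
    for probe in sorted(key_probes(key), key=lambda p: (-len(p), p)):
        if probe in dictionary:
            report["dictionary_hit"] = probe
            break
    # Size of the search an attacker faces with this list, versus the nominal
    # 2**bits.  log2(candidate count) is a lower bound when the hit came
    # through a mutation, since the mutations multiply the candidates.
    if report["dictionary_hit"]:
        same_length = [w for w in words if len(w) == len(key)]
        report["effective_bits"] = round(math.log2(max(len(same_length), 1)), 1)
    else:
        report["effective_bits"] = bits
    return report


if __name__ == "__main__":
    for k in ("aloha", "4loh4", "x7#Qp", "aloha1"):
        print(k, audit_wep_key(k, SAMPLE_WORDS))
```

With the sample list, "aloha" is reported as a 40-bit key with an effective search space of about 1.6 bits (three 5-letter words), which is the gap decrypt exploits; a key like "x7#Qp" has no hit and keeps the nominal 40 bits, and "aloha1" is rejected outright because six characters is not a WEP key length.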

Again, the point of this hack isn't to encourage you to go around breaking into people's networks, but to stress the importance of strong encryption and proper network configuration. It is just plain foolish to expect WEP to answer all of your security needs when tools like AirSnort so easily demonstrate its inherent weaknesses.

You can download AirSnort from http://airsnort.shmoo.com/. There is also a wealth of information there about passive monitoring, WEP implementations, and wireless security in general.



Wireless Hacks. 100 Industrial-Strength Tips and Techniques
Year: 2003
Pages: 158