Attacking Encrypted Networks




One of the most common ways that administrators attempt to protect their wireless networks is with encryption. Unfortunately, the two primary means of protection, Wired Equivalent Protection (WEP) and WiFi Protected Access (WPA), have flaws that allow them to be exploited. This section discusses how to attack networks that are protected by WEP and WPA.

Attacking Wired Equivalent Protection (WEP) Encrypted Networks

The most commonly used form of encryption protecting wireless networks is WEP. WEP is a flawed implementation of the Rivest Cipher 4 (RC4) encryption standard. Scott Fluhrer of Cisco Systems, Itsik Mantin, and Adi Shamir of the Weizmann Institute detailed the flaws in WEP in their joint paper Weaknesses of the Key Scheduling Algorithm of RC4 (www.drizzle.com/~aboba/IEEE/_rc4_ksaproc.pdf).

In short, WEP combines a fixed secret key with a per-packet initialization vector, and some of the initialization vectors that are generated are weak. When enough weak initialization vectors are captured, the secret key can be cracked. There are a number of tools available on the Internet that can be used to crack WEP encryption. This section details how to use AirSnort on Linux and WEPCrack on Windows to crack WEP.
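The following is an added example, not code from the book or from any of the tools it describes. It models the part of WEP that the preceding paragraph describes: the secret key never changes, and each packet is encrypted with RC4 under the 3-byte initialization vector (sent in the clear) followed by that fixed key. The RC4 implementation, the sample key, IV and frame bodies are all constructed here for illustration; the ICV and frame headers are omitted. It shows how small the IV space is (2**24, the "about sixteen million" in the text) and what an observer learns whenever the same IV is reused with the same fixed key.

```python
# Added example (not from the book): a toy model of WEP's per-packet RC4 key.
# WEP never changes the secret key; it only prepends a 24-bit IV that is sent
# in the clear. The ICV (CRC-32) and frame headers are omitted for brevity.

WEP_IV_BITS = 24  # size of the IV WEP prepends to the fixed secret key


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm (KSA)
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):  # pseudo-random generation algorithm (PRGA)
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("inputs must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 encryption and decryption are the same XOR with the keystream."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def wep_packet_key(iv: bytes, secret_key: bytes) -> bytes:
    """WEP per-packet RC4 key: the 3-byte IV followed by the fixed secret key."""
    if len(iv) != WEP_IV_BITS // 8:
        raise ValueError("WEP IV must be exactly 3 bytes")
    return iv + secret_key


def wep_encrypt(iv: bytes, secret_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt one frame body; the IV travels in the clear in front of it."""
    return iv + rc4(wep_packet_key(iv, secret_key), plaintext)


def iv_space_size() -> int:
    """Number of distinct IVs: 2**24, the 'about sixteen million' in the text."""
    return 1 << WEP_IV_BITS


def recover_with_known_plaintext(frame1: bytes, frame2: bytes, known_plaintext1: bytes):
    """If two frames share an IV (and the key is fixed), c1 XOR c2 == p1 XOR p2,
    so knowing p1 yields p2 without ever learning the secret key.
    Returns None when the IVs differ, because the keystreams then differ too."""
    iv1, c1 = frame1[:3], frame1[3:]
    iv2, c2 = frame2[:3], frame2[3:]
    if iv1 != iv2:
        return None
    n = min(len(c1), len(c2), len(known_plaintext1))
    return xor_bytes(xor_bytes(c1[:n], c2[:n]), known_plaintext1[:n])


if __name__ == "__main__":
    # Constructed sample values: a 104-bit (13-byte) key and a repeated IV.
    secret = b"constructedK!"  # 13 bytes, stands in for a real WEP key
    iv = bytes.fromhex("0a1b2c")
    f1 = wep_encrypt(iv, secret, b"GET /index.html HTTP/1.0")
    f2 = wep_encrypt(iv, secret, b"POST /login.cgi HTTP/1.0")
    print("IV space:", iv_space_size())
    print("recovered:", recover_with_known_plaintext(f1, f2, b"GET /index.html HTTP/1.0"))
```

The point for a defender is in `iv_space_size` and `recover_with_known_plaintext` together: a busy network cycles through the whole IV space in hours, and because the secret key is fixed, every repeated IV hands an eavesdropper the XOR of two frame bodies with no cryptanalysis at all. The weak-IV attack the text goes on to describe is a further weakness layered on top of this one.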

Attacking WEP with AirSnort on Linux

When enough weak initialization vectors are identified, AirSnort begins attempting to crack the WEP key. There are about sixteen million possible initialization vectors generated by wireless networks using WEP. Approximately nine thousand of these are weak. AirSnort considers these nine thousand weak initialization vectors as “interesting.” According to The Shmoo Group, most WEP keys can be guessed after collecting approximately two thousand weak initialization vectors.

Tools & Traps…
Installing and Configuring AirSnort

AirSnort is a valuable tool that can be used by WarDrivers to locate wireless networks. It can also be used by attackers to crack WEP encryption on wireless networks.

Installing AirSnort is a relatively straightforward process. First, download the current version from Sourceforge (http://sourceforge.net/_project/showfiles.php?group_id=33358). Then uncompress and untar the source. Afterward, change into the AirSnort directory that is created:


root@roamer:/root# gunzip airsnort-0.2.2b.tar.gz
root@roamer:/root# tar -xvf airsnort-0.2.2b.tar
root@roamer:/root# cd airsnort-0.2.2b

For most systems, compiling and installing AirSnort requires only three steps:

root@roamer:/root/airsnort-0.2.2b# ./autogen.sh
root@roamer:/root/airsnort-0.2.2b# make
root@roamer:/root/airsnort-0.2.2b# make install

This compiles AirSnort and places the AirSnort binaries in the /usr/local/bin/ directory.

To start AirSnort, open a terminal window inside your X-Windows environment and issue the airsnort command. This opens the AirSnort program (see Figure 9.19).

root@roamer:/root/airsnort-0.2.2b# airsnort

Figure 9.19: AirSnort Opens

First, you need to select the network device to put into monitor mode. In order for monitor mode to work, you must follow the instructions provided in Chapters 4 and 5 of this book. Using the drop-down menu, select your wireless card (for example, eth0, eth1, or wlan0).

Next, choose your Card type, as shown in Figure 9.20.

Figure 9.20: Choosing the Card Type

If you know the channel a specific access point is broadcasting on, you can choose to only monitor that channel. If not, or if you just want to discover any wireless networks in the area, choose “scan” to hop channels searching for wireless networks.

After all the settings have been set appropriately, click Start. AirSnort will place your card in monitor mode and begin collecting information. See Figure 9.21.

Figure 9.21: AirSnort Starts Monitoring

After some weak initialization vectors have been collected, AirSnort will begin attempting to crack the WEP key. A vast majority (approximately 95 percent) of weak initialization vectors provide no usable information about the WEP key. One way you can try to decrease the amount of time it takes to crack the key is by increasing the crack breadth in AirSnort. According to the Shmoo Group’s Frequently Asked Questions site for AirSnort (http://airsnort.shmoo.com/faq.html), this will increase the number of key possibilities examined when AirSnort attempts to crack the WEP key. See Figure 9.22.

Figure 9.22: Increasing the Crack Breadth

The most difficult part of attacking wireless networks deployed with WEP encryption enabled is the amount of time it takes. It usually requires a minimum of 1200 weak initialization vectors to crack the WEP key. It can take days or even weeks to capture this many weak initialization vectors.

Attacking WEP with WEPCrack on Windows

WEPCrack (http://wepcrack.sourceforge.net) is a set of Open Source PERL scripts intended to break 802.11 WEP secret keys. It was the first publicly available implementation of the attack described by Fluhrer, Mantin, and Shamir in their paper. Since a PERL interpreter is not installed by default with Windows Server 2003 (or any version of Windows, for that matter), you will need to install one to run the scripts. One or both of the following freely available solutions will give you what you need: Cygwin (www.cygwin.com) or ActiveState ActivePerl (www.activestate.com/Products/ActivePerl).

The more robust option is to install Cygwin. Cygwin is a Linux-like environment for Windows that consists of a DLL (cygwin1.dll) to provide Linux emulation functionality and a seemingly exhaustive collection of tools, which provide the Linux look and feel. The full suite of PERL development tools and libraries are available; however, the PERL interpreter is all that is required to run the WEPCrack scripts, as shown in Figure 9.23.

Figure 9.23: Executing WEPCrack.pl in Cygwin

The other option, using a Windows-based PERL interpreter, may be desirable if you have no need for Linux emulation functionality on your workstation or server. ActiveState ActivePerl, available by free download from the ActiveState Web site (www.activestate.com), provides a robust PERL development environment that is native to Windows. WEPCrack was written so that it could be ported to any platform that has a PERL interpreter without needing to modify the code. Figure 9.24 demonstrates the WEPCrack.pl script running natively in Windows without modification from a Windows command prompt.

Figure 9.24: Executing WEPCrack.pl at the Windows Command Prompt

Using the Cracked Key in Windows XP

Once you have cracked the WEP key, you must configure your client to access the network. In Windows XP, this requires the following four steps:

  1. Open the Wireless Network Properties.

  2. Add a Preferred Network.

  3. Enter the SSID.

  4. Enter the WEP key.

First, double-click the Wireless Network Connection icon on the Windows taskbar. This will open the Wireless Network Connection status window. Select the Wireless Networks tab. See Figure 9.25.

Figure 9.25: The Wireless Network Properties

Click the Add… button to open the Wireless Network Properties window. Enter the SSID of the network that you want to access. Next, uncheck the This key is provided for me automatically checkbox. This will make the Network Key and Confirm Network Key text boxes available. See Figure 9.26.

Figure 9.26: Preparing to Enter the Captured Key

Enter the WEP key that you obtained in the Network Key and Confirm Network Key textboxes and then click OK. You have now accessed a WEP-protected network. See Figure 9.27.

Figure 9.27: Accessing the Network

Using the Cracked Key in Windows 2000

To access a wireless network that you have cracked the WEP key for from Windows 2000, follow these four steps:

  1. Open the Client Manager.

  2. Create a new Profile.

  3. Enter the SSID of the target network.

  4. Enter the captured WEP key.

The first thing you need to do is open your client manager. Double-click the client manager icon on the Windows taskbar. This will bring up the Client Manager window, as shown in Figure 9.28.

Figure 9.28: The ORiNOCO Client Manager

Navigate to Actions | Add/Edit Configuration Profile to create a new configuration profile for the network you want to associate with. See Figure 9.29.

Figure 9.29: Preparing to Add a New Configuration Profile

This opens the Add/Edit Configuration Profile window. Select the radio button beside an empty configuration profile and add a name for the target network. See Figure 9.30.

Figure 9.30: Naming the Target

Click on Edit Profile to open the Edit Configuration window. In the Network Name textbox, enter the SSID of the network you want to associate with. See Figure 9.31.

Figure 9.31: The Edit Configuration Window

Next, click the Encryption tab and enter the WEP key that you cracked, and then click OK. You have now accessed a WEP-protected network. See Figure 9.32.

Figure 9.32: Entering the Cracked WEP Key

Using the Cracked Key in Linux

Accessing a wireless network that you have cracked the WEP key for from Linux requires only two steps.

  1. Edit the wireless.opts file.

  2. Restart PCMCIA services.

The first thing you will need to do is edit the /etc/pcmcia/wireless.opts file to include the SSID of the target network and the WEP key that you cracked. See Figure 9.33.

Figure 9.33: Open wireless.opts for Editing

Make sure that you have commented out the appropriate lines in the /etc/pcmcia/wireless.opts file, as shown in Figure 9.34. Then find the appropriate section for your wireless card and enter the SSID in the “ESSID” field. Next, change the Mode to “Ad-Hoc” and the Key to the WEP key that you cracked, as shown in Figure 9.35.

Figure 9.34: Configuring the wireless.opts File

Figure 9.35: More Configurations for the wireless.opts File

The last thing you need to do is restart PCMCIA services so that the changes you have made will take effect. In Slackware Linux, this is accomplished by issuing the restart option to the /etc/rc.d/rc.pcmcia startup script, as shown in Figure 9.36. The method of restarting PCMCIA services varies from distribution to distribution, but when necessary, you can reboot the system. Any changes you have made will take effect when PCMCIA services are started at boot time.

Figure 9.36: Restarting PCMCIA Services

Once PCMCIA services restart, you are associated with the target access point.

Attacking WiFi Protected Access (WPA) Encrypted Networks

Because of the vulnerabilities associated with WEP, a new wireless encryption standard was developed, WiFi Protected Access (WPA). In November 2003, Robert Moskowitz of ICSA Labs discovered that WPA is vulnerable to an offline dictionary attack, a brute force attack that tries passwords and/or keys from a precompiled list of values (http://wifinetnews.com/archives/002452.html).

WPA utilizes a 256-bit pre-shared key or a passphrase that can vary in length from eight to sixty-three bytes. Short passphrase-based keys (less than 20 bytes) are vulnerable to the offline dictionary attack. The pre-shared key that is used to set up the WPA encryption can be captured during the initial communication between the access point and the client card. Once you have captured the pre-shared key, you can use that to essentially “guess” the WPA key using the same concepts that are used in any password dictionary attack. In theory, this type of dictionary attack takes less time and effort than attacking WEP.

While there are currently no tools available to automate cracking WPA, it is only a matter of time before they are available.
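The following is an added example rather than code from the book or from any tool it describes. It shows what the attack in the two preceding paragraphs is actually guessing against: a WPA passphrase (8 to 63 bytes, as the text says) is stretched into the 256-bit pre-shared key with PBKDF2-HMAC-SHA1, using the SSID as salt and 4096 iterations. That derivation comes from IEEE 802.11i and is not stated in the text. Because every candidate costs the attacker the same fixed computation, the defender's only lever is the size and unpredictability of the passphrase, so the example pairs the derivation with a policy check built around the text's 20-byte threshold. The wordlist and SSIDs are constructed stand-ins.

```python
# Added example (not the book's code): how a WPA passphrase is turned into the
# 256-bit pre-shared key, and a policy check for the short or guessable
# passphrases the text describes as exposed to offline dictionary attacks.
# The derivation (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32-byte
# output) is the one specified in IEEE 802.11i; it is not described in the text.
import hashlib
import re

MIN_STRONG_LEN = 20  # the text's threshold: passphrases under 20 bytes are at risk

# Constructed stand-in for a dictionary-attack wordlist; real lists are far larger.
CONSTRUCTED_WORDLIST = frozenset({"password", "letmein", "wireless", "sunshine"})


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK from a passphrase and SSID (IEEE 802.11i).

    Every candidate an offline dictionary attack tries costs this same
    4096-iteration computation, so the attacker's rate is bounded and the
    size of the space to search is what decides the outcome."""
    pw = passphrase.encode("ascii")
    if not 8 <= len(pw) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 bytes")
    return hashlib.pbkdf2_hmac("sha1", pw, ssid.encode("utf-8"), 4096, dklen=32)


def passphrase_findings(passphrase: str, wordlist=CONSTRUCTED_WORDLIST) -> list:
    """Return policy findings ('short', 'dictionary', 'low-variety') in that order;
    an empty list means no finding."""
    findings = []
    if len(passphrase.encode("ascii", errors="replace")) < MIN_STRONG_LEN:
        findings.append("short")
    lowered = passphrase.lower()
    base = re.sub(r"\d+$", "", lowered)  # 'sunshine1' is still 'sunshine' to a wordlist
    if lowered in wordlist or base in wordlist:
        findings.append("dictionary")
    classes = sum(bool(re.search(p, passphrase))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        findings.append("low-variety")
    return findings


def audit(passphrase: str, ssid: str) -> dict:
    """Derive the PSK and report findings together, as a configuration review would."""
    return {"psk_hex": wpa_psk(passphrase, ssid).hex(),
            "findings": passphrase_findings(passphrase)}


if __name__ == "__main__":
    # Constructed SSID and candidate passphrases for illustration only.
    for candidate in ("sunshine1", "correct horse battery staple 42!"):
        print(candidate, "->", audit(candidate, "constructed-ssid"))
```

`wpa_psk` reproduces the published 802.11i test vector (passphrase "password", SSID "IEEE"), which is a convenient way to confirm that a locally built tool derives keys the same way the access point does. The findings list is what a reviewer of an access-point configuration would act on: a passphrase flagged "short" or "dictionary" is exactly the kind the text says the offline attack recovers.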



WarDriving: Drive, Detect, Defend: A Guide to Wireless Security