WEPCrack

WEPCrack

URLs:

WEPCrack: http://wepcrack. sourceforge .net

prismdump : http://developer.axis.com/download/tools/

Supported Platforms

Most popular Unix-based OSs (Windows to some extent)

A Brief History

Early in 2001, it was discovered that the use of RC4, as it was implemented in wireless 802.11 encryption, was fundamentally flawed. This discovery, which was publicized by Fluhrer, Mantin, and Shamir in a paper titled " Weaknesses in the Key Scheduling Algorithm of RC4 ," slapped the entire 802.11 wireless market right across the face. According to this paper, WEP could be cracked in a couple of hours with the proper programming.

Although the infamous paper went into great technical detail regarding the flaws of the KSA and its theoretical impact on WEP, it supposedly was not proven beyond this. However, it was not long before a reader turned the ideas into reality. Thus, WEPCrack was born.

It should be noted that another group tested the theories described in the paper and reportedly cracked WEP before WEPCrack was released; however, they did not publicly release this program. It should also be noted that AirSnort is currently the leading WEP-cracking program. Still, WEPCrack gets credit for being the first public release.

Description

WEPCrack is a script program that is coded in Perl. This means that, theoretically, an operating system need only have Perl installed and operational to use WEPCrack. Although this is a great theory, in reality WEPCrack is only fully functional on Unix-based systems.

WEPCrack will selectively capture, log, and crack RC4-protected encrypted packets sent by hardware/software using the 802.11b standard. It does this through the use of several separate scripts, each of which performs an essential part of the cracking process. In addition to the necessary cracking scripts, WEPCrack also includes a testing script that will generate a sample "weak IV" file based on a given password. The following breaks down each script and lists its purpose.

• prism-getIV.pl This script reads prismdump/Ethereal capture files and scans them for weak IVs. All weak IVs are recorded with the first byte of the encrypted packet associated with the detected weak IV in the IVFile.log file. This script can be run live with the capturing program, or with an existing capture file.

• WEPCrack.pl This script takes the existing IVFile.log file and processes it using the weaknesses discovered by Fluhrer, Mantin, and Shamir. It will recalculate the first three iterations of the KSA/PRGA and use this information to reverse-engineer a possible byte of the key used to encrypt the packet. Once the file is processed , the script performs a statistical analysis to determine the most likely key. Although this script can be wrong, the chances of this occurring are rare.

• WeakIVGen.pl This script allows its user to enter a key (5-bit or 13-bit), from which it will generate an IVFile.log file. This file will contain a list of all the possible weak IVs that would exist for the given key.

• prism-decode.pl This script will attempt to read and decode capture files from prismdump and Ethereal. Although it does not provide that much information, it can assist in quickly listing BSSIDs and other valuable bits of information.

From this short overview on each of the scripts included in WEPCrack, you can see what it can and cannot do. Although this program will crack WEP, allow you to tinker with the algorithm, and even add your own code if you choose, it will not sniff a wireless network for encrypted packets. If this is your goal, you will need to capture the data first, using either prismdump or Ethereal.

Installation

WEPCrack installation is simple. It comes as four Perl scripts, which will run on any *nix operating system that has a Perl engine installed. However, the requirements for the programs needed to capture the data might be a bit more rigorous . To see how to install Ethereal, see the Ethereal section earlier in this chapter.

Remember that several of these scripts will work on Windows environments. However, there are differences between the Windows version of Perl and the *nix version; these differences affect the reliability of WEPCrack and seem to break parts of it in a Windows environment.

Using WEPCrack

Before using WEPCrack, you will need to collect massive amounts of data. The current version of WEPCrack only searches for and attacks one type of weak IV. This is not unusual, and is in fact the attack method most WEP-cracking programs use. However, this does mean that you will need to capture roughly seven gigabytes worth of information to be fairly sure you have enough sample data to extract the key. Again, to do this, you will need either prismdump or Ethereal. Because we have already covered Ethereal in this book, we will now provide some tips on installing prismdump.

In addition, you will need to think in terms of decimal form. This is because WEPCrack's scripts use decimal form for input and output. The files it creates and the key produced will need to be converted to their hex or ASCII equivalent before they can be entered into a WNIC's settings. This is an important pointone that will frustrate you if forgotten.

prismdump

prismdump is a capture program that only works with WNICs using the Prism chipset. It can be downloaded from http://developer.axis.com/download/tools/ and is actually an add-on for Ethereal, allowing it (or Ethereal) to capture encrypted data traveling through the WLAN. You will need to install this program to get WEPCrack working.

To install prismdump, you will need the following items:

• The source files from http://developer.axis.com/download/tools/

• The Ethereal wiretap library

• GTK and Zlib installed

• A C compiler

This list might be short, but it will require some installation other than the default installation of many *nix operating systems.

Once the prerequisites are met, it is time to install the program. To do this:

1. Build Ethereal's wiretap library (run ./configure followed by a make in the Ethereal code directory).

2. Open prismdump's makefile .

3. Set the CC and LD to the name of the installed compiler (for example, gcc).

4. Define the WIRETAP_PATH by pointing it to the location of the wiretap library.

5. Define the GLIB_INCLUDE path to point to the location of the GTK include files.

6. " make install ", which should result in an executable named prismdump .

7. A typical makefile, whose lines might need to be adjusted to successfully install prismdump, appears as follows :

    CC=gcc  LD=gcc  # To do: Use GNU autoconf  #  #  # Path to the WIRETAP Libary (Part of ethereal source). The header files are  # assumed to be in the same place as the actual library (libwiretap.a)  #  WIRETAP_PATH=/usr/src/ethereal/wiretap  WIRETAP_LIB=wiretap.a  WIRETAP_INCLUDE=-I$(WIRETAP_PATH)  #  # Path to GLIB  #  GLIB_INCLUDE=-I/usr/lib/glib/include 

Once the prismdump program is successfully installed, it is time to start using WEPCrack. We suggest that you install all the programs and scripts into one folder, as illustrated in Figure 9.24. This will keep everything organized, and reduce the amount of typing required to use command-line execution.

Upon completion, it is time to put WEPCrack to the test. The following pages will break each script down and explain in detail what it does and how to use it.

prism-getIV.pl

This script by itself is useless. It requires a capture file created by prismdump or Ethereal. As an example, Figure 9.25 depicts prismdump capturing encrypted data and dumping it to a file called test.t . When enough data has been collected, you can stop the capture and run the file through prism-getIV.pl using the command ./prism-getIV.pl < test.t .

It should be noted that prism-getIV.pl can also accept data from the STDIN of another program. In other words, prismdump can be commanded to dump its data directly into prism-getIV.pl for immediate analysis. To do this, simply type the command prismdump prism-getIV.pl , which literally means "pipe the results of prismdump into prism-getIV.pl ."

During the analysis of the STDIN or capture file, the script will list all the captured weak IVs and the first byte of encrypted text. As you learned in Chapter 5, this is all the information you need to reproduce a byte of the secret key (with a 95% probability of error). A sample of this is depicted in Figure 9.26. In addition to listing this information, a file is created called IVFile.log that contains the weak IV and encrypted byte for later analysis (see Figures 9.26 and 9.27). Note that the entries are listed in decimal form.

WEPCrack.pl

After enough information has been captured and analyzed , you can attempt to crack the WEP key. This is accomplished using the WEPCrack.pl script. In this script, you will find the code that reproduces the first three iterations of the KSA/PRGA and then reverse- engineers the key byte. This byte value is put in an array, and then the next weak IV-encrypted first byte pair is tested. After the whole file has been processed, the array is searched to discover which calculated key bytes appear the most often. This value is then listed by the program.

As you can see from Figure 9.28, WEPCrack.pl will run on Windows NT/XP if Perl is installed. To run this script, ensure you have an IVFile.log file available, and run wepcrack.pl ivfile.log . This will result in a success or failure, based on the amount of data collected and number of key bytes cracked. Figure 9.28 illustrates the cracking of a WEP key of 103 097 109 101 115 , which can be converted from decimal form into the ASCII word games .

weakIVGen.pl

If you are merely interested in learning how this program works and in tweaking the code to see whether you can get it to work better or provide you with more information, you do not have to capture any data. Thankfully, the author of WEPCrack included a very useful tool that generates a sample of captured weak IV-first encrypted byte pairs. This script creates a IVFile.log file that you can then verify using the WEPCrack.pl script. To create the log file, you will need the decimal equivalent of the secret key. In other words, the five character ASCII key games would have to be converted to 103 097 109 101 115 to be useful with this script. Once converted, type the command weakivgen.pl 103:097:109:101:115 to create the log file. Note the colons between each value. After this command is executed, the script will list all the pairs as they are calculated, and create the IVFile.log file for you to crack (see Figure 9.29).

As you can see, WEPCrack is a powerful educational tool. According to the author, "WEPCrack's intention was to be a research tool, not a 'sploit (vulnerability exploit)," which is exactly the best purpose for this tool. Because of the way it is written, and the fact that it uses Perl as its programming language, WEPCrack is an easy program to tinker with and to understand just how WEP is cracked on any operating system. So, although it might lack in user features and a pretty GUI, it is the supreme example of a good hack. Therefore, we have included the source code in its entirety, in Appendix B, "WEPCrack Exploit Code Example," for your perusal.