August 11, 2003

Security is a real concern on wireless networks: if you fail to take appropriate measures when designing a Wi-Fi network, it can be compromised. WEP (Wired Equivalent Privacy), currently the primary security measure used on wireless networks, encrypts all communication. Unfortunately, it isn't very secure and can be cracked, which is what we're going to demonstrate in this article. We used a laptop running Linux and a wireless card for the job.

Since a WLAN is not a switched network, a hacker can use a packet sniffer to capture all data transmitted by any wireless device in the region. If WEP is enabled on the WLAN, the data payload of every transmitted packet is encrypted by combining it with a keystream derived from a secret number (the WEP key). That keystream is produced by the RC4 stream cipher.

Unfortunately, the problem is that RC4 is keyed with the secret WEP key combined with a 24-bit random number called an IV (Initialization Vector). Every encrypted packet carries its IV in the clear, and since the IV is only 24 bits long, the same IV values eventually get reused. An attacker could pick out repeating IVs by passively listening to encrypted traffic and guess the WEP key from them. This, however, is fairly time consuming. Another way is to exploit weak IVs: some values in the range 0 to 16,777,215 do not work well with the RC4 encryption mechanism.
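To put a number on "eventually", and to give an administrator a way to check a capture of their own network for IV reuse, here is an added example in Python (not from the original article or the Airsnort project). The frame bodies are constructed for the demonstration; the only layout assumed is the standard WEP header of three IV bytes followed by a Key ID byte.

```python
import math
from collections import Counter

IV_BITS = 24
IV_SPACE = 1 << IV_BITS          # 16,777,216 possible WEP IVs


def collision_probability(n, space=IV_SPACE):
    """Birthday bound: probability that n IVs drawn at random contain a repeat."""
    if n > space:
        return 1.0
    # work in log space so the product of (1 - i/space) does not underflow
    log_no_repeat = sum(math.log1p(-i / space) for i in range(n))
    return 1.0 - math.exp(log_no_repeat)


def packets_for_collision(p=0.5, space=IV_SPACE):
    """Smallest number of packets after which an IV repeat is at least p likely."""
    n = max(2, int(math.sqrt(2 * space * math.log(1 / (1 - p)))))  # closed-form estimate
    while collision_probability(n, space) < p:
        n += 1
    while n > 2 and collision_probability(n - 1, space) >= p:
        n -= 1
    return n


def parse_wep_iv(body):
    """Read the 4-byte header in front of a WEP payload: 3 IV bytes, then Key ID
    in the top 2 bits of the fourth byte. The IV is returned as a big-endian
    integer purely as a display convention."""
    if len(body) < 4:
        raise ValueError("frame body too short to carry a WEP IV header")
    return int.from_bytes(body[:3], "big"), body[3] >> 6


def detect_iv_reuse(frame_bodies):
    """Return {(iv, key_id): count} for every IV seen more than once under the same
    key. A repeat means two packets were encrypted with the same RC4 keystream."""
    counts = Counter(parse_wep_iv(b) for b in frame_bodies)
    return {k: c for k, c in counts.items() if c > 1}


# Constructed sample frame bodies (IV header + dummy ciphertext); not a real capture.
SAMPLE_FRAMES = [
    bytes([0x01, 0x02, 0x03, 0x00]) + b"\xaa" * 8,
    bytes([0x01, 0x02, 0x04, 0x00]) + b"\xbb" * 8,
    bytes([0x01, 0x02, 0x03, 0x00]) + b"\xcc" * 8,   # same IV as the first frame
]

if __name__ == "__main__":
    print("packets until a repeated IV is 50% likely:", packets_for_collision(0.5))
    print("IVs reused in the sample capture:", detect_iv_reuse(SAMPLE_FRAMES))
```

On a busy access point a few thousand packets is a matter of minutes, which is why a 24-bit IV cannot keep RC4 keystreams from being reused.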

When these weak IVs are used, the resulting encrypted packet can be run through mathematical functions to recover part of the WEP key. By capturing a large number of packets, a hacker can acquire enough weak IVs to retrieve the full key. This is what we did.

We used Airsnort (on the PCQEssentials CD as airsnort-0.2.2.tar.gz) for Linux to capture packets. To use it, log in as root, mount the CD and copy this file to your home directory. Run the following commands to untar it, build the executable binary and install it.

# tar -zxvf airsnort-0.2.2.tar.gz
# cd airsnort-0.2.2
# ./
# make

Now, it’s time to play dirty. Put your wireless LAN card into ‘monitor mode’, which will then listen to all traffic on the Wi-Fi network, and remain invisible to others. We used a Cisco Aironet card, which can be set to monitor mode as follows.

# echo 'Mode: r' > /proc/driver/aironet/ethx/Config
# echo 'Mode: y' > /proc/driver/aironet/ethx/Config

Here, replace ethx with the adapter name corresponding to your wireless card.

Start your Wi-Fi device using the # ifconfig wifi0 up command. Finally, fire up Airsnort. Set the device name (wifi0) in the Network Device field and hit the START button to capture packets. 

The time needed to crack depends on the length of the WEP key in use, which can vary from 64 to 256 bits. Longer keys are more difficult to crack.

Airsnort can generally crack a 64-bit key after capturing at least 1200 weak-IV packets. Busy hotspots with lots of traffic are more vulnerable and take less time to crack.
