Archives for Apr,2015

INTRODUCTION
In the previous posts we looked at how to use a modified Nexus 7 to gain access to a WPA secured network by cracking the WPA handshake or by exploiting WPS. Now it is somewhat of a rarity to see WEP networks in existence these days, however for the sake of completeness this guide will look at how we can attack these networks. We will also look at how we can bypass MAC filtering.

TL:DR – Never use WEP

Disclaimer: the author and contributors to this document will accept no responsibility for the consequences of the actions of individuals concerning wireless networks. Penetration testing networks other than your own may be illegal in your country. It is your sole responsibility to act in compliance with all relevant legislation and regulations.

BACKGROUND
Wired Equivalent Privacy (WEP) is a RC4 stream cipher, which means a key is used to seed a pseudo-random keystream which is used for encoding (similar to a one-time pad). Because the keystream is not truly random it means the same key cannot be used twice to seed. Otherwise the key can be calculated by gathering enough data.

To combat this shortfall an Initialisation Vector (IV) is transmitted from the router to the client to add to the key so that it is not a constant value. The IV makes up 24 bits of the seed with the key making up the rest (either 36 bits or 100 bits depending on if we are using 64 bit or 128 bit WEP). Unfortunately 24 bits is not enough randomness for a busy network and there is still a 50% probability of a duplicate key after 5000 packets.

Because the first few bytes of a header of a packet are known or predictable (similar to how enigma was cracked) then it is possible to work out the key once we capture enough packets. Using the IV’s we can guess each letter of the key sequentially rather than having to bruteforce the complete key (see here.

DEMONSTRATION WEP ATTACK
This assumes we’ve got a device setup as discussed in the previous article. Now let’s have a go at this on our demo network:

1. Enable monitor mode on the wifi interface
2. Identify the network we are looking to attack
3. Start listening and capturing ivs
4. Deauthenticate connected clients to increase capture rate

For a complete guide to running these attacks please refer to the aircrack-ng simple wep cracking guide. For simplicity I will be using the wifite python script. This script handles all of the steps described above without us needing to remember all of the commands, and if you are interested in what is doing in each step you can view the source.

Enable monitor mode on the interface

Find the network to target.

Attack the target using wifite (automatically & recommended) or via aircrack-ng

Now we have the WEP key in plaintext and can use it to connect to the network or decrypt network traffic.

MAC SPOOFING
For added security a router can add MAC filtering which only allows devices with set MAC addresses access even once the password is known.

However it is pretty trivial to change the MAC address of our wireless interface and access the network as an imposter. This involves listening to a network to find the MAC address of a connected client and then setting their MAC address as our own.

1. Find client to impersonate
2. Disable monitor mode on the wireless interface
3. Change MAC address of the interface
4. Profit…

First we need to find a client to impersonate. We do this by using airodump-ng to monitor (assuming monitor mode is already enabled, see above for this step).

airodump-ng -i mon0 -c 5 -b 3C:81:D8:95:6B:EC

Where mon0 is our monitoring interface, 5 is the channel to lock to (optional), 3C:81:D8:95:6B:EC is the MAC address of our target router (optional).

Here we see that a client (AC:7B:A1:5B:CF:11) is connected to our target network (3C:81:D8:95:6B:EC).

airmon-ng stop wlan1

where wlan1 is the wireless interface to stop monitoring on

We can use ifconfig to list information about all the interfaces we have available. This will show us what our current mac address is.

ifconfig -a

macchanger -m AC:7B:A1:5B:CF:11 wlan1

Where AC:7B:A1:5B:CF:11 is the MAC address we want to change to, and wlan1 is the wireless interface we wish to change the MAC address of.

Now when we run ifconfig again we will see that the MAC address has changed

ifconfig -a

And voila! Your interface is now an imposter. Trying to connect to a MAC filtered network is not an issue as you have an approved MAC address.

This handy trick can be used to bypass time restrictions that some routers use to restrict internet usage to 30 mins or so before trying to make you pay. Change the MAC address, you appear as a new user.

SUMMARY
We have shown how trivial it is to crack WEP keys and gain unauthorised access to a wireless network and how to bypass a MAC address filter if one is in place.