WEP Rundown
by intimidat0r
Part I: About WEP
WEP stands for Wired Equivalent Privacy. It is the standard for wireless encryption thus far. Many people dont even use WEP because they think security unnecessary, cant be bothered, or think WEP is pointless, since it can be cracked, though it typically takes a very long time to get enough data to pull a WEP key, especially a very large one.
WEP is comprised of a secret key and an encryption. The secret key, shared between the access point and everybody on the wireless network, consists of 5 or 13 characters. It is used by the encryption process to obfuscate the packets exchanged throughout the WLAN, or Wireless Local Area Network. The packets are all uniquely scrambled, so if someone cracks one packets key, they wont be able to view the others without cracking theirs as well.
This is done by using the secret key in conjunction with three more characters (the Initialization Vector, or IV) that are randomly chosen by the wireless hardware. For example, if your key were “hello”, it may create “abchello” for one packet, and “xyzhello” for another.
WEP also uses XOR, or Exclusive OR, for encryption. XOR compares two bits and, if theyre different, it returns a 1. Otherwise, it returns a 0. For example, 1 XOR 1 would be 0, and 1 XOR 0 would be 1.
Arrays are a word every programmer should have in their arsenal. Arrays are variables that can hold multiple values. For example, the array alphabet[26] would hold 26 values, labeled 0 through 25.
alphabet[0] = ‘A’;
alphabet[1] = ‘B’;
void swap(char &first, char &second)
{
char temp = first;
first = second;
second = temp;
}
swap(alphabet[0], alphabet[1]);
If the array values were swapped randomely many times, it would be impossible to tell which array element holds which value.
The actual algorithm used by WEP to encrypt the packets is RC4. RC4 consists of two steps: the Key Scheduling Algorithm and the Pseudo Random Generation Algorithm. The first part, the Key Scheduling Algorithm, or KSA, looks like this in C code, assuming k[] is an array of the secret keys:
int n = 256;
char s[n];
// initialization
for (int i = 0; i <= (n – 1); i++)
s[i] = i;
int j = 0;
// scrambling
for (int l = 0; l <= (n – 1); l++)
{
j += s[l] + k[l];
swap(s[l], s[j]);
}
Let’s go over this code, so we understand what it does:
1. The integer ‘n’ determines how strong the encryption is. WEP uses 256.
2. The array of characters ‘k’ is the secret key combined with the three pseudo characters. It is not changed at all in our program.
3. The initialization stage begins where the ‘// initialization’ comment is, obviously. It just seeds the array ’s’ with values 0-255, corresponding to the element they’re inserted into.
4. The integer ‘j’ is used to hold the value during scrambling. It is initialized to 0 because it must always start on 0.
5. Next, (where the ‘// scrambling’ comment is) the scrambling process begins. It basically creates the “random” ’s’ array from the previously boring ’s’ array.
6. Inside the loop, the first part merges their key (k) with the random array (s) to create a finalized character. Then, the call to swap() puts it into the array of finalized characters.
Now it’s time for the second part of the RC4 algorithm, the Pseudo Random Generation Algorithm (PRGA). This part outputs a streaming key based on the KSA’s pseudo-random array. This streaming key will then be merged with the cleartext data to create the encrypted data.
int i = 0;
int j = 0;
int z;
while (there_is_data_to_be_encrypted)
{
i++;
j += s[i];
swap(s[i], s[j]);
z = s[s[i] + s[j]];
// z is outputted here
// and then XOR’d with cleartext
}
1. The integers ‘i’ and ‘j’ are declared and initialized to 0.
2. There is a loop that runs until the end of the packet of data is reached.
3. ‘i’ is incremented in every iteration of the loop to keep it running.
4. ‘j’ holds the pseudo-random number.
5. Another call to swap() switches the characters in s[i] and s[j].
6. ‘z’ is calculated by adding s[i] and s[j] and taking the value in the element corresponding to their sum. The reason for this will be explained why later on.
7. ‘z’ is XOR’d in with the cleartext to create the new encrypted text.
CRC stands for Cyclic Redundancy Checksum. When packets are sent across the network, there has to be a way for the receiving host to know the packet has not been damaged in any way. This is the CRC’s purpose. Before the data is sent, CRC calculates a value, or checksum, for the packet, which is sent with the packet. When it is received, the target host calculates a new checksum from it using CRC. If the CRCs match, the packet’s credibility has been confirmed.
So let’s summarize. The Access Point creates the pseudo-random characters. They are merged with the prechosen shared key to create the secret key. The KSA then uses this key to create the pseudo-random array, which is used by the PRGA to create a streaming key. This key is then XOR’d with the cleartext to create the encrypted data, and the CRC jumps in and creates a checksum for it.
Then, the receiving host decrypts it. The characters appended on by the AP are removed and merged with the shared key to recreate the secret key. The secret key goes through the whole RC4 process, and is XOR’d with the encrypted text, creating the cleartext and checksum. The checksum is removed and another is created. They are then compared to see if the data survived, and the user is authentic.
Part II: Cracking WEP
Before we get into cracking WEP, let’s cover a few more flaws in the encryption process:
* There is a 5% chance that the values in s[0]-s[3] will not be changed after the first three iterations by the KSA.
* The first value in the encrypted data is the SNAP, which is 0xAA, or 170 base 10. Sniffing the first byte of encrypted text and XOR-ing it with 170 will give the first output byte of the PRGA.
* A certain format of the bytes given by the AP will indicate that it is weak and subject to cracking. The format is (B + 3, 255, X), where B is the first byte of the secret key. X can be any value.
We’re going to talk about the KSA now. Let’s define some variables for a “testing environment”:
* The captured character code from the AP is 3,255,7. We sniffed it out of the air. We will be using it because testing has shown it is a very weak code.
* The shared password is 22222. We are just telling you this so you will understand the process. In practice, you would not know this.
* N is 256, of course.
* If there is a value above 256, a modulo operation will be performed on it. The resulting value will be used.
* The array ’s’ has already been seeded, with values 0-255.
Open up the program Kismet. Kismet is a free wireless scanner for Linux. When you open it, you will see a list of WLANs that are in range. Choose one and make a note of these four details (note that the target computer can be any host on the WLAN):
* AP MAC address
* Target computer’s MAC address
* WEP Key used
* Wi-Fi channel used
Open up Aircrack and it will start capturing packets. You’ll also notice that it’s capturing IVs. But this takes a long time. It could even take several hours or days to capture a sufficient number of IVs to crack the WEP key.
Luckily, we can speed things up. For example, if the WLAN were very busy, there would be more traffic, resulting in more IVs being captured. If we were to continuously ping the network, it would result in more traffic, and speed things up nicely:
ping -t -l 50000 ip_address
So what to do now? We have a bit of data, but we have to get a WEP key here. It’s time to break out void11. void11 forces the AP to deauthenticate all of the hosts attached to it, virtually cutting off all of the hosts. The first thing they will automaticall do is try to reconnect to the AP. This generates an extreme amount of traffic, though it’s not very subtle.
Yet another technique is called a replay attack. This captures a packet from a host on the WLAN, and then spoofs the host and continues to replay the packet over and over again. This generates a very large amount of traffic. A good program for this is airreplay. This is what void11 was for. If you run airreplay right after stopping void11, airreplay will pickup the necessary packets caused by the deauth attack from void11.
Open up airodump. Now, thanks to the replay attack, the IV count has risen to about 200 per second. Wow! You’ll probably get all the necessary packets within 10 minutes. All of these IVs are being written out into a capture file. Open up aircrack. It will read in all the IVs from the capture file, and perform a statistical analysis on them. Then, it will attempt to brute force its way in. Once it has found the key, it will tell you.
Part III: Protect Your WLAN
The first thing you should do is change your default SSID and password. This is obvious, but it’s surprising how many people neglect to do it.
You’re also going to want to upgrade the AP’s firmware as often as possible. If you want good security, switch from WEP to WPA or WPA2. These are uncrackable…so far. Disable SSID broadcast. This will stop a NetStumbler scan, and some other lowly programs, though Kismet and AirMagnet don’t rely on SSID broadcast.
Another good option is MAC address filtering. This allows you to setup a filter, only allowing computers with certain MAC addresses in, or denying certain MAC addresses.
