Thursday, January 7, 2016

The many hurdles of cracking a WEP network

Goal: To obtain the password of a wifi network encrypted using WEP.

I thought this would be an easy task from what I read around the web, but it became a huge task consuming way too much of my time and money, for something I didn't actually need at all, just a curiosity. Well, I may as well write about it.

While crawling around I naturally searched for a Windows-based solution; early on I found out that there is a consensus that the best wifi cracking suite of programs is called aircrack-ng.

When I went to their site I found that they say cracking under Windows is much less stable and robust, and will never be as good as cracking from Linux, as Windows adds layers of protection which prevent some of the cracking techniques.

Ok, so I will do it using a Linux distribution.

I went back to my research and found out about the Kali Linux distribution; it is a distribution based on Debian Linux which already contains lots and lots of hacking/cracking utilities.
That will save me lots of time, so I downloaded a Kali Linux virtual machine so I can run it in parallel to my main OS (Windows 8).

While working from that virtual machine I found out that my laptop's internal wifi card is no good for hacking other wifis: a basic prerequisite is a wifi card which can go into "monitor" mode, a mode where it can passively capture wifi packets flying from routers to clients, and most wifi cards can't do that.

I searched around and ordered a USB wifi card containing a chipset (Ralink 3070) which supports this monitor mode.
After about a month and about $30, I got my wifi card.

Hooked it up to my laptop and began a painful process of trying to get my virtual machine to control the USB wifi card as if it were physically connected to it, because it seems that my Windows machine recognizes it, but doesn't pass it through as-is to the virtual machine.
After many hours I decided to install a Kali Linux distribution on a USB flash disk and boot from that disk; that way it should be able to recognize the wifi USB dongle.

Installed Kali OS on a USB flash disk, hooked up the new USB wifi card and ... nothing. It didn't recognize the USB connection. I did everything I could think of: updated drivers, firmware, everything I could find online, to no avail!

I went back to the research and found that most people recommend another chipset (Atheros based, exactly this model: AWUS036NHA) for wifi which also supports this "monitor" mode, so off I went to eBay: $50 and about a month later, this new USB wifi card got hooked to my computer, running my Kali Linux distribution from my USB drive.

My USB wifi got recognized out of the box! YAY.
Now to the software part.

I am no newbie to computers, and had many thoughts about moving from Windows to Linux, at least on my special projects laptop (not on the family computer of course); after the following experience, I finally decided against moving to a Linux (Ubuntu) distribution.

After doing some reading, I found out that in order to crack that WEP thingy, I need to run about 20 Linux commands with complicated arguments on the command line, so I thought I'd look for a shortcut.
I get the whole Linux-geek thing; yeah, it is better to know the ins and outs of every utility I run, but I can't master them all, so I prefer to thoroughly understand the applications I need for my day to day use, and leave the rest to nice GUI-based applications which encapsulate the internal logic and work with me as a user to satisfy my needs, rather than covering every aspect the command line application can handle.

So I found out that there are only a few GUI wrappers for aircrack-ng, and even those aren't working well, as they expose so much unneeded functionality.

Let me explain: let's say I am a user who wants to crack a WEP password, so I would expect to fire up an application which shows me all the networks around, click on the desired network, see a progress bar steadily filling up, and BAM, get the password. Nothing more, nothing less.
Instead these Linux frontends expose so much internal logic, which is really frustrating.

So, I did find one good frontend for the task called "fern". This one looks amazing, if only it worked on my machine.
For some reason, it didn't manage to turn my wifi card to that "monitor" mode.

So I went back to the command line and thought of doing it the good old command line way, but it seems that there is a problem and airmon-ng doesn't succeed in changing my card to monitor mode.
After some reading I found another solution:
  • Shut down the wifi card: ifconfig wlan1 down
  • Change the mode: iwconfig wlan1 mode monitor
  • Start the wifi card: ifconfig wlan1 up

Now I started FERN, but it still doesn't work. Bye bye fern.

Back to the command line.
So the aircrack-ng suite contains many applications, but for my lean needs I used the following:
  • airmon-ng: for managing the "monitor" mode (in the end I used the above method instead of this one, as it didn't work!)
  • airodump-ng: view networks, and view and dump all packets to a file
  • aireplay-ng: injects packets of different kinds to the router so that capturing packets for this network is faster (this one is optional)
  • aircrack-ng: parses the packets from the dump file airodump-ng created, and attempts to crack the password.

So the method goes as follows (crudely):
  • Change the network card to "monitor" mode (airmon-ng or ifconfig + iwconfig)
  • Scan the networks around (airodump-ng)
  • Find the network you want to hack and save its channel, BSSID and name.
  • Scan the packets coming out of that wifi network (airodump-ng) and dump them to a file
  • If capturing packets is too slow, you can speed it up by injecting packets into that network (aireplay-ng)
  • After capturing at least 5000 packets, crack the password using that dump (aircrack-ng)
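As an added example (not from the original post), here is the defender's side of the scan step: a small Python script that parses the CSV file airodump-ng writes while scanning and flags every network still running WEP or no encryption, so you can find which of your own access points need moving to WPA2. The column order follows airodump-ng's CSV layout; the sample rows, addresses and names are constructed for this example.

```python
import csv
import io
from typing import Dict, List

# Constructed sample in the layout airodump-ng writes to its <prefix>-01.csv file:
# an access-point table, a blank line, then a station table. All addresses,
# names and timestamps here are made up for this example.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
02:00:00:00:00:01, 2016-01-07 10:00:00, 2016-01-07 10:05:00,  6,  54, WEP , WEP, , -40, 120, 5200,   0.  0.  0.  0,  7, HomeOld, 
02:00:00:00:00:02, 2016-01-07 10:00:00, 2016-01-07 10:05:00, 11,  54, WPA2, CCMP, PSK, -55,  90,    0,   0.  0.  0.  0,  7, HomeNew, 
02:00:00:00:00:03, 2016-01-07 10:00:00, 2016-01-07 10:05:00,  1,  54, OPN , , , -70,  30,    0,   0.  0.  0.  0,  5, Guest, 

Station MAC, First time seen, Last time seen, Power, # packets, BSSID, Probed ESSIDs
02:00:00:00:00:AA, 2016-01-07 10:01:00, 2016-01-07 10:04:00, -50, 300, 02:00:00:00:00:01, 
"""


def parse_access_points(text: str) -> List[Dict[str, str]]:
    """Return the access-point rows (the table before the first blank line) as dicts."""
    text = text.replace("\r\n", "\n").lstrip("\n")
    ap_section = text.split("\n\n", 1)[0]
    rows = list(csv.reader(io.StringIO(ap_section), skipinitialspace=True))
    header = [h.strip() for h in rows[0]]
    aps = []
    for row in rows[1:]:
        if len(row) < len(header):      # skip stray short or empty lines
            continue
        aps.append({h: v.strip() for h, v in zip(header, row)})
    return aps


def weak_networks(aps: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Flag APs whose Privacy column says WEP or OPN; these need migrating to WPA2."""
    findings = []
    for ap in aps:
        privacy = ap["Privacy"].upper()
        if privacy.startswith("WEP"):
            reason = "WEP: RC4 with 24-bit IVs, key recoverable from captured traffic"
        elif privacy.startswith("OPN"):
            reason = "open network: no encryption at all"
        else:
            continue
        findings.append({
            "essid": ap["ESSID"], "bssid": ap["BSSID"], "channel": ap["channel"],
            "ivs": int(ap["# IV"] or 0),   # IVs a passive listener has already seen
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in weak_networks(parse_access_points(SAMPLE_CSV)):
        print(f"{f['essid']:<10} {f['bssid']} ch{f['channel']:>2} ivs={f['ivs']:<5} {f['reason']}")
```

Point it at a real airodump-ng CSV by reading the file into `parse_access_points` instead of `SAMPLE_CSV`.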

Needless to say, I wasn't pleased by this complicated procedure, so I kept searching and found another frontend which is still very complicated for a frontend, as in order to work with it you need to understand way too much about the internals of hacking WEP; but still, it is better than the command line, and there aren't any good alternatives, so I used aircrackGUI.
Download: wget
Extract: tar -zxvf AircrackGUI-M4-Ultimate-1.0.0-Beta2-32bits.tgz
Run: ./aircrack-GUI

Yes, the best tool is already four years old, with no updates on the horizon.

This frontend works exactly like the command line; it just spares you the need to copy-paste the BSSID, for example, and is much more pleasant to the eyes.
It only worked after I got past this strange exception that some library is missing:
Download library: wget
Install it: dpkg -i libssl0.9.8_0.9.8o-4squeeze14_i386.deb

At the end of this whole venture I found the WEP password as a HEX number, which apparently should be used as-is in the password field of the wifi connection (just without the colons), so in order to use it, I removed the colons, then copied and pasted that string into the wifi password form.

That's it.

My conclusions?
  • I should really stick to Windows
  • Linux users are very smart guys, but IMHO they should learn to build GUI applications
  • Linux GUI applications should be targeted towards the user needs and encapsulate the advanced functionality, instead of exposing all of the command line options in a GUI manner.
  • I don't really need my neighbor's wifi password

EDIT (2016)
As of this year (2016) I am actively earning $3000/month from blogging (not this blog, this is for my fun). I have written a big article here about my mistakes and my success in getting to that goal (I intend to leave my day job by the end of 2016, living off my blogging); if my success inspires you then please leave me a comment there:
My Personal Journey
