In this recipe, we are going to learn about WEP encryption cracking. Wired Equivalent Privacy (WEP) is a security protocol, specified in the IEEE Wireless Fidelity (Wi-Fi) standard 802.11b, designed to provide a Wireless Local Area Network (WLAN) with a level of security and privacy comparable to what is usually expected of a wired LAN. WEP is built on the RC4 stream cipher, which has also been widely used on the Internet as part of HTTPS. The flaw is not RC4 itself but the way WEP uses it: the reuse of initialization vectors (IVs). For this exercise, we will be using a tool called Wifite. This tool attacks multiple WEP-, WPA-, and WPS-encrypted networks in a row; it is customizable and can be automated with only a few arguments. Wifite aims to be the "set it and forget it" wireless auditing tool.
For this activity, we will require wifite (preinstalled in Kali), an active and running wireless adaptor, and a wireless router running WEP encryption.
Follow these steps:
1. Upgrade wifite to the latest version:
   wifite -upgrade
2. List the wireless networks the adaptor can see:
   wifite -showb
   The output will be as shown in the following screenshot:
3. Run wifite without arguments to start scanning for targets:
   wifite
   The output will be as shown in the following screenshot:
4. Press Ctrl + C to stop the scan, then type the number of the target network (3 in this run).
   The output will be as shown in the following screenshot:
In the background, what the framework does initially is put the wireless adaptor into monitor mode using the airmon-ng command, a part of the aircrack-ng suite, and start the enumeration list:
wifite -upgrade: This command upgrades the wifite framework to the latest version
wifite -showb: This command lists all the available wireless networks detected by the wireless adaptor
The details of how WEP cracking works are as follows:
WEP prepares a key schedule (seed); this is the concatenation of the user's shared secret key with a randomly generated 24-bit initialization vector (IV). The IV extends the life of the secret key because the station can change the IV for each frame transmission. WEP then feeds that "seed" to a pseudo-random number generator (RC4) that produces a keystream. The length of this keystream is equal to the length of the frame's payload plus a 32-bit Integrity Check Value (ICV).
The reason WEP failed is that the IVs are short and sent in clear text: with only a 24-bit IV field, the number of distinct keystreams RC4 can produce for a given key is relatively small, so IVs (and hence keystreams) are inevitably reused; on some devices the IV is even static. The standard does not specify how the IV has to be set or changed, so there are scenarios where wireless adapters from the same vendor end up producing the same IV sequences.
An attacker can keep sniffing data, collect all the IVs available, and then successfully crack the password. For more information, visit http://www.isaac.cs.berkeley.edu/isaac/wep-faq.html.
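To make the IV-reuse flaw concrete, here is an added example (not code from the recipe or from Wifite) that models the seed construction described above: a constructed 40-bit key and 24-bit IV are fed to RC4 and used to protect a payload plus its 32-bit ICV. Two frames sent under the same IV are XORed to show that the keystream cancels out, and count_iv_reuse is a simple defender-side check over captured frames; KEY, IV and the payloads are constructed samples.

```python
import zlib

# Added example (not from the recipe or from Wifite): a minimal model of the WEP
# keystream construction, seed = IV || shared key fed to RC4, to show why a
# repeated IV is fatal. KEY, IV and the payloads below are constructed samples.
KEY = bytes.fromhex("0a1b2c3d4e")        # constructed 40-bit (WEP-40) key
IV = b"\x11\x22\x33"                     # constructed 24-bit IV, sent in clear

def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Plain RC4: key-scheduling algorithm, then the output generation loop."""
    s = list(range(256))
    j = 0
    for i in range(256):                 # KSA: permute S using the seed
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):              # PRGA: emit keystream bytes
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def wep_encrypt(iv: bytes, key: bytes, payload: bytes) -> bytes:
    """Frame body: clear IV, then RC4(IV||key) XOR (payload + 32-bit CRC ICV)."""
    assert len(iv) == 3, "WEP IV is 24 bits"
    body = payload + zlib.crc32(payload).to_bytes(4, "little")
    keystream = rc4_keystream(iv + key, len(body))
    return iv + bytes(p ^ k for p, k in zip(body, keystream))

def wep_decrypt(frame: bytes, key: bytes) -> bytes:
    """Regenerate the keystream from the clear IV, check the ICV, return payload."""
    keystream = rc4_keystream(frame[:3] + key, len(frame) - 3)
    plain = bytes(c ^ k for c, k in zip(frame[3:], keystream))
    if zlib.crc32(plain[:-4]).to_bytes(4, "little") != plain[-4:]:
        raise ValueError("ICV mismatch")
    return plain[:-4]

def xor_of_plaintexts(frame_a: bytes, frame_b: bytes) -> bytes:
    """Same IV => same keystream, so C1 ^ C2 == P1 ^ P2 without knowing the key."""
    assert frame_a[:3] == frame_b[:3], "different IVs: keystreams do not cancel"
    return bytes(a ^ b for a, b in zip(frame_a[3:], frame_b[3:]))

def count_iv_reuse(frames) -> int:
    """Defender-side monitor: how many frames repeat an IV already seen."""
    seen, reused = set(), 0
    for frame in frames:
        reused += frame[:3] in seen
        seen.add(frame[:3])
    return reused
```

A monitoring tool watching for a rising count_iv_reuse on a WEP network is seeing exactly the condition the paragraph above describes.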